ML19172A086

From kanterella
Revision as of 16:50, 19 October 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search
(External_Sender) NEI 19-02 Revision 0, Guidance for Assessing Open Phase Condition Implementation Using Risk Insights
ML19172A086
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/20/2019
From: Geier S
Nuclear Energy Institute
To: Eric Benner, Mike Franovich
Division of Operating Reactor Licensing, NRC/NRR/DRA
References
NEI 19-02, NRC Bulletin 2012-01
Download: ML19172A086 (50)


Text

NRR-DRMAPEm Resource From: GEIER, Stephen <seg@nei.org>

Sent: Thursday, June 20, 2019 2:15 PM To: Benner, Eric; Franovich, Mike Cc: TRUE, Doug; UHLE, Jennifer; KRUEGER, Greg; PIMENTEL, Frances; Williams, Donna; Fong, CJ; ANDERSON, Victoria

Subject:

[External_Sender] NEI 19-02 Revision 0, "Guidance for Assessing Open Phase Condition Implementation Using Risk Insights" Attachments: NEI 19 Guidance for Assessing Open Phase Condition Implementation- ....pdf Eric and Mike, Attached please find the approved issue of NEI 19-02, Guidance for Assessing Open Phase Condition Implementation Using Risk Insights, provided for the staffs information. This document is referenced in the NEI OPC Initiative, Revision 3, transmitted to the NRC via letter on June 6, 2019, as providing a probabilistic method for risk evaluation of operator response for OPC solutions developed using the OPC Initiative framework. NEI 19-02, Revision 0, provides risk assessment guidance based on the premise that the risk associated with an OPC event is significantly reduced through the implementation of detection and alarm circuits.

In developing the final document for issue, we have addressed comments provided by the staff during public meetings held on the industrys OPC initiative and to review previous drafts of the methodology on February 20, 2019, March 20, 2019, and May 7, 2019. These public meetings were held to discuss with the staff previous drafts of the OPC risk-informed methodology and the proposed changes to the NEI OPC initiative.

We look forward to working with the staff on implementing the final actions towards completing the OPC Industry Initiative and eventual closeout of NRC Bulletin 2012-01.

Best Regards, Steve Stephen E. Geier, PE l Sr. Director, Engineering & Risk 1201 F Street, NW, Suite 1100 l Washington, DC 20004 P: 202.739.8111 M: 202.765.5813 nei.org This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Sent through www.intermedia.com 1

Hearing Identifier: NRR_DRMA Email Number: 64 Mail Envelope Properties (3c4663d31b97466f85c2b3ae0ff89f15)

Subject:

[External_Sender] NEI 19-02 Revision 0, "Guidance for Assessing Open Phase Condition Implementation Using Risk Insights" Sent Date: 6/20/2019 2:14:50 PM Received Date: 6/20/2019 2:15:17 PM From: GEIER, Stephen Created By: seg@nei.org Recipients:

"TRUE, Doug" <det@nei.org>

Tracking Status: None "UHLE, Jennifer" <jlu@nei.org>

Tracking Status: None "KRUEGER, Greg" <gak@nei.org>

Tracking Status: None "PIMENTEL, Frances" <fap@nei.org>

Tracking Status: None "Williams, Donna" <Donna.Williams@nrc.gov>

Tracking Status: None "Fong, CJ" <CJ.Fong@nrc.gov>

Tracking Status: None "ANDERSON, Victoria" <vka@nei.org>

Tracking Status: None "Benner, Eric" <Eric.Benner@nrc.gov>

Tracking Status: None "Franovich, Mike" <Mike.Franovich@nrc.gov>

Tracking Status: None Post Office: nei.org Files Size Date & Time MESSAGE 2598 6/20/2019 2:15:17 PM NEI 19 Guidance for Assessing Open Phase Condition Implementation- ....pdf 755447 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received:

NEI 19-02, [Rev 0]

Guidance for Assessing Open Phase Condition Implementation Using Risk Insights Prepared by the Nuclear Energy Institute May 2019

© NEI 2019. All rights reserved. nei.org

May 2019 NEI 19-02, Rev 0 Acknowledgements This document was developed by the Nuclear Energy Institute. NEI acknowledges and appreciates the contributions of NEI members and other organizations in providing input, reviewing and commenting on the document including NEI Project Lead: Frances Pimentel Industry Lead: Greg Krueger - Exelon Corporation and NEI Loanee Matt Johnson - Jensen Hughes Richard Anoba - Jensen Hughes Erin Collins - Jensen Hughes Kazimierz Leja - Exelon Corporation Notice Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.

© NEI 2019. All rights reserved. nei.org

May 2019 NEI 19-02, Rev 0 Executive Summary This report provides guidance for the performance of a risk assessment to inform the decision of whether to implement the Open Phase Isolation System (OPIS) automatic trip function or to implement the OPIS to provide alarm and indication to the control room operator and rely on proper operator action to diagnose and respond to the presence of an Open Phase Condition (OPC).

Following the January 2012 Byron Station event, utilities designed and implemented the OPIS with intent to automatically isolate the plant from an OPC using an automatic trip function to remove the OPC from the plant electrical system and align alternate power. The risk benefit of the function to detect and automatically remove the OPC from the plant competes with potential detrimental impact the automatic operation would have on the plant. In some cases, the OPIS automatic trip function may introduce risk compared with an OPIS that relies on operator action to diagnose the condition and take appropriate action. Risk analysis techniques can be used to inform a decision in whether to implement the OPIS with automatic trip function.

This report provides discussion of the factors influencing the results of a risk assessment, such as use of existing operating experience, guidance for estimating the likelihood of an OPC, consideration of spurious operation of the OPIS, and how to integrate the existing plant response model (Probabilistic Risk Assessment - PRA) to estimate difference in risk between the two alternatives. Assumptions and sources of uncertainty are discussed and guidance for the performance of sensitivity evaluations which are used to inform the decision of the different possible outcomes of the risk assessment are also provided. Based on pilot studies, an Appendix is provided with an example risk assessment document outline is also provided.

Insights developed from the pilot assessments and benchmarking effort using Exelon fleet plant PRA models shows that plants with separate connections to the offsite power system are more robust to OPCs by virtue of the redundancy in the electrical distribution system due to a remaining source of offsite power being available to one emergency bus with a single OPC affecting another emergency bus.

Even if an OPC could potentially impact all emergency buses, the probability of core damage and large early release can be demonstrated to be small if the plant response provides adequate time for operators to take mitigating action to detect and respond to the OPC. New plant features such as low leakage seals for Pressurized Water Reactor (PWR) Reactor Coolant Pumps (RCPs) and for both PWRs and Boiling Water Reactors (BWRs), as well as multiple sources of reliable AC independent core cooling systems, and the ability to reset and recover electrical loads, should the loads be demanded and trip during OPC conditions provide additional capability to mitigate the impact of an OPC.

© NEI 2019. All rights reserved. nei.org

May 2019 NEI 19-02, Rev 0 Table of Contents 1 Introduction ..................................................................................................................................... 1 2 Purpose ............................................................................................................................................ 1 3 Background ...................................................................................................................................... 1 3.1 The Byron Event .................................................................................................................. 1 3.2 Additional Operating Experience ........................................................................................ 2 3.3 NRC Risk Assessment .......................................................................................................... 5 3.4 Open Phase Isolation Systems ............................................................................................ 5 3.5 Plant Impact Summary........................................................................................................ 5 3.6 Evaluation Decision Guidance............................................................................................. 6 4 PRA MODELING GUIDANCE ........................................................................................................... 11 4.1 Initiating Event Analysis .................................................................................................... 11 4.2 OPC Frequency and Probability Analysis .......................................................................... 12 4.3 Plant Response Analysis.................................................................................................... 16 4.4 Plant Electrical Distribution .............................................................................................. 17 4.5 OPC Event Tree ................................................................................................................. 19 4.6 Open Phase Isolation System Model ................................................................................ 23 4.7 Human Reliability Analysis ................................................................................................ 27 4.8 Equipment Recovery ......................................................................................................... 29 4.9 AC Power Recovery ........................................................................................................... 31 4.10 Fire and External Events ................................................................................................... 32 4.11 Quantification and Sensitivity Analysis ............................................................................. 33 4.12 Results Interpretation ....................................................................................................... 37 5 Conclusion...................................................................................................................................... 40 6 References ..................................................................................................................................... 40 Appendix A - Analysis File Template ........................................................................................................... 42

© NEI 2019. All rights reserved. nei.org

May 2019 NEI 19-02, Rev 0 1 INTRODUCTION This document provides the guidance and template for applying a plant-specific risk evaluation to compare the difference between operator manual response and automatic response to an Open Phase Condition (OPC) at a nuclear power plant.

2 PURPOSE The purpose of this document is to provide guidance and a general framework for performing a plant-specific risk evaluation of an Open Phase Condition (OPC) at a nuclear power plant. Potential options and considerations are provided to support a realistic risk assessment of the open phase condition based on plant specific electrical designs and response to such a condition. The primary focus is to provide guidance regarding comparison of the change in risk between operating with automatic functions to isolate a power supply affected by an OPC versus reliance on operator manual action.

3 BACKGROUND This section discusses the background information driving the need to represent an OPC in a nuclear plant Probabilistic Risk Assessment (PRA), based on existing operating experience and preliminary risk assessments of the OPC performed by the NRC and industry.

3.1 The Byron Event On January 30, 2012 [1], a mechanical failure of an insulator on the Startup Auxiliary Transformer (the SAT) providing offsite power to Byron 2 caused an open circuit on one phase of the transformer primary (an OPC). The SAT supplies power to the Byron 4.16kV emergency buses and to two of the four 6.9kV RCP buses. The OPC did not cause an undervoltage signal on the 4.16kV emergency buses but resulted in a reactor trip on 6.9kV bus undervoltage. The turbine and main generator did not immediately trip.

Although the power to the emergency buses was insufficient due to the OPC, the emergency diesel generator (EDG) did not start and load because of the lack of undervoltage trip of the emergency bus.

After approximately 30 seconds had passed, the main generator tripped on reverse power. During the 30 seconds after the reactor trip and prior to main generator trip, the two RCPs powered by the 6.9kV buses being fed from the SAT with the OPC remained running on only two phases. After the main generator trip, the non-safety related buses being supplied by the Unit Auxiliary Transformer (UAT) fast transferred to the SAT with the OPC, and 40 seconds later, all four RCPs tripped on overcurrent.

The OPC also resulted in the tripping of equipment on the emergency bus, including a charging pump, component cooling water pump, and service water pump. An Auxiliary Feedwater (AFW) pump tripped on overcurrent after auto-start signal occurred on RCP bus undervoltage. A component cooling water pump tripped on overcurrent after an automatic start signal on low suction pressure. Operators attempted to restart the service water pump but were not successful. Several pieces of equipment powered by the 480V buses began to trip due to activation of the thermal overload relays.

Operators diagnosed the problem in approximately eight minutes and tripped the SAT breakers to the 4.16kV emergency buses, triggering an undervoltage signal. The EDGs started and the bus loads sequenced, restoring power and equipment on the 4.16kV emergency buses.

© NEI 2019. All rights reserved. nei.org, page 1

May 2019 NEI 19-02, Rev 0 3.2 Additional Operating Experience Operating experience (OE) has shown that OPC events have occurred at multiple U.S. sites. Some of the events, with applicable Agency-wide Document Access and Management System (ADAMS) accession number documenting the Licensee Event Report reference, are shown below. These events are taken from Reference [2] and LER searches. Each event involved an initial component failure that caused an open phase, though some OPCs progressed as loss of offsite power events because abnormal electrical conditions were detected by the plant protective relaying even without an open phase detection relay.

Not all events resulted in a unit trip.

Plant Date Licensee Event Description Report / ADAMS Accession /

Inspection Report Oconee Unit 31 12/07/15 LER #2015-002-00 Broken overhead line conductor to one phase of and the offsite power transformer that powers all ML16057A062 emergency buses post- trip discovered during (special operator rounds. There was no unit trip because inspection report) the power supply was in normal alignment in standby.

Oconee Unit 11 12/15/15 ML16057A062 Broken Strands on overhead line conductors of all (special three phases to the offsite power transformer that inspection report) powers all emergency buses post-trip discovered during detailed inspection. Conductor cores were intact. Subsequent testing on intact cores provided indication the original failed conductor was still capable of carrying adequate current to supply loads during design basis accident. There was no unit trip because the power supply was in normal alignment in standby.

Byron Unit 11 2/28/12 ML12272A358 Failed insulator on standby transformer and ground fault actuated protective relays. Initial failure was OPC but event progressed as LOOP due to the actuation of protective relaying in response to the fault condition. There was no unit trip because of plant fast transfer capability which aligned an alternate power supply to the buses affected by the OPC and offsite power was aligned to the emergency buses from an alternate source.

© NEI 2019. All rights reserved. nei.org, page 2

May 2019 NEI 19-02, Rev 0 Plant Date Licensee Event Description Report / ADAMS Accession /

Inspection Report Byron Unit 21 1/30/12 ML12272A358 Failed insulator on standby transformer caused open phase condition. See section 3.1 for a detailed description of the event. The event caused an OPC to the emergency buses and a unit trip.

Beaver Valley 11/27/07 ML080280592 During a walkdown of the offsite switchyard, a site Unit 11 construction supervisor discovered the A phase conductor on a three-phase power line had broken off in the switchyard. Due to the design of the transformer, voltage indication was normal, so the condition was not detected. There was no unit trip because the power supply was in normal alignment in standby.

Fitzpatrick 12/19/05 ML060610079 Broken bus bar conductor detected by abnormal AND amperage readings by the local grid operator.

ML060620519 There was no unit trip because the power supply Nine Mile was in normal alignment in standby. Note, this is Point Unit 11, 2 one OPC (one broken bus bar) that affected two plants with shared switchyard.

South Texas 3/1/01 ML011200051 One phase of three phase circuit breaker in the Project Unit 2001 switchyard failed to close. The plant was in the 21, 3 process of removing a switchyard bus from service for maintenance. Three circulating water pumps tripped offline and operators manually tripped the unit in accordance with procedures. The OPC could have affected one of three emergency buses but the design of the main and unit aux transformers to the emergency bus can provide power to emergency bus loads given an open phase on the high side of the main power transformer, which is where the OPC occurred.

The other emergency buses were powered by a separate transformer and were not affected.

© NEI 2019. All rights reserved. nei.org, page 3

May 2019 NEI 19-02, Rev 0 Plant Date Licensee Event Description Report / ADAMS Accession /

Inspection Report Comanche 6/23/92 LER #92-016-00 During a severe thunderstorm with winds in Peak Unit 1 excess of 70 mph, the Phase B line between transformer and motor operated disconnect switch broke at the connection to the disconnect switch. The line fell resulting in an overcurrent signal. Plant protective relaying detected the condition and isolated the power supply and the event progressed as a LOOP to the emergency buses. There was no unit trip.

Nine Mile 12/11/90 LER #90-023-00 115kV drop line broke at the barrel of the lug Point Unit 1 connecting to the bushing on phase one of one of the two offsite power transformers. Phase imbalance was detected and the breakers supplying both transformers opened and the event progressed as a LOOP. Both transformers are connected through a motor operated disconnect, which opened due to the trip of the supply breakers. One transformer could have been immediately restored to service, but operators locked out the breaker due to the sighting of an ARC flash. There was a plant downpower due to loss of one reactor recirculation pump, but no unit trip.

Monticello 7/16/87 LER #87-014-00 A substation transformer phase conductor broke free causing a phase to phase fault and plant undervoltage condition that tripped reactor recirculation pumps, circulating water pumps, and a cooling tower pump. The unit tripped on low condenser vacuum. Plant protective relaying detected and cleared the fault. Duration of the undervoltage conditions was approximately 50 milliseconds on the emergency buses before the fault was cleared, which was not long enough duration to start and transfer to the emergency diesels and the loss of voltage relaying did not actuate, so the event progressed like a momentary LOOP and loss of power conversion system transient.

Note 1: This event appears to be included as a plant count in the OPC frequency count in Reference

[2].

© NEI 2019. All rights reserved. nei.org, page 4

May 2019 NEI 19-02, Rev 0 Note 2: This event appears to be included as one plant count in the OPC frequency count in Reference

[2], because even though two plants were affected the JAF and NMP1 switchyard is shared and only one bus bar failed.

Note 3: Reference [2] included this date as 3/1/16, however, the date should be 3/1/01.

3.3 NRC Risk Assessment In May of 2017, the NRC performed a risk assessment to estimate the impact of a postulated loss of a single phase in a three-phase high voltage offsite power circuit [2]. The results of the risk assessment supported the preposition that the original, as-discovered electrical configuration of nuclear power plants was susceptible to an Open Phase Condition (OPC), and has the potential of being risk significant.

However, this evaluation is considered conservative and not necessarily representative of the risk at a specific site.

3.4 Open Phase Isolation Systems An Open Phase Isolation System (OPIS) was proposed [3] to detect the OPC and actuate alarms and/or automatic circuit breaker operation, as appropriate based on plant design requirements. The function of the OPIS reduces the chance that an OPC affects the emergency bus equipment before action or automatic actuations and ensures the bus can be disconnected from the OPC supply and an alternate power supply can be aligned.

3.5 Plant Impact Summary Conceivably, an OPC can result in an initiating event at any nuclear power plant. Various plant equipment whose failure would result in a reactor, turbine, or main generator trip depend on AC power for continued plant operation. The specific initiating event impact to a nuclear power plant is dependent on the location of the OPC in the electrical system supporting this equipment, the specific status (e.g.,

degraded, available) of any electrical power bus affected by the OPC if protective relaying detected the condition, and the status of equipment using the buses for AC power to support continued safe and stable operation or safe shutdown of the plant.

In some configurations, an OPC will result in an immediate plant trip. In other configurations, an OPC would not result in an immediate plant trip but could cause a plant trip if equipment affected by the OPC trips due to protective relaying action, and the plant is manually tripped in response to the loss of the equipment. In others, the OPC will not cause immediate trip but may impact the emergency buses after an unrelated plant trip or independent event results in the transfer of electrical power to a standby source with an OPC. This would apply to all other initiating events such as Transients, Loss of Coolant Accidents (LOCAs), etc.

Assuming potential impact to the emergency buses, the immediate concern is similar to a LOOP/SBO, with the emergency buses and associated equipment rendered potentially unavailable. For PWRs, loss of seal cooling to the reactor coolant pumps (RCPs) is an immediate concern (particularly those where RCPs are not tripped automatically by the nature of the event and plant configuration). Core cooling can be provided by AC independent or steam driven pumps, but may depend ultimately on restoration of AC power to support DC power. For BWRs, continued core cooling via AC independent or steam driven pumps may depend on the eventual restoration of AC power. Plant specific timing and mitigation capability can impact the risk associated with an OPC.

© NEI 2019. All rights reserved. nei.org, page 5

May 2019 NEI 19-02, Rev 0 3.6 Evaluation Decision Guidance This section provides risk evaluation decision guidance to facilitate an understanding of the plant-specific electrical design and the potential impact an OPC may have on the facility prior to embarking on a detailed risk evaluation. This is based on the benchmarking effort that applied the pilot PRA method to a variety of plant designs and electrical configurations.

The decision to operate the plant relying on the alarm function of the OPIS (i.e., not the automatic power supply trip function) can be based on a qualitative assessment of the factors that have significant impact on the risk of operating the plant. These factors are based on the results of the application of the guidance to a wide variety of plant types and operating configurations that influence the risk of alternatives.

Based on the insights, plants with electrical configuration with diverse emergency bus power supplies during normal operation or automatically aligned post-trip will likely have very small difference in risk between operating with the automatic function and manual alarm function only. Plants with this configuration should be able to demonstrate, by documenting the potential OPC impact and qualitative assessment of risk, a very small difference in risk between automatic and manual implementation alternatives.

Plants with an electrical configuration that provides power to the emergency buses from the same source during normal operation or aligned post-trip potentially have greater than very small difference in risk between operating in automatic function and manual alarm function only. Factors that influence the risk are the reliability of the operator response (time available to diagnose and perform the action, clarity of cues and procedures, frequency and quality of training) and overall low plant conditional core damage probability in SBO conditions (plants with AC independent core cooling means with sufficiently long coping capability, such as diesel driven equipment, FLEX strategies, or isolation condensers, etc.).

Plants that normally provide power to emergency buses via independent transmission and transformer circuits that align both emergency buses to a single transmission circuit represent a higher risk potential because an OPC in the transmission circuit would propagate to all emergency buses.

Plants in the latter two categories may still show very small change in risk via combination of operator action reliability and low plant conditional core damage probability (CCDP) in SBO conditions. Electrical loads that are demanded and trip/lock out during an OPC would need to be recoverable and easily reset so they can operate on diesel generator power. If the combination of operator action reliability and plant CCDP still result in greater than very small change in risk between the alternatives, global reduction of the importance of OPC by performing a plant-specific OPC frequency evaluation may reduce the OPC frequency, which would reduce the overall difference in risk between alternatives but would require an evaluation of the OPC operating experience against the plant-specific configuration.

Spurious operation of the OPIS, if operating in automatic mode, could trip the plant if the plant is designed to trip on loss of offsite power to the emergency buses or emergency bus transformer(s). The trip response would be uncomplicated outside of the need to verify emergency bus status and therefore would have a low overall impact to risk. Some plants do not automatically trip on a loss of the emergency bus power supply because there is a fast bus transfer scheme designed to preclude a trip on loss of offsite power to the emergency buses. Although other failures could occur concurrent with the spurious OPIS and result in a trip (e.g., failure of the fast transfer scheme), these scenarios are of low

© NEI 2019. All rights reserved. nei.org, page 6

May 2019 NEI 19-02, Rev 0 probability. These plants should have time to assess whether an OPC is present prior to the need to shut down or take other actions.

Ultimately, for plants with emergency buses susceptible to an OPC on one part of the transmission or switchyard circuit, the risks and benefits of the alternatives are plant-specific and should be weighed for the specific plant. However, it is envisioned that the plant-specific design, mitigation features, operator response and potential increases in risk from enabling the automatic function of the OPIS can show that the difference between automatic and manual response to an OPC from a risk perspective can be small.

All plants, no matter the applicable influencing factors provided in Table 2 below, can pursue the risk evaluation to credit operation in the alarm mode only. The description of the configurations and the number of potential plants within each configuration in Table 1 is taken from an NRC Memorandum

[11]. This differentiation of electrical configurations, and the benchmark applications of this methodology across 22 U.S. nuclear units, is used to facilitate the scope and depth of the risk evaluation.

Table 2 summarizes the potential factors that influence the risk comparison of the automatic and manual OPC mitigation response with a characterization of the impact using the benchmarking results.

© NEI 2019. All rights reserved. nei.org, page 7

May 2019 NEI 19-02, Rev 0 Configuration Description Number Potential difference of Plants in risk: manual vs.

automatic mitigation 1 Single connection to offsite power source 19 Small (Less than 1E-05 (switchyard) feeding both ESF buses through for CDF and 1E-06 for one or two offsite power transformers (SATs) LERF) during normal power operating conditions.

2 Plants with ESF buses normally aligned to the 27 Very Small (less than UAT during power operation. Upon unit trip, 1E-06 for CDF and 1E-the ESF buses are transferred (using a bus 07 for LERF) transfer scheme) to the offsite power transformers that are normally energized but may be on standby mode (no load condition) or partially loaded with some nonsafety-related loads.

3 Only one train of ESF buses may be potentially 40 Very Small (less than vulnerable to open-phase condition between 1E-06 for CDF and 1E-the switchyard and an SAT, as it is unlikely that 07 for LERF) redundant trains will be impaired simultaneously.

4 Generator output breaker design using the 9 Judged to be small (less generator step up transformer and the unit than 1E-05 for CDF and auxiliary transformers as the immediate 1E-06 for LERF), based on access power source from the grid after the plant type 1 result turbine or generator trip. ESF buses do not automatically transfer to redundant offsite circuits.

5 Normal feeds to ESF buses split between UATs 9 Small (Less than 1E-05 and SATs. In seven out of nine plants, after the for CDF and 1E-06 for unit trip, the ESF bus fed from UAT will also be LERF) automatically transferred to a common SAT.

© NEI 2019. All rights reserved. nei.org, page 8

May 2019 NEI 19-02, Rev 0 Normal Operating Influencing Factor OPIS Mode Potential Impact Specific Mitigating Factors Configuration 1, 4, 5 Emergency bus Manual High Impact - Actuation of AC-independent core cooling electrical loads and loads may trip protective systems such as Diesel-Driven supporting loads are relaying which may require AFW (PWR) and high reliability demanded prior to OPIS manual reset, all three phases RCP seals, FLEX systems, Isolation success. may not be monitored for condensers.

input to protective relaying at Protective relaying confirmed each electrical load.

adequate to protect demanded loads under unbalanced phase conditions.

Emergency bus loads easily recoverable from the main control room.

Automatic Low Impact - OPIS timing N/A designed to actuate prior to load protective relaying 1, 4, 5, and RCPs powered All RCPs do not Manual High Impact - RCP seal cooling Reliable operator action to trip from bus not affected by automatically trip via may be lost due to the OPC RCPs, loss of seal cooling alarms OPC protective relaying if with the RCPs running. and response procedures, OPC occurs or RCPs on guidance to trip RCPs given an separate power supply OPC alarm.

(PWR).

Automatic Low Impact - Automatic OPIS N/A designed to ensure seal cooling remains available given OPC.

© NEI 2019. All rights reserved. nei.org, page 9

May 2019 NEI 19-02, Rev 0 Normal Operating Influencing Factor OPIS Mode Potential Impact Specific Mitigating Factors Configuration 2, 3, 5 (if independent Emergency bus Manual Low Impact - Actuation of N/A source to each emergency electrical loads and loads may trip protective bus aligned after transfer supporting loads are relaying which may require for configuration 5) demanded prior to OPIS manual reset; all three phases success. may not be monitored for input to protective relaying at each electrical load, however, another division remains available, and for some plants trip would potentially have to occur to result in demands on emergency buses.

Automatic Low Impact - OPIS timing N/A designed to actuate prior to load protective relaying.

Opposite division remains available and trip would have to occur to result in demands for emergency buses.

2, 3, 5 (if independent All RCPs do not Manual Low Impact - One division N/A source to each emergency automatically trip via remains available, and plant bus aligned after transfer protective relaying if trip would have to occur to for configuration 5) OPC occurs or RCPs on align supply with OPC.

separate power supply Automatic Low Impact - One division N/A (PWR).

remains available, and emergency diesel power aligned to support seal cooling.

© NEI 2019. All rights reserved. nei.org, page 10

May 2019 NEI 19-02, Rev 0 4 PRA MODELING GUIDANCE This section provides guidance on performing a plant-specific Probabilistic Risk Assessment (PRA) of an OPC at two nuclear power plants. The plant-specific PRA approach utilizes the existing PRA accident sequence models, specifically, the transient, LOOP, and SBO models, as appropriate based on the plant design, configuration, and impact of OPC on the electrical distribution at the plant. The two pilot assessments are for a pilot PWR [7] and a pilot BWR [8]. The two dual-unit plants normally provide offsite power to emergency buses for a single unit through two transformers with a common switchyard feed (PWR) or one transformer (BWR). This type of configuration is somewhat unique and considered bounding when compared to other safety related emergency bus configurations at other U.S. facilities.

Although the OPIS is designed to automatically trip the circuit breakers and isolate the power supply with the OPC to the plant emergency buses, this assessment credits manual operator action in response to the OPIS alarm in the main control room. It also addresses the factors required to develop the Human Failure Event (HFE) Human Error Probability (HEP). This guidance can be used to compare the risk between operating with the automatic isolation function of the OPIS and operating with reliance on operator manual action only.

The use of existing plant-specific PRA models along with probabilistic information developed below is intended to provide sufficient risk information without the need to develop separate detailed models of the OPIS.

4.1 Initiating Event Analysis For plants where an OPC causes an automatic trip, several existing plant initiating events or categories adequately represent the initiating event impact. Review of the Byron event [1] shows the possible initiating events are:

  • Loss of offsite power (LOOP) to the emergency buses (may progress to SBO-like conditions)

Depending on the specific plant design and electrical configuration, other initiating events may be possible. For example, an OPC on a power supply unique to the balance of plant equipment (main feedwater, condensate, etc.) or a specific loss of single bus initiating event may result in loss of the equipment, causing the existing initiating event to occur. This guidance focuses on the loss of offsite power initiating event (e.g., loss of three phase power to all plant emergency buses) as a surrogate measure to facilitate use of existing utility PRA tools to evaluate the risk or change in risk associated with an OPC. For a PWR, the event may progress to RCP seal LOCA via loss of seal cooling depending on the plant specific design. Plants with physically and electrically independent offsite power supplies to the emergency buses would experience a response similar to a loss of bus initiating event.

In specific plant configurations, spurious operation of the OPIS may result in a plant trip. The event would progress as a LOOP transient. In plants where spurious OPIS does not result in immediate trip, eventual manual shutdown may be required unless offsite power is restored to the emergency buses.

Plants with a fast transfer scheme designed to keep the unit on-line on a loss of offsite power to an emergency bus may not trip when the OPIS spuriously operates. In this configuration, plants that power

© NEI 2019. All rights reserved. nei.org, page 11

May 2019 NEI 19-02, Rev 0 balance of plant loads with the same offsite power supply may trip if the OPIS automatic function is not enabled, due to loss of BOP loads in the time it takes the operators to respond to the OPIS alarm.

4.2 OPC Frequency and Probability Analysis OPC Frequency In Section 4.2 of Reference [2], the NRCs provided conservative estimate for the OPC frequency of 8.1E-03/year, is based on 7 failures in 10.1 years, 100 reactors, and a plant capacity factor of 0.92. The first six rows in Table 1 of Reference [2] were used to develop the frequency. These events are described in Section 3.2 of this document. The correlation of events to the count of 7 is not explicitly shown in Reference [2]. Based on an effort to validate the frequency by looking at the specific LERs and reports documenting the events, it was determined that the first six rows in the table are U.S. domestic nuclear plant operating experience, which were used to be consistent with the SPAR models per the statement after Table 1 in Reference [2]. The second six rows relate to international operating experience documented in IAEA Safety Report Series No. 91.

Of the U.S. domestic data, the event on 12/7/15 was actually two separate events at two units (Oconee 3 on 12/7/15 and Oconee 1 on 12/15/15), so the total plant count from the first six rows of Table 1 in Reference [2] is 7. The 12/9/05 event affected two plants with a share switchyard (Fitzpatrick and Nine Mile Point 1) but was failure of only one bus bar, so it should be counted as just one event. A Bayesian update of the 7 plants (failures) with a half failure yielded a count of 7.5 in the numerator. One of the events in the first six rows of Table 1 in Reference [2] has a date of 3/1/16. However, the LER associated with the event shows the date as 3/1/01. With the date change, the number of years in the denominator should be 15, instead of 10.1. Using 15 years, the frequency estimate in Reference [2]

should have been 5.43E-03.

Per a review of the 7 failures listed on Table 1 of Reference [2], only two of the events (i.e., events on 1/30/12 and 3/01/01) appear to have affected downstream plant equipment. Also, it is not clear why the data window was limited to 2001 to 2015. Offsite power data has been collected since the 1990s (References [5] and [6]).

The NRC analysis in Reference [2] assumed a conservative worst-case scenario where a single OPC occurs on the high voltage side of the line feeder to the transformers providing offsite AC power to the plant emergency buses. The OPC was assumed to impact all downstream buses. The location of an OPC requires additional apportionment which would further reduce this probability. It is not clear that a single OPC will always impact all downstream buses. Many plants have separate transformers that supply normal power to the emergency buses. In some cases, these are only powered from a common source in a ring bus configuration at the highest voltage levels in the nuclear power operator switchyard.

Faults at this level require an additional failure layer.

For plants which have offsite power feeds in a reserve standby state, absent of an independent detection/isolation system, the impact of an OPC on the offsite power feed will only be detected after a reactor/turbine/main generator trip event has occurred. For these cases, a dimensionless probability of OPC is developed derived from the yearly frequency for a one-year duration. The probability of latent OPC affecting the emergency buses post-trip depends on failure of the OPIS to alarm the condition. In this scenario, operator rounds may still detect the OPC. If the OPIS fails and self-alarms the failure, repair of the OPIS in a timely manner minimizes the chance a latent OPC can affect the emergency bus.

© NEI 2019. All rights reserved. nei.org, page 12

May 2019 NEI 19-02, Rev 0 Additionally, a post-trip, 24-hour mission failure could occur in configurations where offsite power to the emergency buses is available initially but an OPC develops during the 24-hour mission time. In this case, it would not be an initiating event but could result in an OPC plant response that occurs after an initial, unrelated plant initiating event (e.g., Transients, LOCAs, etc.).

Alternative OPC frequencies and probabilities have been estimated beyond that developed in the NRC analysis. For example, Reference [4] provides OPC frequency of 1.56E-03/year, based on 4 events in 2465.59 reactor-years and a plant capacity factor of 0.96. Reference [4] was developed in 2012 and as discussed in section 3.2, additional operating experience shows additional events that should be considered in developing a plant specific OPC frequency. The following discussion is an example of an evaluation that can be performed in order to estimate an OPC frequency.

Reference [4] utilized the data from the following NRC website, and identified operating events with an OPC occurrence. The events are described at the following website:

https://www.nrc.gov/reactors/operating/ops-experience/open-phase-electric-systems.html A review of this industry operating experience identified the following OPC events. The events and the specific ADAMS accession number are reproduced in the following bullets. These events are described in section 3.2 of this document.

This operating experience was evaluated in Reference [4]. Reference [4] assessed that the Fitzpatrick and Nine Mile Point events were actually the same event as the plants share a switchyard. Only one failure of a single phase occurred so this was counted as only one event. Therefore four OPC events were used to calculate OPC frequency. Each event was assumed applicable to the OPC initiating event frequency. The total number of events was divided by the total number of reactor-critical years to estimate the OPC frequency.

Using a similar approach but taking into account more recent operating experience, the OPC frequency can be estimated the same way. Reference [2] was completed in May of 2017, and includes more recent operating experience. Reference [2] tabulated both domestic and international OPC experience.

Ultimately, however, U.S. nuclear plant experience was used to estimate the frequency, consistent with the scope of initiating events considered in the U.S. NRC SPAR models for the U.S. nuclear fleet. This is common practice for models developed for the U.S. nuclear fleet as the assumption of data applicability from the U.S. experience is considered to be best estimate based on equipment, maintenance, and operational similarities. Reference [2] estimated 7 events and included a Bayesian update using a non-informed prior, which yields a numerator count of 7.5. In addition to the events from Reference [2], 3 prior events that include a component failure (failure of a line, breaker phase, or conductor) that could

© NEI 2019. All rights reserved. nei.org, page 13

May 2019 NEI 19-02, Rev 0 have progressed to an OPC that affected the plant emergency buses but progressed as LOOP or occurred in the part of the power system that did not affect the emergency buses, are also described in section 3.2 and are added to the 7 events from Reference [2]. Assuming no additional events have occurred, the denominator, based on 10 years of U.S. fleet experience, can be revised to include time through the end of 2017. The NRC website contains reactor operating data for the number of critical reactor years. Using the web site for Operating Time, https://nrcoe.inel.gov/resultsdb/ReactorYears/, and selecting the By Plant Calendar Year link, a total of 2750 reactor-years of critical operation between 1987 and 2017 is provided. Using the numerator count of 10.5 and 2750 reactor-critical years, this equates to an OPC frequency of:

  • OPC Frequency = 10.5 events / 2750 reactor-years = 3.81E-03 per reactor-year The post-trip OPC probability is calculated for an annual exposure time and a 24-hour mission time
  • OPC Post-Trip Probability (1-year exposure) = (3.81E-03 per reactor-year)
  • 1 year = 3.81E-03
  • OPC Post-Trip Probability (24-hour mission) = (3.81E-03 per reactor-year) * (1 year / 365 days) =

1.05E-05 The alternative frequency assessment above assumes no U.S. nuclear industry open phase events have occurred, beyond the events identified in Reference [2] and the additional LERs, and only the domestic plant data used in Reference [2] is applicable to the OPC frequency calculation.

An alternative, plant-specific assessment can be performed utilizing plant-specific experience. Such an assessment should be performed consistent with the data analysis in the existing PRA loss of offsite power initiating event frequency estimate. The steps to complete the estimate are as follows:

1. Perform a search for industry loss of phase events for the data period consistent with the existing PRA. Sources of loss of phase events may include Licensee Event Reports (LERs) and existing LOOP data sources such as those published by the NRC and by EPRI (References [5] and

[6]). Determine if the event is applicable to the plant by comparing the event to the specific plant being evaluated.

2. Estimate a prior frequency based on the number of occurrences of a loss of phase event and the reactor critical years or calendar years for the data period.
3. If necessary, perform a Bayesian update of the prior with plant specific loss of phase event occurrences and reactor critical or calendar years.

Based on the above two examples, the OPC initiating event frequency could be expected to fall in the range of 3.81E-03 to 5.43E-03. The same value can be used to estimate the post-trip probabilities for a 1-year exposure and 24-hour mission time. Care should be taken to properly categorize a specific event as either a full LOOP (applicable to LOOP frequency) or applicable as an OPC only. For example, the Byron Unit 1 event included a ground fault which resulted in electrical conditions that actuated the existing undervoltage relaying which isolated the OPC from the emergency buses and aligned the emergency diesel generators. Byron Unit 1 is designed not to trip on loss of power to the emergency buses, and within hours, cross-tie from Unit 2 restored offsite power to the emergency buses. Although this event began with a component failure that could have progressed to an OPC to the emergency

© NEI 2019. All rights reserved. nei.org, page 14

May 2019 NEI 19-02, Rev 0 buses, the event progressed as a LOOP due to the other conditions that occurred and allowed the existing protective relaying to detect the condition and isolate the emergency buses from the failed power supply. If distinguishing events between LOOP and OPC, some events may have already been counted in the LOOP frequency for the plant PRA and this would need to be accounted for if developing an OPC frequency for the PRA to estimate total risk from OPC and all other accidents (including LOOPs).

For the change in risk evaluation, this is not necessary since the change in risk only depends on the OPC frequency.

The PWR [7] and BWR [8] pilot assessments conservatively utilize the OPC initiating event frequency of 5.43E-03, and a post-trip 24-hour mission estimate based on this frequency. A plant-specific OPC data analysis or calculation of an OPC frequency is not required to get a bounding estimate of the change in risk between alternatives. Use of the conservative NRC value can be used as was the case for the example risk evaluation performed for this document.

Spurious OPIS Actuation As discussed in section 3.5, spurious operation of the OPIS, with the auto-trip function enabled, could have an adverse impact on risk. The magnitude of the impact depends on the plant specific configuration and whether this configuration would likely cause a unit trip given a loss of offsite power to the emergency buses. Automatic OPIS trip function actuation may also be preferable in cases where an actual OPC would cause a plant trip that could be precluded if automatic function is enabled and the plant is designed to fast transfer power and stay on-line given a loss of offsite power from the switchyard to the emergency buses and other buses powered by the same transformer. During the Byron unit 2 event, the reactor tripped after equipment powered by the SAT detected the undervoltage; with the reactor tripped, the main generator tripped on reverse power, and eventually the RCPs also tripped on overcurrent. If the OPIS is operated in alarm only, the operators would not be able to accomplish the action to trip the offsite power supply breaker prior to actuation of protective relaying and the plant trip would occur.

Spurious operation data was collected during the OPIS installation monitoring period and can be used to estimate the frequency/probability of a spurious OPIS. Reference [12] discusses observed spurious OPIS actuation data taken during the monitoring period and includes an estimate of spurious operation of 8E-02 using this data. Reference [12] also discusses an example plant OPIS model which provided an estimate of 2E-02/yr. OPIS models using IEEE-500 data developed for the PWR pilot and the BWR pilot show a range of 9E-03/yr (one OPIS monitoring the SAT with only one relay detecting open phase and actuating OPIS) to 2E-02/yr (Two OPIS monitoring upstream of the SATs, one relay detecting open phase per SAT and either can actuate the OPIS).

There are five events in Reference [12]. Event 1 was attributed to an unusual combination of electrical current spike when energizing a transformer along with faulty signal (Potential Transformer) input.

Event 2 was attributed to faulty signal (injection source) components, which were replaced, and no issues were noted after replacement. Event 3 was attributed to relay time delay setting specified during the design phase which was adjusted to match field conditions. Event 4 was a relay algorithm issue for low current operation which was addressed, and no issues have been seen since. Event 5 was attributed to a switching transient on the grid which may have introduced sub-harmonics into the voltage system but is still under review.

© NEI 2019. All rights reserved. nei.org, page 15

May 2019 NEI 19-02, Rev 0 Of this data, two relate to components that likely failed (event 1 PT and event 2 injection sources). Two events related to relay timing and relay algorithm optimization (events 3 and 4). The last event is under review, so without knowing the reason for the spurious actuation, the event should be counted.

Assuming the relay timing and algorithm issues have been addressed during the monitoring period, using the remaining 3 events assuming 75% of 99 plants experienced a 6 month monitoring mode period, yields a frequency of 3 divided by (0.75

  • 99
  • 0.5) equals 8E-02/yr. Assuming the hardware failures are related to first of a kind installation and operation and would decrease with time, using one event instead of 3, gives a frequency of 1 divided by (0.75
  • 99
  • 0.5) equals 2.7E-02/yr.

A range of 2E-02/yr to 8E-02/yr to represent potential spurious operation is expected based on this assessment. Plants could use a value of zero to conservatively estimate the change in risk between alternatives. Sensitivity studies can illuminate the impact of assumptions made in applying the rate of spurious operation to the model.

4.3 Plant Response Analysis An OPC which is not isolated from the emergency buses is similar initially to a LOOP with no emergency power to the emergency buses, which is effectively a Station Blackout (SBO). The OPC has the potential to render safety buses unavailable until the buses are recovered. In some plant configurations, the non-safety buses might still be available if fed by another transformer with a diverse high voltage feed. The availability of non-safety buses could provide decay heat removal options not available in a typical SBO.

In an OPC, the emergency power supply is available, but the safety buses are in a degraded condition and not in a failed condition. The OPC could result in damage to equipment if circuit protective devices (e.g., overcurrent trips) fail to function. The plant response to an OPC is a function of plant specific design (PWR versus BWR) and/or operational differences.

Pressurized Water Reactor (PWR)

The immediate concern for a PWR during an OPC is the response to a loss of seal cooling. At Westinghouse sites, this requires the loss of both injection and thermal barrier cooling to reactor coolant pumps (RCS Seal LOCA). An OPC, unlike an SBO, does not ensure the RCPs are secured. If power to the RCP is not lost due to the same OPC, then operations must trip the RCPs. Westinghouse PWRs have traditionally been more susceptible to RCP Seal LOCA issues. Core cooling is maintained via the Steam Generators which are fed from Steam Turbine Driven Feedwater Systems (e.g., Steam Turbine Driven EFW or AFW) or other AC independent core cooling pumps. The Steam Turbine Driven Feedwater Systems are normally controlled by DC power. The available core damage mitigation time is a function of the time it takes to uncover the core due to RCP Seal LOCA or a loss of secondary heat removal. The time to the loss of secondary heat removal is related to battery depletion time. The degraded condition on the safety buses could cause the component cooling water (CCW - thermal barrier cooling) and charging pumps to trip (loss of seal injection), resulting in a loss of RCP cooling. Some plants have a diverse alternate RCP seal injection system that is independent of AC Power. If the RCPs are tripped due to loss of the non-safety buses, the probability of seal failure is much lower. Also, if an RCP Seal LOCA occurs due to loss of seal cooling, hours are available to restore power before core damage occurs.

Many plants have installed the shutdown seals. For these seals, RCP seal LOCA is precluded beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> if the RCPs are tripped with secondary heat removal available, thereby affording greater operator response times in response to an OPC event.

© NEI 2019. All rights reserved. nei.org, page 16

May 2019 NEI 19-02, Rev 0 For other initiating events, post-trip, the plant response would reflect the loss of emergency bus power.

Transients would proceed similar to the LOOP/SBO response. Other initiating events, such as LOCAs, would introduce timing different than a transient or a LOOP with RCP trip. For example, a large LOCA would create much less time for operator action before makeup is required and emergency bus loads are demanded. In this case, no credit is taken for the operator manual action to isolate the OPC from the emergency bus.

Boiling Water Reactor (BWR)

The immediate concern for a BWR is limited due to the availability of steam driven DC powered mitigation systems (e.g., HPCI, RCIC, etc.). The Steam Turbine Driven Injection Systems are normally controlled by DC power and are therefore not impacted by the OPC effecting AC buses. The available core damage mitigation time is a function of continued core makeup and cooling from Steam Turbine Driven Injection Systems (i.e., battery depletion time). During an OPC, the Steam Turbine Driven Injection Systems will be controlled by the safety batteries. The time to deplete the batteries and the time to core damage after loss of all core cooling will determine the time available to restore power before core damage occurs. Some BWRs have a HPCS instead of one of the steam driven core cooling sources. The HPCS bus may be powered by the same supply affected by the OPC. Many plants have procedures that direct the operators to strip DC loads during a SBO, thereby extending the battery depletion time and the time to core damage. Most plants now have FLEX strategies in place to provide an alternate means to power the steam driven pumps directly or the chargers. For those plants that also have a long battery life, this is an effective additional mitigation strategy.

For other initiating events, post-trip, the plant response would reflect the loss of emergency bus power.

Transients would proceed similar to the LOOP/SBO response. Other initiating events, such as LOCAs, would introduce timing different than a transient or a LOOP.

The modeling approach used for both plant types assumes the OPIS is installed which will either detect the OPC and initiate automatic trip function or provide an alarm in the main control room, alerting the operators of the condition affecting the emergency buses. The model is adjusted to credit either automatic trip function or the alarm mode in order to develop change in risk estimates.

Spurious Operation The plant response to a spurious operation of the OPIS depends on the plant electrical design. Impacts could range from a fast transfer to alternate power supply with no impact to operating plant equipment, to a LOOP-like transient plant trip. In both cases, offsite power recovery may be immediately available unless plant conditions preclude the operators from being able to recover power quickly.

4.4 Plant Electrical Distribution The plant impact of the OPC is driven primarily by the impact to the emergency buses. Depending on the configuration of the electrical distribution system, primarily the offsite power scheme, the impact could affect all emergency buses. Example configurations of an OPC that can impact the emergency buses are discussed in this section and are considered bounding compared to other designs across the U.S. nuclear fleet.

© NEI 2019. All rights reserved. nei.org, page 17

May 2019 NEI 19-02, Rev 0 Examples of configurations are shown in Figures 1 and 2 [2]. Figure 1 shows both emergency buses are normally fed by the same power transformer from the 345 kV switchyard. An OPC on or upstream of the transformer primary winding would propagate to each emergency bus. In this example, multiple units are therefore affected by the same OPC.

Figure 1 - Example Electrical Configuration 1 - Both Safeguards Buses Affected Figure 2 [2] illustrates an OPC impacting all safety buses during a configuration when a cross-tie between two transformer feeds is in place. Although the configuration is not likely during normal operation, the figure is being used to illustrate the potential propagation of an OPC to all the safety buses. If the plant is normally operated with diverse high voltage feeds to the transformers, one OPC would not affect both buses; however, if the unusual configuration is not prohibited the condition may be possible. A fraction of time in a given alignment could be developed and applied to reduce the frequency of OPC events that propagate to all emergency buses.

© NEI 2019. All rights reserved. nei.org, page 18

May 2019 NEI 19-02, Rev 0 Figure 2: Example Electrical Configuration 2 - Both Safeguards Buses Affected 4.5 OPC Event Tree The OPC event tree is based on transfers to existing accident sequences that model the plant response to an event that is similar to the conditions induced by the OPC impact on plant equipment. The unique model impact of the OPC relates to success or failure of the OPIS, operator actions cued by the OPIS and OPC conditions, and bus overcurrent relays that function to protect running motor loads from the degraded bus conditions.

The event tree is simply one that models the OPIS detection and response to an OPC initiating event. It includes the expected automatic and operator response to the initiator.

Figures 3 and 4 show example event tree models with example parameter values of the plant response to the OPC for the example electrical configurations shown in Figures 1 and 2. Figure 3 shows the plant response to an OPC affecting emergency buses that directly results in a plant trip. Figure 4 shows the plant response to an OPC affecting emergency buses that occurs prior to the plant trip and the plant trip transfers the emergency buses to the supply with the OPC.

© NEI 2019. All rights reserved. nei.org, page 19

May 2019 NEI 19-02, Rev 0 Figure 3 - Example OPC Initiating Event Model for Electrical Configurations with Both Safeguards Buses Impacted Event Tree Headings IE-OPC Heading IE-OPC represents the occurrence frequency of the OPC initiating event, which is the entry condition to the event tree. An open phase condition occurs that results in loss of phase to the emergency buses and automatic plant trip. The trip can occur due to loss of the emergency buses directly or because of OPC impact to other buses where equipment is lost. For a PWR, the trip may occur if seal cooling is lost due to trip of the equipment being fed from the emergency bus. In this case, the operator actions modeled focus on the trip of the RCPs and the plant in response to the loss of seal cooling.

OPIS-DET Heading OPIS-DET represents the success or failure of the OPIS to detect the OPC and provide an alarm in the main control room notifying the operators of the condition or to automatically trip the system.

Failure of the system at this heading results in transfer to the SBO response, representing the loss of all equipment on the emergency buses, as the OPC would be affecting equipment on each emergency bus.

This results in potential trip of the equipment due to overcurrent relay actuation, thermal overload action, or inability to start needed equipment on the bus. Success represents actuation of the alarm in the main control room or automatic isolation of the OPC.

© NEI 2019. All rights reserved. nei.org, page 20

May 2019 NEI 19-02, Rev 0 OCPROT Heading OCPROT represents the success or failure of the emergency bus motor overcurrent protection to actuate and trip the breaker to the motor given the OPC in the time prior to the trip of the power supply breakers to the emergency bus. Failure represents a transfer to a degraded LOOP or SBO response (LOOP or SBO with equipment that is unavailable, damaged, or unrecoverable due to overcurrent and no successful trip of the motor breaker). Success represents trip of circuit breaker motors on overcurrent, so they will be available to automatically or manually start after the power supply affected by the OPC circuit breaker is opened. Electrical studies may exist that show that overcurrent relaying will not actuate in the time it takes the OPIS to automatically trip the circuit breaker from the power supply affected by the OPC. If so, this node would not need to be questioned. If the OPIS fails or manual operator action only is credited, electrical studies may have to be completed to justify whether overcurrent protection is required to protect the bus load.

OPCMIT-AUTO Heading OPCMIT-AUTO represents the success or failure of the OPIS to automatically trip the supply breakers providing offsite power to the emergency buses (i.e., the supply affected by the occurrence of the OPC). Failure of the system represents loss of the immediate automatic trip function which progresses to the need for manual trip. Success isolates the OPC to the emergency buses resulting in start of the emergency power source and LOOP conditions, or LOOP conditions with some equipment consequences if overcurrent relaying is demanded and fails.

OPCMIT-MAN Heading OPCMIT-MAN represents the success or failure of the operators to trip the supply breakers providing offsite power to the emergency buses (i.e., the supply affected by the occurrence of the OPC).

Failure of the system at this heading represents the loss of all equipment on the emergency buses, as the OPC would be affecting equipment on each emergency bus, resulting in potential trip of the equipment due to overcurrent relay actuation, thermal overload action, or inability to start needed equipment on the bus. Success represents manual trip (opening) the supply breakers allowing a valid bus undervoltage signal to start the emergency AC power supply (e.g., emergency diesel generators) and provide power to the emergency buses and recover loads that require manual reset before being placed back into service.

Event Tree End States INIT-LOOP This end state represents transfer to a LOOP sequence based on successful isolation of the power supply affected by the OPC to the emergency buses. The plant response continues as a typical LOOP, although the probability of AC recovery could be affected by the ability to repair the supply with the OPC prior to recovering AC to the emergency buses, if credited in the PRA (see section 3.6 for treatment of AC recovery). If overcurrent relaying was required to protect an emergency bus load, local trip resets and recoveries may need to be modeled in the fault tree.

© NEI 2019. All rights reserved. nei.org, page 21

May 2019 NEI 19-02, Rev 0 INIT-LOOPSC This end state represents transfer to a LOOP sequence based on successful isolation of the power supply affected by the OPC to the emergency buses. However, overcurrent protection associated with the motor loads on the emergency buses has failed which results in potential damage to the motor loads rendering them irrecoverable. Any affected loads would be unavailable given the LOOP. There may be a combination of successful and failed overcurrent relaying on an emergency bus load basis. If overcurrent relaying was required to protect an emergency bus load, local trip resets and recoveries may need to be modeled in the fault tree.

INIT-SBO This end state represents transfer to an SBO sequence based on failure to isolate the power supply affected by the OPC from the emergency bus, and where overcurrent protection successfully trips the motor loads on the emergency bus. If overcurrent relaying was required to protect an emergency bus load, local trip resets and recoveries may need to be modeled in the fault tree, which may affect the probability of AC (offsite power) recovery, if using one of the existing offsite power recovery curves.

INIT-SBOSC This end state represents transfer to an SBO sequence based on failure to isolate the power supply affected by the OPC from the emergency bus, and where overcurrent protection fails to trip the motor loads on the emergency bus, which results in potential damage to the motor loads rendering them irrecoverable. Any affected loads would be unavailable given the SBO. There may be a combination of successful and failed overcurrent relaying on an emergency bus load basis. If overcurrent relaying was required to protect an emergency bus load, local trip resets and recoveries may need to be modeled in the fault tree, which may affect the probability of AC (offsite power) recovery, if using one of the existing offsite power recovery curves.

© NEI 2019. All rights reserved. nei.org, page 22

May 2019 NEI 19-02, Rev 0 Figure 4 - Example Post-Trip OPC Model for Electrical Configurations with Both Safeguards Buses Impacted The post-trip event tree (Figure 4) is equivalent to the initiating event tree, assuming the OPC occurs after the trip. Prior to the trip, if the OPIS alarm fails, the OPC could remain until bus transfer, and no additional cues via overcurrent relays would occur. If enough indications (such as phase voltage or phase current) are not available in the MCR, the condition could remain undiscovered until the initiating event occurs, and emergency bus loads begin to trip on overcurrent.

The pilot assessments [7] and [8] utilize the OPC initiating event tree and the post-trip event tree.

4.6 Open Phase Isolation System Model The Open Phase Isolation System (OPIS) has two major functions. The function addresses the capability to detect and monitor the occurrence of an OPC upstream of the transformers that provide offsite power to the emergency safeguards buses at the plant and provide an alarm or automatic trip of circuit breakers providing power through the transformers to the emergency buses.

The automatic trip function of the OPIS could introduce a potential increase in the likelihood of loss of offsite power events due to random spurious automatic trips. The design and installation of the OPIS will have addressed random spurious trips. Depending on the plant configuration and design response to an

© NEI 2019. All rights reserved. nei.org, page 23

May 2019 NEI 19-02, Rev 0 undervoltage on the emergency buses, it is possible the automatic OPIS could result in a fast bus transfer of non-safety related buses that if successful, does not result in an automatic plant trip.

For the pilot PWR, this new detection scheme monitors the current on the high side of the SATs to detect a loss of phase or low load condition. The relays are multifunction microprocessor-based programmable relays. The relay compares the positive, negative, and zero sequence currents. On detection of a loss of phase upstream of the SAT, the scheme isolates the SAT via the transformer protection lockout relay. This change to add loss of phase protection functionally maintains all the existing interlock functions for the SAT 86 lockout relays.

Figure 5 shows the OPIS interface with the high side of the SATs, the comparison of positive, negative, and zero sequence currents, outputs to the SAT 86 lockout relays, and outputs to the main control room alarm and automatic trip function.

Figure 6 is a trip logic diagram for the PWR pilot OPIS. Factoring in load conditions, positive, negative, and zero sequence currents are compared to detect an OPC and actuate the alarm and the automatic trip of the 86 lockout relays associated with the SAT feeder breakers, removing the offsite power path to the emergency buses, and resulting in a valid undervoltage actuation on the emergency buses.

Figure 5: Example OPIS Design

© NEI 2019. All rights reserved. nei.org, page 24

May 2019 NEI 19-02, Rev 0 Figure 6: Example OPIS Logic The NRC evaluation [2] assumed that the OPIS failure would closely model those of protective relays.

The NRC evaluation OPIS failure rate was conservatively assumed to be 3.2E-07 per hour, based on protective relaying failure data from IEEE-500 [9]. Assuming a one-year mission time, the post-trip failure probability for OPC was assumed to be 3E-03.

The PWR pilot OPC/OPIS risk assessment [7] quantified OPIS monitoring function failure probability of

~1.0E-04/year based on a plant-specific fault tree model. This value can be assumed to be the lower limit for the OPIS monitoring function.

OPIS reliability is a factor in the total CDF and LERF contribution from OPC events in the PRA. When analyzing the difference in risk between automatic trip function and manual alarm function, however, the OPIS failure probability does not contribute to the change in risk estimates, unless different failure probabilities are used to model failure of the trip function and failure of the alarm function. In this assessment, the failure of the OPIS is assumed to result in failure of both the trip and the alarm function, and thus, does not contribute to the change in risk estimates.

Figure 7 shows example fault tree logic that models the alarm function of the OPIS and the operator action to trip the circuit breakers associated with offsite power supply to the emergency buses.

© NEI 2019. All rights reserved. nei.org, page 25

May 2019 NEI 19-02, Rev 0 Figure 7: Example OPIS Fault Tree Model (Monitoring and Operator Action)

The determination of a plant-specific estimate of failure probability for the OPIS monitoring function will require a qualitative comparison of the plant-specific OPIS design and the OPIS design modeled in PWR pilot OPC/OPIS risk assessment. Adjustments to the PWR pilot OPC/OPIS risk assessment OPIS failure probability can be applied, as required, to quantify the plant-specific bounding OPIS failure probability.

The first step involves a qualitative evaluation of the design to understand if the probability of the OPIS failure should be adjusted from the upper or lower limits provided in the previous paragraphs.

Adjustments are based on the following:

  • Number of current or voltage inputs available that will detect an OPC
  • Relay type/design
  • Functional logic redundancy (e.g., one-out-of-two OPIS relays actuate, or two-out-of-two, etc.)

Making the assumption that protective relays are generally similar enough to apply similar failure data, in this case, from IEEE-500 [9], the difference in OPIS failure will primarily be driven by the level of redundancy in the detection and alarm actuation scheme.

The PWR pilot OPIS is essentially a one-out-of-two logic scheme with current detection of a common OPC upstream of the SAT, actuated by microprocessor-based relay.

If the plant OPIS requires two-out-of-two logic or only has one set of components that can fail the OPIS (every individual component, such as CT or PT, relay, or alarm can fail the function), failure of one input can result in OPIS failure. In this condition increase the OPIS failure probability to 1E-02.

© NEI 2019. All rights reserved. nei.org, page 26

May 2019 NEI 19-02, Rev 0 If the plant OPIS has more redundancy (multiple channels of detection and logic components would have to fail to result in no signal), decrease the failure probability to 1E-05.

An alternative, more explicit treatment is to develop an explicit model of the components in the system based on the design. Review of the OPIS failure mode and effects analysis or other documentation associated with the design of the OPIS is recommended to understand system behavior prior to developing a detailed model. Assumptions regarding the failure probability of some of the components making up the OPIS inputs (e.g., current transformers), the OPIS relay, and output actuation devices (lockout relay) may be required. For example, in the NRC analysis [2], data from IEEE-500 was assumed applicable to the OPIS. Uncertainty in the data may need to be discussed and/or characterized for impact on the overall results of the OPC/OPIS model and PRA.

As previously noted, the probability of OPIS failure is important to determining the total CDF and LERF impact, but does not impact the difference in risk between operating with automatic trip function or manual alarm function only, unless the two failure modes are modeled with different failure probabilities. In the case overall CDF and LERF are high, more detailed modeling can reduce the estimated OPIS failure probability. As an example, if the OPIS relay includes a self-alarm feature which can provide the operators indication of a fault within the OPIS that precludes proper operation, repair of the system can be initiated in a timely manner to minimize the time the OPIS is failed. The probability of OPIS reliability would depend on the mean time to repair the fault. Obtaining adequate repair parts can reduce the time to repair, which reduces the probability the OPIS is failed when concurrent with an OPC.

4.7 Human Reliability Analysis The NRC analysis in Reference [2] assumed a conservative worst-case scenario assuming RCP seal loss of integrity and leakage starting in 13 minutes. It was therefore assumed that 13 minutes was available for the operator to mitigate the OPC.

A best-estimate HRA for an OPC event involves a realistic assessment of the failure to diagnose an OPC given several cues in the control room, and failure to perform necessary response to an OPIS alarm.

Best-estimate plant response models are used to establish the time-windows for performing OPC mitigation actions. Industry has installed an OPIS, which would either alarm or once enabled, alarm and automatically isolate offsite feeders to the safeguard buses upon detection of an OPC. The reliability of operator action to manually isolate the offsite feeders could be sufficient to preclude the need to arm the automatic isolation feature of the OPIS.

Upon loss of a single phase, the affected unit would be expected to experience OPIS alarm in the control room and a subsequent plant trip may occur. Based on the alarm response procedures and other confirmatory checks, the operator will open the offsite power feed breaker and cross-tie breakers to each of the associated ESF buses. From this point forward, for plants in which the OPC results in automatic or manual reactor/turbine/main generator trip, the event will resemble a LOOP event. An expected sequence of events is provided below:

  • Loss of single phase condition (OPC)
  • OPIS alarm in the control room and subsequent plant trip (plants that auto trip)
  • Operator opens the offsite power feed breakers to affected ESF buses

© NEI 2019. All rights reserved. nei.org, page 27

May 2019 NEI 19-02, Rev 0

  • Undervoltage Relays start the DGs
  • DGs are running at rated speed and voltage, and the DG feed breakers close
  • Undervoltage Relays reset and the Load Sequencers start
  • Operators reset lockout relays, thermal overloads, and restart pumps and Non-ESF equipment as time permits Some sites are already utilizing the automatic trip function of the OPIS. In order to accurately model the operator response if the automatic trip function is not enabled, procedure changes may be required to achieve a level of reliability roughly equivalent or better than the reliability of the automatic trip function. One key to low probability of operator action failure is sufficient time to take action given actuation of the alarm, and sufficient time to provide for recovery if the initial operator action to open the offsite power supply breakers to the emergency bus fails. Assuming core damage timing is not driven by the immediate need to establish seal cooling or to trip the RCPs (for a PWR), greater than one hour should be available considering initial success of RCP seal integrity and secondary heat removal via AC independent AFW/EFW pumps. For a BWR, greater than one-hour timing is based on initial success of AC independent high pressure pumps. In this case, if the OPC is not initially isolated from the emergency buses, the unbalanced phase condition may result in trip of time overcurrent relays associated with 4kV bus motors, and/or 480V thermal overload relays. Trip of 4kV bus motors may provide additional cues in the MCR of the unbalanced phase condition on the emergency buses. Trip of 4kV and/or 480V motors may impact the plant response if a lockout relay is actuated or a thermal overload requires manual reset. For further discussion of the potential impact on electrical equipment exposed to the unbalanced phase condition on the emergency bus, see section 4.8.

The PWR assessment [7], considering core damage timing (1.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to core damage, one-hour conservative time window assumed) based on initial shutdown seal success, overcurrent protection success, and cues from the OPIS alarm and separate indications of the OPC, yields a mean HEP of 1.2E-

03. The assessment also includes an HEP to recover loads with protective relays that require reset (4kV motor loads) in the main control room and local reset (480V thermal overloads). The HEP is 5.5E-04 for a total HEP of 1.75E-03. In the assessment, failure of either operator action is modeled to result in complete loss of the affected emergency buses. This is conservative because the number of emergency bus loads that actuate, trip, and require reset is dependent on the specific automatic or manual demands that occur during the specific sequence of events after the plant trip and the individual electrical load response to the OPC induced phase imbalance.

The BWR assessment [8] considered a longer time window, but 4kV and 480V resets occur outside of the main control room. The total HEP is 2.2E-03.

Given the dependence of operator actions to illustrate an equivalent mitigation response to an automatic OPIS response, the following is an example list of operator interview questions which may be required to achieve a realistic evaluation of manual action failure probabilities.

1. How is an open phase condition (OPC) detected in the control room (MCR)?
2. If detected by alarm, specify alarm number and alarm response procedure.

© NEI 2019. All rights reserved. nei.org, page 28

May 2019 NEI 19-02, Rev 0

3. Besides alarm in the MCR, are there other indications in the MCR that could be used to confirm or diagnose the presence of an OPC (for example, phase-to-phase voltage indication)? If so, specify these other indications and their location in the MCR (front panels, or panels in the back).
4. If OPC alarm occurs, is it easily noticeable? Or would it typically occur in combination with other alarms that have higher priority?
5. Has alarm occurred spuriously and if so, how often compared to legitimate signal?
6. What are the expected actions after an OPC alarm?
7. If the OPC-affected power supply is not automatically disconnected, do the operators open the breakers manually? Is such an action in a procedure and if so which one? Is it performed from the MCR?
8. Are the operators trained on the response to an OPC? If so, how often? Does the training consider situations where automatic actions fail to occur (leading the operators to manually open the breakers of the OPC-affected power supply)?
9. Given an OPC alarm, how long would it typically take for the operators to perform each of the following actions:
a. detect the alarm,
b. diagnose the issue (assuming automatic trip of the OPC-affected power supply did not occur),
c. respond and trip the OPC-affected power supply.
10. Are there JPMs for the response to an OPC?
11. How is the action executed (pushbuttons or switches in the MCR)?
12. If the OPC is alarmed and the plant has not automatically tripped, would the operators proactively trip the plant and/or the RCPs (PWR only)?

4.8 Equipment Recovery Operating a three-phase motor with less than three phases of electrical power (i.e., the condition induced on the emergency bus if an OPC occurs and OPIS does not automatically isolate the offsite power supply to the emergency bus) introduces electrical conditions that result in unbalanced power flow, and consequently higher than normal current through the remaining phase(s). At lower-level voltage unbalances, a resulting elevated temperature can cause a reduction in service life of the motor.

If the voltage unbalance is high enough, the resulting current unbalance can cause protective devices (overcurrent relays, circuit breakers, thermal overload relays) to trip isolating the motor load. For a double open phase faults (two phases open-circuit), the connected loads lose rotational torque which causes them to quickly transition to locked-rotor current conditions and ultimately trip their protective devices.

© NEI 2019. All rights reserved. nei.org, page 29

May 2019 NEI 19-02, Rev 0 The total current in each phase, including the increase in current in the phases due to the OPC, is dependent on the load on the motor. Lightly loaded motors may, therefore, not be adversely affected by the OPC and if initially running, the motor may continue to run on the remaining phases without adverse impact. Motors that are heavily or fully loaded may need to be tripped to protect the motor from the adverse effects of the overcurrent condition (excessive heating) in the phases. Excessive heating can cause a breakdown in motor insulation which can leadto an electrical fault and motor damage. The effects of excessive heating are dependent on the current, the time the heating occurs, the heat dissipation capability of the motor, and the capacity of the various parts of the motor (conductors, insulation, etc) to resist breakdown under temperature.

If an OPC results in currents that exceed design capability of the motor, protective features designed to remove power from the motor during overcurrent conditions using time overcurrent relays or thermal overloads, or both, should protect the motor from catastrophic damage. The presence of an OPC can increase phase current magnitudes of the motor. Therefore, the motor protection should detect the overcurrent conditions in any of the three phases and interrupt the power to the motor as required.

Motors that are not running and are started by manual or automatic closure of the circuit breaker or motor starter/contactor will draw starting current (locked rotor current) from the power supply through the remaining phases. Starting current is several times higher than full load current with all phases available. With less than three phases, current flow through the remaining phases would be higher than if all three phases were available. In this case, similar to a running motor case, the protective features should remove the electrical power from the motor by tripping the circuit breaker or actuating the overload mechanism.

The risk evaluation should confirm whether an OPC would result in an overcurrent condition requiring motor protection and/or qualitatively confirm that the existing protection would detect overcurrent conditions regardless of which phase or phases in the power system are open. If the protective relaying time characteristic is based on three phase current flow or all phases are not monitored for overcurrent/overload, the protection may not actuate before current exceeds design values for the motor with less than three phases available at motor input. The risk evaluation should ensure those motors are unavailable (failed) if the overcurrent/overload protection is inadequate to trip the motor circuit breaker or actuate the overload device, prior to exceeding design current values, or an engineering evaluation should be performed to determine if the motor is recoverable after the circuit breaker or overload is reset. Exceeding design values does not guarantee catastrophic failure of the motors. In some cases, the motor may experience a loss of design life (generally stated to be 20 years),

and the reduction is related to the temperature above design the motor experiences and the length of time at that temperature, but the motor would still be functional for the PRA mission time.

If the motor protective relaying actuates a lockout relay to trip the motor circuit breaker, it may require local, manual reset of the lockout relay in order to close the circuit breaker after a suitable three phase power supply is available on the emergency bus. The risk evaluation should account for the operator action to restore equipment, if necessary, after manual trip of the breakers that provide offsite power to the emergency bus. Similarly, 480V loads with thermal overload devices may trip and require local reset before the load can be placed back into service.

Discussions with electrical personnel regarding the impact of motors running when an OPC occurs, the PWR and BWR pilot assessments assume motors will trip on overcurrent and can be recovered,

© NEI 2019. All rights reserved. nei.org, page 30

May 2019 NEI 19-02, Rev 0 consistent with the OPC event at Byron. Motors that are demanded to start with an OPC on the bus are assumed to trip, but can be recovered after the OPC is isolated from the emergency bus.

4.9 AC Power Recovery After an OPC, offsite AC power could be aligned from a diverse offsite source, or by repairing the supply with the OPC. AC recovery is typically modeled in response to LOOP/SBO events in the plant PRA and is provided by LOOP classifications of plant-centered, switchyard-centered, grid-related, and weather-centered [10]. AC recovery timing is modeled using lognormal distributions and a time exceedance probability curve showing the probability of recovery AC power prior to exceeding a given time. In a typical PRA, these curves are used to define probabilities of recovering AC before reaching a point in time following a LOOP initiating event representing a damage state (i.e., core damage).

In the January 30, 2012 Byron event [1], the OPC was repaired and offsite power restored 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> after the initial failure (Reference [1] does not indicate whether earlier restoration was possible). A similar (but not the same OPC because a ground fault also occurred) event occurred in February of 2012, which required repair of a similar component (underhung porcelain insulator) that failed in the January event, in which offsite power was restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> via a unit emergency bus cross-tie breaker, which aligned the opposite unit SAT supply to the emergency buses. These OPC events occurred at the switchyard level at Byron. Other OPC events are possible depending on the number of operating transmission lines feeding the switchyard and the configuration of the transmission grid outside the switchyard.

Published data in References [5] and [6] does not directly distinguish between LOOPs caused by open-phase conditions and LOOPs caused by other events. For the pilot assessments [7] and [8], offsite power recovery time is based on assumption and judgment. The offsite power via the time exceedance curve that best reflects the general nature of an OPC (OPC events potentially require repair of SSCs; OPC events can occur in the transmission/distribution grid or in the switchyard) is difficult to judge without additional analysis of potential recovery times given OPC occurrence. The grid-centered curve is assumed to be applicable on the basis that it generally reflects the longest time to repair/recover LOOP events that affect the transmission system, and the events that affect the grid-related LOOP data (e.g.,

failed insulators, broken conductors) are also possible at the switchyard level. The grid-centered LOOP data and recovery times also reflect complex events related to grid interconnections and grid electrical protection schemes, so some of the grid-related LOOP data may not directly apply to an OPC.

The plant-centered curve includes data reflecting failures inside the plant boundary. The data may not be most applicable to OPC events that occur in the switchyard or grid. Switchyard-centered data may be applicable, but generally results in higher probability of recovering AC power at a given time compared to grid-centered and weather-centered events, and the existing Byron event durations shows that recovery time may be generally longer than existing switchyard LOOP data (it should be noted the Byron event does not distinguish when AC could have been recovered versus actually recovered). Weather-centered events, which include widespread damage to SSCs, are judged to not be applicable to OPC which by nature is a lower damage event than those due to extreme weather.

There is uncertainty in the applicability of the AC recovery curves, which may need to be addressed and characterized.

© NEI 2019. All rights reserved. nei.org, page 31

May 2019 NEI 19-02, Rev 0 The PWR pilot assessment assumes AC recovery is possible regardless of whether the operators successfully trip the offsite power circuit breakers providing power to the emergency buses given an OPC or whether they fail to complete the action. If the operators succeed, plant emergency AC can be aligned, and the event progresses as a typical LOOP where AC recovery can be credited if random failure of emergency power occurs. If the operator fails, AC recovery can be credited given time available if AC independent core cooling succeeds and (for a PWR) RCP seal LOCA does not occur. In both cases, the electrical overcurrent protection associated with circuit breakers providing power to the motors on the emergency bus must succeed to prevent damage to the motors, and for the case where the operator fails to disconnect the power supply to the emergency buses, indications of the OPC independent of the OPIS alarm are required to cue recovery.

4.10 Fire and External Events This guidance primarily addresses OPC impact to internal events risk and models. In general, fire and external event risk and models should not be significantly impacted by inclusion of an OPC. If the impact to fire and external events risk and models is small, the difference in risk between the automatic trip function and the alarm function will be very small, however, the following general considerations for OPC impact from external hazard PRAs can be applied.

Fire Events Fire PRAs that credit offsite power supplies may have impact from incorporation of the potential for an OPC and OPIS. Spurious operation of the OPIS with automatic function enabled may result in a plant (reactor/turbine/main generator) trip, depending on the plant response to isolation of offsite power from the emergency buses. Fire damage could result in a spurious OPIS alarm, which may impact the operators in the MCR and/or result in operator action to separate the offsite power supply from the emergency buses. Spurious operation may be a risk if the plant is designed to trip on a loss of power to the emergency buses or if the same fire that actuates the OPIS also causes a plant trip and LOOP and precludes offsite power recovery within a relatively short time frame (for example, by re-closing the offsite power breaker opened by the OPIS) via other cable impacts. In this case, there is little difference in risk between operating with automatic function and manual alarm function because of the plant response to the loss of the other cables in the fire scenario.

Fires could damage electrical cabling associated with the OPIS and provide loss of OPIS automatic trip function and or alarm function, which if concurrent with an OPC during the PRA mission time, results in the OPC affecting the loads on the emergency buses (overcurrent protection and DC control power may also be affected by the fire). The probability of a post-trip (24-hour exposure) OPC is relatively small. For plants that automatically transfer emergency buses to offsite power transformers after a plant trip, an OPC could occur prior to a fire event, and if the OPIS failed and the failure was not detected, could be a latent condition that affects the emergency buses after a fire induced plant trip. Combining the likelihood of a fire with the occurrence of an OPC and failure of the OPIS makes the scenario unlikely.

Seismic Events Generally, seismic PRAs assume or model a fragility of a seismic induced LOOP at a given seismic acceleration. Given the potential for widespread damage to the switchyard and/or transmission/distribution grid, and the general correlation of similar components (i.e., the individual conductors, insulators, structures associated with offsite power) it can be assumed the likelihood of an

© NEI 2019. All rights reserved. nei.org, page 32

May 2019 NEI 19-02, Rev 0 OPC without a full LOOP is small. In lower acceleration seismic events in which offsite power to the emergency buses does not fail due to structural failure caused by the seismic event, chatter of electromechanical contacts associated with the OPIS may cause isolation of offsite power from the emergency buses via automatic trip function or if the operators respond to spurious alarm by isolating offsite power. If the plant trips during this event but offsite power remains available in the switchyard, the operators could re-align the tripped breaker and recover offsite power. For plants that automatically transfer emergency buses to offsite power transformers after a plant trip, an OPC could occur prior to a seismic event, and if the OPIS failed and the failure was not detected, could be a latent condition that affects the emergency buses after a seismic induced plant trip. Combining the likelihood of a seismic event with the occurrence of an OPC and failure of the OPIS makes the scenario unlikely.

High Winds Events Like seismic events, High Wind PRAs assume or model a fragility of an induced LOOP at a given wind speed. Given the potential for widespread damage to the switchyard and/or transmission/distribution grid, and the general correlation of similar components (e.g., the individual conductors, insulators, structures associated with offsite power) it can be assumed the likelihood of an OPC without a full LOOP is small.

Other External Events Other external events are generally insignificant to risk and the occurrence of an OPC due to the event would depend on the likelihood of potential damage to the offsite power supply. Such damage would need to result in an OPC and not result in a full LOOP (for example, explosions near the plant could conceivably damage a single phase, but given the three phases are located together, if the event damaged one phase it would probably damage all three). Local damage to a structure or component that causes loss of one phase without the other would actuate the OPIS and the plant would respond the same as to a random OPC with no additional consequences.

4.11 Quantification and Sensitivity Analysis Quantification of the pilot assessment PWR model and a BWR model was performed to estimate the change in CDF and LERF between operation with automatic trip function and alarm function. Electrical overcurrent protection was assumed successful and adequate to protect the loads affected by the OPC.

AC (offsite power) recovery time was assumed similar to durations that have occurred after grid-centered LOOP events. A format for presenting the quantification results is shown in the tables below.

An analysis file template is provided in Appendix A.

© NEI 2019. All rights reserved. nei.org, page 33

May 2019 NEI 19-02, Rev 0 Plant Base CDF - Base CDF - OPC Impact Base CDF - OPC Change in CDF between Name/Type OPC Impact modeled (per yr.) Impact modeled OPC impact with not modeled Credit for both (per yr.) Credit for Automatic OPIS and (per yr.) Automatic OPIS and Operator Manual Operator Manual Action Operator Manual Action Only. and Operator Manual Action Action Only.

Pilot PWR 1.12E-05 1.15E-05 1.22E-05 7.2E-07 Pilot BWR 1.32E-06 2.34E-06 5.14E-06 2.81E-06 Plant Base LERF - Base LERF - OPC Base LERF - OPC Change in LERF between Name/Type OPC Impact Impact modeled (per Impact modeled OPC impact with not modeled yr.) Credit for both (per yr.) Credit for Automatic OPIS and (per yr.) Automatic OPIS and Operator Manual Operator Manual Action Operator Manual Action Only. and Operator Manual Action Action Only.

Pilot PWR 9.03E-07 9.07E-07 9.32E-07 2.55E-08 Pilot BWR 1.30E-07 1.36E-07 1.48E-07 1.21E-08 Sensitivity Analysis Uncertainties in the overall OPC model require characterization of the impact on the change in CDF and change in LERF results. The following sensitivity studies can be used to understand the impact of key contributors to the risk evaluation results. Note that it is not necessary to perform all of the sensitivities listed because some are contingent on the plant electrical design and potential OPC impact on equipment. For example, some of the sensitivities suggested below assume an OPC would impact all ESF buses and potentially impact running equipment and recovery of impacted equipment. If the plant configuration is such that an OPC impacts only one division, the overcurrent sensitivities would not be required for they reflect boundary conditions that would not exist given the plant design.

© NEI 2019. All rights reserved. nei.org, page 34

May 2019 NEI 19-02, Rev 0 Sensitivity Case Method Discussion OPC Occurrence Reduce OPC frequency/probability using The OPC frequency factors through the Frequency/Probability only events that have occurred and change in risk. A refined estimate of OPC affected downstream buses. In section 3.2, frequency could directly affect the change two events included in the frequency in risk estimates.

estimate in Reference [2] affected downstream buses, giving 2 failures in 15 years for 100 plants. With Bayesian update, frequency is 2.5 / (100*10.1*0.92) = 1.45E-03 OPIS Failure Increase OPIS failure probability by factor The OPIS failure probability does not affect Probability of 5 to account for hardware failure the change in risk estimates, because OPIS probability differences failure is modeled to fail both automatic trip function and the alarm function.

Operator action HEP Assume inadequate procedures and Operator action should be reliable, training (increase total HEP one order of procedures clear, and training frequency magnitude increase) sufficient. This sensitivity provides perspective on result impact if th AC Power Recovery 1 Assume AC power recovery at the 95 The probability of AC recovery factors percentile of the grid-related curve. directly through the change in risk.

Multiplied by factor of 3 (AC non-recovery Decreasing the probability of AC recovery modeled as lognormal distribution with reduces risk.

error factor of 3).

th AC Power Recovery 2 Assume AC power recovery at the 5 The probability of AC recovery factors percentile of the grid-related curve. directly through the change in risk.

Divided by factor of 3 (AC non-recovery Decreasing the probability of AC recovery modeled as lognormal distribution with reduces risk.

error factor of 3).

© NEI 2019. All rights reserved. nei.org, page 35

May 2019 NEI 19-02, Rev 0 Sensitivity Case Method Discussion Spurious Operation For plants that automatically trip on spurious operation of the OPIS, assume upper bound of 8E-02 based on initial operating experience data.

Spurious Operation For plants that modeled spurious operation as adverse to risk, assume no spurious can occur.

The two sensitivities below are recommended for plants where all ESF buses have potential to be impacted by a single OPC Overcurrent Success 1 Assume overcurrent protection fails and There is some risk to normally running 4kV motors are unrecoverable when OPC motors if the worst case OPC occurs and disproportionally affects phase without the overcurrent protection doesnt monitor overcurrent protection. Assume magnitude all three phases. Damage, although of current impact on monitored phases is unlikely, is possible.

below overcurrent trip setpoint. Assume all normally running loads are tripped and unrecoverable and assume operators disconnect OPC prior to any emergency bus motor starts. This does not apply to the automatic function because automatic trip timing precludes prolonged exposure to an OPC.

© NEI 2019. All rights reserved. nei.org, page 36

May 2019 NEI 19-02, Rev 0 Sensitivity Case Method Discussion Overcurrent Success 2 Assume overcurrent protection fails and There is some risk to normally running 4kV motors are unrecoverable when OPC motors if the worst case OPC occurs and disproportionally affects phase without the overcurrent protection doesnt monitor overcurrent protection. Assume magnitude all three phases. Damage, although of current impact on monitored phases is unlikely, is possible. If automatic start on below overcurrent trip setpoint. Assume all ECCS or operator attempts to start normally running loads are tripped and equipment, the potential to damage unrecoverable and assume operators miss redundant equipment is higher OPC alarm and try to start redundant safety bus motors. This does not apply to the automatic function because automatic trip timing precludes prolonged exposure to an OPC.

4.12 Results Interpretation The risk metrics quantified in this evaluation allow assessment of two impacts to the PRA. The first impact is on the base CDF and LERF itself. The second impact is the difference in risk between operating the plant with automatic OPIS function to trip the circuit breaker associated with the power supply affected by the OPC, and operating with the OPIS function to provide an alarm to cue operator manual action to trip the circuit breaker associated with the power supply affected by the OPC.

The following general conservatisms were identified during the benchmark evaluations of the difference in risk between OPIS automatic trip function mode and alarm function mode.

1. All domestic nuclear power plant OPC operating experience events used in the NRC risk evaluation are assumed applicable to all plants, and are assumed to occur in the switchyard at the most limiting location (e.g., the input to the offsite power transformer or transformers, if common physical or electrical input, that provide power to the plant emergency buses).

Including failure events where the applicable failure could not occur at a subject plant increases the change in risk between alternatives, because the difference in probability of core damage (CD) or Large Early Release (LER) given OPC is multiplied by the OPC frequency.

2. For plants that provide offsite power to buses (emergency or balance of plant) during normal operation, the OPC will propagate a phase imbalance to the bus and result in a potential plant trip via trip of equipment protective relaying or loss of equipment function, a reactor trip is assumed to occur. In some cases, operators may be able to preclude a trip by taking action to avoid the loss of systems/equipment affected by the OPC. This is conservative for plants that would not immediately trip on an OPC to the emergency buses but a delayed trip could occur due to eventual effects from the loss of a system or components. If the plant does not immediately trip and the OPIS alarms the OPC or other monitoring (switchyard inspections) detects the OPC, the plants would be in a technical specification LCO with eventual manual

© NEI 2019. All rights reserved. nei.org, page 37

May 2019 NEI 19-02, Rev 0 shutdown required unless alternative offsite power feed can be aligned. This increases the change in risk between alternatives because some OPC events will not cause automatic or manual shutdown prior to restoring Technical Specification operability.

3. The OPC condition is assumed to occur without a concurrent low-impedance ground fault; thus, no credit is taken for existing overcurrent or undervoltage relaying to detect the condition and isolate the OPC from the emergency buses. This increases the difference in risk between the alternatives because some OPC events would demand the existing (non-OPIS) protective relaying, equally reducing the frequency that either automatic trip function or alarm response is needed.
4. In manual alarm function mode, the OPC induced phase imbalance is assumed to result in trip of protective relaying for each load powered by the bus affected by the OPC (in automatic mode the OPIS is designed to actuate before other relays). For plants with protective relaying that requires manual reset (e.g., 480V AC Motor Control Center breakers with thermal overloads or motor circuit breaker overcurrent relaying that actuates a lockout relay) this increases the difference in risk between alternatives because it increases the probability of CD and LER given OPC occurrence, but only applies to the alarm mode.
5. Offsite power recovery is modeled using grid recovery data, as a surrogate for repairing the components that failed and caused the OPC. This is conservative because the grid centered curve represents widespread loss of power events that are more challenging than failure of conductors (bus bar connection, drop line, etc) in the operating experience data. This increases the difference in risk between the alternatives because the factor increases the probability of CD and LER equally for both alternatives, increasing the difference between the two.
6. FLEX strategies provide an alternative success path given loss of plant emergency AC buses. FLEX is not formally modeled in all plant PRAs; including FLEX would decrease the change in CDF and LERF between alternatives because it would decrease the overall probability of CD and LER given OPC induced station blackout, whether automatic trip function or alarm mode only is credited.

Considering HFE dependency, it would decrease the probability of CD or LER more for automatic trip function because it does not involve operator action to isolate the OPC from the plant, unless this action and actions to deploy FLEX are completely independent.

The following general non-conservatisms were identified during the benchmark evaluations of the difference in risk between OPIS automatic trip function mode and alarm function mode.

1. All plants are assumed to be in normal electrical configuration, with more than one transmission feeder aligned to the switchyard. Time spent in unusual configurations which would propagate a phase imbalance via an OPC in the transmission system is assumed to be small. This decreases the change in risk between alternatives because the OPC frequency would be higher if only a single transmission feeder were aligned to the switchyard, and the frequency is multiplied by the difference in probability of CD or LERF between the alternatives.
2. In manual alarm function mode, all electrical loads are assumed to be recoverable given actuation of protective relaying. Motor load overcurrent relaying that does not monitor current on all three phases to the motor are assumed to trip via increased current on the available two

© NEI 2019. All rights reserved. nei.org, page 38

May 2019 NEI 19-02, Rev 0 phases. This decreases the change in risk between alternatives because it decreases the probability of CD and LER given OPC occurrence with OPIS in alarm mode.

3. In alarm function mode for PWRs without physically independent offsite sources to the emergency buses, if RCP motors are affected by the same phase imbalance that propagates to the emergency buses, the protective relaying is assumed to trip the RCPs. If the phase imbalance is not sufficient to trip the RCP motors, the imbalance is implied to be insufficient to cause loss of motors associated with seal cooling. The OPIS alarm response procedure will direct trip of the RCPs, and the loss of seal-cooling alarms would provide diverse alarm/indication cues to trip the RCPs. Thus, failure to trip RCPs given OPIS alarm actuation is unlikely. This decreases the change in risk between alternatives because it decreases the probability of CD and LER given OPC occurrence with OPIS in alarm mode.

Base Risk Impact Base risk is primarily driven by the frequency of the OPC and the level of redundancy with which the OPC can be detected (the design of the OPIS) and the OPIS automatic trip function actuated (in automatic function mode). In manual alarm mode, base risk is primarily driven by the frequency of the OPC, the level of redundancy with which the OPC can be detected, and probability of operator action to isolate the OPC from the emergency buses, and recover any loads that tripped. In both modes, the plant SBO response contributes when the OPC is not isolated from the emergency buses. There is also an impact to base CDF and LERF because automatic trip function can result in a LOOP on a spurious OPIS, or the operators may trip the plant given an alarm actuation by a spurious operation of the OPIS in alarm mode, for plants that trip on a loss of offsite power to the emergency buses. Plants that do not trip automatically on a loss of offsite power to the emergency buses may eventually require manual shutdown unless the offsite power supply is re-aligned to the emergency buses or an alternate offsite power supply aligned.

Based on the results in sections 4.10 and 4.11, the change in base CDF and change in LERF results using the pilot assessments and methodology described in this document, are considered small. Small is defined as a quantitative change in CDF near 1E-06 and change in LERF near 1E-07. The application of a 1E-05 CDF ceiling and a quantitative result near 1E-06 is suggested as a risk performance measure in recognition that the existing PRA models and risk analysis methods described in this report are used to provide a measure of the change in risk that does not require detailed model development to represent the OPIS. Therefore a small difference in risk combined with the known conservative and non-conservative biases listed above is sufficient to conclude whether to enable the automatic trip function of the OPIS. The significant risk reduction from OPC events has already been addressed due to recognition of potential OPC impacts and implementation of plant changes to monitor for such events.

Response to OPC events, whether manual or automatic, requires recognition of the condition to drive the response; therefore, the risk difference is minimal and confirmed to be extremely small by virtue of applying the methodology described in this guidance. Lastly, improved mitigation of loss of AC power events due to plant or procedural changes at facilities since the event at Byron in 2012 also contribute to the absolute reduction in risk from OPC.

Change in Risk Impact Generally, the change in risk between the automatic OPIS function to trip the circuit breaker associated with the power supply affected by the OPC and the function to alarm to cue operator manual action

© NEI 2019. All rights reserved. nei.org, page 39

May 2019 NEI 19-02, Rev 0 would depend on the difference in failure probability of the OPIS in automatic mode and the difference in probability of the same OPIS hardware failing to cue an alarm plus the failure probability of the operator action to isolate the OPC and restore systems affected by the OPC that trips any protective relaying in the time the bus was exposed to the OPC. Essentially, the closer the reliability of the operator manual action gets to the reliability of the automatic function, the smaller the change in risk should become.

The difference in the probability of core damage or large early release is primarily influenced by the differences in the time the operator takes to accomplish the same action as the automatic OPIS trip.

Impact on the plant emergency bus loads depends on the time the bus loads are exposed to the unbalanced phase condition. The response of the load protective relaying is dependent on the individual load and relaying, which differs depending on the electrical design of the individual load. The known existence of an OPC, and therefore the likelihood of the overcurrent condition, may still require additional scrutiny and time before recovering a critical load.

Factors that reduce the base risk due to an OPC will reduce the change in risk between operating modes by virtue of the overall risk being low and therefore the difference between smaller numbers becoming smaller. Plants with high base risk may still be able to show acceptable change in risk if the consequences to the additional time the bus loads are exposed to the OPC are small; in effect, if the protection of loads occurs and they are easily recoverable.

Regarding spurious operation, while automatic OPIS can result in a LOOP at a plant and the operator may trip the plant in response to an OPIS alarm, the alarm mode allows for confirmation of additional indications that an OPC has occurred prior to an operator taking action to trip the plant. Based on this factor, redundant and diverse OPC cues could prevent an operator from tripping the plant on a spurious OPIS alarm, whereas the automatic OPIS does not allow for confirmation of the OPC prior to actuating a trip, so spurious operation contributes more to plants operating with automatic OPIS mode enabled.

5 CONCLUSION This document provides the guidance and framework for performing a plant-specific risk evaluation of an Open Phase Condition (OPC) at a nuclear power plant. Using the guidance, change in CDF and change in LERF results small enough (under a proposed 1E-05 CDF ceiling) to support credit for manual operator action to isolate an OPC from the plant emergency buses can be developed.

6 REFERENCES

[1] Unit 2 Loss of Normal Offsite Power and Reactor Trip and Unit 1 Loss of Normal Offsite Power Due to Failure of System Auxiliary Transformer Inverted Insulators, LER 2012-001-00 (ADAMS Accession ML12272A358), September 28, 2012

[2] ML17234A631 - Preliminary Estimate on the Impact of Open Phase Condition, May 2017.

[3] OPC VII Revision 3

[4] Byron PRA Applications Notebook, Risk Assessment - Unit 2 LOOP Event - IR 1319908, BY-MISC-010, Revision 0, April 2012.

© NEI 2019. All rights reserved. nei.org, page 40

May 2019 NEI 19-02, Rev 0

[5] NUREG/CR-6980, Volume 1, Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events: 1986-2004, December 2005.

[6] EPRI Report 1002987, Losses of Off-Site Power at U.S. Nuclear Power Plants (1990-2001), April 2002.

[7] PWR OPC Pilot Assessment

[8] BWR OPC Pilot Assessment

[9] IEEE 500-1984 - IEEE Guide To The Collection And Presentation Of Electrical, Electronic, Sensing Component, And Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations

[10] Analysis of Loss-of Offsite-Power Events 1987 - 2016, INL/EXT-17-42376 Revision 1, August 2017.

[11] NRC Memorandum from Roy K Matthew to Patrick Hiland, ADAMS Accession ML13052A711, February 2013.

[12] Draft NEI White Paper, Evaluation of Removal of the Auto Trip Function from OPC Designs August 2018.

© NEI 2019. All rights reserved. nei.org, page 41

May 2019 NEI 19-02, Rev 0 APPENDIX A - ANALYSIS FILE TEMPLATE This appendix provides a template for completing the OPC analysis. References to the main body of the guidance document are provided in brackets (e.g., [Section 4.1]).

A.1. Purpose and Scope Provide the purpose and scope of the analysis, for example:

Following the open phase condition (OPC) at Byron Unit 2 and similar events at other plants, an open phase isolation system (OPIS) has been installed at [Plant]. The OPIS has two functions, detect and alert the operators of an OPC allowing them to manually trip the offsite power (OSP) breakers to the engineered safeguards (ESF) buses, and the automatic trip of the OSP breakers if an OPC is detected.

The reliability of the operator action to manually isolate the offsite feeders may be sufficient to preclude the need to arm the automatic isolation feature of the OPIS. In addition, the automatic isolation feature may increase the likelihood of loss of offsite power (LOOP) events due to spurious automatic trips. This analysis was performed to demonstrate that the use of the alarm-only configuration of the OPIS (i.e.,

with the automatic isolation feature disabled) provides sufficient risk reduction of an OPC event. An increase in CDF of less than 1.0E-06 and an increase in LERF of less than 1.0E-07 due to an OPC is considered satisfactory.

A.2. Assumptions and Limitations Provide a list of assumptions and limitations applicable to the analysis:

x Assumptions related to OPIS reliability [Section 4.8]

x Assumptions related to OSP recovery [Section 4.9]

x Assumptions related to external events [Section 4.10]

x Assumptions related to modeling [Section 4.12].

x Additionally, any plant or PRA model-specific assumptions A.3. References Provide references used in the analysis, for example:

x OPC NEI Guidance Document and supporting references [Section 6]

x Plant electrical configuration [Section 4.4]

x OPIS configuration [Section 4.6]

x Alarm procedures [Section 4.7]

x PRA notebooks

© NEI 2019. All rights reserved. nei.org, page 42

May 2019 NEI 19-02, Rev 0 A.4. PRA Model Development A.4.1. Initiating Event Analysis [Section 4.1]

In this section, determine if an OPC can cause a plant initiating event with the OPIS operating with automatic trip function enabled, with the OPIS operating in alarm mode only, and/or if spurious operation of the OPIS occurs.

A.4.2. OPC Frequency and Probability Analysis [Section 4.2]

In this section, determine the OPC frequency and probability (i.e., select the available published estimate or determine a plant specific frequency/probability and fully describe the determination of the frequency), and the frequency of spurious operation.

A.4.3. Plant Response Analysis [Section 4.3, Section 4.5]

In this section describe the high-level response to an OPC at the plant (initiating event impact, plant response impact, whether the event would proceed like a LOOP/SBO, loss of individual bus, or simple transient. Describe how spurious OPIS actuation could impact the plant.

A.4.4. Offsite Power Configuration [Section 4.4]

Describe the offsite power configuration and how a single OPC on the electrical circuit would affect the plant emergency buses. Also describe impact the same OPC would have on the balance of plant buses, if applicable.

A.4.5. OPIS Configuration [Section 4.6]

Review and describe the OPIS, including the hardware, monitored electrical parameters, automatic trip function, alarm function, and actuation logic.

A.4.6. Human Reliability Analysis [Section 4.7]

Develop the Human Failure Events that model the operator action required to separate the OPC from the emergency buses, given actuation of the OPIS alarm. Describe the cues, procedures, and timing associated with the human failure event. Develop an action that models recovery of equipment that is running or demanded, if the equipment would trip when running or demanded during an OPC.

A.4.7. Equipment Recovery [Section 4.8]

In this section determine the probability of equipment recovery for equipment that is running or receives start demand with an OPC. With automatic function enabled, OPIS actuation relay timing may preclude a trip of running equipment. With operation in manual alarm only, consider the time operators could take to diagnose the condition and take action to remove the OPC. Determine the location the operator must perform the recovery actions.

© NEI 2019. All rights reserved. nei.org, page 43

May 2019 NEI 19-02, Rev 0 A.4.8. AC Power Recovery [Section 4.9]

In this section discuss and describe the basis for AC Power Recovery (i.e., use the PRA grid recovery, or use an alternate curve and describe the basis).

A.4.9. External Events Evaluation [Section 4.10]

Evaluate the impact of the change in risk estimates considering external events. The available operating experience data does not show external event caused OPCs, so qualitative discussion may be sufficient to support the decision. Simple calculation estimates, if presented, should be described similar to those in the guidance.

A.4.10. PRA Model Changes Document the changes made to the PRA model, including changes to the logic model, new basic events and values (OPC initiating event, post-trip probability, frequency of spurious operation, OPIS failure data, human error probabilities)

A.5. Quantification of Results and Sensitivity Analysis A.5.1. Change in Risk Results [Section 4.11]

Document the change in CDF and change in LERF risk metrics that compare the risk of operating the OPIS with automatic trip function enabled versus operating with the alarm function only.

Table 1: Results of OPC Analysis OPC and &>Z& &>Z&

Baseline OPC and Risk Metric Auto/Manual Manual - Manual -

(No OPC) Manual OPIS OPIS Baseline Automatic CDF LERF Generally, a change in CDF of less than 1.0E-06 and delta LERF of less than 1.0E-07 is considered a small change. Change in CDF and LERF that are above 1.0E-06 or 1.0E-07 may still support a decision to operate the OPIS with alarm function only provided qualitative reasons are sufficient for the plant staff desiring to operate the OPIS with alarm function only. Change in CDF or LERF below these values may be deemed unacceptable based on qualitative reasons if such reasons, such as risk of damage to a balance of plant motor, are deemed A.5.2. Sensitivity Analysis [Section 4.11]

Perform sensitivity studies to characterize the uncertainty in the OPC change in risk analysis [Section 4.11]. Sensitivity study results should be considered in concert with the base results to provide a complete risk-informed input to any decision.

A.6. Model Files Provide a list of the associated model files used and altered for the analysis.

© NEI 2019. All rights reserved. nei.org, page 44