ML062710038

From kanterella
Revision as of 13:44, 23 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Final Precursor Analysis - River Bend Station, LER-458/04-005-01, Automatic Reactor Trip Due to Loss of Non-Vital 120V Instrument Bus
ML062710038
Person / Time
Site: River Bend Entergy icon.png
Issue date: 05/16/2006
From: Demoss G
NRC/RES/DRASP/DDOERA/OEGI
To:
References
LER-04-005-01
Download: ML062710038 (36)


Text

Final Precursor Analysis Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research Automatic Reactor Trip Due to Loss of Non-Vital 120V River Bend Station Instrument Bus Event Date 12/10/2004 LER: 458/04-005-01 CCDP1 =2.7 x 10-5 May 16, 2006 Event Summary On December 10, 2004, at 1:17p.m. CST, with the unit operating at 100% power, a capacitor shorted on the static switch control board of the non-safety-related ELGAR (Model UPS-503-1-102) static inverter BYS-INV01B (See Figure 1). As a result, power was lost to 120V Instrument Bus VBN-PNL01B1 (References 1, 2). This resulted in: a loss of control power to the feedwater regulating valves, and a downshift in the speed setting for the B Reactor Recirculation pump, as well as a loss of indication to several instruments powered by the Instrument Bus. The loss of control power to the feedwater regulating valves resulted in them locking-up in place. This resulted in an overfeed condition and the additional cold water caused in increase in thermal neutron power. The lowering recirculation system flow caused the Average Power Rate Meter (APRM) power-to-flow setpoint to lower. The reactor then automatically tripped on high APRM power level.

With the main feedwater regulating valves locked-up in their full power position, excess feedwater was delivered to the reactor pressure vessel (RPV) causing a high level in the RPV.

This resulted in an automatic high RPV water level trip of the running feedwater pumps (Reference 2). In response to this, operators initiated Reactor Core Isolation Cooling (RCIC) to maintain post-trip reactor water level, which should have lowered rapidly had the feedwater regulating valves not been locked up in the 100% flow position before the feedwater pumps tripped. Immediately after RCIC was initiated, it shut down approximately 11 seconds later and the RCIC turbine steam supply valve closed as designed in response to the high RPV level trip signal. The operators then prepared to re-initiate RCIC once the high level trip cleared as the reactor continued to generate steam through the main turbine bypass valves to the main condenser. While the RCIC was idle, an alarm actuated indicating presence of water in the RCIC turbine exhaust line drain trap.

Wide range reactor water level recorders B21-R623A and B21-R623B digital indications continued to rise above the top of scale +60 inches. The indication stopped rising at +150 inches. The operators questioned further use of RCIC for water level control because they were concerned that the main steam lines might be filled with water. The main steam lines leave the RPV at approximately +95 inches. The operators discussed an operating experience event during which operators at another plant started RCIC with water in the steam line. In that 1

For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The value reported here is the mean value.

1

LER 458/04-005-01 instance, the turbine tripped on overspeed and required local action to reset the turbine trip.

Also, complicating the operators decision making process was the loss of the only valid indication of reactor water level: the upset range indicator, which was directly lost due to the loss of 120V Instrument Bus VBN-PNL01B1 and the unexpected RCIC alarms. This resulted in a situation in which there were totally contradictory level indications presented to the operators from the main control board.

As a result, when the RPV level returned on-scale on the wide range and narrow range reactor water level instruments, the operators used the High Pressure Core Spray (HPCS) for reactor water level control. This complicated the operators response to the event, since HPCS draws water from condensate storage and adds water to the suppression pool when it is not used to add water to the RPV. As a result, the operators had to start the RHR system in the suppression pool cooling to facilitate rejecting water from the suppression pool to radwaste to maintain suppression pool level below high level action points.

The 120V Instrument Bus VBN-PNL01B1 was shifted to an alternate power source by placing the UPS in the manual bypass mode (See Figure 1). The feedwater regulating system was restored to service at approximately 4:57 p.m. CST on the same day, and the HPCS was secured and returned to its normal standby configuration.

Analysis Results

! Conditional Core Damage Probability (CCDP)

This event was modeled as a general plant transient with additional failures caused by the loss of 120V Non-Vital Instrument Power. The additional failures included: loss of ability to automatically regulate feedwater flow (which caused a high RPV water level condition and led to tripping of all running feedwater pumps and the RCIC) and the loss of several RPV level indications on the main control board which complicated the operators response to the event.

The CCDP for this event was calculated as 2.7 x10-5 (point estimate). An uncertainty analysis was performed to assess the effects of parameter uncertainties. The results of the uncertainty analysis are summarized below.

CCDP 5% Mean 95%

River Bend Station 3.5 x 10-6 2.7 x 10-5 9.1 x 10-5

! Dominant Sequences Appendix A provides the event tree models used in this analysis. The actual event sequence of the December 10, 2004 event is similar to Sequence 10, shown in Figure A-1 of Appendix A. If additional system or component failures had occurred, a core damage sequence could occur.

2

LER 458/04-005-01 There is one dominant accident sequence (See Table 1) which accounts for 99% of the total CCDP. All other accident sequences account for less than 1% of the total CCDP.

The dominant sequence involves a transient shutdown followed by the failure of all high pressure makeup systems (main feedwater, HPCS, RCIC), and then a failure to manually depressurize the RPV and go on to low pressure makeup systems.

! Results Tables S The conditional probabilities for the dominant sequences are shown in Table 1.

S The event tree sequence logic for the dominant sequences are presented in Table 2a.

S Table 2b defines the nomenclature used in Table 2a.

S The most important cut sets for the dominant sequences are listed in Table 3a and 3b.

S Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions

! Analysis Type The event was analyzed as an event analysis using the River Bend SPAR Model Revision 3.12 (Reference 3). Revision 3.12 is an updated SPAR model prepared by INEL in response to a request to separate the feedwater and main condenser functions in the event tree model.

! Unique Design Features River Bend is a General Electric BWR-6, with a Mark III containment. It differs in design from Grand Gulf in the following areas: (a) the main feedwater pumps are electric motor driven pumps which can provide makeup to the RPV without a supply of steam, and (b) there is no capability for containment venting as a means of decay heat removal.

! Modeling Assumptions Summary Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.

  • Loss of 120V Instrument Bus VBN-PNL01B1 resulted in an event which can be simulated as a general transient event, requiring reactor trip, continued RPV makeup to match boil-off, and pressure control/decay heat removal.

In order to properly simulate the event sequence, basic event IE-TRANS is set TRUE, and all other initiating events are set FALSE.

  • Loss of 120V Instrument Bus VBN-PNL01B1 locked-up the feedwater regulating valves in the 100% power position resulting in a high RPV water level trip of all feedwater pumps immediately following the reactor trip.

3

LER 458/04-005-01 This was simulated by adding basic event FWLCS-OVERFILL (set to TRUE) to the main feedwater and RCIC fault tree models as described in Figure B-1 of Appendix B.

  • In the event that all other makeup sources were unavailable, emergency RPV makeup could be provided by restarting one of the electric motor driven feedwater pumps and cycling them on/off as needed to maintain water level. This is modeled by incorporation of a base event for non-recovery of the feedwater system: MFW-XHE-RESTART as shown in Figure B-1 of Appendix B.
  • The RCIC system, initially started by the operators to control post-trip RPV water level, automatically tripped after 11 seconds due to high RPV water level and operators did not restart it out of concerns of water in the steam lines. This was simulated by adding basic event FWLCS-OVERFILL (set to TRUE) to the RCIC fault tree model as described in Figure B-2 of Appendix B.
  • Operators were concerned about the possibility of water in the RCIC steam line and were focused on avoiding damage to the RCIC steam turbine due to water induction. Because of this: after the RCIC tripped there was no intent to attempt restarting the RCIC. Operators were initially confused in their response to the event due to the trip of the feedwater pumps and RCIC pump on high level, the offscale high RPV water on the narrow and wide range level indicators and the offscale low RPV water level on the upset range level indicators. The additional alarm registered for water in the RCIC turbine exhaust moisture trap would only serve to increase concerns about water induction.

Because of this, recovery of RCIC is not considered in the analysis.

  • The High Pressure Core Spray (HPCS) was manually started to maintain post-trip RPV water level. In the event operators failed to start HPCS as RPV water levels trended lower, the HPCS would automatically start on low RPV level based on one out of two taken twice coincidence logic (Section 6.3.2.2.1, Reference 4). The HPCS auto-start logic is not modeled in the current SPAR model but its operation is critical in a situation where operators are confused about actual RPV water levels. Because specific details on the design of the logic are not presented in the updated FSAR (Reference 4) an assumption is made that the logic has a failure probability of no worse than 1E-3. This is modeled by incorporation of basic event HPCS-LOGIC-FAILURE into the HPCS fault tree as is shown in Figure B-3 of Appendix B. Sensitivity studies were performed on the effects of alternate basic event probabilities and the 1E-3 failure probability is judged to be reasonable for periodically tested safety-grade instrumentation.
  • Throughout the event, RPV pressure control/decay heat removal was provided by steam bypass to the main condenser. (Reference 1,2) Because of this, there were no actual challenges to the safety/relief valves (SRVs). Had 4

LER 458/04-005-01 RPV water level trends resulted in MSIV operation, the SRVs would have cycled and discharged steam to the suppression pool. The operators when they started HPCS additionally started suppression pool cooling (RHR) as a precaution -

although it was not necessary.

  • Fault Tree Modifications The following basic events were added to the SPAR model:
  • Basic Event FWLCS-OVERFILL was added to both the main feedwater fault tree (Figure B-1 of Appendix B) and RCIC fault tree (Figure B-2 of Appendix B) to simulate the effects of the locked-up feedwater regulating valves which caused the tripping of both the main feedwater pumps and the RCIC on high RPV level.
  • Basic Event MFW-XHE-RESTART was added to the main feedwater fault tree (Figure B-1 of Appendix B) to simulate the possibility of operators manually restarting a feedwater pump to provide emergency RPV makeup. This basic event is subsequently replaced via Sequence Cutset Recovery Rules described in Appendix C.
  • The failure of RPV water level functional recovery is modeled as a single basic event: RPV-XHE-LEVEL. RPV water level recovery can be accomplished by either restarting a motor driven feedwater pump, starting HPCS, or by manually depressurizing the RPV and injecting water from either: the condensate pumps, the low presure core spray pumps (LPCS), or the low pressure coolant injection (LPCI or RHR) pumps. The probability of operators failing RPV functional water level recovery is treated by sequence cutset recovery rules documented in Appendix C. The probability of basic event RPV-XHE-LEVEL is developed in the Human Reliability in Appendix D.
  • Basic Event HPCS-LOGIC-FAILURE was added to the HPCS fault tree (Figure B-3 of Appendix B) to simulate the automatic start capability of the HPCS given sensed one of two - taken twice - low RPV level signals. The base case SPAR Model (Reference 3), as a simplification does not model the automatic start capability of HPCS. In many cases this capability is not significant to understanding the risk of operating events. For situations where both feedwater and RCIC have tripped due to high level trips and the level instrumentation is providing contradictory indications to operators, the automatics start capability of HPCS must be incorporated into the assessment in order to properly characterize the risk.

! Basic Event Probability Changes Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. IE-TRANS is set TRUE, and all other initiating events 5

LER 458/04-005-01 are set FALSE. No other changes were made to Base Case SPAR basic event probabilities.

! SPAR Model Corrections The base case River Bend SPAR model Revision 3.11 was based upon a simplification that feedwater and main condenser are treated as one event tree decision node and that the failure of either system fails both. This simplification does not properly represent actual BWR emergency operating procedures in which feedwater can be used for makeup despite loss of the main condenser, or the use of RCIC or HPCS as a makeup source when the feedwater system has failed and the main condenser is being used for decay heat removal/RPV pressure control. INEL personnel were contacted to make a modification to the general plant transient event tree. This resulted in River Bend SPAR Model 3.12 (Reference 3).

! Sensitivity Analyses Sensitivity analyses were performed to determine the effects of data and modeling uncertainties on the CCDP point estimate result which is treated as the base case. To assess data uncertainties, an Importance Analysis using Fussel-Vesely and Risk Increase Ratio importance measures was conducted to identify the most sensitive parameters. The Fussel-Vesely importance measure ranks basic events according to the weight of the cutsets in which they appear. The Risk Increase Ratio Importance identifies those parameters which if they vary from the current value to 1.0 (failed) cause the largest increase in CCDP. This analysis identified that the CCDP is particularly sensitive to the following basic events:

HPCS-LOGIC-FAILURE HPCS actuation logic failure 1.0E-003 RPV-XHE-LEVEL Failure of Operators to restore RPV level 2.5E-003 HCS-MDP-TM-TRAIN HPCS Pump test/maintenance unavailability 7.0E-003 HCS-MDP-FS-HPCS HPCS Pump fails to start 1.5E-003 The HPCS logic failure probability (1.0E-3) is recognized as a modeling assumption used in lieu of creating a detailed fault tree model. The documentation on the logic design for River Bend Station is not available to support such model development. To evaluate the effects of this modeling assumption, a parametric study bound the entire range of possible failure probabilities (e.g., 0.0 - 1.0) was performed. The results of this sensitivity study are shown graphically in Figure 2. Figure 2 shows that as the failure probability of the logic becomes less than 1E-3, it has no effect on the results. This is because for values smaller than this, other faults dominate the overall failure probability of HPCS (e.g., failure to start, test/maintenance unavailability, and failure to run, etc.). The likelihood that the actual HPCS logic failure probability is larger than the assumed value (e.g., 1.0E-3) is considered remote because of the following considerations:

the logic is safety grade, one out of two taken twice redundant, and is subject to periodic surveillance and technical specification operability requirements.

The other base events failure probabilities are developed in the SPAR model documentation (Reference 3) or in the Human Reliability Assessment in Appendix D based on the SPAR-H 6

LER 458/04-005-01 Process. The following table provides the results of the parameter sensitivity analyses and how the resultant CCDP changed from the base case value of 5.4 x 10-6 as a result of single parameter changes. In all cases, the base case values were increased by a factor of x 5.0 which is considered to be a maximum upper bound value.

Sensitivity Modification CCDP1 Study 1 RPV-XHE-LEVEL (Failure of Operators to restore 2.6 x 10-4 RPV level) failure probability increased by x 5.0 2 HCS-MDP-TM-TRAIN (HPCS Pump test/maintenance unavailability) unavailability 1.2 x 10-4 increased by x 5.0 3 HCS-MDP-FS-HPCS (HPCS Pump fails to start) 6.9 x 10-5 failure probability increased by x 5.0 Note 1: CCDP sensitivity study calculations are based on point estimate values.

The conclusion from these sensitivity studies is that relatively large changes in the most sensitive base event probability values results in effects that are within the 90% bounds.

7

LER 458/04-005-01 References

1. David N. Norfing (Entergy), Unplanned Automatic SCRAM Due to Loss of Non-Vital 120V Instrument Bus, LER 458/04-005-01, issued June 22,2005, ML051790232.
2. David N. Graves (USNRC) to Paul D. Hinnenkamp (Entergy), River Bend Station - NRC Integrated Inspection Report 05000458/2004005, issued February 14, 2005, ML050450486.
3. Robert Buell and John Schroeder (INEL), Standardized Plant Analysis Risk Model for River Bend (ASP BWR C) Revision 3.12, issued August 24, 2005.
4. Entergy,River Bend Station Updated Safety Analysis Report, Revision 17, issued August 27, 2000.

8

LER 458/04-005-01 Figure 1. River Bend Station 120V Non-Vital Instrument Bus 9

LER 458/04-005-01 Figure 2. Results of CCDP Sensitivity Study on HPCS Logic Failure Probability 10

LER 458/04-005-01 Table 1. Conditional core damage probabilities of dominating sequences.

Event tree Sequence no. CCDP1 Contribution name TRAN 56 2.7 x 10-5 99%

Total (all sequences)2 2.7 x 10-5 100%

1. Values are point estimates.
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for dominant sequence.

Event tree Sequence Logic name no. (/ denotes success; see Table 2b for top event names)

TRAN 56 /RPS /SRV MFW HCS RCI DEP Table 2b. Definitions of top events listed in Table 2a.

Top Event Definition RPS REACTOR SHUTDOWN FAILS SRV ONE OR MORE SRVS FAIL TO CLOSE HCS HPCS FAILS TO PROVIDE SUFFICIENT FLOW TO RX VESSEL MFW MAIN FEEDWATER RCI REACTOR CORE ISOLATION COOLING DEP MANUAL DEPRESSURIZATION FAILS 11

LER 458/04-005-01 Table 3a. Conditional cut sets for the dominant sequences.

Percent CCDP Minimum Cut Sets (of basic events)

Contribution Event Tree: TRAN Sequence 56 1.8E-005 65.03 HCS-MDP-TM-TRAIN RPV-XHE-LEVEL 3.8E-006 13.94 HCS-MDP-FS-HPCS RPV-XHE-LEVEL 2.5E-006 9.29 HCS-MOV-CC-INJEC RPV-XHE-LEVEL 1.5E-006 5.57 HCS-MOV-FT-SUCTR RPV-XHE-LEVEL 1.3E-006 4.78 HCS-MDP-FR-HPCS RPV-XHE-LEVEL 2.7 x 10-5 99% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

Table 4. Definitions and probabilities for modified and dominant basic events.

Event Name Description Probability/Frequency Modified (per year)

HCS-MDP-FR-HPCS HPCS PUMP FAILS TO RUN 5.2E-004 HCS-MDP-FS-HPCS HPCS PUMP FAILS TO START 1.5E-003 HCS-MDP-TM-TRAIN HPCS IS UNAVAILABLE BECAUSE OF 7.0E-003 MAINTENANCE HCS-MOV-CC-INJEC HPCS INJECTION VALVE FAILS TO OPEN 1.0E-003 HCS-MOV-FT-SUCTR HPCS SUCTION TRANSFER FAILS 6.0E-004 HCS-XHE-XM-RCOOL OPERATOR FAILS TO ESTABLISH ROOM 1.0E-003 COOLING WITH HPCS-LOGIC-FAILURE FAILURE OF HPCS 1/2 TAKEN TWICE 1.0E-003 YES(1)

AUTOSTART LOG IE-IORV INADVERTENT/STUCK OPEN RELI 1.5E-002 +0.0E+000 FALSE YES IE-ISL-RHR ISLOCA IE 2-MOV RHR interfac 1.4E-007 +0.0E+000 FALSE YES IE-LLOCA LARGE LOCA 3.0E-005 +0.0E+000 FALSE YES IE-LOCHS LOSS OF CONDENSER HEAT SINK 2.0E-001 +0.0E+000 FALSE YES 12

LER 458/04-005-01 Event Name Description Probability/Frequency Modified (per year)

IE-LOIA LOSS OF INSTRUMENT AIR 6.0E-003 +0.0E+000 FALSE YES IE-LOMFW LOSS OF FEEDWATER 1.0E-001 +0.0E+000 FALSE YES IE-LOOP LOSS OF OFFSITE POWER 0 FALSE YES IE-MLOCA MEDIUM LOCA 4.0E-005 +0.0E+000 FALSE YES IE-SLOCA SMALL LOCA 4.0E-004 +0.0E+000 FALSE YES IE-TDCB LOSS OF VITAL DC BUS 2.5E-003 +0.0E+000 FALSE YES IE-TMVB LOSS OF VITAL MEDIUM VOLTAGE 4.0E-002 +0.0E+000 FALSE YES IE-TRANS GENERAL PLANT TRANSIENT 8.0E-001 1.0E+000 TRUE YES IE-TSWS LOSS OF SERVICE WATER 4.0E-004 +0.0E+000 FALSE IE-XLOCA EXCESSIVE LOCA (VESSEL RUPTU 1.0E-007 +0.0E+000 FALSE RPV-XHE-LEVEL OPERATORS FAIL TO CONTROL RPV LEVEL (2)

NOTES:

1. Value is a conservative estimate of HPCS logic performance
2. Value is based on Human Reliability Analysis - See Appendix D.

13

LER 458/04-005-01 Appendix A Event Tree Models Showing Dominant Sequences

LER 458/04-005-01 Figure A-1. Transient Event Tree Showing Dominant Sequence 15

LER 458/04-005-01 Appendix B Fault Tree Models Showing Changes

LER 458/04-005-01 Figure B-1. Feedwater Fault Tree Showing Modifications 17

LER 458/04-005-01 Figure B-2. RCIC Fault Tree Showing Modifications 18

LER 458/04-005-01 Figure B-3. HPCS Fault Tree Showing Modifications 19

LER 458/04-005-01 Appendix C Modifications to SPAR Sequence Cutset Recovery Rules

LER 458/04-005-01 l

l TECH SPEC SECTION ----------------------------------------------------

l l The following rule removes maintenance combinations prohibited by Tech Specs. The logic l was generated using the ME-TECHSPECS fault tree. Cutset removal using the rules here is l much faster than using ME-TECHSPECS as a mutually exclusive top event.

l if (SSW-MDP-TM-TRND

  • SSW-MDP-TM-TRNA +

SSW-MDP-TM-TRND

  • SSW-MDP-TM-TRNB +

SSW-MDP-TM-TRNA

  • SSW-MDP-TM-TRNB +

SSW-MDP-TM-TRND

  • SSW-MDP-TM-TRNC +

SSW-MDP-TM-TRNA

  • SSW-MDP-TM-TRNC +

SSW-MDP-TM-TRNB

  • SSW-MDP-TM-TRNC +

LCS-MDP-TM-TRAIN

  • SSW-MDP-TM-TRNC +

SSW-MDP-TM-TRNA

  • RHR-MDP-TM-TRNB
  • RHR-MDP-TM-TRNC +

SSW-MDP-TM-TRNA

  • EPS-DGN-TM-DGB +

SSW-MDP-TM-TRNC

  • RHR-MDP-TM-TRNB
  • RHR-MDP-TM-TRNC +

SSW-MDP-TM-TRNC

  • EPS-DGN-TM-DGB +

SSW-MDP-TM-TRND

  • RHR-MDP-TM-TRNA +

SSW-MDP-TM-TRNB

  • RHR-MDP-TM-TRNA +

RHR-MDP-TM-TRNA

  • RHR-MDP-TM-TRNB
  • RHR-MDP-TM-TRNC +

RHR-MDP-TM-TRNA

  • EPS-DGN-TM-DGB +

SSW-MDP-TM-TRND

  • EPS-DGN-TM-DGA +

SSW-MDP-TM-TRNB

  • EPS-DGN-TM-DGA +

RHR-MDP-TM-TRNB

  • RHR-MDP-TM-TRNC
  • EPS-DGN-TM-DGA +

EPS-DGN-TM-DGA

  • EPS-DGN-TM-DGB +

LCS-MDP-TM-TRAIN

  • SSW-MDP-TM-TRNA
  • RHR-MDP-TM-TRNB +

LCS-MDP-TM-TRAIN

  • RHR-MDP-TM-TRNA
  • RHR-MDP-TM-TRNB +

LCS-MDP-TM-TRAIN

  • RHR-MDP-TM-TRNB
  • EPS-DGN-TM-DGA +

LCS-MDP-TM-TRAIN

  • SSW-MDP-TM-TRNA
  • RHR-MDP-TM-TRNC +

LCS-MDP-TM-TRAIN

  • RHR-MDP-TM-TRNA
  • RHR-MDP-TM-TRNC +

LCS-MDP-TM-TRAIN

  • RHR-MDP-TM-TRNC
  • EPS-DGN-TM-DGA +

SSW-MDP-TM-TRND

  • LCS-MDP-TM-TRAIN +

LCS-MDP-TM-TRAIN

  • SSW-MDP-TM-TRNB +

LCS-MDP-TM-TRAIN

  • RHR-MDP-TM-TRNB
  • RHR-MDP-TM-TRNC +

LCS-MDP-TM-TRAIN

  • EPS-DGN-TM-DGB +

RCI-TDP-TM-TRAIN

  • SSW-MDP-TM-TRNC +

CCS-ACX-TM-FANA

  • CCS-ACX-TM-FANB +

CCS-ACX-TM-FANA

  • CCS-ACX-TM-FANC +

CCS-ACX-TM-FANB

  • CCS-ACX-TM-FANC +

FWS-EDP-TM-TRNA

  • FWS-EDP-TM-TRNB +

SLC-MDP-TM-TRNA

  • SLC-MDP-TM-TRNB +

SLC-EPV-TM-TRNA

  • SLC-EPV-TM-TRNB +

LCS-MDP-TM-TRAIN

  • EPS-DGN-TM-DGC +

LCS-MDP-TM-TRAIN

  • HCS-MDP-TM-TRAIN +

RCI-TDP-TM-TRAIN

  • EPS-DGN-TM-DGC +

21

LER 458/04-005-01 RCI-TDP-TM-TRAIN

  • HCS-MDP-TM-TRAIN ) then DeleteRoot; endif l

l HEP DEPENDENCY RULES SECTION -----------------------------------------

l l

l High Pressure Injection l

zRCI = RCI-XHE-XO-ERROR; zHCS = HCS-XHE-XO-ERROR; if zRCI

  • zHCS then DeleteEvent = HCS-XHE-XO-ERROR; AddEvent = HCS-XHE-XO-ERROR1; endif l

l Early Low-Pressure Injection l

zCDS = CDS-XHE-XO-ERROR; zVA = OPR-XHE-XM-ALPI; if zCDS

  • zVA then DeleteEvent = OPR-XHE-XM-ALPI; AddEvent = OPR-XHE-XM-ALPI4; endif l

l Residual Heat Removal/Venting l

l No dependent event substitutions required.

l l Late Low-Pressure Injection l

zCRD = CRD-XHE-XM-VLVS + CRD-XHE-XM-PUMP; zVA1 = OPR-XHE-XM-ALPI1; zVA2 = OPR-XHE-XM-ALPI2; 22

LER 458/04-005-01 if zCRD

  • zVA1 then DeleteEvent = OPR-XHE-XM-ALPI1; AddEvent = OPR-XHE-XM-ALPI5; elsif zCRD
  • zVA2 then DeleteEvent = OPR-XHE-XM-ALPI2; AddEvent = OPR-XHE-XM-ALPI6; elsif zCDS
  • zVA2 then DeleteEvent = OPR-XHE-XM-ALPI2; AddEvent = OPR-XHE-XM-ALPI7; endif 23

LER 458/04-005-01 Appendix D Human Reliability Analysis

LER 458/04-005-01 HRA Worksheets for At-Power SPAR HUMAN ERROR WORKSHEET Plant: River Bend Initiating Event: IE-TRANS Basic Event: RPV-XHE-LEVEL Event Coder: ______John Bickel___________________

Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using some combination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI, or condensate pumps Basic Event

Description:

Failure to Restore, Maintain post-trip RPV water level Does this task contain a significant amount of diagnosis activity? YES T (start with Part I -

Diagnosis) NO ~ (skip Part I - Diagnosis; start with Part II - Action) Why?

PART I. EVALUATE EACH PSF FOR DIAGNOSIS A. Evaluate PSFs for the Diagnosis Portion of the Task, if any.

Reviewer:____________________

LER 458/04-005-01 Please note specific reasons for Multiplier for PSFs PSF Levels PSF level selection in this Diagnosis column.

Available Inadequate time P(failure) = 1.0 ~ From a condition of high RPV Time water level, there is substantial Barely adequate time (.2/3 x nominal) 10 ~ additional time for the operators to make a decision on restoring Nominal time 1 ~ water level and selecting the pumps to accomplish the intent of Extra time (between 1 and 2 x nominal and > the procedures.

than 30 min) 0.1 T Expansive time (> 2 x nominal and > 30 min) 0.01 ~

Insufficient information 1 ~

Stress/ Extreme 5 ~

Stressors High 2 ~

Nominal 1 T Insufficient Information 1 ~

Complexity Highly complex 5 ~

Moderately complex 2 ~

Nominal 1 T Obvious diagnosis 0.1 ~

Insufficient information 1 ~

Experience/ Low 10 ~ Operators routinely drill on RPV Training level restoration procedure in Nominal 1 ~ simulator training High 0.5 T Insufficient information 1 ~

Procedures Not available 50 ~ RPV level restoration procedure is based on BWROG emergency Incomplete 20 ~ procedure guidelines which are symptom oriented.

Available, but poor 5 ~

Nominal 1 ~

Diagnostic/symptom oriented 0.5 T Insufficient information 1 ~

Reviewer:____________________

LER 458/04-005-01 Please note specific reasons for Multiplier for PSFs PSF Levels PSF level selection in this Diagnosis column.

Ergonomics/ Missing/Misleading 50 ~ The combination of off-scale high HMI RPV level readings with failed Poor off-scale low RPV level readings 10 T caused by the 120V instrument bus loss contributed to some Nominal 1 ~

confusion but operators went ahead with use of HPCS to Good 0.5 ~

maintain RPV level based upon symptoms.

Insufficient Information 1 ~

Fitness for Unfit P(failure) = 1.0 ~

Duty Degraded Fitness 5 ~

Nominal 1 T Insufficient information 1 ~

Work Poor 2 ~

Processes Nominal 1 T Good 0.8 ~

Insufficient information 1 ~

Reviewer:____________________

LER 458/04-005-01 Plant: River Bend Initiating Event: IE-TRANS Basic Event: RPV-XHE-LEVEL Event Coder:

Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using some combination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI, or condensate pumps Basic Event

Description:

Failure to Restore, Maintain post-trip RPV water level B. Calculate the Diagnosis Failure Probability.

(1) If all PSF ratings are nominal, then the Diagnosis Failure Probability = 1.0E-2 (2) Otherwise, the Diagnosis Failure Probability is: 1.0E-2 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Diagnosis: 1.0E-2 x 0.1_ x _1.0_ x 1.0_ x _0.5_ x 0.5_ x 10_ x 1.0 x 1.0_ = 2.5E-3 C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.

When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-2 for Diagnosis. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:

NHEP. PSF HEP =

composite NHEP.( PSF composite 1) + 1 Diagnosis HEP with Adjustment Factor = N/A D. Record Final Diagnosis HEP.

If no adjustment factor was applied, record the value from Part B as your final diagnosis HEP.

If an adjustment factor was applied, record the value from Part C.

Final Diagnosis HEP = 1.25E-2 Reviewer:____________________

LER 458/04-005-01 Plant: River Bend Initiating Event: IE-TRANS Basic Event: RPV-XHE-LEVEL Event Coder: John Bickel Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using some combination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI, or condensate pumps Basic Event

Description:

Failure to Restore, Maintain post-trip RPV water level PART II. EVALUATE EACH PSF FOR ACTION A. Evaluate PSFs for the Action Portion of the Task, if any.

Please note specific reasons for Multiplier for PSFs PSF Levels PSF level selection in this Diagnosis column.

Available Inadequate time P(failure) = 1.0 ~ The required actions: starting Time HPCS, a feedwater pump, Time available is . the time required 10 ~ depressurizing and starting LPCS or LPCI are relatively simple and Nominal time 1 ~ quick to undertake once a decision has been reached to do Time available > 5x the time required 0.1 ~ so.

Time available is > 50x the time required 0.01 T Insufficient information 1 ~

Stress/ Extreme 5 ~

Stressors High 2 ~

Nominal 1 T Insufficient Information 1 ~

Complexity Highly complex 5 ~

Moderately complex 2 ~

Nominal 1 T Insufficient information 1 ~

Experience/ Low 3 ~ Operators regularly drill on RPV Training level restoration post-trip.

Nominal 1 ~

High 0.5 T Insufficient information 1 ~

Reviewer:____________________

LER 458/04-005-01 Please note specific reasons for Multiplier for PSFs PSF Levels PSF level selection in this Diagnosis column.

Procedures Not available 50 ~

Incomplete 20 ~

Available, but poor 5 ~

Nominal 1 T Insufficient information 1 ~

Ergonomics/ Missing/Misleading 50 ~

HMI Poor 10 ~

Nominal 1 T Good 0.5 ~

Insufficient Information 1 ~

Fitness for Unfit P(failure) = 1.0 ~

Duty Degraded Fitness 5 ~

Nominal 1 T Insufficient information 1 ~

Work Poor 5 ~

Processes Nominal 1 T Good 0.5 ~

Insufficient information 1 ~

Reviewer:____________________

LER 458/04-005-01 Plant: River Bend Initiating Event: IE-TRANS Basic Event: RPV-XHE-LEVEL Event Coder:

Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using some combination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI, or condensate pumps Basic Event

Description:

Failure to Restore, Maintain post-trip RPV water level B. Calculate the Action Failure Probability.

(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3 (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes Action: 1.0E-3 x 0.01 x 1.0_ x 1.0 x 0.5_ x 1.0_ x 1.0 x 1.0 x _1.0_ = 5.0E-6 C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.

When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:

NHEP. PSF composite HEP =

NHEP.( PSF composite 1) + 1 N/A Action HEP with Adjustment Factor =

D. Record Final Action HEP.

If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.

Final Action HEP = 5.0E-6 Reviewer:____________________

LER 458/04-005-01 Plant: River Bend Initiating Event: IE-TRANS Basic Event: RPV-XHE-LEVEL Event Coder:

Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using some combination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI, or condensate pumps Basic Event

Description:

Failure to Restore, Maintain post-trip RPV water level PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)

Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.

2.5E-3 Pw/od = Diagnosis HEP 2.5E-3 + Action HEP 5.0E-6_ =

Part IV. DEPENDENCY For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).

If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

Reviewer:____________________

LER 458/04-005-01 Condition Crew Time (close Location Cues Dependency Number of Human Action Failures Rule Number (same or in time or (same or (additional or ~ - Not Applicable.

different) not close in different) no Why?

time) additional) 1 s c s na complete When considering recovery in a series e.g., 2nd, 3rd, or 4th checker 2 a complete If this error is the 3rd error in the 3 d na high sequence, then the dependency is at lease moderate.

4 a high If this error is the 4th error in the 5 nc s na high sequence, then the dependency is at least high.

6 a moderate 7 d na moderate 8 a low 9 d c s na moderate 10 a moderate 11 d na moderate 12 a moderate 13 nc s na low 14 a low 15 d na low 16 a low 17 zero Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):

For Complete Dependence the probability failure is 1.

For High Dependence the probability of failure is (1+ Pw/od/2)

For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7 For Low Dependence the probability of failure is (1+19 x Pw/od)/20 For Zero Dependence the probability of failure is Pw/od Calculate Pw/d using the appropriate values:

Pw/d = (1 + ( * ))/ =