ML050960263

Final Precursor Analysis - Perry Grid Loop
Site: Perry (FirstEnergy)
Issue date: 12/17/2004
From: Christopher Hunter, NRC/RES/DRAA/OERAB
Shared package: ML060030075
References: LER 03-002

Enclosure

Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research

Perry
Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout

Event Date: 8/14/2003
LER: 440/03-002
CCDP¹ = 3x10^-5

December 17, 2004

Event Summary

At 1610 hours on August 14, 2003, Perry experienced a disturbance on the electrical grid and a subsequent main generator trip followed by a turbine trip and a reactor trip while operating at 100% power. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events (Refs. 1 and 2).

Cause. The reactor trip and loss of offsite power (LOOP) were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Other conditions, failures, and unavailable equipment. Residual heat removal (RHR) train A was inoperable for approximately 6 hours because of air binding in the keep-fill system pump. The low-pressure core spray (LCS) system was also affected by the air binding in the keep-fill system pump, but the LCS system was recoverable from the start of the LOOP (Refs. 3 and 4).

Approximately 3 hours into the event, the reactor core isolation cooling (RCIC) turbine-driven pump was manually secured to prevent an automatic shutdown on high steam tunnel temperature. The steam tunnel temperature was caused by a loss of ventilation.

The Division 1 EDG tripped on reverse power while being removed from service. This had no effect on the conditional core damage probability (CCDP) for this event; it will be analyzed as a separate Accident Sequence Precursor (ASP) analysis.

Recovery opportunities. Offsite power was first available at 1737 hours when one transmission yard breaker was closed. Offsite power was restored to the Division 1 emergency bus at 1813 hours on August 14, to the Division 3 emergency bus at 1214 hours on August 15, and to the Division 2 emergency bus at 1548 hours on August 15.

¹ For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The value reported here is the mean.

LER 440/03-002

Analysis Results

• Conditional Core Damage Probability (CCDP)

The CCDP for this event is 3x10^-5. The acceptance threshold for the ASP Program is a CCDP of 1x10^-6. This event is a precursor.

                Mean      5%        95%
Best estimate   3x10^-5   1x10^-6   1x10^-4

• Dominant Sequences

The dominant core damage sequences for this assessment are LOOP sequence 30 (44.4% of the total CCDP) and LOOP sequence 21 (30.7% of the total CCDP). The LOOP event tree is shown in Figure 1.

The events and important component failures in LOOP Sequence 30 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is available,
- safety relief valves (SRVs) reclose after opening,
- high-pressure core spray (HPCS) fails,
- reactor core isolation cooling (RCIC) fails,
- manual depressurization succeeds, and
- low pressure injection fails.

The events and important component failures in LOOP Sequence 21 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is available,
- SRVs reclose after opening,
- HPCS fails,
- RCIC succeeds,
- suppression pool cooling (SPC) fails,
- manual depressurization succeeds,
- low pressure injection fails, and
- alternate low pressure injection fails.

• Results Tables

- The CCDP values for the dominant sequences are shown in Table 1.
- The event tree sequence logic for the dominant sequences is presented in Table 2a.
- Table 2b defines the nomenclature used in Table 2a.
- The most important cut sets for the dominant sequences are listed in Table 3.
- Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that are important to the CCDP result.

Modeling Assumptions

• Assessment Summary

This event was modeled as a LOOP initiating event. Rev. 3.10 (SAPHIRE 7) of the Perry SPAR model (Ref. 5) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.

RHR Train A, LCS, and RCIC were inoperable at various times during the LOOP. Since this event involves a LOOP of significant duration, probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best Estimate: Offsite power was available in the switchyard approximately 90 minutes after the LOOP. The first safety bus was returned to offsite power at 1813 (2 hours after the LOOP). Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes are necessary to restore power to an emergency bus given that offsite power is available in the switchyard. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 6). Assumptions described below, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.

• Important Assumptions

Important assumptions regarding power recovery modeling include the following:

- No opportunity for the recovery of offsite power to safety-related loads is considered for any time prior to power being available in the switchyard.
- At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.
- SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power was restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a procedure for analysis of LOOP events in the ASP Program. Attachment C is a description of the approach to estimating offsite power recovery probabilities.

• Event Tree and Fault Tree Modifications

Train A of RHR (RHR-A) was inoperable for the first 6 hours of the event because of air binding in the keep-fill system pump. After 6 hours, RHR-A was operable. Failure of the keep-fill system is not modeled in the RHR-A fault tree of the base SPAR model; therefore, the RHR-A fault tree was updated to include this failure mode. The updated RHR-A fault tree is shown in Figure 2. For this analysis, the recovery of train A of RHR was credited for long-term LOOP sequences. The following project rules were created to apply the recovery to long-term LOOP sequences:

    if INIT(IE-LOOP) * system(CVS) * RHR-A-KEEP-FILL then
        DeleteEvent = RHR-A-KEEP-FILL;
        AddEvent = RHR-A-KEEP-FILL-REC;
    elsif INIT(IE-LOOP) * RHR-A-KEEP-FILL then
        DeleteEvent = RHR-A-KEEP-FILL;
        AddEvent = RHR-A-KEEP-FILL-REC;
    endif

Additionally, the LCS pump train was affected by the failure of the keep-fill system; however, the LCS pump train was immediately recoverable. Like RHR-A, failure of the keep-fill system is not modeled in the LCS fault tree of the base SPAR model; therefore, the LCS fault tree was updated to include this failure mode. The updated LCS fault tree is shown in Figure 3. The three basic events involved in these two changes are included in the basic event probability changes section.

• Basic Event Probability Changes

Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

- LCS pump train is unavailable because of keep-fill system failure (LCS-KEEP-FILL). This event represents the failure of the LCS pump train due to the keep-fill system failures. Since the LCS pump train was immediately recoverable, recovery of the system was credited. Using the SPAR human error model to determine the value (see Attachment D), LCS-KEEP-FILL was set to 2.1x10^-1. This is assumed to be the mean of a constrained noninformative distribution.

- Probability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 30 minutes and OEP-XHE-XL-NR30M was set to TRUE.

- Probability of failure to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour and OEP-XHE-XL-NR01H was set to TRUE.

- Probability of failure to recover offsite power in 3 hours (OEP-XHE-XL-NR03H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 1.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR03H was set to 1.0x10^-2.

- Probability of failure to recover offsite power in 7 hours (OEP-XHE-XL-NR07H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 6.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR07H was set to 1.0x10^-3.

- Probability of failure to recover offsite power in 16 hours (OEP-XHE-XL-NR16H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 14.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR16H was set to 1.0x10^-3.

- Probability that restart of RCI is required (RCI-RESTART). During the event, RCI and HPCS automatically started to provide flow to the reactor vessel. Upon reaching level 8 in the reactor, both systems were isolated. RCIC was later used to provide makeup inventory to the reactor. Since RCI restart occurred, RCI-RESTART was set to TRUE.

- Probability of RCI TDP failing to run (RCI-TDP-FR-TRAIN). Approximately 5 hours into the event, the RCIC turbine-driven pump was automatically isolated because of high steam tunnel temperature due to a loss of ventilation. Therefore, RCI-TDP-FR-TRAIN was set to TRUE.

- Probability of operator failing to recover failure of RCI to run (RCI-XHE-XL-RUN). This event represents the probability that an operator fails to recover the failure of the RCI TDP to run. During this event, the RCI TDP was taken offline, not because of mechanical failure, but because of an inhospitable plant environment (high steam tunnel temperature). Therefore, for this analysis, RCI-XHE-XL-RUN was updated to represent a composite of two distinct failure modes, mechanical failure and inhospitable plant environment. The mechanical failure portion was calculated by multiplying the probability of mechanical failure (1.2x10^-2) by the probability of operator recovery of mechanical failure (5.0x10^-1), yielding an overall mechanical failure probability of 6.0x10^-3. The probability of the operator failing to recover the RCI TDP from the inhospitable plant environment was calculated using the SPAR human error model to determine the diagnosis and recovery value, 5.5x10^-3 (see Attachment C). RCI-XHE-XL-RUN was set to the sum of the two probabilities, 1.15x10^-2.

- RHR-A is unavailable because of keep-fill system failures (RHR-A-KEEP-FILL). This event represents the short-term failure-to-run (< 6 hours) of the RHR train A. Since the pump was unavailable for the first 6 hours, RHR-A-KEEP-FILL was set to 1.0. (Note: Due to the way that the GEM program applies recovery rules, RHR-A-KEEP-FILL must be set to 1.0, not TRUE.)

- RHR-A train keep-fill nonrecovery after 6 hours (RHR-A-KEEP-FILL-REC). This event represents the long-term (> 6 hours) failure-to-recover the keep-fill system. Since the RHR system was available after the first 6 hours, long-term recovery of the system was credited. Using the SPAR human error model to determine the value (see Attachment D), RHR-A-KEEP-FILL-REC was set to 2.1x10^-1. This is assumed to be the mean of a constrained noninformative distribution.

- Probability of diesel generators failing to run (ZT-DGN-FR-L). The default diesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (approximately 2 hours). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour (base case value) and ZT-DGN-FR-L = 8.75 hours.

References

1. Licensee Event Report 440/03-002, Revision 1, Reactor Scram Due to Electric Grid Disturbance, event date December 2, 2003 (ADAMS Accession No. ML033530117).
2. NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No. ML0324102160).
3. NRC Special Inspection Report 440/03-009, October 10, 2003 (ADAMS Accession No. ML032880107).
4. Licensee Event Report 440/03-005, Revision 1, Technical Specification Violation/Loss of Safety Function due to Air Bound Water-leg Pump, event date October 31, 2003 (ADAMS Accession No. ML040070073).
5. J. A. Schroeder, Standardized Plant Analysis Risk Model for Nine Mile Point 2 (ASP BWR C), Revision 3.10, December 2004.
6. D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November 2002 (ADAMS Accession No. ML0315400840).

Table 1. Conditional probabilities associated with the highest probability sequences.

Event tree name | Sequence no. | Conditional core damage probability (CCDP)¹ | Percentage contribution
LOOP | 30 | 1.2x10^-5 | 44.4%
LOOP | 21 | 8.3x10^-6 | 30.7%
Total (all sequences)² | | 2.7x10^-5 |

1. Values are point estimates. (File name: GEM 440-03-002 12-13-2004.wpd)
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names)
LOOP | 30 | /RPS, /EPS, /SRV, HCS, RCI, /DEP, LPI
LOOP | 21 | /RPS, /EPS, /SRV, HCS, /RCI, SPC, /DEP, LPI, VA

Table 2b. Definitions of fault trees listed in Table 2a.

DEP | MANUAL DEPRESSURIZATION FAILS
EPS | LOSS OF ONSITE EMERGENCY POWER
HCS | HPCS FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL
LPI | LOW-PRESSURE INJECTION IS UNAVAILABLE
RCI | RCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL
RPS | REACTOR SHUTDOWN FAILS
SPC | SUPPRESSION COOLING MODE OF RHR FAILS
SRV | ONE OR MORE SRVS FAIL TO CLOSE
VA | ALTERNATE LOW-PRESSURE INJECTION FAILS

Table 3. Conditional cut sets for dominant sequences.

CCDP¹ | Percent contribution | Minimal cut sets²

Event Tree: LOOP, Sequence 30
5.0x10^-7 | 4.1 | SSW-MDP-TM-TRNC, RHR-A-KEEP-FILL, EPS-DGN-FR-DGB, LCS-KEEP-FILL, RCI-XHE-XL-RUN
2.9x10^-7 | 2.4 | RCI-XHE-XO-ERROR, LCS-KEEP-FILL, EPS-DGN-FR-DGB, HCS-XHE-XO-ERROR1, RHR-A-KEEP-FILL
2.5x10^-7 | 2.1 | ECW-MDP-TM-C001B, RHR-A-KEEP-FILL, SSW-MDP-TM-TRNC, LCS-KEEP-FILL, RCI-XHE-XL-RUN
2.5x10^-7 | 2.1 | SSW-MDP-TM-TRNC, RCI-XHE-XL-RSTRT, EPS-DGN-FR-DGB, RHR-A-KEEP-FILL, RCI-TDP-FS-RSTRT, LCS-KEEP-FILL
1.2x10^-5 | | Total (all cut sets)³

Event Tree: LOOP, Sequence 21
4.2x10^-7 | 5.1 | OPR-XHE-XM-ALPI, RHR-A-KEEP-FILL, SSW-MDP-TM-TRNC, LCS-KEEP-FILL, EPS-DGN-FR-DGB
2.1x10^-7 | 2.5 | OPR-XHE-XM-ALPI, RHR-A-KEEP-FILL, ECW-MDP-TM-C001B, LCS-KEEP-FILL, SSW-MDP-TM-TRNC
2.1x10^-7 | 2.5 | FWS-EDP-TM-TRN, EPS-DGN-FR-DGB, SPCAI, RHR-A-KEEP-FILL, SSW-MDP-TM-TRNC, LCS-KEEP-FILL
2.1x10^-7 | 2.5 | OPR-XHE-XM-ALPI, RHR-A-KEEP-FILL, EPS-DGN-FR-DGB, LCS-KEEP-FILL, EPS-DGN-FR-DGC
8.3x10^-6 | | Total (all cut sets)³

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. Totals include all cut sets (including those not shown in this table).

Table 4. Definitions and probabilities for modified or dominant basic events.

Event name | Description | Probability/frequency | Modified
ECW-MDP-TM-C001B | ECW PUMP 1B IS IN TEST OR MAINTENANCE | 5.0x10^-3 | No
EPS-DGN-FR-DGB | EDG B FAILS TO RUN | 1.0x10^-2 | No
EPS-DGN-FR-DGC | EDG C FAILS TO RUN | 1.0x10^-2 | No
FWS-EDP-TM-TRAIN | DIESEL FIREWATER PUMP UNAVAILABLE BECAUSE OF TEST AND MAINTENANCE | 5.0x10^-3 | No
HCS-XHE-XO-ERROR1 | OPERATOR FAILS TO START/CONTROL HPCS INJECTION | 1.4x10^-1 | No
IE-LOOP | LOSS OF OFFSITE POWER INITIATING EVENT | 1.0 | Yes¹
LCS-KEEP-FILL | LCS PUMP TRAIN IS UNAVAILABLE BECAUSE OF KEEP-FILL SYSTEM FAILURES (OPERATOR FAILURE TO RECOVER) | 2.1x10^-1 | Yes²
OEP-XHE-XL-NR30M | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES | TRUE | Yes³
OEP-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HOUR | TRUE | Yes³
OEP-XHE-XL-NR03H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 3 HOURS | 1.0x10^-2 | Yes³
OEP-XHE-XL-NR07H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 7 HOURS | 1.0x10^-3 | Yes³
OEP-XHE-XL-NR16H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 16 HOURS | 1.0x10^-3 | Yes³
OPR-XHE-XM-ALPI | OPERATOR FAILS TO ALIGN ALTERNATE LOW PRESSURE INJECTION | 1.0x10^-2 | No
RCI-RESTART | RESTART OF RCIC IS REQUIRED | TRUE | Yes²
RCI-TDP-FR-TRAIN | RCIC FAILS TO RUN GIVEN THAT IT STARTED | TRUE | Yes²
RCI-TDP-FS-RSTRT | RCIC FAILS TO RESTART GIVEN START AND SHORT-TERM RUN | 1.2x10^-2 | No
RCI-XHE-XL-RSTRT | OPERATOR FAILS TO RECOVER RCIC FAILURE TO RESTART | 5.0x10^-1 | No
RCI-XHE-XL-RUN | OPERATOR FAILS TO RECOVER RCIC FAILURE TO RUN | 1.2x10^-2 | Yes²
RCI-XHE-XO-ERROR | OPERATOR FAILS TO START/CONTROL RCIC INJECTION | 1.0x10^-3 | No
RHR-A-KEEP-FILL | RHR-A TRAIN IS UNAVAILABLE BECAUSE OF KEEP-FILL SYSTEM FAILURES | 1.0 | Yes²
RHR-A-KEEP-FILL-REC | RHR TRAIN A KEEP-FILL NONRECOVERY AFTER 6 HOURS | 2.1x10^-1 | Yes²
SPCAI | SUPPRESSION POOL CLEANUP ALTERNATE INJECTION FAILS | 1.0 | No
SSW-MDP-TM-TRNC | SSW PUMP C IS UNAVAILABLE BECAUSE OF MAINTENANCE | 2.0x10^-2 | No
ZT-DGN-FR-L | EDG FAILS TO RUN (LATE) | 7.0x10^-3 | Yes⁴

1. Initiating event assessment; all other initiating event frequencies set to zero.
2. Changed to reflect the event being analyzed. See report and Basic Event Probability Changes for further details.
3. Evaluated per the SPAR-H method (Ref. 4). See report and Attachment C for further details.
4. Changed mission times to correspond to the time offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.

Attachment A

Event Timeline

Table A.1 Timeline of significant events.

Date | Time | Event
8/14/03 | 1610 | Generator, turbine, and reactor trip due to grid instability
8/14/03 | 1737 | Offsite power is restored to the switchyard
8/14/03 | 1813 | Division 1 emergency bus is switched to offsite power source
8/15/03 | 1214 | Division 3 emergency bus is switched to offsite power source
8/15/03 | 1548 | Division 2 emergency bus is switched to offsite power source

Attachment B

LOOP Analysis Procedure

This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A: Detailed Analysis². LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

1. Determine significant facts associated with the event.

1.1 Determine when the LOOP occurred.

1.2 Determine when stable offsite power was first available in the switchyard.

1.3 Determine when offsite power was first restored to an emergency bus.

1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

² ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

Attachment C

Power Recovery Modeling

• Background

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

• Human Error Modeling

The SPAR human error model generally considers the following three factors:

- Probability of failure to diagnose the need for action
- Probability of failure to successfully perform the desired action
- Dependency on other operator actions involved in the specific sequence of interest

This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

The probability of failure to perform an action is the product of a nominal failure probability (1.0x10^-3) and the following eight performance shaping factors (PSFs):

- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes

For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0 (TRUE).

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

• Results

Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities

Nonrecovery Factor | Nominal Value | PSF: Time Available | PSF: Product of All Others | Nonrecovery Probability
OEP-XHE-XL-NR30M | 1.0x10^-3 | Inadequate | 10 | TRUE
OEP-XHE-XL-NR01H | 1.0x10^-3 | Inadequate | 10 | TRUE
OEP-XHE-XL-NR03H | 1.0x10^-3 | 1 | 10 | 1.0x10^-2
OEP-XHE-XL-NR07H | 1.0x10^-3 | 0.1 | 10 | 1.0x10^-3
OEP-XHE-XL-NR16H | 1.0x10^-3 | 0.1 | 10 | 1.0x10^-2

Attachment D

Modified Human Error Events

For this analysis, the values of two operator recovery events, LCS-KEEP-FILL and RHR-A-KEEP-FILL-REC, were updated using the standard SPAR Model Human Error Worksheet. A summary of the worksheet results is provided in Table D.1.

Table D.1 Human Error Basic Event Probabilities

Nonrecovery Factor | Nominal Value | PSF¹ (Complexity, Training, Procedures, Time, Stress) | Nonrecovery Probability
LCS-KEEP-FILL (Diagnosis) | 1.0x10^-2 | .1, 2, 2, 1, 50 | 2.0x10^-1
LCS-KEEP-FILL (Action) | 1.0x10^-3 | .1, 2, 1, 1, 50 | 1.0x10^-2
LCS-KEEP-FILL (Total) | | | 2.1x10^-1
RHR-A-KEEP-FILL-REC (Diagnosis) | 1.0x10^-2 | .1, 2, 2, 1, 50 | 2.0x10^-1
RHR-A-KEEP-FILL-REC (Action) | 1.0x10^-3 | .1, 2, 1, 1, 50 | 1.0x10^-2
RHR-A-KEEP-FILL-REC (Total) | | | 2.1x10^-1

1. All other PSFs were set to nominal (i.e., 1.0).
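
The calculation described in Attachments C and D, as an added example (not code from the NRC analysis or from the GEM/SAPHIRE tools): it applies the available-time PSF rule, the stress and complexity PSFs, and the 1.5-hour switchyard restoration time to reproduce the nonrecovery values given under Basic Event Probability Changes, and the diagnosis-plus-action totals of Table D.1. Function names are hypothetical, and the treatment of time ratios the report leaves undefined (between 1x and 2x, and between 4x and 5x) is an assumption.

```python
from math import prod

# Values stated in Attachment C and the Modeling Assumptions.
NOMINAL_ACTION = 1.0e-3   # nominal probability of failing to perform an action
PSF_STRESS = 5.0          # extreme stress
PSF_COMPLEXITY = 2.0      # moderately complex
SWITCHYARD_H = 1.5        # hours from the LOOP until power reached the switchyard
REALIGN_H = 0.5           # at least 30 minutes to realign an emergency bus


def time_psf(available_h, required_h):
    """Available-time PSF per Attachment C; None means the time is inadequate."""
    if available_h < required_h:
        return None
    ratio = available_h / required_h
    if ratio >= 5.0:
        return 0.1
    if ratio >= 2.0:
        # The report defines 2x-4x as 1.0. Using 1.0 for the undefined
        # 4x-5x band as well is an assumption (the conservative choice).
        return 1.0
    # The report defines "approximately equal" as 10. Using 10 for the
    # undefined 1x-2x band is likewise an assumption.
    return 10.0


def ac_nonrecovery(window_h):
    """Probability of failing to restore offsite power within window_h of the LOOP.

    Returns 1.0 (the report's TRUE) when the window closes before the
    switchyard is energized plus the 30-minute realignment time.
    """
    psf_time = time_psf(window_h - SWITCHYARD_H, REALIGN_H)
    if psf_time is None:
        return 1.0
    # The other five PSFs are nominal (1.0) and drop out of the product.
    # The cap at 1.0 is a guard added here, not a step stated in the report.
    return min(1.0, NOMINAL_ACTION * psf_time * PSF_STRESS * PSF_COMPLEXITY)


def hep(nominal, psfs):
    """Nominal failure probability times the product of PSF multipliers."""
    return min(1.0, nominal * prod(psfs))


def keep_fill_nonrecovery():
    """Diagnosis, action and total values for the Table D.1 keep-fill events.

    PSF multipliers are taken in the order Table D.1 lists them; both
    LCS-KEEP-FILL and RHR-A-KEEP-FILL-REC use the same rows.
    """
    diagnosis = hep(1.0e-2, (0.1, 2, 2, 1, 50))
    action = hep(1.0e-3, (0.1, 2, 1, 1, 50))
    return diagnosis, action, diagnosis + action


if __name__ == "__main__":
    windows = (("NR30M", 0.5), ("NR01H", 1.0), ("NR03H", 3.0),
               ("NR07H", 7.0), ("NR16H", 16.0))
    for name, window_h in windows:
        p = ac_nonrecovery(window_h)
        shown = "TRUE" if p == 1.0 else format(p, ".1e")
        print(f"OEP-XHE-XL-{name}: {shown}")
    print("keep-fill (diagnosis, action, total):", keep_fill_nonrecovery())
```
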

[Figure 1: Perry LOOP event tree with dominant sequences highlighted. Top events: IE-LOOP, RPS, EPS, SRV, HCS, RCI, SPC, DEP, LPI, VA, OPR-16H, SPC, CSS, CVS, LI.]

[Figure 2: Perry LCS Fault Tree (The figure is cropped to show event modification)]

[Figure 3: Perry RHR-A Fault Tree (The figure is cropped to show event modification)]