ML062710045

From kanterella
Jump to navigation Jump to search
Final Precursor Analysis - Grand Gulf, Unit 1
ML062710045
Person / Time
Site: Grand Gulf Entergy icon.png
Issue date: 08/22/2005
From: Demoss G
NRC/RES/DRASP/DDOERA/OEGI
To:
References
LER 416/03-002
Download: ML062710045 (58)
v  d  e


Text

LER: 416/03-002 Final Precursor Analysis Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research Automatic Reactor SCRAM Due To Loss of Offsite Power With Grand Gulf Unit 1 Condenser Vacuum Pump Inoperable and Subsequent Failure of Instrument Air Event Date 4/24/2003 LER: 416/03-002 CCDP1 = 1.3x10-6 August 22, 2005 Event Summary:

On April 14, 2003, ENTERGY Mississippi removed 500 kV Breaker J5204 (See Figure 1) from service in the switchyard at Grand Gulf Nuclear Station by opening disconnects J5203 and J5205 in order to repair an internal gas leak (See Figure 1). On the morning of April 24, 2003, work was continuing on Breaker J5204 when high winds in the switchyard caused Disconnect Switch J5205 to close, creating a line-to-ground fault, which isolated all incoming 500 kV power to Service Transformer 21 (ST21). Coincident with this, failures in the ENTERGY Mississippi carrier transmission fault relaying system caused both 500 kV power sources from the Baxter-Wilson Station and the Franklin Station switchyards to be isolated from the Grand Gulf Nuclear Station switchyard. The Grand Gulf generator temporarily remained on the 500 kV east bus powering ST11.

Because of this 500 kV electrical grid transient, the Grand Gulf Nuclear Station turbine generator control system sensed a full load rejection and responded by initiating a turbine control valve fast closure and automatic reactor trip. (References 1,2) All control rods inserted as designed. Loss of transformer ST21 resulted in a bus undervoltage on the Division I, II and III ESF busses that resulted in the start of the Division I, II and III emergency diesel generators. Reactor water level 2 was reached, MSIVs closed (due to loss of the two RPS buses), and the High Pressure Core Spray (HPCS) and Reactor Core Isolation Cooling (RCIC) systems started as designed. Operators stabilized and maintained reactor pressure vessel (RPV) water level according to procedures.

Reactor pressure was maintained by the proper cycling of the Safety/Relief Valves (S/RVs).

Approximately a half hour into the event, suppression pool cooling was initiated using the Residual Heat Removal (RHR) Systems. A detailed sequence of events is provided in Appendix A.

Essential AC electrical buses were properly supplied throughout the duration of the event by the operation of the emergency diesel generators. Had any of the emergency buses become de-energized due to the failure of a diesel, the buses could be transferred back to offsite sources.

1 For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The value reported here is the mean value.

1

LER: 416/03-002 The transition of the plant to eventual cold shutdown was complicated by the loss of the Instrument Air System which required approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to restore. The Instrument Air System supports several systems credited in the plant emergency procedures for alternate emergency decay heat removal and containment cooling. These systems include: CRD flow (in the enhanced flow control mode), Fire Water makeup to the RPV, and Containment Venting for Containment Heat Removal.

Had the normal operation of HPCS, RCIC, and RHR systems failed and the need to utilize alternate RPV makeup and containment cooling, these alternate measures would have been impacted until Instrument Air was restored. Firewater makeup to the RPV can be accomplished without Instrument Air by opening a motor operated bypass valve either remotely or via turning a handwheel.

Analysis Results

! Conditional Core Damage Probability (CCDP)

This event was modeled as an initiating event loss of offsite power (LOOP) with complications caused by the additional loss of Instrument Air. The CCDP for this event was calculated as 1.0 x10-6 (point estimate). An uncertainty analysis was performed to assess the effects of parameter uncertainties. The results are summarized below.

CCDP 5% Mean 95%

Grand Gulf Unit 1 1.0 x 10-7 1.3 x 10-6 4.3 x 10-6

! Dominant Sequences Appendix B provides the event tree models used in this analysis. The actual event sequence of the April 24, 2003 event is LOOP Sequence 1, shown in Figure B-1 of Appendix B. If additional system or component failures had occurred a core damage sequence could occur. There are five dominant accident sequences (See Table 1) which account for 79% of the total CCDP. All other accident sequences account for less than 6.5% of the total CCDP.

The most dominant accident sequence is LOOP Sequence 41-04 which accounts for 24% of the total CCDP. The important system and component failures in Sequence LOOP 41-04 (See Figures B-1, B-2 of Appendix B) are:

! Loss of Offsite Power occurs

! Automatic Reactor Trip occurs

! Emergency Power is supplied by the Diesel Generators

! S/RVs open and close to control RPV pressure and one fails to re-close

! High Pressure Core Spray is actuated

! Suppression Pool Cooling is attempted but fails

! Containment Spray Cooling is initiated

! Containment Venting fails due to Loss of Instrument Air 2

LER: 416/03-002 The next most dominant Sequence: LOOP 44-03-14 accounts for 18% of the total CCDP. The important system and component failures of Sequence LOOP 44-03-14 (See Figures B-1, B-3, and B-4 of Appendix B) are:

! Loss of Offsite Power occurs

! Automatic Reactor Trip occurs

! Emergency Power from the Diesel Generators fails

! Division III Emergency Power from the HPCS Diesel Generator is available

! High Pressure Core Spray is attempted but fails

! Operators successfully cross-tie the Division III Bus to other plant Buses

! S/RVs open and close to control RPV pressure without failure to re-close

! Reactor Core Isolation Cooling is actuated but fails

! Operators successfully carry out Emergency RPV Depressurization

! Low Pressure Coolant Injection is attempted but fails The next most dominant Sequence: LOOP 40 accounts for 15% of the total CCDP. The important system and component failures of Sequence LOOP 40 (See Figure B-1 of Appendix B) are:

! Loss of Offsite Power occurs

! Automatic Reactor Trip occurs

! Emergency Power is supplied by the Diesel Generators

! S/RVs open and close to control RPV pressure without failing to re-close

! High Pressure Core Spray is actuated but fails

! Reactor Core Isolation Cooling is actuated but fails

! Manual Depressurization fails

! 2/2 CRD injection in high flow mode fails The next most dominant Sequence: LOOP 05 accounts for 12% of the total CCDP. The important system and component failures of Sequence LOOP 05 (See Figure B-1 of Appendix B) are:

! Loss of Offsite Power occurs

! Automatic Reactor Trip occurs

! Emergency Power is supplied by the Diesel Generators

! S/RVs open and close to control RPV pressure without failing to re-close

! High Pressure Core Spray is actuated to provide RPV makeup

! Suppression Pool Cooling is attempted but fails

! Operators successfully carry out Emergency RPV Depressurization

! Containment Spray Cooling is attempted but fails

! Containment Venting fails due to Loss of Instrument Air The next most dominant Sequence: LOOP 44-39 accounts for 10% of the total CCDP. The important system and component failures of Sequence LOOP 44-39 (See Figures B-1 and B-3 of Appendix B) are:

3

LER: 416/03-002

! Loss of Offsite Power occurs

! Automatic Reactor Trip occurs

! Emergency Power from the Diesel Generators fails

! Division III Emergency Power from the HPCS Diesel Generator fails

! S/RVs open and close to control RPV pressure without failing to re-close

! Reactor Core Isolation Cooling is attempted but fails

! Results Tables

! The conditional probabilities for the dominant sequences are shown in Table 1.

! The event tree sequence logic for the dominant sequences are presented in Table 2a.

! Table 2b defines the nomenclature used in Table 2a.

! The most important cut sets for the dominant sequences are listed in Table 3a and 3b.

! Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions:

! Analysis Type The actual event was a loss of onsite electric power (OEP) that occurred with two sources of off-site power available and that could be reconnected if necessary. The event was modeled in this analysis as a loss of offsite power initiating event (IE-LOOP) using the Grand Gulf Revision 3.10 Standardized Plant Analysis Risk (SPAR) Model (Reference 4). The probability of IE-LOOP was set to 1.0. The probabilities of the other initiating events were set to 0.0. The analyzed LOOP duration is equivalent to the actual event. The LOOP initiating event and its duration are therefore considered key boundary conditions for this analysis.

Equipment and operator actions that were successful during the actual event are assumed to perform at their normal failure probability values. Equipment and operator actions that failed during the event are failed (set to TRUE) in the analysis.

LOOP recovery basic events that occur prior to offsite power being available are set TRUE (failed).

These events can not be successful since the know duration of the offsite power event is greater than the time available for recovery action. LOOP recovery basic events that occur after offsite power is available are set consistent with the human error likelihood of re-energizing the ESF buses. This analysis approach of replacing the statistically based non-recovery curves contained in the SPAR model with specific human actions which follows the approach of analyzing a LOOP event of known duration. Since the LOOP duration is known, then the status of power to the switchyard is known at any given time. However, the normal value for the actions to re-energize the ESF buses given switchyard power is available needs to be determined. The human error likelihood is determined using the SPAR-H methodology (Reference 5). Since the Grand Gulf event was a momentary LOOP, then there are no LOOP recovery events set to true.

The emergency diesel generator mission run times have been adjusted consistent with the time it took to re-energize the various ESF buses from the offsite power following the event.

4

LER: 416/03-002 Other changes to model the event are described below.

! Unique Design Features Grand Gulf is a standard General Electric BWR-6, with a Mark III containment.

! Modeling Assumptions Summary Key modeling assumptions. The key modeling assumption are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.

  • Offsite 500kV Power was lost for approximately 74 seconds. Following the inadvertant closure of the disconnect, an undervoltage condition of Division II and III ESF buses cause the autostart of the Division II and III emergency diesel generators. Failures in the carrier transmission fault relaying system caused both normal 500kV power sources from the Baxter-Wilson Station and Franklin Station switchyards to be isolated from the Grand Gulf switchyard. Because the of this 500kV power grid transient, the Grand Gulf turbine generator controls sensed a load rejection resulting in an automatic reactor scram. Approximately 74 seconds later, the main generator output breaker opened resulting in a loss of 500kV to the Division I ESF bus. The Division I emergency diesel generator then autostarted. At about the same time, the 500kV Franklin and Baxter-Wilson line feeder breakers closed and restored power to the Grand Gulf Nuclear Station (GGNS) switchyard (Reference 6).
  • The Port Gibson 115kV line was available throughout the event. GGNS is supplied with AC power from the 500kV switchyard and the 115kV (Port Gibson) offsite circuit. From the switchyard, AC voltage is stepped down to 34.5kV through two service transformers that supply two ESF transformers and eight balance of plant (BOP) transformers. The 115kV offsite circuit feeds another ESF transformer with 4160V output voltage (References 1, 2). This 115kV line available for offsite power recovery at all times during this event and the operators were found to adequately trained on connecting this power supply in a proper and safe manner (Reference 6).

Division I: 6.2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, Division II: 5.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and Division III: 5.075 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br /> (Reference 1). Diesel generator fail to run and common cause failure to run probabilities were adjusted to reflect the run time of the first diesel to be secured, namely 5.07 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />.

  • Instrument Air system became totally unavailable at the time of loss of offsite power and was not recovered until an instrument air compressor was successfuly restarted at two hours into the event. During the actual loss of 5

LER: 416/03-002 offsite power event, the running Instrument Air and Service Air System compressors shutdown as designed. Operators were unable to remotely restart the air compressors due to a loss of control air. The Unit 1 Instrument Air compressor was manually started about 20 minutes into the event (Reference 1) but was ineffective in restoring the air header and was shutdown several minutes later. Approximately two hours into the event, operators were successful in starting the Unit 2 Instrument Air compressor and used it to restore the air header pressure.

  • The CRD pumps and Containment Vent valves, both credited for long term heat removal, depend on the Instrument Air System. The Grand Gulf IPE (Table 3.2-3 of Reference ) illustrates that the Instrument Air System supports all of the following systems:

(a) CRD pump enhanced flow control (alternate RPV makeup),

(b) Opening valves to allow Fire Water Injection (alternate RPV makeup),

(c) Long term makeup to the dedicated bottled air supply for the S/RVs2, (d) Opening, modulation of Feedwater flow control valves (alternate RPV makeup),

(e) Opening Containment vent valves (alternate decay heat removal),

(f) Plant Service Water which supports Instrument Air compressor cooling, (g) Modulation of the chilled water system flow control.

(h) Re-opening of closed Main Steam Isolation Valves to restore heat removal by Main Condenser In the SPAR loss of offsite power event sequence analysis, only items (a) and (e) are modeled in the current SPAR event trees. Modeling the support dependencies of the other systems would only be necessary in non-LOOP transient events.

  • There was no possibility to recover the main condenser unit as an alternate decay heat removal system. At the time the April 24th event, Reference 2 noted that the main condenser mechanical vacuum pump system was tagged out for maintenance. This implies any temporary interruption in loss of main steam flow (such as via the closure of the MSIVs) would incapacitate the steam jet air ejectors that remove non-condensible gasses. Without a mechanical vacuum pump, this combination results in a loss of condenser vacuum and inability to use the use the main condenser as an alternate decay heat removal. The current SPAR loss of offsite power event sequence models do not credit recovery of the main condenser after re-opening the MSIVs.

! Fault Tree Modifications Addition of a basic event AIR-XHE-NOREC-2HR to the Control Rod Drive (CR1) and Containment Venting of the Suppression Pool (CVS) fault trees for the non-recovery of Instrument Air. Two changes were made to the Grand Gulf 1 SPAR Model Fault Trees:

(1) Modifications to the CR1 Fault Tree to Account for Non-recovery of Instrument Air 2

Compressed air to operate the Safety/Relief valves was available throughout the event from dedicated bottles which are hold a sufficient reserve to allow multiple cycles.

6

LER: 416/03-002 The base case CR1 fault tree was modified by the addition of a basic event describing the non-recovery of Instrument Air over the long term (~ 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) which similarly prevents modulating the CRD flow control valves to their full open position. The specific logic modifications are shown in Figure C-1 in Appendix C. The fault probability is derived in the HRA in Appendix D.

(2) Modifications to the CVS Fault Tree to Account for Non-recovery of Instrument Air The base case CVS fault tree was modified by the addition of a basic event describing the non-recovery of Instrument Air over the long term (~ 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) which similarly prevents opening the containment venting valves to their full open position. The specific logic modifications are shown in Figure C-2 in Appendix C. The fault probability is derived in the HRA in Appendix D.

! Basic Event Probability Changes Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. The basis for these changes are provided below.

Operators fail to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M) and within one hour (OEP-XHE-XL-NR01H). These basic event probabilities were changed to 2.0 x 10-2 reflecting the fact that offsite power was available and all that was required was to properly execute the procedure to reconnect. Short term offsite power recovery is considered in the situation of a Station Blackout with a stuck open S/RV. The bases for this number is formally derived in the HRA in Appendix D and considers the fact that required time to carry out the recovery was on the order of the available time.

Operators fail to recover offsite power at 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> (OEP-XHE-XL-NR02H, OEP-XHE-XL-NR04H, OEP-XHE-XL-NR08H, OEP-XHE-XL-NR10H). These basic event probabilities were all changed to 2.0 x 10-4 reflecting the fact that offsite power was available and all that was required was to properly execute the procedure to reconnect. Longer term offsite power recovery is credited for sequences where suppression cooling is required.The bases for this number is formally derived in the HRA in Appendix D and considers the fact that required time to carry out the recovery was significantly less than the available time.

Modifications to diesel generator failure to run probability to reflect actual diesel run times during the event. The diesel generator failure to run probability in the base case SPAR model (Reference 4) is based on a compound event which includes portions dealing with short term failure to run (one hour or less) and a longer term failure model which uses a different failure rate. The base case model assumes a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> run time mission. The base events involved are: EPS-DGN-FR-DGA, EPS-DGN-FR-DGB, and EPS-DGN-FR-DGC. These compound base events are in turn composed of short term and longer term basic elements: ZTN-DGN-FR-E, and ZTN-DGN-FR-L which are each calculated based on Pr(t) = 1 - exp(-t) using different hourly failure rates.

Where: e = 3.0 x 10-3 hr-1 (short term failure rate) and l = 8.4 x 10-4 hr-1 (longer term failure rate) 7

LER: 416/03-002 The total diesel failure to run probability becomes for 5.07 hour8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> mission time:

Pr = 1 - exp(-e x 1hr) + 1- exp(-l x(5.07 - 1hr)) = 6.25 x 10-3 The EPS-DGN-FR-DGA, EPS-DGN-FR-DGB, and EPS-DGN-FR-DGC values were changed to the value noted above as shown in Table 4. This change results in a reduction in the failure to run probabilities for all three diesels.

! SPAR Model Corrections The existing SPAR Model LOOP event tree assumptions for scenarios where emergency power is available, there are no open S/RVs, and some form of RPV makeup has been continuously maintained do not consider the availability of Shutdown Cooling and are excessively pessimistic.

This is an inconsistency in modeling assumptions for equivalent modeling for general plant transients. To correct this model assumption, the recovery model for the LOOP event tree was modified by addition of the following recovery rule:

l Long-term recovery of SDC given initial success of injection.

if system(/SRV)

  • (system(/HCS)+system(/RCI)+system(/CRD)+system(/CDS)+system(/LCS)+

system(/LCI)+system(/VA)) * (system(SD1) + system(SDC)) then AddEvent = SDC-LTERM-NOREC; This recovery rule is identical to that utilized for general plant transients.

! Sensitivity Analyses Sensitivity analyses were performed to determine the effects of data and modeling uncertainties on the CCDP = 1.0 x 10-6 point estimate result which is treated as the base case. To assess data uncertainties, an Importance Analysis using Fussel-Vesely and Risk Increase Ratio importance measures was conducted to identify the most sensitive parameters.

The following table provides the results of the sensitivity analyses and how the resultant CCDP changed from the base case value of 1.0 x 10-6 as a result of single parameter changes.

8

LER: 416/03-002 Sensitivity Modification CCDP1 Study 1 RCI-XHE-XO-ERROR (Operator fails to start or control RCIC) failure probability increased by x 1.8 x 10-6 5.0 2 SSW-MDP-TM-TRNA (Service Water Pump Test and Maintenance) unavailability increased by x 2.0 x 10-6 5.0 3 ADS-XHE-XM-MDEPR (Operator fails to Start or Control RHR) failure probability increased by x 1.7 x 10-6 5.0 4 OEP-XHE-XL-NR08H (Operator fails to recover onsite electric power within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />) failure 1.3 x 10-6 probability increased by x 5.0 AIR-XHE-NOREC-2HR (Operators fail to recover 5 Instrument Air within 2 Hours) failure probability 1.5 x 10-6 increased by x 5.0 Note 1: CCDP sensitivity study calculations are based on point estimate values.

The conclusion from these sensitivity studies is that relatively large changes in the most sensitive base event probability values results in effects that are within the 90% bounds.

9

LER: 416/03-002

References:

1. Grand Gulf Nuclear Station, Unit 1, LER: 416/03-002, Reactor Scram Due to a Partial Loss of Offsite Power, issued June 23, 2003. ML032790367
2. Inspection Report IR: 50-416/2003-02. ML032090437
3. Risk Assessment for Reactor Trip with Loss of Offsite Power and Loss of Instrument Air, Memo from D.P. Loveless(NRC Region IV) to W.D. Johnson, issued April 30, 2003.
4. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Grand Gulf 1 (ASP BWR C), Revision 3.10, December 10, 2004.
5. Grand Gulf Nuclear Station, Individual Plant Evaluation Summary Report, December 1992.
6. The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 30, 2004.

10

LER: 416/03-002 Figure 1 11

LER: 416/03-002 Table 1. Conditional core damage probabilities of dominating sequences.

Event Sequence no. CCDP1 Contribution tree name LOOP 41-04 2.4 x 10-7 24.6%

LOOP 44-03-14 1.8 x 10-7 18%

LOOP 40 1.5 x 10-7 15%

LOOP 05 1.2 x 10-7 12%

LOOP 44-39 1.0 x 10-7 10%

Total (all sequences)2 1.0 x 10-6 100 %

1. Values are point estimates.
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for dominant sequence.

Event Sequenc Logic tree e

(/ denotes success; see Table 2b for top event names) name no.

LOOP 41-04 /RPS /EPS P1 /HCS SPC CSS CVS LOOP 44-03-14 /RPS EPS /B1 HCS /DGX /SRV RC1 /DEP LCI1 LOOP 40 /RPS /EPS /SRV HCS RCI DEP CRD LOOP 05 /RPS /EPS /SRV /HCS SPC /DEP SDC CSS CVS LOOP 44-39 /RPS EPS B1 P1 RCI 12

LER: 416/03-002 Table 2b. Definitions of top events listed in Table 2a.

Top Event Definition RPS REACTOR SHUTDOWN FAILS EPS LOSS OF ONSITE EMERGENCY POWER SRV ONE OR MORE SRVS FAIL TO CLOSE P1 ONE SRV FAILS TO CLOSE B1 DIVISION III POWER AVAILABLE HCS HPCS FAILS TO PROVIDE SUFFICIENT FLOW TO RX VESSEL SPC SUPPRESSION POOL COOLING MODE OF RHR FAILS DGX DIVISION III POWER CROSS-TIE RCI REACTOR CORE ISOLATION COOLING RC1 REACTOR CORE ISOLATION COOLING DEP MANUAL DEPRESSURIZATION FAILS SDC SHUTDOWN COOLING MODE OF RHR IS UNAVAILABLE CSS CONTAINMENT SPRAY MODE OF RHR FAILS LCI1 LOW PRESSURE COOLANT INJECTION (ONE TRAIN)

CRD CONTROL ROD DRIVE PUMP INJECTION (2 PUMPS)

CVS CONTAINMENT (SUPPRESSION POOL) VENTING 13

LER: 416/03-002 Table 3a. Conditional cut sets for the dominant sequences.

Percent CCDP Contributio Minimum Cut Sets (of basic events) n Event Tree: LOOP Sequence 41-04 3.1E-008 12.94 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR AIR-XHE-NOREC-2HR 1.6E-008 6.47 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR CVS-XHE-XM-VENT 1.4E-008 5.82 CVS-AOV-CC-AV36 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR 1.4E-008 5.82 CVS-AOV-CC-AV34 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR 1.4E-008 5.82 CVS-AOV-CC-AV35 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR 1.4E-008 5.82 CVS-AOV-CC-AV37 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR 3.4E-009 1.40 PPR-SRV-OO-1VLV RHR-MDP-CF-START AIR-XHE-NOREC-2HR 2.46 x 10-7 24.6% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

14

LER: 416/03-002 Table 3a. (Continued) Conditional cut sets for the dominant sequences.

CCDP Percent Minimum Cut Sets (of basic events)

Contribution Event Tree: LOOP Sequence 44-03-14 1.8E-008 10.07 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA EPS-DGN-FR-DGB HCS-XHE-XO-ERROR1 1.2E-008 6.62 EPS-FAN-FR-DGB RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA HCS-XHE-XO-ERROR1 1.1E-008 6.40 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA EPS-DGN-FS-DGB HCS-XHE-XO-ERROR1 4.2E-009 2.40 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-MDP-FS-PUMPB HCS-XHE-XO-ERROR1 3.0E-009 1.69 SSW-MDP-TM-TRNA EPS-DGN-FR-DGB HCS-MDP-TM-TRAIN RCI-TDP-FS-TRAIN RCI-XHE-XL-START 2.8E-009 1.60 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-XHE-XR-TRNB HCS-XHE-XO-ERROR1 2.8E-009 1.60 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-MOV-CC-F018B HCS-XHE-XO-ERROR1 2.8E-009 1.60 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-MOV-CC-F001B HCS-XHE-XO-ERROR1 2.8E-009 1.60 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-MOV-CC-F006B HCS-XHE-XO-ERROR1 2.8E-009 1.60 RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA SSW-MOV-CC-F005B HCS-XHE-XO-ERROR1 2.2E-009 1.28 EPS-FAN-FS-DGB RCI-XHE-XO-ERROR SSW-MDP-TM-TRNA HCS-XHE-XO-ERROR1 2.0E-009 1.11 EPS-FAN-FR-DGB SSW-MDP-TM-TRNA HCS-MDP-TM-TRAIN RCI-TDP-FS-TRAIN RCI-XHE-XL-START 1.9E-009 1.07 SSW-MDP-TM-TRNA EPS-DGN-FS-DGB HCS-MDP-TM-TRAIN RCI-TDP-FS-TRAIN RCI-XHE-XL-START 1.8E-009 1.04 SSW-MDP-TM-TRNA EPS-DGN-FR-DGB HCS-MDP-TM-TRAIN RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN 1.8E-009 1.04 RCI-TDP-TM-TRAIN SSW-MDP-TM-TRNA EPS-DGN-FR-DGB HCS-MDP-FS-HPCS 1.8 x 10-7 18% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

15

LER: 416/03-002 Table 3a. (Continued) Conditional cut sets for the dominant sequences.

CCDP Percent Minimum Cut Sets (of basic events)

Contribution Event Tree: LOOP Sequence 40 7.0E-008 45.86 CRD-XHE-XM-VLVS RCI-XHE-XO-ERROR ADS-XHE-XM-MDEPR HCS-XHE-XO-ERROR1 1.2E-008 7.71 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FS-TRAIN RCI-XHE-XL-START 7.3E-009 4.75 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN 7.2E-009 4.72 CRD-XHE-XM-VLVS RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-MDP-FS-HPCS 6.0E-009 3.93 CRD-XHE-XM-VLVS RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-XHE-XO-ERROR 6.0E-009 3.93 CRD-XHE-XM-VLVS RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-MOV-CC-INJEC 3.6E-009 2.36 CRD-XHE-XM-VLVS RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR 3.5E-009 2.29 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-MOV-CC-INJEC 3.5E-009 2.29 CRD-XHE-XM-VLVS RCI-XHE-XO-ERROR ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN 3.1E-009 2.02 CRD-XHE-XM-VLVS RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-MDP-FR-HPCS 2.0E-009 1.32 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MDP-FS-HPCS RCI-TDP-FS-TRAIN RCI-XHE-XL-START 1.8E-009 1.17 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT 1.7E-009 1.10 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR HCS-MOV-CC-INJEC RCI-TDP-FS-TRAIN RCI-XHE-XL-START 1.7E-009 1.10 CRD-XHE-XM-VLVS ADS-XHE-XM-MDEPR RCI-TDP-FS-TRAIN HCS-XHE-XO-ERROR RCI-XHE-XL-START 1.5 x 10-7 15% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

16

LER: 416/03-002 Table 3a. (Continued) Conditional cut sets for the dominant sequences.

CCDP Percent Minimum Cut Sets (of basic events)

Contribution Event Tree: LOOP Sequence 05 1.6E-008 13.12 RHR-XHE-XM-ERROR AIR-XHE-NOREC-2HR SDC-LTERM-NOREC 8.0E-009 6.56 RHR-XHE-XM-ERROR CVS-XHE-XM-VENT SDC-LTERM-NOREC 7.2E-009 5.91 CVS-AOV-CC-AV37 RHR-XHE-XM-ERROR SDC-LTERM-NOREC 7.2E-009 5.91 CVS-AOV-CC-AV34 RHR-XHE-XM-ERROR SDC-LTERM-NOREC 7.2E-009 5.91 CVS-AOV-CC-AV36 RHR-XHE-XM-ERROR SDC-LTERM-NOREC 7.2E-009 5.91 CVS-AOV-CC-AV35 RHR-XHE-XM-ERROR SDC-LTERM-NOREC 1.7E-009 1.42 RHR-MDP-CF-START AIR-XHE-NOREC-2HR SDC-LTERM-NOREC 1.2 x 10-7 12% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

17

LER: 416/03-002 Table 3a. (Continued) Conditional cut sets for the dominant sequences.

CCDP Percent Minimum Cut Sets (of basic events)

Contribution Event Tree: LOOP Sequence 44-39 1.8E-008 17.27 PPR-SRV-OO-1VLV RCI-TDP-TM-TRAIN EPS-DGN-CF-RUN 1.5E-008 14.33 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-TDP-TM-TRAIN 7.1E-009 7.00 PPR-SRV-OO-1VLV RCI-TDP-TM-TRAIN EPS-DGN-CF-START 4.9E-009 4.84 PPR-SRV-OO-1VLV EPS-DGN-CF-RUN RCI-TDP-FS-TRAIN RCI-XHE-XL-START 4.1E-009 4.01 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-TDP-FS-TRAIN RCI-XHE-XL-START 3.0E-009 2.98 PPR-SRV-OO-1VLV EPS-DGN-CF-RUN RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN 2.5E-009 2.47 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN 2.3E-009 2.26 EPS-FAN-CF-START PPR-SRV-OO-1VLV RCI-TDP-TM-TRAIN 2.0E-009 1.96 PPR-SRV-OO-1VLV EPS-DGN-CF-START RCI-TDP-FS-TRAIN RCI-XHE-XL-START 1.5E-009 1.44 PPR-SRV-OO-1VLV EPS-DGN-CF-RUN RCI-XHE-XM-RCOOL 1.5E-009 1.44 PPR-SRV-OO-1VLV RCI-XHE-XO-ERROR EPS-DGN-CF-RUN 1.5E-009 1.44 PPR-SRV-OO-1VLV EPS-DGN-CF-RUN RCI-MOV-CC-INJEC 1.3E-009 1.29 PPR-SRV-OO-1VLV DCP-BAT-CF-BATT 1.2E-009 1.21 PPR-SRV-OO-1VLV EPS-DGN-CF-START RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN 1.2E-009 1.19 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-XHE-XO-ERROR 1.2E-009 1.19 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-MOV-CC-INJEC 1.2E-009 1.19 EPS-FAN-CF-RUN PPR-SRV-OO-1VLV RCI-XHE-XM-RCOOL 1.0 x 10-7 10% Total (all cutsets)1

1. Total Importance includes all cutsets (including those not shown in this table).

18

LER: 416/03-002 Table 4. Definitions and probabilities for modified and dominant basic events.

Event Name Description Probability/ Frequency Modified (per year)

ADS-SRV-CC-VALV1 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV2 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV3 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV4 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV5 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV6 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV7 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-SRV-CC-VALV8 ADS VALVE FAILS TO OPEN 2.5E-003 ADS-TSW-FT-DC125 POWER TRANSFER SWITCH FAILS TO TRANSFER 1.5E-003 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 5.0E-004 ADS-XHE-XM-STMLN OPERATOR FAILS TO ALIGN RCIC STEAM LINE FOR D 1.0E-003 NOTES:

1. Base case values modified to reflect actual diesel generator run times.
2. Base case values modified to reflect short term, long term non-recovery modeling assumptions. (See Appendix D)
3. Values selected to simulate loss of onsite electric power.

19

LER: 416/03-002 Table 4. (Continued) Definitions and probabilities for modified and dominant basic events.

Event Name Description Probability/ Frequency Modified (per year)

HCS-MDP-FR-HPCS HPCS PUMP FAILS TO RUN 5.2E-004 HCS-MDP-FS-HPCS HPCS PUMP FAILS TO START 1.2E-003 HCS-MDP-TM-TRAIN HPCI TRAIN IS UNAVAILABLE BECAUSE OF MAINTENA 7.0E-003 HCS-MOV-CC-INJEC HPCS INJECTION VALVE FAILS TO OPEN 1.0E-003 HCS-MOV-FT-SUCTR HPCS SUCTION TRANSFER FAILS 6.0E-004 HCS-XHE-XO-ERROR OPERATOR FAILS TO START/CONTROL HPCS INJECTIO 1.0E-003 HCS-XHE-XO-ERROR1 OPERATOR FAILS TO START/CONTROL HPCS INJECTIO 1.4E-001 OEP-XHE-XL-NR01H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 2.0E-002 YES(2)

OEP-XHE-XL-NR04H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4 2.0E-004 YES(2)

NOTES:

1. Base case values modified to reflect actual diesel generator run times.
2. Base case values modified to reflect short term, long term non-recovery modeling assumptions. (See Appendix D)
3. Values selected to simulate loss of onsite electric power.

20

LER: 416/03-002 Table 4. (Continued) Definitions and probabilities for modified and dominant basic events.

Event Name Description Probability/ Frequency Modified (per year)

RPS-SYS-FC-HCU HCU COMPONENTS FAIL 1.1E-007 RPS-SYS-FC-PSOVS HCU SCRAM PILOT SOVS FAIL 1.7E-006 RPS-SYS-FC-RELAY TRIP SYSTEM RELAYS FAIL 3.8E-007 RRS-CRB-CC-PUMP1 RECIRC PUMP 1 FIELD BREAKER FAILS TO OPEN 1.5E-003 RRS-CRB-CC-PUMP2 RECIRC PUMP 2 FIELD BREAKER FAILS TO OPEN 1.5E-003 SDC-LTERM-NOREC OPERATOR FAILS TO RECOVER SDC IN THE LONG-TER 1.6E-002 SLC-CKV-CC-F006 SLC INJECTION CHECK VALVE F006 FAILS TO OPEN 1.0E-004 SLC-CKV-CC-F007 SLC INJECTION CHECK VALVE F007 FAILS TO OPEN 1.0E-004 SLC-CKV-CC-F222 SLC INJECTION CHECK VALVE F222 FAILS TO OPEN 1.0E-004 SLC-MDP-TM-TRNB SLC PUMP TRAIN B IS UNAVAILABLE BECAUSE OF MA 5.0E-003 SLC-XHE-XM-ERROR OPERATOR FAILS START/CONTROL SLC 1.0E-003 SLC-XHE-XR-SLCS OPERATOR FAILS TO RESTORE SLCS AFTER MAINTENA 1.0E-003 SSW-MDP-FR-PUMPB SSW PUMP B FAILS TO RUN 5.2E-004 SSW-MDP-FS-PUMPA SSW PUMP A FAILS TO START 1.5E-003 SSW-MDP-FS-PUMPB SSW PUMP B FAILS TO START 1.5E-003 IE-HCS-V HPCS ISOLATION VALVE 13-21 O 5.7E-007 +0.0E+000 FALSE IE-LCS-V LPCS ISOLATION VALVE 13-21 O 5.7E-007 +0.0E+000 FALSE IE-LLOCA LARGE LOCA INITIATOR 3.0E-005 +0.0E+000 FALSE IE-LOOP LOSS OF OFFSITE POWER 3.3E-002 1.0E+000 TRUE IE-MLOCA MEDIUM LOCA INITIATOR 4.0E-005 +0.0E+000 FALSE IE-RCI-V RCIC ISOLATION VALVE 13-21 O 5.7E-007 +0.0E+000 FALSE IE-RHR-V-A LPCI LOOP A ISOLATION VALVE 5.7E-007 +0.0E+000 FALSE IE-RHR-V-B LPCI LOOP B ISOLATION VALVE 5.7E-007 +0.0E+000 FALSE IE-RHR-V-C LPCI LOOP C ISOLATION VALVE 5.7E-007 +0.0E+000 FALSE IE-RHR-V-S SHUTDOWN COOLING ISOLATION V 5.7E-007 +0.0E+000 FALSE IE-SLOCA SMALL LOCA INITIATING EVENT 4.0E-004 +0.0E+000 FALSE IE-TDCB LOSS OF VITAL DC BUS 2.5E-003 +0.0E+000 FALSE IE-TRANS TRANSIENT INITIATOR 8.0E-001 +0.0E+000 FALSE IE-TSWS TOTAL LOSS OF SERVICE WATER 4.0E-004 +0.0E+000 FALSE ZV-LOOP-EW-LAMBDA EXTREME WEATHER RELATED LOSS 2.3E-003 +0.0E+000 ZV-LOOP-GR-LAMBDA GRID RELATED LOSS OF OFFSITE 1.7E-002 +0.0E+000 ZV-LOOP-PC-LAMBDA PLANT CENTERED LOSS OF OFFSI 2.4E-003 +0.0E+000 ZV-LOOP-SC-LAMBDA SWITCHYARD CENTERED LOSS OF 8.7E-003 1.0E+000 ZV-LOOP-SW-LAMBDA SEVERE WEATHER RELATED LOSS 3.0E-003 +0.0E+000 NOTES:

1. Base case values modified to reflect actual diesel generator run times.
2. Base case values modified to reflect short term, long term non-recovery modeling assumptions. (See Appendix D)
3. Values selected to simulate loss of onsite electric power.

21

LER: 416/03-002 Appendix A Sequence of Key Events 22

LER: 416/03-002 April 24, 2003 09:48:34 500 kV Breaker J5204 Disconnected J5205 closes (due to wind) causing a line-to-ground fault.

09:48:34 ST21 Lockout Trip, Breakers J5208 and J1652 Open, ST21 Lost. Breakers J2425, J2420 Open. Franklin 500 kV Line De-energized. Breakers J2240, 2244 Open. Baxter-Wilson 500 kV Line De-energized. West Bus Lockout. Breakers J5228, J5240, J5216 Open.

09:48:34 Load rejection relay actuates, Turbine Control Valve Fast Closure, Automatic Reactor Protection System trip.

09:48:34 Condensate Booster Pump C, Condensate Pumps B and C trip.

09:48:37 Division II EDG start sequence initiated.

09:48:37 Division III EDG start sequence initiated.

09:48:38 Turbine trip, Turbine stop valve closure.

09:48:41 Unit 2 Instrument Air Compressor trip.

09:48:42 Safety/Relief Valve auto actuation (2 S/RVs open for approximately 1 minute and begin to cycle to maintain pressure control) 09:48:46 Condensate Booster Pump A trip.

09:48:50 Condensate Booster Pump B trip.

09:48:53 Manual Reactor Scram, Mode switch placed in Shutdown Mode.

09:49:15 Main Steam Line Isolation Valves close.

09:49:20 Condensate Pump A trip.

09:49:47 Reactor Feedwater Pumps A,B trip.

09:49:47 Main Generator lockout relay actuated (Volts/Hertz ratio) 09:49:48 Main Generator output breaker opens. Generator is off-line and East 500 kV bus de-energized.

09:49:49 Breaker J2425 auto-closes. Franklin 500 kV line re-energizes.

09:49:51 Breaker J2240 auto-closes. Baxter-Wilson 500 kV line re-energizes.

09:49:53 Division I EDG start sequence initiated.

09:50:05 Service Air and Instrument Air auto cross-connect at ~90 psig.

23

LER: 416/03-002 09:56:02 RPV Level 2 reached.

09:56:07 High Pressure Core Spray (HPCS) and Reactor Core Isolation Cooling (RCIC) systems auto-start.

09:58:40 HPCS pump secured by control room operator.

09:58:xx Control room operators establish and maintain RPV pressure and level via manual operation of S/RVs and RCIC.

09:59:41 Unit 1 Instrument Air Compressor auto-start.

10:18:29 Unit 1 Instrument Air Compressor trip (loss of seal air pressure).

10:20:51 Control room operators start Suppression Pool Cooling using Residual Heat Removal (RHR) System A.

10:25:28 Control room operators start Suppression Pool Cooling using RHR System B.

10:25:xx Unit 1 Instrument Air Compressor restarted and secured several times in attempt to provide temporary control air. Instrument air header pressure not restored.

10:58:xx Offsite Power restored to ST21.

11:08:xx Abnormal sounds and vibration reported by eyewitnesses near the Unit 1 Instrument Air Compressor.

11:45:xx Unit 2 Instrument Air Compressor started by manually adjusting fittings and regulators.

11:50:xx Attempts to restore Unit 1 Instrument Air Compressor suspended.

11:51:xx Unit 2 Instrument Air Compressor restores header air pressure.

14:38:xx Condensate Pump A restarted.

14:53:xx Power restored to Division III ESF Bus from offsite power. Division III EDG secured.

15:30:xx Condensate Booster Pump C restarted.

15:37:xx Power restored to Division II ESF Bus from offsite power. Division II EDG secured.

16:00:xx Power restored to Division I ESF Bus from offsite power. Division I EDG secured.

17:00:xx Feedwater Control System placed on start-up water level control.

22:02:xx Spent Fuel Pool Cooling restored.

23:25:xx Main Steam Isolation Valves re-opened. Unable to recover Main Condenser due to inoperable (tagged out) mechanical vacuum pump.

April 25, 2003 05:15:xx RHR System B started in Shutdown Cooling Mode.

24

LER: 416/03-002 06:35:00 Reactor plant in Mode 4. Reactor plant temperature < 200 <F.

Appendix B Event Tree Model Showing Dominant Sequences 25

LER: 416/03-002 Figure B Grand Gulf 1 Loss of Offsite Power Event Tree 26

LER: 416/03-002 Figure B Grand Gulf 1 Open Relief Valve Event Tree 27

LER: 416/03-002 Figure B Grand Gulf 1 Station Blackout Event Tree 28

LER: 416/03-002 Figure B Grand Gulf 1 Station Blackout Event Tree 29

LER: 416/03-002 Appendix C Fault Tree Models Showing Changes 30

LER: 416/03-002 Figure C-1 Modifications to the Base Case CR1 Fault Tree Figure C-2 Modifications to the Base Case CVS Fault Tree 31

LER: 416/03-002 32

LER: 416/03-002 33

LER: 416/03-002 Appendix D Human Reliability Analysis 34

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Grand Gulf Unit 1 Event Name: AIR-XHE-NOREC-2HR Task Error

Description:

Operator fails to recover Instrument Air to allow Containment Venting and enhanced CRD flow over the long term following the success of HPCS and RCIC but failure of Suppression Pool Cooling mode of RHR..

Does this task contain a significant amount of diagnosis activity ? YES U NO .

If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

Multiplier If non-nominal PSF levels are selected, please for note specific reasons in this column PSFs PSF Levels Diagnosis

1. Available Inadequate 1.0a Indications on Instrument Air system status Time exist in the Control Room. The diagnosis of Barely adequate < 20 m 10 inadequate air pressure would take place after Nominal . 30 m 1 verifying that other ESF features are Extra > 60 m 0.1 T operating. Suppression pool cooling would not be entered until pool temperatures Expansive > 24 h 0.01 reached specific limits.
2. Stress Extreme 5 Failure of Suppression Pool Cooling mode of High 2 RHR would be the first significant ESF failure.

Nominal 1T 3.Complexity Highly 5 Diagnosis and restoration, or crosstie of Air Moderately 2 Compressors is clearly an operation that is done during maintenance activities.

Nominal 1T

4. Experience Low 10 Diagnosis and restoration, or crosstie of Air

/Training Nominal 1T Compressors is clearly an operation that is done during maintenance activities.

High 0.5

5. Procedures Not available 50 Diagnosis and restoration, or crosstie of Air Available, but poor 5 Compressors is clearly an operation that is done during maintenance activities.

Nominal 1T Diagnostic/symptom oriented 0.5 6.Ergonomics Missing/Misleading 50 Control room indication and alarms exist.

Poor 10 Nominal 1T Good 0.5

7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1T
8. Work Poor 2 Processes Nominal 1T Good 0.5 35

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

PSFs PSF Levels Multiplier If non-nominal PSF levels are selected, for Action please note specific reasons in column

1. Available Inadequate 1.0a Successful operation of HPCS and RCIC Time Time available . time required 10 provides several hours to carry out the recovery - as compared to situation where Nominal 1T they both fail early.

Available > 5x time required 0.1 Available > 50x time required 0.01

2. Stress Extreme 5 This would not be a normal or routine High 2 T restoration of Instrument Air.

Nominal 1

3. Complexity Highly 5 Diagnosis and restoration, or crosstie of Air Moderately 2 Compressors is clearly an operation that is done during maintenance activities.

Nominal 1U

4. Experience/ Low 3 Diagnosis and restoration, or crosstie of Air Training Nominal 1U Compressors is clearly an operation that is done during maintenance activities.

High 0.5

5. Procedures Not available 50 Diagnosis and restoration, or crosstie of Air Available, but poor 5 Compressors is clearly an operation that is done during maintenance activities.

Nominal 1U

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1U Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1U
8. Work Poor 2 Pre-positioned equipment (fittings and hoses)

Processes Nominal 1 existed to facilitate cross-connection.

Good 0.5 U

a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

Task Nom. Time Stress Compl. Exper./ Proced. Ergon. Fitness Work Prob.

Portion Prob. Train. Process Diag. 1.0E-2 x 0.1 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 1.0E-3 36

LER: 416/03-002 Action 1.0E-3 x 1.0 x 2.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 0.5 1.0E-3 Total 2.0E-3 SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

Condition Crew (same Location Time (close Cues Dependency Number of Human Action Number or (same or in time or not (additional or Failures Rule different) different) close in time) not additional) 1 s s c - complete If this error is the 3rd error in 2 s s nc na high the sequence, then the dependency is at least 3 s s nc a moderate moderate.

4 s d c - high 5 s d nc na moderate If this error is the 4th error in 6 s d nc a low the sequence, then the dependency is at least high.

7 d s c - moderate 8 d s nc na low This rule may be ignored only if 9 d s nc a low there is compelling evidence for 10 d d c - moderate less dependence with the previous tasks.

11 d d nc na low 12 d d nc a low 13 U zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 UFor Zero Dependence the probability of failure = P 37

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Grand Gulf Unit 1 Event Names: ACP-XHE-NOREC-30M, OEP-XHE-NOREC-1H Task Error

Description:

Operator fails to recover AC Power to de-energized plant buses given that power is available on offsite grid.

Does this task contain a significant amount of diagnosis activity ? YES NO U

.Condition of de-energized plant buses is obvious.

If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

Multiplier If non-nominal PSF levels are selected, please for note specific reasons in this column PSFs PSF Levels Diagnosis

1. Available Inadequate 1.0a Time Barely adequate < 20 m 10 Nominal . 30 m 1 Extra > 60 m 0.1 Expansive > 24 h 0.01
2. Stress Extreme 5 High 2 Nominal 1
3. Complexity Highly 5 Moderately 2 Nominal 1
4. Experience/ Low 10 Training Nominal 1 High 0.5
5. Procedures Not available 50 Available, but poor 5 Nominal 1 Diagnostic/symptom oriented 0.5
6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1
8. Work Poor 2 Processes Nominal 1 Good 0.5 SPAR Model Human Error Worksheet (Page 2 of 3) 38

LER: 416/03-002 Table 2. Action worksheet.

PSFs PSF Levels Multiplier If non-nominal PSF levels are selected, for Action please note specific reasons in this column

1. Available Inadequate 1.0a This HEP is for scenarios involving Station Time Time available . time required 10 T Blackout with stuck open S/RVs. In such scenarios core damage can occur in the Nominal 1 30min - 1 hr time frame. Hence the time Available > 5x time required 0.1 available is nominally the required time.

Available > 50x time required 0.01

2. Stress Extreme 5 Given local blackout of plant buses stress High 2 T levels would be higher than nominal.

Nominal 1

3. Complexity Highly 5 Restoration of in-house loads from offsite Moderately 2 sources would be covered by standard operating procedures.

Nominal 1U

4. Experience/ Low 3 Restoration of in-house loads from offsite Training Nominal 1U sources would be covered by standard operating procedures.

High 0.5

5. Procedures Not available 50 Restoration of in-house loads from offsite Available, but poor 5 sources would be covered by standard operating procedures.

Nominal 1U

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1U Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1U
8. Work Poor 2 Restoration of in-house loads from offsite Processes Nominal 1U sources would be covered by standard operating procedures.

Good 0.5

a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

Task Nom. Time Stress Compl. Exper./ Proced. Ergon. Fitness Work Prob.

Portion Prob. Train. Process Diag. N/A Action 1.0E-3 x 10 x 2.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0 x 0.5 2.0E-2 Total 2.0E-2 SPAR Model Human Error Worksheet (Page 3 of 3) 39

LER: 416/03-002 For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Recovery of electrical power on plant buses would be first task.

Table 4. Dependency condition worksheet.

Condition Crew (same Location Time (close Cues Dependency Number of Human Action Number or (same or in time or not (additional or Failures Rule different) different) close in time) not additional) 1 s s c - complete If this error is the 3rd error in 2 s s nc na high the sequence, then the dependency is at least 3 s s nc a moderate moderate.

4 s d c - high 5 s d nc na moderate If this error is the 4th error in 6 s d nc a low the sequence, then the dependency is at least high.

7 d s c - moderate 8 d s nc na low This rule may be ignored only if 9 d s nc a low there is compelling evidence for 10 d d c - moderate less dependence with the previous tasks.

11 d d nc na low 12 d d nc a low 13 U zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 UFor Zero Dependence the probability of failure = P 40

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Grand Gulf Unit 1 Event Names: OEP-XHE-NOREC-2H, OEP-XHE-NOREC-4H, OEP-XHE-NOREC-8H, OEP-XHE-NOREC-10H, OEP-XHE-NOREC-12H Task Error

Description:

Operator fails to recover AC Power over the long term to de-energized plant buses given that power is available on offsite grid.

Does this task contain a significant amount of diagnosis activity ? YES NO U Condition of de-energized plant buses is obvious.

If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

Multiplier If non-nominal PSF levels are selected, please for note specific reasons in this column PSFs PSF Levels Diagnosis

1. Available Inadequate 1.0a Time Barely adequate < 20 m 10 Nominal . 30 m 1 Extra > 60 m 0.1 Expansive > 24 h 0.01
2. Stress Extreme 5 High 2 Nominal 1
3. Complexity Highly 5 Moderately 2 Nominal 1
4. Experience/ Low 10 Training Nominal 1 High 0.5
5. Procedures Not available 50 Available, but poor 5 Nominal 1 Diagnostic/symptom oriented 0.5
6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1
8. Work Poor 2 Processes Nominal 1 Good 0.5 41

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

PSFs PSF Levels Multiplier If non-nominal PSF levels are selected, for Action please note specific reasons in this column

1. Available Inadequate 1.0a The specific scenarios involved for these Time Time available . time required 10 HEPs are failures to restore power in time to prevent suppression pool failure due to lack Nominal 1 of cooling. The time frame for suppression Available > 5x time required 0.1 T pool failure is assumed much greater than 2 Available > 50x time required 0.01 hours.
2. Stress Extreme 5 Given local blackout of plant buses stress High 2 T levels would be higher than nominal.

Nominal 1

3. Complexity Highly 5 Restoration of in-house loads from offsite Moderately 2 sources would be covered by standard operating procedures.

Nominal 1U

4. Experience/ Low 3 Restoration of in-house loads from offsite Training Nominal 1U sources would be covered by standard operating procedures.

High 0.5

5. Procedures Not available 50 Restoration of in-house loads from offsite Available, but poor 5 sources would be covered by standard operating procedures.

Nominal 1U

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1U Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1U
8. Work Poor 2 Restoration of in-house loads from offsite Processes Nominal 1 sources would be covered by standard operating procedures.

Good 0.5 U

a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

Task Nom. Time Stress Compl. Exper./ Proced. Ergon. Fitness Work Prob.

Portion Prob. Train. Process Diag. N/A Action 1.0E-3 x 0.1 x 2.0 x 2.0 x 1.0 x 1.0 x 1.0 x 1.0 x 0.5 2.0E-4 Total 2.0E-4 42

LER: 416/03-002 SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Recovery of electrical power on plant buses would be first task.

Table 4. Dependency condition worksheet.

Condition Crew (same Location Time (close Cues Dependency Number of Human Action Number or (same or in time or not (additional or Failures Rule different) different) close in time) not additional) 1 s s c - complete If this error is the 3rd error in 2 s s nc na high the sequence, then the dependency is at least 3 s s nc a moderate moderate.

4 s d c - high 5 s d nc na moderate If this error is the 4th error in 6 s d nc a low the sequence, then the dependency is at least high.

7 d s c - moderate 8 d s nc na low This rule may be ignored only if 9 d s nc a low there is compelling evidence for 10 d d c - moderate less dependence with the previous tasks.

11 d d nc na low 12 d d nc a low 13 U zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 U For Zero Dependence the probability of failure = P 43

LER: 416/03-002 Appendix E Resolution of Licensee Review Comments on Draft Version 44

LER: 416/03-002 Comments on Preliminary Precursor Analysis Automatic Reactor Scram Due to Loss of Offsite Power With Condenser Vacuum Pump Inoperable and Subsequent Failure of Instrument Air It is estimated that incorporation of the following comments would result in at least a 2.6E-07 reduction in the point estimate CCDP. (The 2.6E-07 is from removal of the contribution from sequences LOOP 41-04 and LOOP 05. Incorporation of other comments would also reduce the remaining CCDP.) The overall point estimate CCDP would be less than 7.4E-07

7. Event Summary, 2nd paragraph--Bus undervoltage on the Division I, II and III ESF buses was caused by the loss power from both ST21 and ST 1 I. The loss of ST21caused undervoltage on the Division II and I l l ESF buses. The Division I bus, which was connected to ST 11, was carried for a short period of time by the plant generator until J5232 opened.

Response: This does not effect the results or conclusions of the analysis. No changes are incorporated.

8. Event Summary, 4th paragraph-Instrument Air is not required for fire water makeup to the RPV since there is a motor operated bypass valve which can be opened (manually, if necessary) to supply firewater to the auxiliary building. Also, firewater and CRD are considered level control systems, not decay heat removal systems.

Response: The subject paragraph was revised to note that RPV makeup using Firewater can be accomplished without availability of Instrument Air. This does not change the results or conclusions of the analysis.

9. Analysis Results, Dominant Sequences, 2nd paragraph (sequence LOOP 41 -04)-This sequence is not a realistic depiction of the GGNS response. It includes a dependency between containment heat removal and continued operation of ECCS pumps that does not exist. The HPCS pump (as well as the LPCl and LPCS pumps) can pump saturated water and GGNS has concluded that the HPCS system will not fail as a result of containment failure.

Response: The assumed ability to continuously recirculate saturated water from the suppression pool to the RPV following containment failure and maintain core cooling has not been conclusively demonstrated. No changes were made to the analysis.

10. Analysis Results, Dominant Sequences, 4th paragraph (sequence LOOP 40)-The list of important system and component failures is not consistent with the event tree sequence. The event tree sequence includes failure of depressurization and CRD and it does not include failure of containment spray and containment venting. Note also that GGNS does not consider that CRD can be successful unless some other high pressure system has controlled level for approximately 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

45

LER: 416/03-002 Response: The text description has been modified as suggested. The modeling change suggested by the licensee, however, will not reduce the estimated ASP CCDP.

11. Analysis Results, Dominant Sequences, 5th paragraph (sequence LOOP 5)-See comment 3 above. This sequence also includes a non-realistic dependency between containment heat removal and continued operation of HPCS and is not applicable to GGNS.

Response: The assumed ability to continuously recirculate saturated water from the suppression pool to the RPV following containment failure and maintain core cooling has not been conclusively demonstrated. No changes were made to the analysis.

12. Modeling Assumptions, Analysis Type, 3rd paragraph-At GGNS any or all of the 3 ESF buses can be connected to any combination (even, only one) of the three ESF transformers. Note also, that once power was restored to the East bus no operator actions were required to restore power to the ESF 11 transformer. In addition the ESF 12 transformer (powered for 115 kv Port Gibson line) was never lost. So with this set of circumstances there would only be operator actions to transfer the ESF buses to either ESF 11 or 12. This is a very simple manipulation (i.e., one switch for each ESF bus) that can be performed in the control room.

Response: The ASP analysis process did consider this simple operator recovery action, but also considered the possibility that the operator s failed to accomplish the recovery. This does not effect the results or conclusions of the analysis. No changes incorporated.

13. Modeling Assumptions, Analysis Type, 4th paragraph-This states that mission run times have been adjusted consistent with the "time it took to re-energize the ESF buses. Later in the Key modeling assumptions, it is stated that the diesel generator fail to run and common cause failure to run probabilities were adjusted to reflect the run time of the first diesel (5.07 hrs).

The statement in the 4th paragraph implies that it "takes" 5.07 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> to re-energize the ESF buses, while the actual time to re-energize a bus is much less than that. This should be revised to state the mission run times were adjusted to be consistent with actual diesel generator run times for the event.

Response: The ASP analysis was carried out consistent with standard NRC practice for performing such analyses. No changes are incorporated.

14. Modeling Assumptions, Key Modeling Assumptions, 5th bullet, (b)-While it is true that there are air operated valves associated with the fire water RPV makeup, there are also motor operated valves, which can be opened manually, that bypass the air operated valves.

Procedures for fire water makeup note that the bypass valves (both remote operation and local manual operation) may have to be utilized.

Response: This does not effect the results or conclusions of the analysis. No changes are incorporated.

15. Modeling Assumptions, Key Modeling Assumptions, 5th bullet, (c)-This is slightly misleading.

Instrument air provides air to the S/RVs for their opening. If air is lost, then it is necessary in the long term to connect bottled air to ensure continued operation of the ADS valves. All of 46

LER: 416/03-002 the S/RVs have accumulators that will allow a number of valve cycles. The ADS S/RVs have, in addition, larger receiver tanks that allow more valve cycles for the ADS valves. Thus, the S/RVs have adequate air to operate for a period of time without the bottles connected.

Response: This does not effect the results or conclusions of the analysis. No changes are incorporated.

16. Modeling Assumptions, Key Modeling Assumptions, 5th bullet, (f) -Note that the instrument air/service air compressors are cooled by turbine building cooling water (TBCW). Note also that instrument air compressor cooling can be cross-tied from TBCW to standby service water B (SSW B).

Response: This does not effect the results or conclusions of the analysis. No changes are incorporated.

17. Modeling Assumptions, Basic Event Probability Changes, 2nd paragraph (OEP-XHE-XL-NR30M & OEP-XHE-XL-NRO1H and associated Appendix D worksheet)-This paragraph indicates that the time required to reconnect offsite power to a bus (assuming a ESF bus) is on the order of the available time. This is not true for a station blackout condition. With a dead bus (i.e., diesels failed to start or load) the only action required is to close one switch in the control room for each ESF bus. The action time for this is seconds or a couple of minutes at most. Therefore, the multiplier utilized in Appendix D for Available Time should be at most 0.1

(>5x time required) instead of a multiplier of 10. This would change the probability for these events to 2E-04 instead of 2E-02.

Response: The base events noted above do not appear in any of the dominant cutsets and do not effect the results or conclusions of the analysis. No changes are incorporated.

18. Modeling Assumptions, Basic Event Probability Changes, 2nd paragraph (OEP-XHE-XLNR04H, OEP-XHE-XL-NR08H, and OEP-XHE-XL-NR1 OH and associated Appendix D worksheet)-Same basic comment as comment number 11 above. In this case the multiplier for Available Time should be 0.01 instead of 0.1. This would result in a probability for these events of 2E-05 instead of 2E-04.

Response: The base events noted above do not appear in any of the dominant cutsets and do not effect the results or conclusions of the analysis. No changes are incorporated.

19. Table 3a., Minimum Cut Sets for LOOP Sequence 41-04-As indicated in comment 3 above, this sequence includes a non-realistic dependency between containment heat removal and continued operation of HPCS and is not applicable to GGNS.

Response: The assumed ability to continuously recirculate saturated water from the suppression pool to the RPV following containment failure and maintain core cooling has not been conclusively demonstrated. No changes were made to the analysis.

20. Table 3a., Minimum Cut Sets for LOOP Sequence 44-03-14-These cut sets do not include credit for recovery of offsite power. Credit for recovery of off site power is appropriate since 47

LER: 416/03-002 offsite power recovery to either the Division I or II bus would make other mitigating equipment available. This appears to be true for all of the displayed cut sets. Most of the LCll (one train of low pressure coolant injection) failures appear to be the result of SSW failures. It should be noted that none of the LPCl or LPCS pumps have a direct dependency on SSW. The LPCS pump will fail at approximately 10 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> due to lack of room cooling although the HPCS DG cross-tie procedure does not allow the use of the LPCS pump if the HPCS DG has been cross-tied to the Div 1 ESF bus. LPCl A and B will automatically switch to containment spray mode on high containment pressure (-9 psig) and there is not a procedure to bypass the automatic realignment. This will occur in approximately 6 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> if SSW or venting is not available for containment cooling. LPCl C should be able to continue to run even if the containment fails. The bottom line for this sequence is unless there is a failure to start of the low pressure pump for the selected division, there is significant time available to recover offsite.

Response: LOOP Sequence 44-03-14, which is a sequence transferred from the LOOP event tree to the SBO event tree (upon failure on the onsite power system). The 44-03-14 sequence does not need to consider offsite power recover because Division III power is available and is successfully cross-connected. The basic events which are found in the dominant sequence cutsets (Table 3a) do not involve unavailability of electric power, they involve equipment unavailability due to test/maintenance, common cause failures, and human errors. No changes were made to the analysis.

21. Table 3a., Minimum Cut Sets for LOOP Sequence 05- As indicated in comment 5 above, this sequence includes a non-realistic dependency between containment heat removal and continued operation of HPCS and is not applicable to GGNS.

Response: The assumed ability to continuously recirculate saturated water from the suppression pool to the RPV following containment failure and maintain core cooling has not been conclusively demonstrated. No changes were made to the analysis.

22. Table 3a., Minimum Cut Sets for LOOP Sequence 44-39-Shouldnt there be recovery of offsite power events in these cutsets? Even with a stuck open relief valve, no HPCS and no RClC there is approximately 30 minutes available to recover offsite power. More time is available for the RClC fail to run events.

Response: The ASP model presumes that with: (a) a loss of offsite power, (b) the failure of all onsite power sources (which incapacitates: HPCS, LPCI, and CRD), (c) the failure of the steam driven RCIC, and (d) a stuck open S/RV, that there is insufficient time for offsite power recovery. No analysis has been provided demonstrating that this scenario can be recovered in time. No changes were made to the analysis.

23. Table 3a., Minimum Cut Sets for LOOP Sequence 44-39-Several of the cut sets include a failure of operator to establish room cooling event (RCI-XHE-XM-RCOOL). This is not a failure at GGNS. RClC does not require room cooling for continued operation for the PRA mission time.

48

LER: 416/03-002 Response: The basic event RCI-XHE-XM-RCOOL appears in two dominant sequence cutsets which respectively contribute to: 1.44% and 1.19% of a 10% contributor to CCDP. No analysis has been provided demonstrating the ability of the RCIC to operate without room cooling for specific periods of time. No changes were made to the analysis.

24. Appendix A, April 24, 2003, 09:49:48-East 500 kV line should be East 500 kV bus.

Response: The text has been corrected as suggested.

49

Retrieved from "https://kanterella.com/w/index.php?title=ML062710045&oldid=2185902"