ML17319A328


Transmittal of Final Columbia Generating Station Accident Sequence Precursor Report (Licensee Event Report 397-2016-004)
ML17319A328
Person / Time
Site: Columbia Energy Northwest
Issue date: 11/20/2017
From: Klos L
Plant Licensing Branch IV
To: Reddemann M
Energy Northwest
Klos L, 301-415-5136
References
EPID L-2017-PMP-0010, LER 2016-004


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

November 20, 2017

Mr. Mark E. Reddemann
Chief Executive Officer
Energy Northwest
P.O. Box 968 (Mail Drop 1023)
Richland, WA 99352-0968

SUBJECT: TRANSMITTAL OF FINAL COLUMBIA GENERATING STATION ACCIDENT SEQUENCE PRECURSOR REPORT (LICENSEE EVENT REPORT 397-2016-004) (EPID L-2017-PMP-0010)

Dear Mr. Reddemann,

By letter dated February 15, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17046A177), Energy Northwest (the licensee) submitted a Licensee Event Report (LER) 397-2016-004, "Automatic Scram Due to Off-site Load Reject," for Columbia Generating Station (Columbia) to the U.S. Nuclear Regulatory Commission (NRC) staff pursuant to Title 10 of the Code of Federal Regulations Section 50.73. As part of the Accident Sequence Precursor (ASP) Program, the NRC staff reviewed the event to identify potential precursors and to determine the probability of the event leading to a core damage state. The results of the analysis are provided in the enclosure to this letter.

The NRC does not request a formal analysis review, in accordance with the guidance in Regulatory Issue Summary 2006-24, "Revised Review and Transmittal Process for Accident Sequence Precursor Analyses" (ADAMS Accession No. ML060900007), because the analysis resulted in a conditional core damage probability (CCDP) of less than 1×10⁻⁴.

Final ASP Analysis Summary. A brief summary of the final ASP analysis, including the results, is provided below.

Offsite Load Reject Causes Automatic Scram with Subsequent Operator Errors Resulting in a Loss of Condenser Heat Sink. This event is documented in LER 397-2016-004 and Inspection Report (IR) 05000397/2017008.

Executive Summary. On December 18, 2016, at 11:24 a.m., an automatic scram occurred due to a fault on an offsite transmission network. A reactor scram was automatically initiated by the plant response to the transient. All control rods fully inserted and main steam isolation valves automatically closed due to the loss of power to both reactor protection system (RPS) busses that occurred during the transient following the scram. All safety systems operated as designed.

A full safety system isolation occurred due to the loss of RPS, which isolated reactor closed cooling water flow from containment causing primary containment temperature and pressure to increase, and subsequent high pressure actuations. Two reactor safety relief valves cycled automatically, and then were manually cycled to maintain reactor pressure. Reactor water level was restored using reactor core isolation cooling (RCIC), control rod drive flow, and high pressure core spray (HPCS). The following complications occurred during the event response:

  • Operators failed to trip the main generator (after successfully tripping the main turbine), which prevented the automatic fast transfer of the safety-related buses to their normal source of power (startup auxiliary transformer) with the plant offline.

  • Operators failed to establish the proper lineup for RCIC restart, which subsequently required operators to maintain reactor water level using HPCS.

Due to the reactor trip and MSIV closure, this event was modeled as a loss of condenser heat sink initiating event with complications. Given the modeling assumptions used in this analysis, the CCDP was calculated to be 1×10⁻⁵. For most boiling-water reactors, a loss of condenser heat yields CCDPs in the 10⁻⁶ to 10⁻⁵ range, which is largely dependent on the availability of feedwater. The most likely core damage sequence involves the postulated failures of RCIC and HPCS, and the subsequent failure of manual reactor depressurization. This accident sequence accounts for approximately 62 percent of the event CCDP.

Three Green findings were identified with this event. All three findings were screened within Phase 1 of the Significance Determination Process evaluation. Two of the findings were due to the operators failing to follow procedures, resulting in the complications noted above. A third finding was associated with the licensee's failure to identify and correct a condition adverse to quality related to the use of spiral wound gaskets for restricting orifices in the HPCS system.

Summary of Analysis Results. This operational event resulted in a best estimate CCDP of 1×10⁻⁵. The detailed ASP analysis can be found in the enclosure.

If you have any questions, please contact me at (301) 415-5136 or via e-mail at John.Klos@nrc.gov.

Sincerely,

Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-397

Enclosure: Columbia Final ASP Program Analysis - Precursor

cc: Listserv

ENCLOSURE FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS - COLUMBIA GENERATING STATION, OFFSITE LOAD REJECT CAUSES AUTOMATIC SCRAM WITH SUBSEQUENT OPERATORS ERRORS RESULTING IN A LOSS OF CONDENSER HEAT SINK (LER 397-2016-004) - PRECURSOR

Final ASP Program Analysis - Precursor

Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Columbia Generating Station
Offsite Load Reject Causes Automatic Scram with Subsequent Operator Errors Resulting in a Loss of Condenser Heat Sink

LER: 397-2016-004
IR: 05000397/2017008
Event Date: 12/18/2016
CCDP = 1×10⁻⁵
Plant Type: General Electric Type 5 Boiling-Water Reactor (BWR) with Wet, Mark II Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
Analyst: Christopher Hunter
Reviewer: Ian Gifford
Contributors: N/A
BC Review Date: 6/29/2017

EXECUTIVE SUMMARY

On December 18, 2016, at 11:24 a.m., an automatic scram occurred due to a fault on an offsite transmission network. A reactor scram was automatically initiated by the plant response to the transient. All control rods fully inserted and main steam isolation valves (MSIVs) automatically closed due to the loss of power to both reactor protection system (RPS) busses that occurred during the transient following the scram. All safety systems operated as designed. A full safety system isolation occurred due to the loss of RPS, which isolated reactor closed cooling water flow from containment causing primary containment temperature and pressure to increase, and subsequent high pressure actuations. Two reactor safety relief valves (SRVs) cycled automatically and then were manually cycled to maintain reactor pressure. Reactor water level was restored using reactor core isolation cooling (RCIC), control rod drive flow, and high pressure core spray (HPCS). The following complications occurred during the event response:

  • Operators failed to trip the main generator (after successfully tripping the main turbine), which prevented the automatic fast transfer of the safety-related buses to their normal source of power (startup auxiliary transformer) with the plant offline.

  • Operators failed to establish the proper lineup for RCIC restart, which subsequently required operators to maintain reactor water level using HPCS.

Due to the reactor trip and MSIV closure, this event was modeled as a loss of condenser heat sink initiating event with complications. Given the modeling assumptions used in this analysis, the conditional core damage probability (CCDP) was calculated to be 1×10⁻⁵. For most BWRs, a loss of condenser heat yields CCDPs in the 10⁻⁶ to 10⁻⁵ range, which is largely dependent on the availability of feedwater. The most likely core damage sequence involves the postulated failures of RCIC and HPCS, and the subsequent failure of manual reactor depressurization. This accident sequence accounts for approximately 62 percent of the event CCDP.

Three Green findings were identified with this event. All three findings were screened within Phase 1 of the Significance Determination Process (SDP) evaluation. Two of the findings were due to the operators failing to follow procedures, resulting in the complications noted above. A third finding was associated with the licensee's failure to identify and correct a condition adverse to quality related to the use of spiral wound gaskets for restricting orifices in the HPCS system.

LER 397-2016-004

EVENT DETAILS

Event Description. On December 18, 2016, at 11:24 a.m., an automatic scram occurred due to a fault on an offsite transmission network. A reactor scram was automatically initiated by the plant response to the transient. All control rods fully inserted and MSIVs automatically closed due to the loss of power to both RPS busses that occurred during the transient following the scram. All safety systems operated as designed. A full safety system isolation occurred due to the loss of RPS, which isolated reactor closed cooling water flow from containment causing primary containment temperature and pressure to increase, and subsequent high-pressure actuations. Two reactor SRVs cycled automatically, and then were manually cycled, to maintain reactor pressure. Reactor water level was restored using RCIC, control rod drive flow, and HPCS.

The plant response resulted in a few complications. After the initial successful start and injection of RCIC, a plant operator failed to establish the proper lineup for restart. This resulted in a trip of the RCIC pump after which operators used HPCS to maintain reactor water level.

Operators successfully tripped the main turbine per plant procedures, but failed to trip the main generator, which resulted in degraded voltage until power was automatically transferred to the backup power sources. The primary containment was successfully vented through a standby gas treatment filter per plant procedures to lower primary containment pressure. Additional information is provided in licensee event report (LER) 397-2016-004 (Ref. 1) and inspection report (IR) 05000397/2017008 (Ref. 2).

Cause. The cause of the offsite transmission network fault is still under evaluation by Bonneville Power Administration (the offsite transmission network operator).

MODELING ASSUMPTIONS

Analysis Type. A test/limited use Standardized Plant Analysis Risk (SPAR) model for Columbia Generating Station, created in June 2017, was used for this initiating event analysis.

Analysis Rules. The ASP Program uses SDP results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

IR 05000397/2017008 describes the results of the special inspection performed at Columbia Generating Station in response to this event. Three Green (i.e., very low safety significance) findings were identified and LER 397-2016-004 is closed. These three findings were associated with the licensee's failure to:

  • Follow Procedure 3.3.1, Reactor Scram, Revision 62. Specifically, the licensee failed to trip the main generator per Procedure PPM 3.3.1, Step 6.2.9, although it was required for a load rejection scram.
  • Follow Procedure SOP-RCIC-INJECTION-QC, RCIC RPV Injection - Quick Card, Revision 5. During a complicated reactor scram on December 18th, licensed operators failed to open the RCIC turbine trip valve, RCIC-V-1, prior to initiating RCIC. As a result, RCIC tripped on over-speed, required local resetting, and led to licensed operations personnel injecting with the HPCS system, a non-preferred injection source.
  • Promptly identify and correct a condition adverse to quality. Specifically, since 2009, the licensee failed to implement prompt corrective actions to correct an adverse condition related to the use of spiral wound gaskets for restricting orifices in the HPCS system.

These three Green findings were screened within Phase 1 of the SDP evaluation because the findings:

  • Were not deficiencies affecting the design or qualification of a mitigating system,
  • Did not represent a loss of system and/or function,
  • Did not represent an actual loss of function of a single train for greater than its technical specification (TS) allowed outage time, and
  • Did not represent an actual loss of function of one or more non-TS trains of equipment designated as high safety-significant in accordance with the licensee's maintenance rule program for greater than 24 hours.

A review of the Columbia Generating Station LERs within 1 year of this event revealed no windowed degradations.

SPAR Model Changes. In reviewing the base SPAR model, incorrect logic was identified for some of the electrical fault tree buses. Specifically, the base SPAR model did not credit the ability of the backup auxiliary transformer to supply offsite power to buses SM-7 and SM-8.¹ In addition, the fault trees for buses SM-1, SM-2, and SM-3 incorrectly credit supply power from the normal auxiliary transformer, which is unavailable after the main generator is tripped. These fault trees also did not credit power from the startup auxiliary transformer.² Therefore, Idaho National Laboratory created a test/limited use model to address these issues.

In addition to the base SPAR model changes, the following analysis-specific modifications were necessary:

  • The ACP-BUS-SM4 (division III AC bus SM-4 power fails) fault tree was modified to provide credit for recovery of offsite power (via bus SM-2) to bus SM-4. Basic event HE-LOOP-SM4 (loss of offsite power to division III bus SM-4) was moved under a new AND gate ACP-BUS-DIV3-4 (offsite power to bus SM-4 is unavailable). Gate ACP-BUS-DIV3-4 was inserted under existing gate ACP-BUS-DIV3-2 (normal offsite power supply is unavailable). A new basic event, ACP-XHE-RECOVERY (operators fail to align offsite power), was inserted under gate ACP-BUS-DIV3-4 and set to IGNORE. The revised ACP-BUS-SM4 fault tree is provided in Figure B-1 in Appendix B.

  • The HE-LOOP (house event-loss of offsite power initiating event has occurred) house event was inserted to replace HE-LOOP-SM7 (loss of offsite power to division I bus SM-7), HE-LOOP-SM4, HE-LOOP-SM8 (loss of offsite power to division II bus SM-8), in the ACP-BUSSM1 (AC power from bus SM-1 is unavailable), ACP-BUSSM2 (AC power from bus SM-2 is unavailable), and ACP-BUSSM3 (AC power from bus SM-3 is unavailable) fault trees, respectively. This modification allows the use of HE-LOOP-SM7, HE-LOOP-SM4, HE-LOOP-SM8 house events in this analysis to model the loss of offsite power only to buses SM-7, SM-4, SM-8.³ The revised ACP-BUSSM1, ACP-BUSSM2, and ACP-BUSSM3 fault trees are provided in Figure B-2, Figure B-3, and Figure B-4 in Appendix B.

  • The HE-LOOP-BACKUP (loss of offsite power from backup aux transformer) house event was replaced with the HE-LOOP house event in the ACP-BUS-SM7 (division I AC bus SM-7 power fails) and ACP-BUS-SM8 (division II AC bus SM-8 power fails) fault trees. This change ensured that the consequential loss of offsite power (LOOP) sequences were correctly calculated in the analysis.⁴ The revised ACP-BUS-SM7 and ACP-BUS-SM8 fault trees are provided in Figure B-5 and Figure B-6 in Appendix B.

¹ The backup auxiliary transformer cannot supply offsite power to bus SM-4. Only the startup auxiliary transformer and the HPCS EDG can provide power to bus SM-4.

² The startup auxiliary transformer normally supplies power to buses SM-1, SM-2, and SM-3 when the main generator is offline.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

  • This analysis models the December 18, 2016, reactor trip at Columbia Generating Station as a loss of condenser heat sink transient due to the MSIV closure. Therefore, the probability for IE-LOCHS (loss of condenser heat sink) was set to 1.0; all other initiating event probabilities were set to zero.

- No credit for recovery of the condenser heat sink was provided in this analysis, which is potentially conservative.⁵ Sensitivity analyses indicate that not crediting recovery of the condenser heat sink has a negligible effect on the results.

  • During the event, voltage degraded to the set-point of the degraded voltage relays, causing power to busses SM-7 and SM-8 to switch from the normal auxiliary transformer to the backup auxiliary transformer. Bus SM-4 was supplied by the division III emergency diesel generator (EDG). Therefore, basic events HE-LOOP-SM-7, HE-LOOP-SM-8, and HE-LOOP-SM-4 were set to TRUE.

- Recovery. If postulated failures of the backup auxiliary transformer and/or the division III EDG had occurred, operators had the ability to align offsite power from the startup auxiliary transformer (through buses SM-1, SM-3, and SM-2) to repower buses SM-7, SM-8, and SM-4. Since buses SM-7 and SM-8 can be powered from either the backup auxiliary transformer or their respective EDGs, only potential recovery of electrical power to bus SM-4 is important for this analysis.⁶ Specifically, if postulated failures of the division III (HPCS) EDG, RCIC, and manual reactor depressurization were to occur, operators would have approximately 30 minutes to restore power to bus SM-4 via bus SM-2 and initiate HPCS.⁷ The SPAR-H Human Reliability Analysis Method (Ref. 3 and 4) was used to estimate non-recovery probability of operators to restore power to bus SM-4 via bus SM-2 (as represented by basic event ACP-XHE-RECOVERY). Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSF) adjustments required for quantification of the human error probability for ACP-XHE-RECOVERY using SPAR-H.

³ Approximately 5 minutes after the reactor scram, the main generator tripped on volts-to-hertz protection. The main generator trip initiated the fast transfer logic and non-safety busses SM-1, SM-2, SM-3, SH-5, and SH-6 transferred to the startup auxiliary transformer.

⁴ Some consequential LOOPs may not result in the loss of offsite power to the backup auxiliary transformer. Supply power to the backup auxiliary transformer comes from a different source (115kV line from Benton Switching Station) than the startup auxiliary transformer (230kV line from Ashe Substation). Therefore, this modeling change is potentially conservative.

⁵ Note that NRC inspectors identified an operator training weakness involving the execution of repowering the RPS buses during the recovery to the December 18th event. Specifically, the control room operations crew did not effectively implement procedure ABN-RPS, Loss of RPS, Revision 11, in a timely manner. See IR 05000397/2017008 for additional information.

⁶ For recovery of electrical power from the startup auxiliary transformer (via buses SM-1 and SM-3) to buses SM-7 and SM-8, failures of both the backup auxiliary power transformer and the applicable EDG would need to occur. Given that the combined failure probability is sufficiently low, crediting recovery would have a negligible effect on the analysis results.

Table 1. Key Qualitative Information for ACP-XHE-RECOVERY

Definition: The definition for this human failure event (HFE) is the operators' failure to align power from bus SM-2 to bus SM-4 given the failure of the division III EDG within 30 minutes.

Description and Event Context: Given the postulated failures of division III EDG, RCIC, and manual reactor depressurization, operators would have approximately 30 minutes (before core uncovery) to align power from bus SM-2 to bus SM-4 by manually closing breakers 2/4 and 4/2.

Operator Action Success Criteria: For successful recovery, operators would have to manually close breakers 2/4 and 4/2 from the main control room.

Nominal Cues:

  • Loss of voltage on bus SM-4
  • Deenergized safety equipment (e.g., division III EDG and HPCS)

Procedural Guidance:

  • ABN-ELEC-SM2/SM4, SM-2, SM-4 and SL-21 Distribution System Failures
  • SOP-ELEC-SM4-MAINT, Removing/Restoring SM-4 from/to Service

Diagnosis/Action: This recovery action contains diagnosis and action activities.

Table 2. SPAR-H Evaluation for ACP-XHE-RECOVERY

PSF: Time Available
Multiplier (Diagnosis/Action): 1/1
Notes: The most limiting time for this recovery action is 30 minutes. The time needed to manually close the two breakers is approximately 5 minutes. This would leave approximately 25 minutes available for diagnosis, which is sufficient. However, because the time for diagnosis is less than 30 minutes, the diagnosis PSF for available time is set to Nominal. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

PSF: Stress
Multiplier (Diagnosis/Action): 2/1
Notes: The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because core damage will occur if operators fail to restore power to bus SM-4. The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

PSF: Complexity
Multiplier (Diagnosis/Action): 2/1
Notes: The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities. The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

PSF: Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes
Multiplier (Diagnosis/Action): 1/1
Notes: No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

⁷ In this analysis, operators are assumed to successfully initiate HPCS if they successfully align power from bus SM-2 to bus SM-4 because the execution portion of initiating HPCS is not expected to significantly increase the HEP for the overall recovery.

The HEP is calculated using the following SPAR-H formula:

Power Recovery HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (4 × 0.01) + (1 × 0.001) = 4×10⁻²

Therefore, the human error probability for ACP-XHE-RECOVERY was set to 4×10⁻².

Sensitivity analyses indicate that increased credit for restoring power to safety-related buses has only a minor effect on the results.

  • During the event, RCIC initially provided inventory makeup to the reactor. However, when operators attempted to re-initiate RCIC after it was terminated due to high reactor water level, operators failed to open the RCIC turbine trip valve prior to initiating RCIC. As a result, RCIC tripped on over-speed and required a local reset. Operators successfully reset RCIC approximately 13 minutes after the pump trip. Basic events RCI-RESTART (restart of RCIC is required) and RCI-TDP-RS-RSTRT (RCIC fails to restart given start and short-term run) were set to TRUE to model the required restart of RCIC and initial failure to restart. Note that credit for recovery (provided in the base SPAR model) is provided by basic event RCI-XHE-XL-RSTRT (operator fails to recover RCIC failure to restart).⁸

  • During the event, HPCS was operated in the minimum flow configuration for 3 hours and 42 minutes. On December 18, 2016, a leak and loose bolts were identified on the first flange downstream of the minimum flow isolation valve (HPCS-V-12) associated with restricting orifice RO-5. The licensee determined that the root cause for the observed leakage from the flange associated with restricting orifice RO-5 was due to inadequate gasket and flange design for the HPCS system operating conditions. The gasket for RO-5 was in service since initial plant construction; the licensee was unable to locate any documented maintenance on this mechanical joint. The licensee calculated the leak rate at the RO-5 flange to be approximately 4.7 gallons per minute with the HPCS pump in minimum flow mode. NRC inspectors agreed with the licensee determination that despite the failure of the gasket for RO-5, the HPCS system was capable of performing its safety function. Therefore, the HPCS leak was not considered in this analysis.⁹

  • All other safety systems responded as designed.

⁸ The base SPAR model provides a nominal human error probability of 0.25 for this recovery event (based on data provided in NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, Appendix C, Section C.2).

ANALYSIS RESULTS

CCDP. The point estimate CCDP for this event is 1.0×10⁻⁵. The ASP Program acceptance threshold is a CCDP of 1×10⁻⁶ or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink, whichever is greater. This CCDP equivalent for Columbia Generating Station is 5.5×10⁻⁶.¹⁰ Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is loss of condenser heat sink sequence 45 (CCDP = 6.8×10⁻⁶), which contributes approximately 62 percent of the total CCDP. The dominant sequence is shown graphically in Figure A-1 in Appendix A. The sequences that contribute at least 1.0 percent to the total CCDP are provided in the following table.

Sequence | CCDP | % Contribution | Description
LOCHS 45 | 6.33E-6 | 60.6% | Successful reactor trip; RCIC and HPCS fail; and reactor depressurization fails
LOCHS 49-07 | 2.44E-6 | 23.4% | RPS fails resulting in an anticipated transient without scram (ATWS); recirculation pumps are successfully tripped; SRVs open successfully; power conversion system fails; standby liquid control system succeeds; operators successfully inhibit automatic depressurization; and reactor water level cannot be maintained above top of active fuel
LOCHS 44 | 9.14E-7 | 8.8% | Successful reactor trip; RCIC and HPCS fail; reactor depressurization succeeds; and all available sources of low-pressure injection fail
LOCHS 48-30 | 1.56E-7 | 1.5% | Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; and low-pressure injection fails
LOCHS 48-33 | 1.39E-7 | 1.3% | Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; and reactor depressurization fails

⁹ This issue is documented in a separate LER (397-16-005).

¹⁰ For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.

REFERENCES

1. Columbia Generating Station, "LER 397/16-004 - Automatic Scram Due to Offsite Load Reject," dated February 15, 2017 (ADAMS Accession No. ML17046A177).
2. U.S. Nuclear Regulatory Commission, Columbia Generating Station - NRC Special Inspection Report 05000397/2017008, dated April 6, 2017 (ADAMS Accession No. ML17096A781).
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).

Appendix A: Key Event Tree

[Figure A-1. Columbia Generating Station Loss of Condenser Heat Sink Event Tree. Top events, in order: IE-LOCHS (loss of condenser heat sink), RPS (reactor shutdown), OEP (consequential loss of offsite power), SRV (SRVs fail to close), HCS (HPCS), RCI (RCIC), SPC (suppression pool cooling), DEP (manual reactor depressurization), CRD (two pumps CRD flow), LPI (low pressure injection, LPCI or LPCS), CDS (condensate), VA (alternate low pressure injection), SPC (suppression pool cooling), PCSR (power conversion system recovery), CVS (containment venting), LI (late injection).]

Appendix B: Modified Fault Trees

[Figure B-1. Modified ACP-BUS-SM4 Fault Tree. Top event: ACP-BUS-SM4 (division III AC bus SM-4 power fails). Values shown: ACP-MC-4A1-EQ Ext; ACP-BAC-LP-SM4 2.29E-05; DG3 Ext; ACP-BUSSM2 Ext; ACP-CRB-CO-ECB24 3.82E-06; ACP-CRB-CO-ECB42 3.82E-06; HE-LOOP-SM4 False; ACP-XHE-RECOVERY Ignore.]

[Figure B-2. Modified ACP-BUSSM1 Fault Tree. Top event: ACP-BUSSM1 (AC power from bus SM-1 is unavailable). Values shown: ROOP Ext; HE-LOOP False; ACP-CRB-OO-ECBS1 2.05E-03; ACP-CRB-CC-ECBN11 2.05E-03; ACP-BAC-LP-ESM1 2.29E-05; ACP-TFM-TM-ETRS 1.75E-03; ACP-TFM-FC-ETRS 6.07E-05.]

[Figure B-3. Modified ACP-BUSSM2 Fault Tree. Top event: ACP-BUSSM2 (AC power from bus SM-2 is unavailable). Values shown: ROOP Ext; HE-LOOP False; ACP-BAC-LP-ESM2 2.29E-05; ACP-CRB-CC-ECBN12 2.05E-03; ACP-CRB-OO-ECBS2 2.05E-03; ACP-TFM-TM-ETRS 1.75E-03; ACP-TFM-FC-ETRS 6.07E-05.]

[Figure B-4. Modified ACP-BUSSM3 Fault Tree. Top event: ACP-BUSSM3 (AC power from bus SM-3 is unavailable). Values shown: ROOP Ext; HE-LOOP False; ACP-BAC-LP-ESM3 2.29E-05; ACP-CRB-OO-ECBS3 2.05E-03; ACP-TFM-TM-ETRS 1.75E-03; ACP-TFM-FC-ETRS 6.07E-05; ACP-CRB-CC-ECBN13 2.05E-03.]

[Figure B-5. Modified ACP-BUS-SM7 Fault Tree. Top event: ACP-BUS-SM7 (division I AC bus SM-7 power fails). Values shown: ACP-SM7-HVAC Ext; IESD-LOAC-FLAG False; ACP-MC-7F-EQ Ext; ACP-BAC-LP-SM7 2.29E-05; DG1 Ext; ROOP Ext; HE-LOOP False; ACP-CRB-OO-ECBB7 2.05E-03; ACP-TFM-FC-ETRB 6.07E-05; ACP-TFM-TM-ETRB 1.75E-03.]

[Figure B-6. Modified ACP-BUS-SM8 Fault Tree. Top event: ACP-BUS-SM8 (division II AC bus SM-8 power fails). Values shown: ACP-SM8-HVAC Ext; ACP-BAC-LP-SM8 2.29E-05; ACP-MC-8F-EQ Ext; DG2 Ext; ROOP Ext; HE-LOOP False; ACP-TFM-FC-ETRB 6.07E-05; ACP-TFM-TM-ETRB 1.75E-03; ACP-CRB-OO-ECBB8 2.05E-03.]

Package: ML17319A422
Letter: ML17319A328
ASP Report: ML17249A968

OFFICE | NRR/DORL/LPL4/LA | NRR/DORL/LPL4/PM
NAME | PBlechman | JKlos
DATE | 11/20/17 | 11/20/17