LER 318/04-001
Final Precursor Analysis
Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research
Calvert Cliffs 2
Excessive Steam Demand — Reactor Trip Due to Low Steam Generator Water Level After Feed Pump Trip
Event Date 1/23/2004
LER 318/04-001-00; IR 05000317/2004008 and 05000318/2004008
CCDP = 4.0 x 10^-6
June 1, 2006
Event Summary
At 3:26 pm on January 23, 2004, Calvert Cliffs Nuclear Power Plant (CCNPP) Unit 2 tripped from 100 percent power, initiated by the Reactor Protective System due to low steam generator water level caused by an erroneous overspeed trip signal on 22 Steam Generator Feed Pump (SGFP). The control room operator could not reset the SGFP, and the reactor was scrammed upon an automatic reactor trip signal.
The Turbine Bypass Valves (TBVs) and Atmospheric Dump Valves (ADVs) opened as designed, but the “quick open” signal did not clear due to the failure of a relay in the reactor regulating circuit. The open valves (turbine bypass and atmospheric dump) resulted in overcooling of the Reactor Coolant System (RCS) and also generation of a Safety Injection Actuation Signal (SIAS) and a Steam Generator Isolation Signal (SGIS).
About three minutes after the reactor trip, both Main Steam Isolation Valves (MSIVs) were shut upon receipt of an SGIS, isolating steam flow through the TBVs and thereby slowing the rate of RCS cooldown. Approximately six minutes later, the operations crew could take control of the ADVs through the Auxiliary Shutdown Panel, terminating the RCS overcooling and depressurization.
During the recovery, a large insurge of subcooled water, caused by full charging with a relatively high RCS heatup, cooled the pressurizer, lowering the RCS pressure to produce a second SIAS.
The following summarizes the sequence of actions on January 23, 2004, leading to the event from Unit 2 operating at 100 percent power:
• 3:26 pm: 22 Steam Generator Feed Pump (SGFP) tripped on overspeed.
• The Reactor Operator (RO) attempted to reset 22 SGFP but failed to achieve normal operation (three attempts to reset the SGFP controls).
• 3:27 pm: The RO manually tripped the reactor when the conditions for Steam Generator (SG) level warranted and entered Post Trip Immediate Actions EOP-0 (subsequent analysis of the performance of the reactor protection system indicated that the reactor tripped automatically 1 second prior to the insertion of the manual trip signal).
• Upon reactor trip, the “quick open” signal (footnote 1) opened the TBVs and ADVs, but these valves were not closed due to the persistent signal as a result of the K7 relay failure.
• The open TBVs and ADVs caused an excessive steam demand (footnote 2) that rapidly overcooled the RCS and the Main Steam System.
• 3:28 pm: The SG levels were lowered and the Auxiliary Feedwater Actuation Signal (AFAS) caused 21 and 23 AFW Pumps to start.
• The RCS pressure decreased to SIAS setpoint which caused the signal to automatically start standby safety systems, including 2A & 2B Diesel Generators, 21 & 23 High Pressure Safety Injection (HPSI) Pumps, 21 & 22 Low Pressure Safety Injection (LPSI) Pumps, and 21 & 22 Containment Spray (CS) Pumps.
• The SIAS caused RCS letdown to be isolated, and the operating crew secured two reactor coolant pumps for procedure requirements for receipt of a SIAS signal.
• 3:29 pm: The SG pressure decreased to SGIS setpoint, causing both MSIVs to close automatically.
• 3:36 pm: The operating crew transferred control of the ADVs to the Auxiliary Shutdown Panel where the “quick open” signal was removed and the steam flow was subsequently throttled, thereby terminating the RCS overcooling and depressurization.
• The pressurizer level trended up due to post-trip decay heat, RCP heat input, and full charging pump operation with letdown isolated.
• A second SIAS signal was received during the recovery phase.
Footnote 1: The “quick open” signal is generated by the Reactor Regulating System and serves to momentarily fully open the TBVs and ADVs when the reactor trips, provided that the RCS average temperature (Tave) is greater than 557°F.
Footnote 2: Each of the four TBVs is sized to pass 10% of the steam flow for a total of 40%, and each of the two ADVs is sized to pass 2.5% of the steam flow for a total of 5%. Therefore, the excessive steam demand was equivalent to 45% of the steam flow.
A more detailed chronology of the events can be found in Appendix A, and References 1 and 2.
Cause. The root causes of the Calvert Cliffs Unit 2 Reactor Trip and the associated failures or malfunctions are as follows [1, 2]:
• The trip of 22 SGFP was caused by degradation of voltage from the power source supplying the digital speed monitor which generated an erroneous trip signal to the SGFP controls trip circuit. The voltage degradation was caused by corrosion on the contact surfaces of the power supply fuse due to high humidity in the control cabinet. All fuses and fuse holders in the Units 1 and 2 SGFP control cabinets were replaced.
• The inability to reset and start 22 SGFP was determined to have resulted from a shift in the mechanical calibration of the Electric to Hydraulic (E/H) Converter. The specific cause of the shift has not been identified in Reference 1.
• The failure to re-close the TBVs and the ADVs was caused by a normally open contact sticking closed in the K7 relay of the Reactor Regulating System (RRS). The root cause of this failure has been identified as an under-rated K7 relay (i.e., the K7 relay contacts are rated for 29 VDC, but were installed in a 125 VDC circuit).
Footnote 3: The LOMFW event tree was used in lieu of the general transient (i.e., TRANS) event tree, because the loss of 22 SGFP led to SG low level which necessitated a reactor trip. The failure of the K7 relay is not directly included in the revised SPAR model; however, a basic event for excessive steam demand which results from the relay failure has been included in the model to enable the assessment of the risk impact.
Footnote 4: When the reactor tripped, the TBVs and ADVs opened to the full-open position upon receipt of the “quick open” signal provided to the valves, thereby relieving stored energy in the secondary and primary systems for a short period. However, the TBVs and ADVs did not re-close automatically because of the contacts sticking closed in the K7 relay.
Recovery Opportunity. If the operators had correctly diagnosed the cause of the excessive steam demand within a relatively short time (e.g., 10 to 30 minutes depending on the specific sequences, such as functioning of MSIVs or control rods) and switched to the alternate channel of the Reactor Regulating System (RRS) [2] after failure of the RRS Channel X, the ADVs and TBVs would have properly controlled reactor temperature and terminated the uncontrolled cooldown. However, it is believed that the cause (i.e., the under-rated condition of the K7 relay) could not have been easily diagnosed in such a short time and under a stressful situation. Furthermore, CCNPP did not have an off-normal procedure for failure of the RRS, and as a result, no credit is taken for the availability of the alternate channel.
Condition Duration. The K7 relay of the Reactor Regulating System successfully functioned when the reactor tripped on May 28, 2003. Based on licensee review, the K7 relay contacts would have failed to open on the next relay actuation, following the May reactor trip [1, 2]. There were no other demands or tests which would have demonstrated whether the quick open function was operational from May 28, 2003, until the reactor trip on January 23, 2004, when the RRS relay failure was identified by a self-revealing event. Therefore, the K7 relay was in failure condition for a period of 240 days (May 28, 2003 ~ January 23, 2004).
Other concurrent or windowed events. No other significant operating events existed at Calvert Cliffs 2 while the K7 relay was inoperable according to the LER Search Database.
Analysis Results
• Importance
Two different types of analyses were performed to evaluate the impact of the inoperable K7 relay and the associated excess steam demand event on plant risk: a) initiating event assessment and b) condition assessment. The initiating event assessment was carried out using the event tree for loss of main feedwater (i.e., LOMFW) (footnote 3) with the failure of the K7 relay. This relay failure has negative impact on all the potential accident scenarios (footnote 4) including activation of the quick open signal for the TBVs and the SG ADVs; however, the K7 relay and the associated excessive steam demand are not included in the SPAR model for Calvert Cliffs [3]. Therefore, all the event trees other than those for irrelevant initiating events (i.e., large LOCA and medium LOCA) have been modified to properly evaluate the risk impact associated with the excessive steam demand. The modified LOMFW event tree projects an initiating event assessment CCDP of 4.0 x 10^-6 for the ESD event. The uncertainty distribution for the CCDP is given below.

                     CCDP
                     5%         Mean       95%
Calvert Cliffs 2     2.2E-7     4.1E-6     1.5E-5

Condition assessment also has been conducted by assuming that the K7 relay of the Reactor Regulating System was in failure condition for 240 days, based on the finding discussed in the Special Inspection Report [2]. The condition assessment for the excessive steam demand event yields a CCDP of 1.2 x 10^-6. As the initiating event assessment yields a higher CCDP than the condition assessment, the discussion below is focused on the former.
• Dominant Sequences
The dominant core damage sequences resulting from LOMFW in this analysis are: Sequence 51 (50.0% of the total CCDP) and Sequence 34 (47.5%). The LOMFW event tree with these dominant sequences highlighted is shown in Figure 1 (Appendix B).
The events and important component failures in LOMFW Sequence 51 are:
- Loss of main feedwater occurs,
- Reactor trip fails, and
- Excessive steam demand occurs.
The events and important component failures in LOMFW Sequence 34 are:
- Loss of main feedwater occurs,
- Reactor trip succeeds,
- Excessive steam demand occurs,
- Both MSIVs are closed,
- Steam generator cooling fails, and
- Once through cooling fails.
• Results Tables
- The conditional core damage probabilities for the dominant sequences are shown in Table 1.
- The event tree sequence logic for the dominant sequences is presented in Table 2a.
- Table 2b defines the nomenclature used in Table 2a.
- The most important cut sets for the dominant sequences are listed in Table 3.
- Definitions and probabilities for modified or dominant basic events are provided in Table 4.
Modeling Assumptions
• Analysis Type
The Revision-3-Plus of the Calvert Cliffs Standardized Plant Analysis Risk (SPAR) model [3] was used for this assessment. The SPAR Revision-3-Plus does not model the excessive steam demand, and therefore, the SPAR model has been modified to enable the risk evaluation of the ESD event. These modeling updates are discussed below in detail.
Subsequent to the updating of the SPAR model, both initiating event assessment and condition assessment have been performed to evaluate the risk impact of the K7 relay failure and the resulting ESD event. In the initiating event assessment, the actual reactor scram in the midst of the K7 relay failure was evaluated using the LOMFW event tree; the generation of the initial SIAS was also accounted for in this assessment. On the other hand, the condition assessment was performed for the failure condition of the K7 relay for 240 days with consideration of all potential initiating events as mentioned earlier.
• Modeling Assumptions Summary
Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.
- The operators would not be able to diagnose the cause of the excessive steam demand because of the complicated nature of the cause and the relatively short time available in the midst of the stressful situation. Therefore, the alternate RRS channel [2] is not given credit.
- The K7 relay of the Reactor Regulating System successfully functioned when the reactor tripped on May 28, 2003. However, the under-rated relay would have failed to open the next time the relay de-energized following the May reactor trip [2]. Therefore, in the condition assessment that was compared with the initiating event assessment, the K7 relay was assumed in failure, from the last successful function until this event on January 23, 2004 (i.e., 240 days).
- The function of the TBVs and ADVs following turbine trip is modeled together in the event trees by the top event of excessive steam demand to evaluate the risk impact of the K7 relay failure. Closure of the MSIVs isolates steam flow from the steam generators to the TBVs. Therefore, the impact of the open TBVs on the plant was modeled by specifically accounting for all the possible functional states of the MSIVs upon reaching SGIS setpoint, namely: (1) both MSIVs successfully close, (2) only one MSIV successfully closes, and (3) no MSIV closes. On the other hand, the impact of the open ADVs on the plant was considered along with the MSIV states in evaluating the available time for the operator to carry out once through cooling.
- When both MSIVs are closed upon SGIS, the steam demand is only from open ADVs (5% of the total steam flow) and the failure of AFW (i.e., SG cooling) would necessitate OTC. In this case, the operators must initiate OTC upon recognition of lowering SG levels (due to no MFW and AFW) prior to SG dryout and subsequent RCS pressure rise to greater than the HPSI shutoff head (footnote 5). The operator performance in this case is modeled in terms of human error event OTC3 as shown in Figure 1 of Appendix B. The plant behavior as predicted by the thermal-hydraulic (T/H) analyses for similar conditions was considered in developing the associated sequence modeling and estimating the human error probability for OTC3. The T/H analyses by both the plant simulator and the plant-specific RELAP-5 model for Calvert Cliffs are discussed in Appendix C, and the human performance modeling by the SPAR-H method [4] in Appendix D.
Footnote 5: If wide range SG level in both SGs is less than -350 inches or the RCS cold leg temperature (i.e., TC) rises uncontrollably 5°F or greater, the emergency operating procedures (e.g., Contingency Action 9.1 of the Loss of All Feedwater Recovery Guideline) instruct the operators to establish RCS heat removal via once-through-cooling.
- When only one MSIV closes upon SGIS, the operators first should block the AFW flow path to the affected steam generator (i.e., with the associated MSIV failing open) and then ensure that the RCS heat is properly removed by the AFW flow into the intact steam generator with the steam removed through the ADVs. Based on a review of the T/H analyses (Appendix C) for similar situations, it was assumed that core damage could be prevented if secondary cooling is established whether or not the affected SG is blocked. Further, it was also assumed that the performance requirements for operator action would be almost the same regardless of success or failure of blocking the affected SG. As a result, the two operator actions for OTC given blocking success or failure of the affected SG were modeled in terms of an identical human error event (i.e., OTC4). The estimation of the human error probability for OTC4 is discussed in Appendix D.
- Where both MSIVs fail to close upon SGIS, a review of the detailed plant-specific T/H analyses performed for this case indicates that core damage can be prevented as long as SG cooling is properly established (e.g., by motor-driven AFW flow into a SG). In this case, the results of the RELAP-5 runs show that SG level will first drop rapidly due to release of the large amount of steam through the open valves (i.e., TBVs and ADVs), but will increase to the normal level in about one and a half hours as a result of the AFW flow due to the decreasing core heat. Consequently, the RCS temperature suddenly drops due to the overcooling caused by the ESD, but stays low as a result of the effective SG cooling (Appendix C). In addition, the results from the plant simulator also point out the effectiveness of the AFW flow under these circumstances (Appendix C). In light of these plant-specific T/H analyses, credit was taken for the motor-driven AFW pumps, but not for the turbine-driven AFW pumps because of insufficient steam pressure to drive them under these circumstances. If both motor-driven AFW pumps (i.e., AFW MDP-13 and MDP-23) or associated flow paths are unavailable for operation, the plant operators need to initiate OTC; this operator action is modeled by human error event OTC5 (Appendix D). Finally, also note in this case that credit was not taken for an interlock signal for closure of all the TBVs upon loss of condenser vacuum, nor for the operator intervention to close the TBVs and/or ADVs, based on the following insights from a review of the T/H runs (Appendix C):
    a) The plant simulator runs indicate that wide range SG level in both SGs is expected to drop below -350 inches within 10 minutes, and as a result, OTC will have to be initiated before the main condenser loses vacuum. The loss of condenser vacuum supposedly will take at least half an hour according to an ex-SRO (senior reactor operator) at Calvert Cliffs.
    b) The RELAP-5 runs predict that only a small amount of steam will be released through the TBVs after 10 minutes into the ESD event, and as a result, the operator intervention to close the TBVs (which is unlikely to happen before 10 minutes into the ESD event) is not expected to significantly change the potential outcome of the event.
- In the cases where an anticipated transient without scram (ATWS) occurs in concurrence with an excessive steam demand (especially given that the cause of the ESD is unknown to the operators), it is conservatively assumed that core damage will result. The reason for this conservative assumption is as follows:
    a) The operators might be able to manually trip the reactor by injecting boric acid into the core in the event of mechanical rods failure, provided that the core was not at the beginning of the fuel cycle and the operators were not in a very stressful situation due to other co-existing or on-going failures.
    b) However, it is expected that the operators would be subjected to extremely high stress in a very rapidly developing accident caused by the simultaneous occurrence of an ATWS and an excess steam demand (due to the K7 relay failure, unknown to the operators during the event). Therefore, even though credit is taken for the operator recovery action to inject borated water into the core in the specific case where the RPS failed due to immovable control rods during a fuel cycle other than the early stage, the incorporation of this recovery action is not expected to have significant impact on the conditional core damage probability.
- The reactor vessel is subjected to a pressurized thermal shock (PTS) when an extended cooling transient to the vessel wall is accompanied by system pressurization. According to PTS experiments, a crack may initiate and propagate entirely through the vessel wall, involving large openings in the reactor vessel and also significant additional deformation of the vessel. However, there currently is an incomplete understanding concerning the progression of an accident following a postulated PTS-induced vessel failure. In light of the uncertainty about the PTS occurrence and also the subsequent accident propagation especially given lack of the plant-specific probabilistic fracture mechanics for the ESD event, a check was made to see how much impact the occurrence of a potential PTS will have on the likelihood of the two most dominant scenarios, i.e., Transient Sequence 51 and SGTR Sequence 38, shown in Figures 2 and 3, respectively. These scenarios contribute about 25% and 15% to the event CCDP (Table 1). The examination of these scenarios indicates that the likelihood of these dominant scenarios is essentially insensitive to the potential occurrence of a PTS during the event progression:
    a) First, consider Transient Sequence 51 where a transient occurs followed by failure of a reactor trip and occurrence of an excessive steam demand. In this case, core damage was already assumed in the sequence modeling for this event assessment (see Figure 2). Therefore, this sequence modeling is still valid even if the core damage is caused by occurrence of a PTS in the midst of the ATWS and ESD conditions.
    b) Second, consider the SGTR Sequence 38 where an SGTR occurs followed by a successful reactor trip, an excessive steam demand, closure of both MSIVs, successful SG cooling and high pressure injection, operator failure to depressurize the RCS below SG relief valve setpoint, and subsequent operator failure to depressurize the RCS given a SG relief valve opened. Considering that the closure of MSIVs and the SG cooling will generally take place in the very early stage by the automatic signals (i.e., SGIS and AFAS), the potential occurrence of a PTS may be contemplated for two periods: 1) before HPSI operation, and 2) after operator failure to depressurize the RCS given a SG relief valve opened. For the first period, the PTS is not likely to happen because the large amount of steam release through the TBVs was isolated early by the closure of both MSIVs, and as a result, the RCS will not be considerably overcooled. For the second period, even if a PTS occurs, a core damage is already assumed in Figure 3.
- Natural circulation cooling would not have been threatened during the event sequences (e.g., loss of offsite power) involving an excessive steam demand, because of the initial high differential temperature between the hot leg and the cold leg of the RCS which promotes natural circulation.
- The generation of the second SIAS signal during the recovery phase of the event does not have significant impact on core damage frequency (CDF).
• Event Tree Modifications
All the Event Trees But LLOCA and MLOCA Event Trees (e.g., TRANS, LOMFW, SGTR, LOOP, etc.). The following three new top events have been added to all the event trees of the original SPAR model other than those for large LOCA and medium LOCA initiating events:
a) “Excessive Steam Demand (ESD)” to model the considerable steam release through the widely open TBVs and ADVs as a result of the K7 relay failure;
b) “Main Steam Isolation Valves Closed (MSIV)” to model the function of the MSIVs subsequent to the excessive steam demand; and
c) “One AFW Flow-Path Blocked” (SGBLOCK) to model the inefficiency of the steam generator with the associated MSIV open in the presence of all the TBVs fully open.
The second top event (i.e., MSIV) is associated with three alternatives, namely: (1) both MSIVs successfully closed; (2) only one MSIV closed; and (3) failure of both MSIVs to close. Therefore, the following rule has been added to the existing event tree linkage rules, so that an appropriate fault tree may be applied for each of the three cases implemented in terms of triple branches in the event trees:

    if always then
        /MSIV = MSIV
        MSIV[1] = MSIV-1
        MSIV[2] = MSIV-2
    endif

The first fault tree in the above rule (i.e., MSIV) models the success of both MSIVs being closed on demand, and the second and the third fault trees (i.e., MSIV-1 and MSIV-2) model successful closure of only one MSIV and failure of both MSIVs to close upon demand, respectively.
In addition, the event tree linkage rules such as the following also have been added to the event trees modified to incorporate the ESD event, so that an appropriate fault tree for steam generator cooling and once through cooling may be applied depending on the specific circumstances:

    if /RPS*ESD*MSIV[2] then
        SGC = SGC-ESD;
    endif

    if /RPS*ESD*/MSIV*SGC then
        OTC = OTC3;
    endif

    if /RPS*ESD*MSIV[1]*/SGBLOCK*SGC then
        OTC = OTC4;
    endif

    if /RPS*ESD*MSIV[1]*SGBLOCK*SGC then
        OTC = OTC4;
    endif

    if /RPS*ESD*MSIV[2]*SGC then
        OTC = OTC5;
    endif

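How the linkage rules above pick a fault tree for each sequence path, as an added Python example that is not part of the original analysis or of the SPAR model software. The rule text is taken from the page; the evaluator, the branch numbering (0 for the success branch, 1 and 2 for the failure branches), the default of using the fault tree named after the top event, and the sample paths are assumptions made for illustration.

```python
import re

# Linkage rules as given on the page.
RULE_TEXT = """
if always then
    /MSIV = MSIV
    MSIV[1] = MSIV-1
    MSIV[2] = MSIV-2
endif
if /RPS*ESD*MSIV[2] then SGC = SGC-ESD; endif
if /RPS*ESD*/MSIV*SGC then OTC = OTC3; endif
if /RPS*ESD*MSIV[1]*/SGBLOCK*SGC then OTC = OTC4; endif
if /RPS*ESD*MSIV[1]*SGBLOCK*SGC then OTC = OTC4; endif
if /RPS*ESD*MSIV[2]*SGC then OTC = OTC5; endif
"""

# A name is an optional "/" (success), a top event, and an optional [branch].
NAME = r"(/?)([A-Z][A-Z0-9-]*)(?:\[(\d+)\])?"
TERM = re.compile(NAME + r"$")
ASSIGN = re.compile(NAME + r"\s*=\s*([A-Z][A-Z0-9-]*)")
RULE = re.compile(r"\bif\s+(.+?)\s+then\s+(.+?)\s*endif", re.S)


def parse_rules(text):
    """Return [(condition_terms, assignments)] for every if/endif block."""
    rules = []
    for cond, body in RULE.findall(text):
        terms = []
        if cond.strip() != "always":
            for raw in cond.split("*"):
                m = TERM.match(raw.strip())
                if not m:
                    raise ValueError(f"unparsable term: {raw!r}")
                terms.append(m.groups())
        rules.append((terms, ASSIGN.findall(body)))
    return rules


def branch_matches(slash, idx, taken):
    """Assumed semantics: /X = branch 0, X[n] = branch n, bare X = any failure."""
    if slash:
        return taken == 0
    if idx:
        return taken == int(idx)
    return taken >= 1


def fault_trees_for(path, rules):
    """Map each top event questioned on `path` to the fault tree the rules select.

    `path` maps top event -> branch taken. Later rules override earlier ones.
    """
    chosen = {top: top for top in path}  # assumption: default tree = top event name
    for terms, assigns in rules:
        if all(t in path and branch_matches(s, i, path[t]) for s, t, i in terms):
            for s, top, i, tree in assigns:
                bare = not s and not i
                if top in path and (bare or branch_matches(s, i, path[top])):
                    chosen[top] = tree
    return chosen


RULES = parse_rules(RULE_TEXT)

# Constructed sample paths (not sequences taken from the report's figures).
BOTH_CLOSED = {"RPS": 0, "ESD": 1, "MSIV": 0, "SGC": 1, "OTC": 1}
ONE_CLOSED = {"RPS": 0, "ESD": 1, "MSIV": 1, "SGBLOCK": 0, "SGC": 1, "OTC": 1}
NONE_CLOSED = {"RPS": 0, "ESD": 1, "MSIV": 2, "SGC": 1, "OTC": 1}
NO_ESD = {"RPS": 0, "ESD": 0, "SGC": 1, "OTC": 1}

if __name__ == "__main__":
    for name, path in [("both MSIVs closed", BOTH_CLOSED),
                       ("one MSIV closed", ONE_CLOSED),
                       ("no MSIV closed", NONE_CLOSED),
                       ("no excessive steam demand", NO_ESD)]:
        print(f"{name}: {fault_trees_for(path, RULES)}")
```

Without an excessive steam demand no rule fires and every top event keeps its original fault tree, which matches the statement that the unaffected sequences are the same as in the original event tree.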
The salient features in the modification of the original event trees are briefly summarized below using the revised event tree for general transients (i.e., TRANS) as an example (see Figure 2 in Appendix B):
a) TRANS sequences 1-17 in the revised event tree are the same as TRANS sequences 1-17 of the original event tree, because excessive steam demand does not occur.
b) TRANS sequences 18-34 in the revised event tree show the cases where both MSIVs are closed upon receipt of the steam generator isolation signal (SGIS). If steam generator cooling (SGC) is established through AFW prior to SG dryout, the subsequent sequences are essentially the same as for TRANS sequences 1-13. If SGC fails, the operators should initiate OTC to prevent core damage.
c) TRANS sequences 35-44 reflect the cases where only one MSIV closes upon SGIS. In these circumstances, the operators first need to block the AFW flow path to the affected steam generator with the associated MSIV failed open so that the intact SG can be used for RCS heat removal by controlling the SG water level through the ADVs. Hence, the new top event SGBLOCK is asked following the MSIV top event. If the SG cooling cannot be properly established, the operators then should initiate OTC to avert core damage.
d) TRANS sequences 45-49 show the cases where both MSIVs fail to close upon SGIS. Based on the plant-specific T/H analyses (Appendix C), the operators need to ensure SG cooling has been properly established; otherwise, they must initiate OTC to prevent core damage.
e) TRANS sequence 50 transfers to ATWS event tree as in the original TRANS event tree because of the RPS failure and no demand for excessive steam.
f) TRANS sequence 51 is assumed to lead to core damage because of the excessive steam demand in the midst of the ATWS condition caused by the RPS failure.
A similar modification has been made to all the event trees other than LLOCA and MLOCA event trees, because in these LOCA conditions the RCS average temperature (i.e., Tave) is expected to be less than 557°F following reactor trip, and as a result, the quick open signal will not be generated. The modified event trees are shown in Figures 1-10 (Appendix B).
• Fault Tree Modifications
Fourteen new fault trees for the following top events have been developed and added to the SPAR model for CCNPP [3] in order to enable assessment of the excessive steam demand event:
- ESD: Excessive steam demand
- MSIV: Both MSIVs closed on demand
- MSIV-1: Only one MSIV closed on demand
- MSIV-2: No MSIV closed on demand
- SGBLOCK: AFW block fails on demand
- OTC3: Once through cooling when both MSIVs close on demand
- OTC4: Once through cooling when only one MSIV closes on demand
- OTC5: Once through cooling when both MSIVs fail to close on demand
- SGC-ESD: Steam generator cooling
- AFW-ESD: AFW flow from Unit 1 AFW system
- AFW-SG-11-ESD: Steam generator 11 cooling
- AFW-SG-12-ESD: Steam generator 12 cooling
- AFW-TDP-11-ESD: AFW TDP 11 flow
- AFW-TDP-12-ESD: AFW TDP 12 flow
These fault trees are shown in Figures 11-24 (Appendix B). Human error probabilities associated with initiating OTC under different conditions were quantified using SPAR-H [4] as mentioned before (Appendix D). The last six fault trees were added to model failure of the turbine-driven AFW pumps due to insufficient steam pressure.
• Recovery Rule Modifications
The recovery rules in the original SPAR model contain a number of dependency correction factors for human error probabilities to take into account the dependency of the operator failures in a sequence cut set. The recovery rules including the operator action for once through cooling in the original model (i.e., HPI-XHE-XM-OTC) were modified such that they also apply to other OTC actions defined for the event assessment. For example, the following recovery rule, i.e.,

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
          * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC;
        AddEvent = HPI-XHE-XM-OTC1;

was expanded to include:

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
          * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC3 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC3;
        AddEvent = HPI-XHE-XM-OTC1;

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
          * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC4 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC4;
        AddEvent = HPI-XHE-XM-OTC1;

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
          * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC5 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC5;
        AddEvent = HPI-XHE-XM-OTC1;

Note that the human error probability for once through cooling is increased to the human error probability for HPI-XHE-XM-OTC1 (i.e., 1.0), when such multiple human errors as specified by the recovery rules above are included in a sequence cut set.
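The effect of these recovery rules on a single cut set, as an added Python example that is not part of the original analysis or of the SPAR model software. The rule text and the value 1.0 for HPI-XHE-XM-OTC1 come from the page; the first-match handling of the elsif chain, every other probability and the sample cut set are constructed for illustration.

```python
import math
import re

# The three expanded recovery-rule branches, as given on the page.
RECOVERY_TEXT = """
elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
      * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC3 then
    DeleteEvent = MFW-XHE-XM-LPFLCHS;
    AddEvent = MFW-XHE-XM-LPFLCHS1;
    DeleteEvent = HPI-XHE-XM-OTC3;
    AddEvent = HPI-XHE-XM-OTC1;
elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
      * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC4 then
    DeleteEvent = MFW-XHE-XM-LPFLCHS;
    AddEvent = MFW-XHE-XM-LPFLCHS1;
    DeleteEvent = HPI-XHE-XM-OTC4;
    AddEvent = HPI-XHE-XM-OTC1;
elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP
      * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC5 then
    DeleteEvent = MFW-XHE-XM-LPFLCHS;
    AddEvent = MFW-XHE-XM-LPFLCHS1;
    DeleteEvent = HPI-XHE-XM-OTC5;
    AddEvent = HPI-XHE-XM-OTC1;
"""

BRANCH = re.compile(
    r"(?:els)?if\s+(.+?)\s+then\s+(.*?)(?=\belsif\b|\bendif\b|\Z)", re.S)
ACTION = re.compile(r"(DeleteEvent|AddEvent)\s*=\s*([A-Z0-9-]+)\s*;")


def parse_recovery(text):
    """Return [(required_events, [(verb, event), ...])] in rule order."""
    branches = []
    for cond, body in BRANCH.findall(text):
        required = frozenset(term.strip() for term in cond.split("*"))
        branches.append((required, ACTION.findall(body)))
    return branches


def apply_recovery(cut_set, branches):
    """Apply the first branch whose events all appear in the cut set."""
    for required, actions in branches:
        if required <= cut_set:
            events = set(cut_set)
            for verb, event in actions:
                if verb == "DeleteEvent":
                    events.discard(event)
                else:
                    events.add(event)
            return frozenset(events)
    return frozenset(cut_set)  # no branch matched: cut set is left unchanged


def cut_set_probability(cut_set, prob):
    """Product of the basic event probabilities in one cut set."""
    return math.prod(prob[event] for event in cut_set)


BRANCHES = parse_recovery(RECOVERY_TEXT)

# Constructed probabilities, except HPI-XHE-XM-OTC1 = 1.0, which the page states.
PROB = {
    "MFW-XHE-XO-ERROR": 0.01,
    "CDS-XHE-XM-LTSUPP": 0.1,
    "AFW-XHE-XL-LTSUPP": 0.1,
    "MFW-XHE-XM-LPFLCHS": 0.01,
    "MFW-XHE-XM-LPFLCHS1": 0.5,
    "HPI-XHE-XM-OTC3": 0.02,
    "HPI-XHE-XM-OTC4": 0.02,
    "HPI-XHE-XM-OTC5": 0.02,
    "HPI-XHE-XM-OTC1": 1.0,
}

# Constructed cut set containing all five human errors named by the OTC3 branch.
EXAMPLE_CUT_SET = frozenset({
    "MFW-XHE-XO-ERROR", "CDS-XHE-XM-LTSUPP", "AFW-XHE-XL-LTSUPP",
    "MFW-XHE-XM-LPFLCHS", "HPI-XHE-XM-OTC3",
})

if __name__ == "__main__":
    recovered = apply_recovery(EXAMPLE_CUT_SET, BRANCHES)
    print("independent product:", cut_set_probability(EXAMPLE_CUT_SET, PROB))
    print("after recovery rule:", cut_set_probability(recovered, PROB))
```

With these constructed values the independent product understates the cut set by more than three orders of magnitude, which is the dependency effect the correction factors are there to remove.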
• Basic Event Probability Changes
Table 4 provides all the basic events that are included in the dominant sequences of Table 3, or have been generated as part of this analysis in order to model event sequences associated with the excessive steam demand.
• Other Items of Interest
- Common cause failure (CCF) of the MSIVs was modeled using SPAR model values [3] for alpha factor parameters for two air operated valves with staggered testing (footnote 6).
- Process flag “I” (indicating the use of the system logic for failure and the use of the complement of the system logic for success) was attached to the basic event for excessive steam demand (i.e., ESD-BE) in order to appropriately account for success event when the associated probability is relatively large (e.g., as in sensitivity analyses).
- The re-quantification of the base case CDF by the revised SPAR model (with the assumed failure probability of 1 x 10^-4 for the excessive steam demand basic event) yields a value of 8.144 x 10^-6 per year which is essentially identical to the baseline CDF as obtained by the original SPAR model (i.e., 8.145 x 10^-6 per year).
Footnote 6: The alpha factor parameters for air operated valves were used for MSIVs as per suggestion from the Idaho National Laboratories (INL), because the SPAR CCF database does not include the specific parameters for MSIVs.
• Sensitivity Analyses
Sensitivity analyses were performed to determine the effects of model uncertainties on results based on best estimate assumptions. The following table provides the results of the sensitivity analyses.

Sensitivity Case and Importance

Case A: Increase the failure probability for the excess steam demand basic event (ESD-BE) from 1E-4 to 1E-3 in the revised baseline model incorporating event sequences associated with the excessive steam demand (Base Case)
    Importance: 8.1E-6

Case B: Increase the fault exposure time for the K7 relay from 240 days to 365 days (Condition Assessment)
    Importance: 1.8E-6

Case C: Compute the conditional probability of core damage, given that the K7 relay was in failure and this condition would only be discovered through an excessive steam demand following some initiating event. This calculation assumes that the failure condition lasts as long as it takes to discover it through an initiating event, and is independent of actual duration. (Initiating Event Assessment)
    Importance: 1.1E-5

Case D: Increase the failure probability of each MSIV to close on demand by an order of magnitude (i.e., from 1.5E-3 to 1.5E-2) (Initiating Event Assessment)
    Importance: 4.1E-6

Case E: Increase the common cause failure probability for MSIVs to close on demand by a factor of 2 (i.e., from 4.6E-5 to 9.2E-5) (Initiating Event Assessment)
    Importance: 4.0E-6

Case F: Increase the failure probability for RCS-PHN-MODPOOR (Moderator Temperature Coefficient Not Enough Negative) by an order of magnitude (i.e., from 1.4E-2 to 1.4E-1) (Initiating Event Assessment)
    Importance: 4.0E-6

Case G: Compute the conditional probability of core damage assuming that the human actions for once through cooling in the midst of excessive steam demand (i.e., OTC3, OTC4, and OTC5) involve a significant amount of diagnosis activity in addition to the actual action needed (Initiating Event Assessment)
    Importance: 4.3E-6

• Case A shows that changing the failure probability for the ESD-BE event by an order of magnitude has an insignificant effect on the risk impact, because the dominant sequences involve no demand for excessive steam (i.e., the result is not influenced by whether the success probability for ESD-BE is 9.999 x 10⁻¹ or 9.99 x 10⁻¹).
• Case B shows that the condition assessment using the extended fault exposure time of 365 days (as opposed to 240 days) yields an importance (i.e., ∆CDP) of 1.8 x 10⁻⁶, which is still smaller than the best estimate importance for the event (i.e., a CCDP of 4.0 x 10⁻⁶).
• Case C represents a special situation to estimate the conditional probability that core damage will occur, given that the K7 relay contacts were stuck, assuming that the condition is discovered through the occurrence of some initiating event leading to excessive steam demand. Within this thought process, “duration” does not matter; it is assumed that the failure condition is discovered only through the occurrence of an initiating event leading to excessive steam demand. This calculation was done by the artifice of defining a change set in which the initiating event frequencies were proportionately scaled upward so that they summed to unity, and the ESD-BE event was set to True. This change set was run with a duration of one year. Arithmetically, this equates to multiplying each initiating-event CCDP by the conditional probability of that initiating event, given that some initiator occurred. This sensitivity analysis yields a CCDP of 1.1 x 10⁻⁵ that is a factor of about 2.8 greater than the initiating event assessment CCDP of 4.0 x 10⁻⁶.
• Case D shows that the independent failure probability for each MSIV to close on demand (i.e., MSS-MSIV-OO-HV11 and MSS-MSIV-OO-HV12) has an insignificant impact on the CCDP, because of diverse means of coping with the excess steam demand event such as auxiliary feedwater or once through cooling.
• Case E shows that doubling the CCF probability for MSIVs to close on demand (i.e., MSS-MSIV-CF-CLOSE) has no impact on the CCDP, primarily due to the effectiveness of the motor-driven auxiliary feedwater flow in averting core uncovery in the midst of an ESD event coupled with failure of both MSIVs to close.
• Case F shows that the variance in the moderator temperature coefficient as represented by the RCS-PHN-MODPOOR basic event has a negligible impact on the final result.
• Case G represents a special case where it has been assumed that the human actions for once through cooling in the midst of excessive steam demand (i.e., HPI-XHE-XM-OTC3, HPI-XHE-XM-OTC4, and HPI-XHE-XM-OTC5) involve a significant amount of diagnosis activity in addition to the actual action needed. The performance shaping factors (PSFs) used for this case are shown below:

| Human Error Event | Diagnosis multiplier: Time | Diagnosis multiplier: Stress | Diagnosis multiplier: Complexity | Action multiplier: Time | Action multiplier: Stress | Action multiplier: Complexity | Total HEP |
|---|---|---|---|---|---|---|---|
| OTC3 | 1 | 2 | 2 | 10 | 2 | 2 | 0.08 |
| OTC4 | 10 | 2 | 5 | 10 | 2 | 2 | 0.87 |
| OTC5 | 10 | 5 | 5 | 10 | 2 | 2 | 0.97 |

The total human error probabilities (HEPs) for those situations (either diagnosis or action) involving multiple (i.e., 3 or more) non-nominal PSFs in the above table were calculated by applying an adjustment factor in accordance with the formula provided in the SPAR-H documentation [4] in order to represent the composite PSF influence. Note that the total HEPs used for OTC3, OTC4, and OTC5 in the best estimate evaluation are 0.04, 0.09, and 0.20, respectively, as shown in Table 4 and Appendix D. The initiating event assessment for this sensitivity case yields a CCDP of 4.3 x 10⁻⁶ that is just slightly greater than the best estimate event assessment CCDP (i.e., 4.0 x 10⁻⁶). This relatively small sensitivity of the CCDP to the OTC human actions results from the fact that once through cooling is necessary only when steam generator cooling cannot be properly maintained by use of auxiliary feedwater in most failure cases involving an excessive steam demand.
References
1. LER 318/04-001, Revision 00, “Reactor Trip Due to Low Steam Generator Water Level After Feed Pump Trip,” Event Date: January 23, 2004.
2. NRC Special Inspection (SI) Team Report, EA-04110, “Calvert Cliffs Nuclear Power Plant, Unit 1 and Unit 2 - NRC Inspection Report 05000317/2004008 and 05000318/2004008,” July 29, 2004.
3. Idaho National Engineering and Environmental Laboratory, “Standardized Plant Analysis Risk Model for Calvert Cliffs 1 & 2,” Revision 3.12, February 2, 2005.
4. Idaho National Engineering and Environmental Laboratory, “The SPAR-H Human Reliability Analysis Method,” INEEL/EXT-02-01307, May 2004.
5. B. Mrowca, et al., “Calvert Cliffs Nuclear Power Plant Probabilistic Risk Assessment — Individual Plant Examination,” December 1993.
Table 1. Conditional core damage probabilities of dominating sequences.

| Event tree name | Sequence no. | CCDP¹ | Contribution (%) |
|---|---|---|---|
| LOMFW | 51 | 2.0E-6 | 50.0 |
| LOMFW | 34 | 1.9E-6 | 47.5 |
| Total (all sequences)² | | 4.0E-6 | 100 |

1. Values are point estimates.
2. Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominating sequences.

| Event tree name | Sequence no. | Logic (“/” denotes success; see Table 2b for top event names) |
|---|---|---|
| LOMFW | 51 | RPS, ESD |
| LOMFW | 34 | /RPS, ESD, /MSIV, SGC, OTC3 |

Table 2b. Definitions of top events listed in Table 2a.

| Top Event | Definition |
|---|---|
| ESD | Excessive steam demand occurs |
| MSIV | Main steam isolation valves fail to close |
| OTC3 | Once through cooling fails |
| RPS | Reactor trip fails |
| SGC | Steam generator cooling fails |
Table 3. Conditional cut sets for the dominant sequences.

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| Event Tree: LOMFW, Sequence 51 | | |
| 1.2E-6 | 58.7 | RPS-VCF-FO-MECH |
| 7.0E-7 | 34.4 | RPS-RTB-FC-FTO, RPS-XHE-ERROR |
| 1.4E-6 | 6.9 | RPS-XHE-XM-SCRAM, RPS-VCF-FO-ELEC |
| 2.0E-6 | 100 | Total (all cutsets)¹ |
| Event Tree: LOMFW, Sequence 34 | | |
| 1.4E-6 | 72.8 | CDS-XHE-XM-LTSUPP, AFW-XHE-XL-LTSUPP1, HPI-XHE-XM-OTC1, MFW-XHE-XM-LPFLFW1 |
| 2.8E-7 | 14.6 | CDS-XHE-XM-LTSUPP, LPF-SYS-FC-LOMFW, AFW-XHE-XL-LTSUPP1, HPI-XHE-XM-OTC1 |
| 1.1E-7 | 5.7 | AFW-CKV-CF-SGS, HPI-XHE-XM-OTC3 |
| 9.6E-8 | 5.0 | CDS-TNK-FC-CST12, HPI-XHE-XM-OTC3 |
| 1.9E-6 | 100 | Total (all cutsets)¹ |

1. Total Importance includes all cutsets (including those not shown in this table).
Table 4. Definitions and probabilities for modified and dominant basic events.

| Event Name | Description | Probability/Frequency (per hour) | Modified |
|---|---|---|---|
| AFW-BLOCK¹ | AFW BLOCK FAILS ON DEMAND | 1.5E-4 | N/A |
| AFW-CKV-CF-SGS | CCF OF STEAM GENERATOR INLET CHECK VALVES | 2.8E-6 | No |
| AFW-XHE-XL-LTSUPP1 | OPERATOR FAILS TO RECOVER FROM CST 12 LOW LEVEL (DEPENDENT EVENT) | 1.4E-1 | No |
| CDS-TNK-FC-CST12 | CONDENSATE STORAGE TANK 12 IS UNAVAILABLE | 2.4E-6 | No |
| CDS-XHE-XM-LTSUPP | OPERATOR FAILS TO ALIGN A LONG-TERM WATER SUPPLY TO AFW SUCTION | 1.0E-5 | No |
| ESD-BE² | EXCESSIVE STEAM DEMAND EVENT OCCURS | 1.0E-4 | N/A |
| HPI-XHE-XM-OTC1 | OPERATOR FAILS TO INITIATE ONCE THROUGH COOLING (DEPENDENT EVENT) | 1.0E+0 | No |
| HPI-XHE-XM-OTC3³ | FAILURE TO INITIATE OTC WITH BOTH MSIVS SUCCESSFULLY CLOSED | 4.0E-2 | N/A |
| HPI-XHE-XM-OTC4³ | FAILURE TO INITIATE OTC WITH ONE MSIV OPEN | 9.0E-2 | N/A |
| HPI-XHE-XM-OTC5³ | FAILURE TO INITIATE OTC WITH BOTH MSIVS OPEN | 2.0E-1 | N/A |
| LPF-SYS-FC-LOMFW | LOW PRESSURE FEED HARDWARE FAILED GIVEN LOSS OF FEEDWATER | 2.0E-1 | No |
| MFW-XHE-XM-LPFLFW1 | OPERATOR FAILS TO ESTABLISH LOW PRESSURE FEED TO SGs (DEPENDENT EVENT) | 1.0E-2 | No |
| MSS-MSIV-CF-CLOSE⁴ | CCF OF MSIVS TO CLOSE | 4.6E-5 | N/A |
| MSS-MSIV-OO-HV11⁵ | MSIV HV11 FAILS TO CLOSE | 1.5E-3 | N/A |
| MSS-MSIV-OO-HV12⁵ | MSIV HV12 FAILS TO CLOSE | 1.5E-3 | N/A |
| RPS-RTB-FC-FTO | TRIP CIRCUIT BREAKERS FAIL TO OPEN | 1.6E-6 | No |
| RPS-VCF-FO-ELEC | ELECTRICAL (UV & ST) RPS FAILURE TO OPEN TRIP CIRCUIT BREAKERS | 1.4E-5 | No |
| RPS-VCF-FO-MECH | CONTROL ROD ASSEMBLIES FAIL TO INSERT | 1.2E-6 | No |
| RPS-XHE-ERROR | OPERATOR FAILS TO DE-ENERGIZE CEDM POWER SUPPLY (RECOVERY EVENT) | 4.4E-1 | No |
| RPS-XHE-XM-SCRAM | OPERATOR FAILS TO MANUALLY TRIP THE REACTOR | 1.0E-2 | No |

1. This basic event has been generated to model the inefficiency of the steam generator with the associated MSIV open in the presence of all the TBVs fully open. The failure probability of 1.5E-4 for this event was taken from the IPE for Calvert Cliffs Nuclear Power Plant [5].
2. This basic event has been generated to model the excessive steam demand as part of event sequences following a reactor trip; however, no detailed system model (e.g., including specific relays) was developed in this analysis. The failure probability of 1.0E-4 has been assumed for the ESD-BE basic event based on engineering judgment. Note that the assumption of this value has no effect on the results of this analysis, because the ESD-BE basic event was set to True in both the initiating event assessment and the condition assessment for the base case (i.e., 240 days of fault exposure time for the K7 relay).
3. Refer to the SPAR HRA worksheet in Appendix C.
4. The CCF probability for MSIVs is based on the alpha factors for air operated valves with staggered testing scheme.
5. These basic events for MSIVs have been generated to model the event sequences following the excessive steam demand. The failure probability of 1.5E-3 for these events was taken from the IPE for Calvert Cliffs Nuclear Power Plant [5].
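How the cut-set figures in Table 3 follow from the basic-event probabilities in Table 4, worked for LOMFW sequence 51 as an added example (it is not part of the NRC analysis or of the SPAR model software). It assumes independent basic events, an initiating event that has already occurred, and the rare-event approximation for the sequence total; the function names are hypothetical.

```python
"""Added example: quantify the LOMFW sequence 51 cut sets of Table 3."""
from math import prod

# Basic-event probabilities as printed in Table 4.
BASIC_EVENTS = {
    "RPS-VCF-FO-MECH": 1.2e-6,   # control rod assemblies fail to insert
    "RPS-RTB-FC-FTO": 1.6e-6,    # trip circuit breakers fail to open
    "RPS-XHE-ERROR": 4.4e-1,     # operator fails to de-energize CEDM power
    "RPS-XHE-XM-SCRAM": 1.0e-2,  # operator fails to manually trip the reactor
    "RPS-VCF-FO-ELEC": 1.4e-5,   # electrical RPS failure to open breakers
}

# Minimal cut sets as printed in Table 3 (event tree LOMFW, sequence 51).
SEQ51_CUT_SETS = [
    ("RPS-VCF-FO-MECH",),
    ("RPS-RTB-FC-FTO", "RPS-XHE-ERROR"),
    ("RPS-XHE-XM-SCRAM", "RPS-VCF-FO-ELEC"),
]


def cut_set_probability(cut_set, events=BASIC_EVENTS):
    """Product of the basic-event probabilities (assumption: independence)."""
    missing = [name for name in cut_set if name not in events]
    if missing:
        raise KeyError("no probability listed for: " + ", ".join(missing))
    return prod(events[name] for name in cut_set)


def quantify(cut_sets, events=BASIC_EVENTS):
    """Return per-cut-set probability and percent share plus two sequence totals.

    rare_event: sum of cut-set probabilities (rare-event approximation).
    mcub: minimal-cut-set upper bound, 1 - prod(1 - p_i).
    """
    probs = [cut_set_probability(cs, events) for cs in cut_sets]
    rare_event = sum(probs)
    mcub = 1.0 - prod(1.0 - p for p in probs)
    rows = [(cs, p, 100.0 * p / rare_event) for cs, p in zip(cut_sets, probs)]
    return {"rows": rows, "rare_event": rare_event, "mcub": mcub}


def fussell_vesely(cut_sets, events=BASIC_EVENTS):
    """Share of the sequence total carried by cut sets containing each event."""
    result = quantify(cut_sets, events)
    importance = {}
    for cut_set, p, _ in result["rows"]:
        for name in set(cut_set):
            importance[name] = importance.get(name, 0.0) + p / result["rare_event"]
    return importance


if __name__ == "__main__":
    result = quantify(SEQ51_CUT_SETS)
    for cut_set, p, pct in result["rows"]:
        print(f"{p:.2E}  {pct:5.1f}%  {', '.join(cut_set)}")
    print(f"{result['rare_event']:.2E}  total (rare-event approximation)")
    print(f"{result['mcub']:.2E}  total (minimal-cut-set upper bound)")
    for name, fv in sorted(fussell_vesely(SEQ51_CUT_SETS).items()):
        print(f"FV {name}: {fv:.3f}")
```

The three products come out at 1.2E-6, 7.0E-7 and 1.4E-7, summing to about 2.0E-6; the third product, 1.4E-7, is the value consistent with that row's 6.9 percent contribution in Table 3.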
Appendix A
Sequences of Key Events
From NRC Special Inspection Team Report 50/317/318-2004-008:
15:26.02 Initial Conditions: 100% Reactor Power. 24 CWP secured for planned maintenance. RTCBs 1&5 open due to problems experienced earlier in the day during the performance of an IM STP. Reactor Reg System selected to Channel X.
15:26.37 22 SGFP Trips (With direction from the CRS, the CRO attempts multiple resets of the 22 SGFP per plant stabilizing actions IAW AOP-3G. None of the resets are successful and the CRS orders a manual reactor trip when S/G Low Level Pre-Trips are received (coincident with -40” S/G levels per narrow range level indication).)
15:27.48 RPS Steam Generator Low Level Channel A & D Trip. RTCB’s 2, 3, 4, 6, 7, 8 open. RPS manual reactor trip from 1C05 due to action of RO.
15:28.20 ADVs and TBVs are not responding as designed as they are still full open and RCS average temperature is well below 557°F.
15:28.26 All pressurizer backup and proportional heater banks automatically secure due to pressurizer level falling below 101". The RO places all heater hand switches in OFF shortly afterwards.
15:28.34 AFAS B actuation. ESFAS SIAS A & B actuation.
15:28.52 2B EDG, 21 & 22 LPSI pumps, 21 & 22 CS pumps, 21 HPSI pump all start.
15:28.53 22 Component cooling pump starts, 23 HPSI pump all start.
15:28.54 21 & 22 Boric acid pumps, 21/22/23 IRU, 24 CAC Fan all start.
15:28.57 ESFAS SGIS A & B Actuation.
15:28.59 Letdown secured. 2A & 2B EDG start.
15:29.00 21 & 22 MSIVs shut (with the MSIVs shut due to the SGIS actuation, the TBVs are no longer contributing to the excess steam demand event. For approximately the next seven minutes the RCS continues to cooldown at a rate of approximately 160°F/hr.)
15:29.13 Pressurizer level goes off-scale low.
15:32.15 21B & 22A RCP secured in accordance with RCP Trip Strategy for SIAS actuation.
15:37.00 The Quick Open Dump Signal from RRS is removed from both ADVs when the TBO shifts the hand transfer valves in the 45’ switchgear room to align ADV control to 2C43. Over the next 32 minutes, an RCS heatup at approximately 57°F/hr takes place until RCS cold leg temperatures are restored to 515°F.
15:39.50 Pressurizer level returns to scale
15:47.30 The operating crew reduces AFW flow to each S/G from 300 gpm to 150 gpm.
Summary of EOP-0, Post Trip Immediate Actions:
Safety Function Status
Reactivity Control - Complete
Vital Auxiliaries - Complete
RCS Pressure and Inventory Control - Not Met
Core and RCS Heat Removal - Not Met
Containment Environment - Complete
Rad Levels External to Containment - Complete
Safety System Actuations
AFAS - Verified
SIAS - Verified
SGIS - Verified
15:55.00 EOP-1, Reactor Trip, is implemented from EOP-0. Upon entry, the crew recognizes the high RCS pressure and the rapidly rising pressurizer level and prepares to take stabilizing actions.
15:56.00 The RO takes manual control of the Main Spray Controller, 2HIC100, (which has been greatly reduced due to only having one RCP operating in the spray line loops) and places the output at approximately 30-35% to stop the RCS pressure rise at 2335 psia. Subsequent minor manual Main Spray Controller manipulations result in a stable RCS pressure at around 2318 psia. Note - the main spray valves, 1CV100E and 1CV100F, did not start to open until 2300 psia (based on a pressurizer controller setpoint of 2250 psia).
15:58.00 Due to the insurge from the RCS heatup, along with approximately 4100 gallons of injection from the Charging system, Pressurizer level has reached ~210” and the Pressurizer temperature has reached a minimum value of 514°F (saturation for 771 psia).
15:59.00 The Pressurizer insurge continues as full Charging is still present at 128 GPM and the 57°F/hr RCS heatup continues. At this point, due to the large volume of “cold” water in the Pressurizer and the lack of full heater capability, RCS pressure begins to rapidly drop from ~2318 to ~1800 psia over the next 22 minutes.
16:01.46 22 & 23 charging pump are secured (H/S placed in PTL).
16:05.00 Based on Operator recall, the Main Spray Controller, 2HIC100, output signal is lowered from 30 – 35% to approximately -2% (although 2HIC100 can be driven to an output as low as -20%, an output of 0% should represent a signal at which both Main Spray valves are full shut).
16:06.50 21 Charging pump is secured.
16:08.00 The RCS heatup is temporarily secured per the operating crew’s decision to hold RCS cold leg temperature at 515°F.
16:09.00 Based on Operator recall, both Pressurizer Proportional Heaters are returned to AUTO and Backup Heaters 22 and 24 are placed in ON. Backup Heater 24 only has a capacity of 225 KW (normal capacity is 300 KW) due to a previous CMF that had one bank of heaters removed from service. Backup Heaters 21 and 23 can not be returned to service at this time due to the active SIAS signals.
16:17.28 SIAS A is reset remotely from the Control Room. SIAS B can not be reset from the Control Room due to a problem with the reset pushbutton.
16:27.36 SIAS B is reset locally from the Cable Spreading Room.
16:33.35 21 Charging Pump is started per OI-2A in an effort to restore Letdown to restore Pressurizer level. For approximately the next five minutes, the Operating Crew attempts to restore Letdown, but problems associated with the Control Room position indication for one of the Letdown isolation valves, 2-CV-516, delays the successful restoration.
16:38.50 21 Charging Pump is secured when the Operating Crew believes that the Letdown isolation valve, 2-CV-516, is not opening when attempts are made using the hand switch.
16:39.00 Based on Operator recall, Pressurizer Backup Heaters 21 and 23 are restored and placed in ON now that SIAS has been reset and both heater breakers have been closed locally.
16:45.30 A second heatup of the RCS at approximately 35°F/hr is commenced to return RCS cold leg temperatures to the EOP-1 acceptable range of 525 - 535°F. The heatup and resulting Pressurizer insurge contributes to RCS pressure lowering from ~1800 psia to ~1750 psia over the next 30 minutes. The combination of Letdown and the RCS heatup result in the RCS Pressure lowering to 1750 psia and a second SIAS actuation.
16:48.29 21 Charging pump is started per OI-2A in a second effort to restore Letdown to restore pressurizer level.
16:48.40 Letdown is successfully placed in service and raised to approximately 105 gpm over the next nine minutes.
16:57.23 Letdown is maintained between 100 & 115 gpm until about 17:14.34.
17:04.00 Per CRS/SM direction, the RO lowers the Main Spray Controller, 2HIC100, output signal to -20% (lowest possible output signal) to ensure that the Main Spray valves are fully closed in an attempt to minimize any leakby on the valves.
17:14.34 Letdown flow is reduced to ~70 GPM as the Operating Crew recognizes that RCS pressure is steadily lowering and re-approaching the SIAS setpoint.
17:18.01 ESFAS SIAS B actuation (lose capability to use pressurizer backup heater 23).
17:18.02 ESFAS SIAS A actuation (lose capability to use pressurizer backup heater 21).
17:20.53 21 charging pump is secured.
17:49.00 After using procedure guidance from EOP-4 and blocking SIAS, the Operating Crew resets SIAS A remotely from the Control Room. The decision to block and reset SIAS is made in order to recover full Pressurizer heater capability in an attempt to restore RCS pressure which has remained between 1750 and 1780 psia for the previous 50 to 60 minutes.
17:53.29 SIAS B is reset locally from the Cable Spreading Room.
17:58.00 Based on Operator recall, Pressurizer Backup Heaters 21 and 23 are restored and placed in ON now that SIAS has again been reset and both heater breakers have been closed locally. The Operating Crew now has full Pressurizer heater output. The Operating Crew decides to not attempt to reinitiate Charging and Letdown until RCS pressure reaches 2100 psia in order to assure that another RCS depressurization does not occur.
18:22.00 Based on Operator recall, the Main Spray Controller, 2HIC100, is returned to automatic control.
18:25.00 SGIS is reset using guidance from EOP-3.
18:29.20 AFAS A & B are reset in accordance with OI-32B.
18:32.29 21 Charging pump is started in preparation for restoring letdown.
18:33.35 Charging and Letdown is restored in attempt to return Pressurizer level to the EOP-1 acceptable band of 130 to 180”. Letdown is established at approximately 45 – 50 GPM.
19:26.00 The Operating Crew exits EOP-1 and implements OP-2 and OP-4.
19:30.00 The 21B and 22A RCPs are restarted in accordance with OI-1A. The 21 AFW pump is secured.
19:50.00 Both MSIVs are reopened in accordance with OP-2.
19:55.00 Secured 21 AFW pump.
20:00.00 RCS parameters have reached normal post-trip levels and are considered steady state.
Appendix B
Event Tree and Fault Tree Figures
[Event tree graphic not reproduced. LOMFW - Calvert Cliffs 1 & 2 loss of main feedwater transient, 2006/05/25. Top events: IE-LOMFW (loss of main feedwater), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seal integrity maintained), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD.]
Figure 1. Event tree for loss of main feedwater transient.
[Event tree graphic not reproduced. TRANS - Calvert Cliffs 1 & 2 general plant transient, 2006/05/03. Top events: IE-TRANS (general plant transient), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seal integrity maintained), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD.]
Figure 2. Event tree for general plant transient.
[Event tree graphic not reproduced. LOOP - Calvert Cliffs 1 & 2 loss of offsite power, 2006/05/03. Top events: IE-LOOP (loss of offsite power), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), EPS (emergency power), AFW (auxiliary feedwater), PORV (PORVs are closed), LOSC (RCP seal cooling maintained), HPI (high pressure injection), OTC (once through cooling), OPR-02H (offsite power recovery in 2 hrs), OPR-06H (offsite power recovery in 6 hrs), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC-3, OTC-4, OTC-5, SGC-ESD.]
Figure 3. Event tree for loss of offsite power.
[Event tree graphic not reproduced. LOCHS - Calvert Cliffs 1 & 2 loss of condenser heat sink transient, 2006/05/03. Top events: IE-LOCHS (loss of condenser heat sink), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seal integrity maintained), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD.]
Figure 4. Event tree for loss of condenser heat sink transient.
[Event tree graphic not reproduced. SGTR - Calvert Cliffs 1 & 2 steam generator tube rupture, 2006/05/03. Top events: IE-SGTR (steam generator tube rupture), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), HPI (high pressure injection), OTC (once through cooling), RCS-SG (operator depress RCS to < SGRV), DEP-REC (operator depress after SGRV lift), SG-DEP (primary side hardware to depress RCS to < SGRV), SGISOL (ruptured SG isolated), THROTTLE (throttle HPI to reduce pressure), RCS-DEP (secondary side to depress RCS to SDC conditions), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD, SGC04, RCS-SG1, SGISOL1.]
Figure 5. Event tree for steam generator tube rupture.
[Event tree graphic not reproduced. LDC11 - Calvert Cliffs 1 & 2 loss of vital dc bus 11, 2006/05/03. Top events: IE-LDC11 (loss of DC bus 11), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), AFW (auxiliary feedwater), PORV (PORVs are closed), RCPSL (RCP seal integrity), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD.]
Figure 6. Event tree for loss of vital dc bus 11.
[Event tree graphic not reproduced. SLOCA - Calvert Cliffs 1 & 2 small LOCA, 2006/05/03. Top events: IE-SLOCA (small LOCA), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), LPI (low pressure injection), SDC (shutdown cooling), HPR (high pressure recirc), LPR (low pressure recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD, SSC01.]
Figure 7. Event tree for small LOCA.
[Event tree graphic not reproduced. LOCCW - Calvert Cliffs 1 & 2 loss component cooling water, 2006/05/03. Top events: IE-LOCCW (loss of component cooling water), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seals survive loss of cooling), CCWR (CCW recovery), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD, SGC02, PORV03, RCPSL02.]
Figure 8. Event tree for loss of component cooling water.
[Event tree graphic not reproduced. LOIAS - Calvert Cliffs 1 & 2 loss of instrument air system transient, 2006/05/03. Top events: IE-LOIAS (loss of instrument air system), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seal integrity maintained), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD.]
Figure 9. Event tree for loss of instrument air system transient.
[Event tree graphic not reproduced. LOSWS - Calvert Cliffs 1 & 2 loss of salt water system, 2006/05/03. Top events: IE-LOSWS (loss of salt water system), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seals survive loss of cooling), SWSR (SWS recovery), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). Other labels in the figure: Both Closed, One Open, Both Open, OTC3, OTC4, OTC5, SGC-ESD, SGC01, PORV02, RCPSL01.]
Figure 10. Event tree for loss of salt water system.
[Fault tree graphic not reproduced. ESD - EXCESS STEAM DEMAND (ADVs & TBVs), 2005/08/04. Top event ESD; basic event ESD-BE (excessive steam demand event occurs), 1.000E-4.]
Figure 11. Fault tree for excess steam demand.
[Fault tree graphic not reproduced. MSIV - MAIN STEAM ISOLATION VALVES, 2005/08/04. Top event MSIV (MSIVs closed); basic event MSIV-SUC-BE (MSIVs actually close), 9.960E-1.]
Figure 12. Fault tree for main steam isolation valves closed.
[Fault tree graphic not reproduced. MSIV-1 - ONE MSIV FAILS TO CLOSE, 2005/08/04. Top event MSIV-1 (one MSIV fails to close); basic events MSS-MSIV-OO-HV11 (MSIV HV11 fails to close), 1.520E-3, and MSS-MSIV-OO-HV12 (MSIV HV12 fails to close), 1.520E-3.]
Figure 13. Fault tree for one MSIV closed.
[Fault tree graphic not reproduced. MSIV-2 - BOTH MSIVS FAIL TO CLOSE, 2005/08/04. Top event MSIV-2 (both MSIVs fail to close); inputs MSS-MSIV-CF-CLOSE (CCF of MSIVs to close), 4.636E-5, and MSIV-2-1 (independent failures of MSIVs to close) with MSS-MSIV-OO-HV11 (MSIV HV11 fails to close), 1.520E-3, and MSS-MSIV-OO-HV12 (MSIV HV12 fails to close), 1.520E-3.]
Figure 14. Fault tree for when both MSIVs fail to close.
[Fault tree graphic not reproduced. SGBLOCK - ONE AFW FLOW PATH BLOCKED, 2005/08/01. Top event SGBLOCK (one AFW flow path blocked); basic event AFW-BLOCK (AFW block fails on demand), 1.540E-4.]
Figure 15. Fault tree for one AFW flow path blocked.
[Fault tree graphic not reproduced. OTC3 - ONCE-THROUGH COOLING, 2006/05/24. Top event OTC3 (once-through cooling); inputs BLEED (failure to provide bleed portion of F&B cooling), 1.000E+0; HPI (no or insufficient HPI flow), 1.000E+0; HPI-XHE-XM-OTC3 (failure to initiate OTC with both MSIVs successfully closed), 4.000E-2.]
Figure 16. Fault tree for once-through cooling when both MSIVs close on demand.
[Fault tree graphic not reproduced. OTC4 - FAILURE OF OTC WITH ONE MSIV STILL OPEN, 2005/08/18. Top event OTC4 (failure of OTC with one MSIV still open); inputs HPI-XHE-XM-OTC4 (failure to initiate OTC with one MSIV open), 9.000E-2; BLEED (failure to provide bleed portion of F&B cooling), 1.000E+0; HPI (no or insufficient HPI flow), 1.000E+0.]
Figure 17. Fault tree for once-through cooling when only one MSIV closes on demand.
[Fault tree graphic not reproduced. OTC5 - FAILURE TO INIT OTC WITH BOTH MSIVS OPEN, 2005/08/18. Top event OTC5 (failure to initiate OTC with both MSIVs open); inputs HPI-XHE-XM-OTC5 (failure to initiate OTC with both MSIVs open), 2.000E-1; BLEED (failure to provide bleed portion of F&B cooling), 1.000E+0; HPI (no or insufficient HPI flow), 1.000E+0.]
Figure 18. Fault tree for once-through cooling when both MSIVs fail to close on demand.
[Fault tree graphic not reproduced. SGC-ESD - STEAM GENERATOR COOLING IS UNAVAILBLE, 2006/05/24. Top event SGC-ESD; inputs MFW (main feedwater cooling is unavailable) and AFW-ESD (insufficient AFW flow from Unit 1 AFW system).]
Figure 19. Fault tree for steam generator cooling.
[Fault tree graphic not reproduced. AFW-ESD - INSUFFICIENT AFW FLOW FROM UNIT 1 AFW SYSTEM, 2006/05/24. Top event AFW-ESD; inputs AFW-SG-11-ESD (steam generator 11 is unavailable) and AFW-SG-12-ESD (steam generator 12 is unavailable).]
Figure 20. Fault tree for AFW flow from Unit 1 AFW system.
[Fault tree graphic: top event AFW-SG-11-ESD, steam generator 11 is unavailable.]
Figure 21. Fault tree for steam generator 11 cooling.
[Fault tree graphic: top event AFW-SG-12-ESD, steam generator 12 is unavailable.]
Figure 22. Fault tree for steam generator 12 cooling.
[Fault tree graphic: top event AFW-TDP-11-ESD, AFW TDP 11 is unavailable.]
Figure 23. Fault tree for AFW TDP 11 flow.
[Fault tree graphic: top event AFW-TDP-12-ESD, AFW TDP-12 is unavailable.]
Figure 24. Fault tree for AFW TDP 12 flow.
Appendix C
Plant Response to Excessive Steam Demand
¹ Letter from Mr. J. A. Spina to NRC (Document Control Center), “Response to Preliminary Accident Sequence Precursor (ASP) Analysis for the Unit 2 January 2004 Operational Event,” March 31, 2006.
The preliminary event assessment was performed using a conservative assumption such that auxiliary feedwater (AFW) alone cannot provide sufficient steam generator (SG) cooling to prevent core damage in the following two cases of an excessive steam demand (ESD) event:
1) Both MSIVs fail to close upon Steam Generator Isolation Signals (SGIS), and
2) Only one MSIV succeeds to close upon SGIS.
In the first case, it was assumed that the ESD event is not recovered; namely, TBVs are not automatically closed by an interlock signal upon loss of condenser vacuum approximately half an hour into the transient due to failure of condenser air removal units on loss of service water as a result of Safety Injection Actuation Signals (SIAS), nor manually closed by the operators. In the second case, it was assumed that the AFW flow path to the affected SG is not properly blocked. Note that SG cooling by AFW and thereby prevention of core damage was credited in the preliminary event assessment, only in the case where the AFW flow path to the affected SG is properly blocked. The event assessment with the aforementioned conservative assumptions resulted in a conditional core damage probability (CCDP) of 1.2 x 10^-5 (i.e., low yellow).
A peer review of this preliminary event assessment was conducted by Constellation Energy operating CCNPP.¹ During this review process, a simulator run was made with the quick open signal failing to clear and with the MSIVs failing to close on SGIS in order to evaluate plant response and operator actions. The simulation results (Figure C.1) indicate the following:
1. Upon receipt of Auxiliary Feedwater Actuation Signals (AFAS), all the AFW pumps were initially started. The turbine-driven AFW pumps functioned until steam pressure dropped to approximately 50 psia in the steam generators and they were secured at this point. Auxiliary feedwater flow, using the motor-driven AFW pump, was maintained during the entire transient after the AFAS actuation.
2. During the first 15~20 minutes into the transient, the High Pressure Safety Injection System (HPSI) provided significant flow into the Reactor Coolant System (RCS) following SIAS actuation.
3. The reactor core was not uncovered. There was an indication of lowering reactor coolant level as observed on the Reactor Vessel Level Monitoring System in the 5 to 12 minute time frame. At the lowest point, there was approximately 7 feet of water above the active fuel.
4. The RCS temperature leveled out above 350 °F.
5. Pressure in the RCS leveled out at approximately 1000 psia. Pressure was controlled using operator actions to secure HPSI flow, charging flow, and pressurizer heaters. Auxiliary spray was also used to maintain pressure.
6. For purposes of simulation, the TBVs remained open. However, the TBVs will be closed on a loss of condenser vacuum which is expected to take place about half an hour into the transient because the condenser air removal units will fail on loss of service water as a result of the SIAS generation, as mentioned earlier.
In short, the most important conclusion from the simulator run is that auxiliary feedwater can successfully prevent core uncovery without once through cooling (OTC). However, the simulation results show that wide range SG level in both SGs drops to approximately -400 inches within the first 10 minutes into the transient and remains at this very low level for the entire time period shown by the results (i.e., ~30 minutes). Given the fact that auxiliary feedwater kept on injecting into the SGs and the core continuously cooled down, the water in the shell side of the SGs remaining at such a low level implies that the RCS heat was removed primarily by the injected AFW flashing into steam.
In view of the significance of properly understanding the plant behavior expected in the event of an excess steam demand, an independent thermal hydraulic (T/H) analysis was also performed using the Calvert Cliffs RELAP-5 model² for the following cases involving failure of both MSIVs upon SGIS:
1) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves)
2) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves) and a single Safety Relief Valve (SRV) in each SG
3) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves) and all SRVs in each SG
² The RELAP-5 model for Calvert Cliffs, originally developed in the early 1980s by EG&G Idaho, was updated in 2001 as part of the NRC’s Pressurized Thermal Shock (PTS) Rebaselining Study to reflect the current plant configurations and operating procedures, including system setpoints and control logic.
In the first case (Figure C.2), the water level drops to a minimum of about -320 inches and AFW is able to recover SG water level. In the second case, the water level drops to a minimum of about -370 inches and again, AFW is able to recover SG water level. Finally, in case 3, the water level drops completely (no water left in the SGs) and again, AFW is able to recover SG water level, establishing SG cooling and consequently preventing core damage. Hence, the independent T/H analysis also points out that AFW (300 gpm per SG) can recover SG level because the primary water is relatively cool due to the RCS overcooling caused by the ESD and the declining decay heat.
Note that there are several discrepancies between the simulator runs and the RELAP-5 runs, among others:
• The SG level drops below -350 inches (a triggering condition for OTC in the emergency operating procedures) within 10 minutes according to the simulator run; however, the RELAP-5 run (the first case) shows that the SG level decreases only down to -320 inches in about 15 minutes into the transient.
• The SG level is recovered by AFW after ~45 minutes as per the RELAP-5 run, but levels out at approximately -400 inches as per the simulator run.
In spite of these differences in the SG level prediction, both T/H analyses (i.e., by the plant simulator and the independent RELAP-5 model) conclude that AFW can prevent core damage without OTC. Therefore, the updated event assessment presented herein was carried out taking into account this conclusion.
Figure C.1 Simulator run for excessive steam demand with both MSIVs failing to close
Figure C.2 RELAP-5 run for excessive steam demand with both MSIVs failing to close
Appendix D
Human Performance Modeling
¹ HPI-XHE-XM-OTC3 is similar to human error event HPI-XHE-XM-FB (Operator fails to initiate feed and bleed cooling) in the original SPAR model for CCNPP which assumes that an excessive steam demand event does not occur. Because both MSIVs will close upon the SGIS within about 2-3 minutes following the ESD, the human performance requirements for HPI-XHE-XM-OTC3 and HPI-XHE-XM-FB are considered to be almost identical (i.e., the same performance shaping factors for both cases), and as a result, the same human error probability was estimated for these human actions.
² Example EOPs requiring OTC include: 1) Contingency Action 31.1 in the HR-1 Functional Recovery Guideline, 2) Contingency Action 9.1 in the Loss of All Feedwater Recovery Guideline, and 3) Contingency Action 19.1 in the Excess Steam Demand Recovery Guideline.
³ NRC Special Inspection (SI) Team Report, EA-04110, “Calvert Cliffs Nuclear Power Plant, Unit 1 and Unit 2 - NRC Inspection Report 05000317/2004008 and 05000318/2004008,” July 29, 2004.
The event assessment necessitates evaluating the human actions required to initiate once through cooling (OTC) under various circumstances relevant to the MSIV performance upon actuation of Steam Generator Isolation Signals (SGIS): 1) both MSIVs succeed to close, 2) only one MSIV succeeds to close, and 3) both MSIVs fail to close. The corresponding human actions are modeled in terms of human error events HPI-XHE-XM-OTC3,¹ HPI-XHE-XM-OTC4, and HPI-XHE-XM-OTC5, respectively.
It was assumed in evaluating these human error events that a significant amount of diagnosis activity would not be required for the operators to identify the need to initiate OTC, because the operators are typically familiar with the requirement of emergency operating procedures (EOPs) such that OTC should be initiated when wide range SG level in both SGs reaches -350 inches or the RCS cold leg temperature (i.e., TC) rises uncontrollably 5 °F or greater².
A summary of the human performance evaluation is provided in Table D.1 with the quantified human error probabilities (HEPs) in the last column. More details can be found in the SPAR-H worksheets of this appendix.
Table D.1 shows that three different types of performance shaping factors (i.e., time, stress, and complexity) were adjusted to capture the increased failure probability for the OTC human actions. In particular, it may be noted that higher complexity was applied to actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 as compared to action HPI-XHE-XM-OTC3; the reason is discussed below.
Human factors and procedural issues were identified at Calvert Cliffs during the inspection for the excess steam demand event. In particular, the inspection report³ indicates that:
“Calvert Cliffs has increased the time allowed to execute EOP-0, to allow the operators to concurrently implement procedure steps from other EOPs, without executing the entire EOP. Calvert Cliffs allows this practice while in EOP-0, so that key plant parameters can be restored to normal operating bands. This philosophy resulted in the operators performing actions using knowledge-based skills as opposed to procedure-base skills during high stress condition. This practice significantly increased the potential for operator errors, and in the case of the January 23, 2004 event, it resulted in improper transitions in the EOP procedures.”
⁴ Idaho National Engineering and Environmental Laboratory, “The SPAR-H Human Reliability Analysis Method,” INEEL/EXT-02-01307, May 2004.
Especially because of the operational practice which was in place at Calvert Cliffs during the event (i.e., performing actions using knowledge-based skills as opposed to procedure-based skills), actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 for the cases where at least one MSIV failed to close are expected to be more difficult to perform, as compared to action HPI-XHE-XM-OTC3 for the case where both MSIVs successfully closed upon SGIS.
In addition, actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 are determined to be more complex than action HPI-XHE-XM-OTC3 to perform particularly because of multiple faults, multiple equipment unavailable, and more likelihood of parallel tasks and transitioning between multiple procedures due to an increased possibility of not satisfying safety functions (see Section 2.4.4.3 of the SPAR-H report⁴).
Finally, it is also notable that the OTC human actions were modeled as not requiring a significant amount of diagnosis activity even though the Calvert Cliffs Unit 2 operators actually mis-diagnosed plant conditions during their response to the ESD event, because:
a) The term diagnosis in the SPAR-H method generally has to do with attributing the most likely causes of the abnormal event to the level required to identify those systems or components whose status can be changed to reduce or eliminate the problem.
b) The operators mis-diagnosed the actual plant conditions; however, this mis-diagnosis relates to not the OTC human actions, but other actions to return the key plant parameters to normal operating bands.
c) In the actual event, the operators did not need to diagnose in connection with OTC, since the OTC operation was not required due to the early termination of the ESD by the automatic closure of both MSIVs about one minute after the reactor trip, and the subsequent SG cooling by the motor-driven AFW pump and the ADVs.
Table D.1 Summary of human performance evaluation
Note: Each of these human error events involves multiple (i.e., 3 or more) non-nominal PSFs, and therefore, the human error probabilities (HEPs) were calculated by applying an adjustment factor in accordance to the formula provided in the SPAR-H report in order to represent the composite PSF influence.

Performance Shaping Factors (PSFs) and HEP per human error event:
Human error event  Time  Stress  Complexity  Experience  Procedure  Ergonomics  Fitness  Work Process  HEP
HPI-XHE-XM-OTC3    10    2       2           1           1          1           1        1             4.0E-02
HPI-XHE-XM-OTC4    10    2       5           1           1          1           1        1             9.0E-02
HPI-XHE-XM-OTC5    10    5       5           1           1          1           1        1             2.0E-01

Description of each human error event:
HPI-XHE-XM-OTC3: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs succeed to close upon SGIS)
HPI-XHE-XM-OTC4: Operator fails to initiate once through cooling (given excessive steam demand and only one MSIV closes upon SGIS)
HPI-XHE-XM-OTC5: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs fail to close upon SGIS)
SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Calvert Cliffs 1 & 2
Event Name: HPI-XHE-XM-OTC3
Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs succeed to close upon SGIS)
Does this task contain a significant amount of diagnosis activity? YES / NO ✓
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.
Columns: PSFs; PSF Levels (Multiplier for Diagnosis); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Barely adequate < 20 m (10); Nominal ≈ 30 m (1); Extra > 60 m (0.1); Expansive > 24 h (0.01)
2. Stress: Extreme (5); High (2); Nominal (1)
3. Complexity: Highly (5); Moderately (2); Nominal (1)
4. Experience/Training: Low (10); Nominal (1); High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1); Diagnostic/symptom oriented (0.5)
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1)
8. Work Processes: Poor (2); Nominal (1); Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.
Columns: PSFs; PSF Levels (Multiplier for Action); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Time available ≈ time required (10) ✓; Nominal (1); Available > 50x time required (0.01). Reason: It is assumed there is just enough available time for the operators to initiate feed and bleed cooling.
2. Stress: Extreme (5); High (2) ✓; Nominal (1). Reason: It is assumed that the stress level is greater than nominal.
3. Complexity: Highly (5); Moderately (2) ✓; Nominal (1). Reason: It is assumed that the complexity level is greater than nominal.
4. Experience/Training: Low (3); Nominal (1) ✓; High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1) ✓
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1) ✓; Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) ✓
8. Work Processes: Poor (2); Nominal (1) ✓; Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion  Nom. Prob.  Time  Stress  Compl.  Exper./Train.  Proced.  Ergon.  Fitness  Work Process  Prob.
Diag.         N/A
Action        1.0E-3      x 10  x 2.0   x 2.0   x 1.0          x 1.0    x 1.0   x 1.0    x 1.0         4.0E-2 (a)
Total                                                                                                  4.0E-2
a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.
SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.
Columns: Condition Number; Crew (same or different); Location (same or different); Time (close in time or not close in time); Cues (additional or not additional); Dependency
Condition Number  Crew  Location  Time  Cues  Dependency
1                 s     s         c     –     complete
2                 s     s         nc    na    high
3                 s     s         nc    a     moderate
4                 s     d         c     –     high
5                 s     d         nc    na    moderate
6                 s     d         nc    a     low
7                 d     s         c     –     moderate
8                 d     s         nc    na    low
9                 d     s         nc    a     low
10                d     d         c     –     moderate
11                d     d         nc    na    low
12                d     d         nc    a     low
13                                            zero ✓
Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0
For High Dependence the probability of failure = (1 + P)/2
For Moderate Dependence the probability of failure = (1 + 6P)/7
For Low Dependence the probability of failure = (1 + 19P)/20
✓ For Zero Dependence the probability of failure = P
Task Failure Probability With Formal Dependence = (1 + (___ * ___)) / ___ = 4.0E-2
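The Table D.1 note and the Table 3 footnote refer to a SPAR-H adjustment for three or more non-nominal PSFs without printing it, and Table 4 lists the dependence formulas. The following Python sketch is an added example, not part of the original report: it assumes the composite-PSF adjustment HEP = NHEP x PSF / (NHEP x (PSF - 1) + 1) from the SPAR-H method report, and its function and variable names are illustrative.

```python
"""SPAR-H action HEPs for the three OTC events (added example, not report code)."""
from math import prod

NOMINAL_ACTION_HEP = 1.0e-3  # "Nom. Prob." on the Action row of Table 3

# All eight PSFs at their nominal multiplier of 1.
NOMINAL_PSFS = {"time": 1, "stress": 1, "complexity": 1, "experience": 1,
                "procedures": 1, "ergonomics": 1, "fitness": 1, "work_process": 1}

# Multipliers selected on the three action worksheets (same values as Table D.1).
EVENTS = {
    "HPI-XHE-XM-OTC3": {**NOMINAL_PSFS, "time": 10, "stress": 2, "complexity": 2},
    "HPI-XHE-XM-OTC4": {**NOMINAL_PSFS, "time": 10, "stress": 2, "complexity": 5},
    "HPI-XHE-XM-OTC5": {**NOMINAL_PSFS, "time": 10, "stress": 5, "complexity": 5},
}

# HEPs as printed in Table D.1, used only to cross-check the calculation.
TABLE_D1_HEP = {"HPI-XHE-XM-OTC3": 4.0e-2,
                "HPI-XHE-XM-OTC4": 9.0e-2,
                "HPI-XHE-XM-OTC5": 2.0e-1}


def action_hep(psfs, nominal=NOMINAL_ACTION_HEP):
    """Task failure probability without formal dependence (Table 3, Action row)."""
    if any(m <= 0 for m in psfs.values()):
        raise ValueError("PSF multipliers must be positive")
    composite = prod(psfs.values())
    non_nominal = sum(1 for m in psfs.values() if m != 1)
    if non_nominal >= 3:
        # Assumed adjustment formula (SPAR-H method report, not printed on the
        # page): keeps the result below 1.0 however large the composite gets.
        return nominal * composite / (nominal * (composite - 1) + 1)
    # Fewer than three non-nominal PSFs: plain product, capped at certainty.
    return min(1.0, nominal * composite)


def with_dependence(p, level):
    """Apply the Table 4 dependence formulas to P (probability without dependence)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("P must be a probability")
    formulas = {
        "complete": 1.0,
        "high": (1 + p) / 2,
        "moderate": (1 + 6 * p) / 7,
        "low": (1 + 19 * p) / 20,
        "zero": p,  # the level checked on all three worksheets
    }
    if level not in formulas:
        raise ValueError(f"unknown dependence level: {level}")
    return formulas[level]


def one_sig_fig(x):
    """Round to one significant figure, the precision Table D.1 reports."""
    return float(f"{x:.0e}")


def summary():
    """Per event: unadjusted product, adjusted HEP, and agreement with Table D.1."""
    rows = {}
    for name, psfs in EVENTS.items():
        hep = action_hep(psfs)
        rows[name] = {
            "unadjusted": NOMINAL_ACTION_HEP * prod(psfs.values()),
            "adjusted": hep,
            "matches_table": one_sig_fig(hep) == TABLE_D1_HEP[name],
            "if_high_dependence": with_dependence(hep, "high"),
        }
    return rows


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name}: product={row['unadjusted']:.3f} "
              f"adjusted={row['adjusted']:.4f} "
              f"matches Table D.1={row['matches_table']} "
              f"(high dependence would give {row['if_high_dependence']:.3f})")
```

The adjustment matters most for HPI-XHE-XM-OTC5, where the plain product of multipliers is 0.25 and the adjusted value is about 0.20; with zero dependence selected, the worksheet totals equal the adjusted action HEPs.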
SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Calvert Cliffs 1 & 2
Event Name: HPI-XHE-XM-OTC4
Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and only one MSIV closes upon SGIS)
Does this task contain a significant amount of diagnosis activity? YES / NO ✓
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.
Columns: PSFs; PSF Levels (Multiplier for Diagnosis); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Barely adequate < 20 m (10); Nominal ≈ 30 m (1); Extra > 60 m (0.1); Expansive > 24 h (0.01)
2. Stress: Extreme (5); High (2); Nominal (1)
3. Complexity: Highly (5); Moderately (2); Nominal (1)
4. Experience/Training: Low (10); Nominal (1); High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1); Diagnostic/symptom oriented (0.5)
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1)
8. Work Processes: Poor (2); Nominal (1); Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.
Columns: PSFs; PSF Levels (Multiplier for Action); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Time available ≈ time required (10) ✓; Nominal (1); Available > 50x time required (0.01). Reason: It is assumed there is just enough available time for the operators to initiate feed and bleed cooling.
2. Stress: Extreme (5); High (2) ✓; Nominal (1). Reason: It is assumed that the stress level is greater than nominal.
3. Complexity: Highly (5) ✓; Moderately (2); Nominal (1). Reason: It is assumed that the complexity level is much higher than nominal due to the sustained excessive steam demand through the open MSIV and TBVs.
4. Experience/Training: Low (3); Nominal (1) ✓; High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1) ✓
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1) ✓; Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) ✓
8. Work Processes: Poor (2); Nominal (1) ✓; Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion  Nom. Prob.  Time  Stress  Compl.  Exper./Train.  Proced.  Ergon.  Fitness  Work Process  Prob.
Diag.         N/A
Action        1.0E-3      x 10  x 2.0   x 5.0   x 1.0          x 1.0    x 1.0   x 1.0    x 1.0         9.0E-2 (a)
Total                                                                                                  9.0E-2
a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.
SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.
Columns: Condition Number; Crew (same or different); Location (same or different); Time (close in time or not close in time); Cues (additional or not additional); Dependency
Condition Number  Crew  Location  Time  Cues  Dependency
1                 s     s         c     –     complete
2                 s     s         nc    na    high
3                 s     s         nc    a     moderate
4                 s     d         c     –     high
5                 s     d         nc    na    moderate
6                 s     d         nc    a     low
7                 d     s         c     –     moderate
8                 d     s         nc    na    low
9                 d     s         nc    a     low
10                d     d         c     –     moderate
11                d     d         nc    na    low
12                d     d         nc    a     low
13                                            zero ✓
Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0
For High Dependence the probability of failure = (1 + P)/2
For Moderate Dependence the probability of failure = (1 + 6P)/7
For Low Dependence the probability of failure = (1 + 19P)/20
✓ For Zero Dependence the probability of failure = P
Task Failure Probability With Formal Dependence = (1 + (___ * ___)) / ___ = 9.0E-2
SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Calvert Cliffs 1 & 2
Event Name: HPI-XHE-XM-OTC5
Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs fail to close upon SGIS)
Does this task contain a significant amount of diagnosis activity? YES / NO ✓
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.
Columns: PSFs; PSF Levels (Multiplier for Diagnosis); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Barely adequate < 20 m (10); Nominal ≈ 30 m (1); Extra > 60 m (0.1); Expansive > 24 h (0.01)
2. Stress: Extreme (5); High (2); Nominal (1)
3. Complexity: Highly (5); Moderately (2); Nominal (1)
4. Experience/Training: Low (10); Nominal (1); High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1); Diagnostic/symptom oriented (0.5)
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1)
8. Work Processes: Poor (2); Nominal (1); Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.
Columns: PSFs; PSF Levels (Multiplier for Action); If non-nominal PSF levels are selected, please note specific reasons in this column
1. Available Time: Inadequate (1.0, note a); Time available ≈ time required (10) ✓; Nominal (1); Available > 50x time required (0.01). Reason: It is assumed there is just enough available time for the operators to initiate feed and bleed cooling.
2. Stress: Extreme (5) ✓; High (2); Nominal (1). Reason: It is assumed that the stress level is much higher than nominal due to the excessive steam demand and the failure of both MSIVs to close upon SGIS.
3. Complexity: Highly (5) ✓; Moderately (2); Nominal (1). Reason: It is assumed that the complexity level is much higher than nominal due to the sustained excessive steam demand through the open MSIVs and TBVs.
4. Experience/Training: Low (3); Nominal (1) ✓; High (0.5)
5. Procedures: Not available (50); Available, but poor (5); Nominal (1) ✓
6. Ergonomics: Missing/Misleading (50); Poor (10); Nominal (1) ✓; Good (0.5)
7. Fitness for Duty: Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) ✓
8. Work Processes: Poor (2); Nominal (1) ✓; Good (0.8)
a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | N/A | | | | | | | | | |
| Action | 1.0E-3 | x 10 | x 5.0 | x 5.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | 2.0E-1 (a) |
| Total | | | | | | | | | | 2.0E-1 |

a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.
SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
Table 4. Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | – | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | – | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | – | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | – | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 ✓ | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0
For High Dependence the probability of failure = (1 + P)/2
For Moderate Dependence the probability of failure = (1 + 6P)/7
For Low Dependence the probability of failure = (1 + 19P)/20
✓ For Zero Dependence the probability of failure = P
Task Failure Probability With Formal Dependence = (1 + ( * )) / = 2.0E-1
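The arithmetic behind Tables 3 and 4 for HPI-XHE-XM-OTC5, as an added example that is not part of the original analysis. It assumes the standard SPAR-H composite-PSF adjustment, which the worksheet refers to only as a "special formula" and does not state; the function and variable names are hypothetical.

```python
from math import prod

GUARANTEED_FAILURE = float("inf")  # stands in for the "1.0 (a)" levels (Inadequate time, Unfit)

# Dependence formulas copied from the worksheet (P = probability without dependence).
DEPENDENCE = {
    "complete": lambda p: 1.0,
    "high": lambda p: (1 + p) / 2,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "low": lambda p: (1 + 19 * p) / 20,
    "zero": lambda p: p,
}

# Action PSF multipliers checked in Table 2 (nominal levels are 1).
ACTION_PSFS = {
    "time": 10, "stress": 5, "complexity": 5, "experience": 1,
    "procedures": 1, "ergonomics": 1, "fitness": 1, "work_processes": 1,
}
NOMINAL_ACTION_HEP = 1.0e-3  # "Nom. Prob." for the action portion in Table 3


def hep_without_dependence(nominal, multipliers):
    """Table 3: nominal HEP scaled by the PSF multipliers.

    Assumption (not written on the worksheet): with three or more
    non-nominal PSFs, SPAR-H replaces the plain product with
    NHEP*C / (NHEP*(C - 1) + 1), C being the composite multiplier,
    so the result cannot exceed 1.0.
    """
    values = list(multipliers.values())
    if GUARANTEED_FAILURE in values:
        return 1.0  # footnote a: failure is 1.0 regardless of other PSFs
    composite = prod(values)
    non_nominal = sum(1 for m in values if m != 1)
    if non_nominal >= 3:
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(1.0, nominal * composite)


def hep_with_dependence(p, level):
    """Table 4: apply the dependence formula for the selected level."""
    return DEPENDENCE[level](p)


if __name__ == "__main__":
    p = hep_without_dependence(NOMINAL_ACTION_HEP, ACTION_PSFS)
    print(f"plain product      : {NOMINAL_ACTION_HEP * prod(ACTION_PSFS.values()):.2E}")
    print(f"adjusted (Table 3) : {p:.1E}")
    for level in DEPENDENCE:
        print(f"{level:>8} dependence: {hep_with_dependence(p, level):.2E}")
```

The plain product of the multipliers would give 2.5E-1; the adjustment brings it to the 2.0E-1 recorded in Table 3, and zero dependence (condition 13) leaves that value unchanged.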
Additional Notes: