IR 05000461/2018092

EA-18-104 Clinton Power Station - Final Significance Determination of a White Finding with Assessment Follow-Up and Notice of Violation; NRC Inspection Report No. 05000461/2018092
ML19092A212
Person / Time
Site: Clinton
Issue date: 04/01/2019
From: Darrell Roberts
NRC/RGN-III
To: Bryan Hanson
Exelon Generation Co, Exelon Nuclear
Lambert K
References
EA-18-104 IR 2018092


Text

UNITED STATES

April 1, 2019

SUBJECT:

CLINTON POWER STATION - FINAL SIGNIFICANCE DETERMINATION OF A WHITE FINDING WITH ASSESSMENT FOLLOW-UP AND NOTICE OF VIOLATION; NRC INSPECTION REPORT NO. 05000461/2018092

Dear Mr. Hanson:

This letter provides you the final significance determination of the preliminary White finding discussed in our previous communication, dated November 6, 2018, which included Inspection Report 05000461/2018051. The preliminary finding involved an apparent violation of Title 10 of the Code of Federal Regulations (CFR) Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition B.3, concerning the failure to follow multiple procedures regarding the emergency diesel generators (EDGs). The inspection report discussing the preliminary finding can be found in the U.S. Nuclear Regulatory Commission's (NRC's) Agencywide Documents Access and Management System (ADAMS) under Accession Number ML18311A151.

At your request, a Regulatory Conference was held on November 30, 2018, to discuss your views on this issue. A copy of the handout your staff provided at the meeting was entered into ADAMS under Accession Number ML18333A333. An NRC summary of the Regulatory Conference was entered into ADAMS under Accession Number ML18355A272. During the conference, your staff described your assessment of the significance of the finding, and the corrective actions taken to resolve it, including the root cause evaluation of the finding.

Specifically, your staff agreed with the finding and violation but disagreed with the finding's preliminary determination of a White safety significance. Your staff presented their significance determination evaluation which differed from the one performed by the NRC. During the conference, the NRC staff requested additional information that your staff provided in a letter dated December 14, 2018 (ML19023A556).

After considering the information developed during the inspection, the information provided at the regulatory conference, and the supplemental information your staff submitted on December 14, the NRC has concluded that the finding is appropriately characterized as White, a finding of low to moderate safety significance. The risk quantitative estimate represents approximately a two in a million likelihood of core damage per year. The result is largely influenced by human reliability analysis and related assumptions. While the NRC considered the finding to be greater than very low safety significance (Green), the result indicates that plant operators would be very likely to be successful in mitigating the postulated event, if it occurred. This was a complex shutdown significance determination. As first stated in the preliminary significance determination, mitigation of a postulated loss of offsite power event would rely completely on operator action and decision making. For 6 days, the Division 2 emergency diesel generator was not available to respond to a loss of offsite power event. For 3 of the 6 days, no emergency diesel generators were available and if a loss of offsite power had occurred, the plant would have been in a station blackout condition. Recovery of the diesel generator, recovery of offsite power, or use of other power recovery methods were available to mitigate the postulated event and were considered in the significance determination. The NRC used best estimate assumptions as described in both the preliminary and final analyses and considered Exelon's perspectives regarding plant staffing levels, operator knowledge and training, plant procedures, and the extensive time available to mitigate the event.

The NRC performed sensitivity evaluations to understand the influence of important assumptions. The sensitivity evaluations showed a range of outcomes from very low safety significance to substantial safety significance. The sensitivity evaluations were used to confirm the best estimate outcome. Enclosure 1, to this letter, "Final Significance Determination," provides details of the NRC's risk significance determination.

The NRC has also determined that a violation of 10 CFR Part 50, Appendix B, Criterion V, and Technical Specification 3.8.2, Condition B.3, was identified for the failure to follow multiple procedures involving the emergency diesel generators. The failure to follow the applicable procedures resulted in the unavailability and inoperability of the Division 2 EDG while the Division 1 EDG was already out-of-service for planned maintenance. The violation is cited in the enclosed Notice of Violation (Notice) (Enclosure 2). The circumstances surrounding the violation were described in detail in Inspection Report 05000461/2018051. In accordance with the NRC Enforcement Policy, the Notice is considered escalated enforcement action because it is associated with a White finding.

The NRC has concluded that the information regarding the reason for the violation, the corrective actions taken and planned to correct the violation and prevent recurrence, and the date when full compliance was achieved is already adequately addressed on the docket in NRC Inspection Report 05000461/2018051. Therefore, you are not required to respond to this letter unless the description therein does not accurately reflect your corrective actions or your position.

As a result of our review of Clinton's performance, including this White finding, we have assessed Clinton Power Station to be in the Regulatory Response column of the NRC's Action Matrix, effective the third quarter of 2018. Therefore, we plan to conduct a supplemental inspection using Inspection Procedure 95001, "Inspection for One or Two White Inputs in a Strategic Performance Area," when your staff has notified us of your readiness for this inspection. This inspection procedure is conducted to provide assurance that the root cause and contributing cause of risk significant performance issues are understood, the extent of condition and the extent of cause are identified, and the corrective actions are sufficient to prevent recurrence. You have 30 calendar days from the date of this letter to appeal the staff's determination of significance for the identified White finding. Such appeals will be considered to have merit only if they meet the criteria given in Inspection Manual Chapter 0609, Attachment 2. An appeal must be sent in writing to the Regional Administrator, Region III, 2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352.

In accordance with 10 CFR 2.390 of the NRC's Rules of Practice, a copy of this letter, its enclosures, and your response, if you choose to provide one, will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html. If you choose to respond, to the extent possible, your response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the Public without redaction.

Sincerely,

/RA/

Darrell J. Roberts
Regional Administrator

Docket No. 050-00461
License No. NPF-62

Enclosures:
1. Final Significance Determination
2. Notice of Violation

cc: Distribution via LISTSERV

ML19092A212
OFC:  RIII-EICS | RIII-DRP | RIII-DRP | RIII-DRP | OE | DRA | NRR | RIII-ORA | RIII-ORA
NAME: Lambert | Kozak | Riemer | Lara | Peralta 1 | Franovich 2 | Miller 3 | Cameron | Roberts
DATE: 3/20/19 | 3/21/19 | 3/21/19 | 3/21/19 | 3/26/19 | 3/25/19 | 3/25/19 | 3/26/19 | 3/28/19

Final Significance Determination

A. Summary of Final Significance Determination

At the regulatory conference on November 30, 2018, Exelon (the licensee) discussed their perspectives on the preliminary significance determination and provided new information that the NRC had not previously considered. Other discussion topics included a recap of known areas of disagreement on assumptions for which no new information was presented. Exelon and the NRC agreed at the end of the conference that respective staff members would have a separate discussion to specify the new information that needed to be submitted for consideration in the significance determination. On December 4, 2018, the NRC staff held a conference call with Exelon to discuss five areas of new supporting information: battery life, recovery of the diesel generator/declaration of extended loss of AC power (ELAP), isolation of shutdown cooling, pressure control without injection, and the Division 3 to Division 2 cross-tie.

The NRC had also asked several questions during the conference. These questions were also communicated during the December 4 phone call. Exelon submitted the new information including answers to the NRC's questions from the regulatory conference, and a white paper documenting their positions discussed at the conference in a letter dated December 14, 2018 (ML19023A556).

The NRC considered EGC's perspectives and new information contained in the December 14th letter. This new information reduced the NRC's best estimate of the delta CDF associated with the finding from a preliminary estimate of 3.8E-6 per year to a range of 2.2E-6 per year to 1.4E-6 per year. Additional modeling of battery life, isolation of shutdown cooling and pressure control without injection lowered the delta CDF to 2.2E-6 per year. Further consideration of EDG recovery lowered the delta CDF to 1.4E-6 per year. Therefore, although the estimated risk was reduced, the final significance was determined to be White, a finding of low to moderate safety significance.

The new information led to changes to the event tree (ET) structure used to quantify the risk. This ET is shown in Figure 1 below. The top two dominant core damage sequences were Sequences 18 and 37. Sequence 18 includes: LOOP initiates, failure of the emergency diesel generators (EDG), failure to recover either of the two EDGs and offsite power, successful ELAP diagnosis, successful early reactor depressurization, failure of low pressure injection (including FLEX), failure of high pressure injection, and failure of the Division 3 to Division 2 cross-tie.

Sequence 37 includes: LOOP initiates, failure of the EDG, failure to recover either of the two EDGs and offsite power, failure to diagnose ELAP, successful early reactor depressurization, failure of high pressure injection, failure to perform the cross-tie.

After considering the information provided by Exelon, the NRC staff made changes to the detailed risk evaluation regarding recovery of the diesel generator, battery life, the isolation of the shutdown cooling and pressure control without injection. The NRC also modified the event tree to model declaration of ELAP and entry into FLEX strategies vs. remaining in the station blackout procedure.

Section B of this attachment discusses in detail the NRC's consideration of the new information provided by Exelon. Section C provides a table similar to Exelon's table of "Key Points of Disagreement" provided at the regulatory conference that summarizes NRC's final view on these points.

Enclosure 1

This was a complex shutdown significance determination. As stated in the preliminary significance determination, successful mitigation of a loss of offsite power event in the degraded plant condition that existed would depend heavily on operator action and decision making involving the interaction of various recovery strategies. Consistent with Inspection Manual Chapter (IMC) 0609 Attachment 1, "Significance and Enforcement Panel Review Process," the NRC staff performed sensitivity studies to understand the influence of important assumptions.

The sensitivity evaluations indicated a range of outcomes from very low safety significance to substantial safety significance. The sensitivity evaluations were used to confirm the best estimate outcome.

B. Consideration of EGC's new information provided in the regulatory conference and in the follow-up submittal on December 14, 2018

During the development of the preliminary significance determination, the NRC staff routinely communicated with Exelon staff and considered a sizable amount of licensee information, including Exelon's risk evaluation of the finding, CL-SDP-010, "Risk Assessment - May 2018 Outage: Division 2 DG 1B Unavailable with Division 1 Bus Unavailable," Revision 0, August 3, 2018. This section describes NRC's consideration of the new information and how it was evaluated.

Recovery of the Emergency Diesel Generator (EDG)

A change to the NRC's analysis was the addition of consideration of the licensee's ability to recover the EDG between 1 and 4 hours into the SBO event. This second 4-hour HEP was considered to have expansive time available to diagnose the cause of the EDG failure. It was determined to be dependent on the initial 1 hour HEP for the failure to recover the EDG. In the 4-hour scenario, if the closed EDG starting air valves were found, a decision would be required to either continue with FLEX alignment (or the crosstie to Division 3) or to back out of the FLEX alignment (or the crosstie) and attempt to start the Division 2 EDG. If the crew decided to back out, the operator would need to realign the plant's electrical distribution system due to changes that would be in progress from implementing either the crosstie or FLEX procedures. At the regulatory conference, the licensee emphasized rapid implementation of the cross-tie as a means to provide high assurance of recovery of AC power and suggested that it could be performed very quickly. Realigning the electrical distribution system would be necessary because either the crosstie or FLEX implementation would have begun to modify the configuration of the electrical distribution system, which would impact operation of the EDG.

This realignment is not governed by procedures or training. Modeling of EDG recovery beyond 1 hour into an SBO event is subject to significant uncertainties because of the high likelihood that other AC power strategies would be pursued, which would complicate further use of the EDG as the Division 2 power source. Varying recovery of the EDG from 1 to 4 hours results in a range of delta CDF outcomes from 2.2E-6 per year to 1.4E-6 per year.

Recovery of the EDG was a known area of disagreement prior to the regulatory conference.

Specifically, Exelon disagreed with the NRC's evaluation of the performance shaping factors (PSF) for the EDG recovery HEP. At the regulatory conference, Exelon discussed several positions already considered by the NRC and new information that was available for review.

The new information included training material, shift manager surveys, senior reactor operator (SRO) questionnaires, and a time validation. The licensee provided this information in writing via a letter dated December 14, 2018.

The written information provided by the licensee pertained to diesel generator malfunctions, including the most recent equipment operator (EO) training on the diesel generator air start flow path. It also included training on the different subsystems of the diesel generator, circuit breakers, and the auxiliary power system. Most of the material was generic and unrelated to the diesel generator air start system. The air start flow path training material provided diagrams of the air start system; however, these diagrams did not include the air receiver outlet valves that are the subject of this performance deficiency. The training covered diesel generator trips but did not specifically cover diesel generator failures, nor did it include potential repair or recovery actions. The NRC concluded that no changes were appropriate for the one-hour diesel generator operator recovery action based on the material provided.

Battery Life

The NRC's preliminary risk evaluation modeled the direct current (DC) power support function as requiring battery chargers for the batteries to complete the PRA mission based on the information provided by the licensee that battery life with load shedding was approximately 11 hours. At the regulatory conference, Exelon discussed the results of a new battery calculation. The NRC requested, and the licensee provided the calculation in the December 14 letter. The calculation showed that the battery life was longer than 11 hours and that the battery could perform its PRA function for the 24-hour PRA mission time.

The NRC did not review the licensee's battery calculation in detail; however, the NRC accepted the conclusion that the batteries could last for the PRA mission time given that the initial condition of the plant is different from the pre-existing battery calculations that assume an extended loss of AC power event occurs with the plant initially operating at-power.

The NRC modified the shutdown SPAR model by adding in a dependency on the batteries with a failure probability of approximately 8E-6. The impact of this change was to effectively eliminate losses of DC power from risk significance.

Declaration of ELAP

The NRC reviewed information presented on declaration of ELAP at 1 hour if the diesel generator had not been recovered. Specifically, the NRC reviewed the completed surveys of Clinton shift managers and completed questionnaires for 28 SROs from other stations.

The licensee stated that ELAP would not be declared at 1 hour. In reviewing the Clinton shift manager surveys, the NRC found that the shift managers were not provided the NRC postulated scenario. The Clinton shift managers were provided a scenario in which the diesel generator air start valves were identified as the cause of the diesel generator failure to start at 45 minutes into a station blackout event. The NRC is not challenging the licensee's assertion that an ELAP would not be declared if the cause of the EDG failure to start was actually known to the operators at 45 minutes. The NRC had discussed this point with licensee staff extensively prior to the regulatory conference. The NRC's risk assessment is driven by the scenario where at 1 hour the problem with the EDG has not been identified, requiring the operators to decide whether to declare an ELAP.

A second scenario presented to the Clinton shift managers in the survey also lacked information relevant to the PRA analysis. The shift managers were presented with information that offsite power would be restored within 3 hours. Although this scenario was not relevant, some of the Clinton SROs provided comments indicating that they would declare an ELAP at 1 hour if the problem with the Division 2 diesel generator had not been identified. This is the relevant PRA scenario and the responses are consistent with NRC's assumption in the risk evaluation.

The Clinton shift manager survey had a third scenario in which the diesel generator was recovered but subsequently failed for a different reason. This scenario is also not directly relevant to the NRC evaluation. However, in this scenario, the survey provided information that the technical support center (TSC) would be briefing plant personnel on performing the Division 3 cross-tie procedure and estimated that it could be completed in 3 hours. The survey asked Clinton shift managers if ELAP would be declared in this scenario. The Clinton shift managers generally responded no, ELAP would not be declared in this scenario if they had confidence in the timeline associated with the Division 3 cross-tie. An alternative scenario was provided with a timeline to implement the cross-tie that exceeded 4 hours. In the Scenario 3 alternative, Clinton shift managers indicated that ELAP would be declared.

The NRC determined that the Clinton shift manager survey results did not provide conclusive information about whether operators would declare ELAP and implement FLEX and/or attempt to implement the Division 3 cross-tie. The surveys were conducted well after the event occurred and do not reliably represent the plant response at the time of the event. The survey question postulated the TSC providing information about planning to implement the cross-tie well before 1 hour, the time at which the TSC is generally estimated to be staffed.

Throughout the NRC's review of this finding, no pre-event information (i.e., procedures or training) indicated that the availability of the Division 3 cross-tie would provide high assurance of the restoration of AC power to Division 1 or Division 2 and should be the preferred option for power recovery rather than declaring ELAP and implementing FLEX.

Other available information also supported the NRC perspective that operators would declare ELAP and implement FLEX before attempting to implement the Division 3 crosstie. The examples below are excerpts from procedures, training, and the licensee's risk evaluation of the finding.

The existing Loss of AC Power (CPS 4200.01) procedure requires a decision regarding ELAP at 1 hour into a station blackout (SBO) and it does not discuss the availability of the cross-tie as a means to provide high assurance of the restoration of power to avoid declaring ELAP. Per procedure, if ELAP is declared the Loss of AC Power procedure is exited and FLEX implementation (via CPS 4306.01) takes precedence over further efforts to recover the diesel generators or offsite power. While the cross-tie is referenced in the Loss of AC procedure, it is the very last step and would not be implemented if the procedure were exited. The cross-tie procedure (CPS 4303.01P023) was written for extensive damage/beyond design basis events and it appears that it was not well integrated with the Loss of AC Power and FLEX procedures and training to have an overall integrated approach to extended SBO conditions.

Cross-connecting the Division 3 diesel generator is the first option in the FLEX Recovery procedure, CPS 4306.01P020, indicating that its use would be attempted after FLEX phase 2 implementation, not before.

Section 4.2.4.1 of the licensee's risk evaluation (CL-SDP-010 dated August 3, 2018) states, "Given a SBO condition and failure to restore the EDG 1B, operators indicated that FLEX would be the initial system pursued for alternate RPV injection given the procedural direction in the Extended Loss of Power procedure." This comports with the NRC's risk evaluation assumptions and does not agree with Exelon's stated position at the regulatory conference.

Appendix C of the licensee's risk evaluation documents an HEP evaluation for implementing the cross-tie. The evaluation indicates that an ELAP is in progress at 1 hour and that the crosstie might be the means to determine high assurance that the SBO coping time would not be exceeded. The evaluation showed that it was not clear that the cross-tie capability was considered to be a method of AC power recovery that provides high assurance prior to the discovery of the Division 2 EDG problem and the evaluation of the risk significance of the finding.

The NRC reviewed simulator training for an SBO event in which ELAP was declared (SE-LOR-4306-FLEX). For this at-power scenario, the high pressure core spray (HPCS) pump was unavailable but the Division 3 EDG was available. Despite the availability of the EDG during the simulator scenario, ELAP was declared and FLEX implementation was pursued, indicating that ELAP/FLEX was a preferred response. This at-power simulator training is very similar to the scenario of interest in this SDP.

Appendix D of the licensee's risk evaluation (CL-SDP-010 dated 8/3/2018) documents many HEPs associated with FLEX actions. The licensee developed a cognitive only HEP for the failure to recognize the need for FLEX. The documentation indicates that ELAP is declared at 1 hour into the event based on discussions with operators and simulator observation.

The responses to the questionnaire for the 28 SROs also supported the NRC's assumption about ELAP. This questionnaire, like the CPS shift manager survey, also presented scenarios that were not relevant to the NRC evaluation because the scenario involved the successful diagnosis of the cause of the EDG failure. In the first two questions to the SROs, the valves were found in the closed position at 15 minutes and at 55 minutes, respectively. However, a third question asked about whether ELAP would be declared if the valves were discovered closed at 4 hours into an SBO. Although the SROs were instructed to answer yes or no to the question of whether to declare ELAP for these scenarios, a number of SROs provided additional comments on the scenarios. For the third scenario, many of the SROs stated that ELAP would have been declared at 1 hour. This is consistent with and supports NRC's assumption regarding the declaration of ELAP and implementation of FLEX before the cross-tie.

Finally, regarding modeling recovery of the EDG, FLEX, and the cross-tie, while some actions for each of these methods can be performed in parallel, they are not independent. That is, the electrical distribution system cannot be lined up for FLEX implementation and for the Division 3 to Division 2 cross-tie simultaneously because the procedures conflict.

Based on the above understanding, the NRC concluded that its PRA modeling approach to declaring ELAP is reasonable and realistic. However, the NRC's PRA model was modified to test the assumption that operators declare an ELAP or remain in the station blackout procedure.

The modified ET is shown in Figure 1. A new top event was added to the model as a decision point. If the decision is made to declare ELAP and enter the FLEX procedures, then the FLEX strategies are then tested. If the FLEX strategies fail, then the cross-tie is questioned.

For the revised risk model, if ELAP is not declared, the FLEX strategies are not implemented.

In this case, the risk evaluation models the use of the crosstie. If the crosstie is not successful and offsite AC power is not recovered, then core damage is assumed. FLEX is not considered further in this part of the risk model for two reasons. First, there is no procedural direction to try FLEX in the crosstie procedure. Second, if the crosstie has failed, significant issues may have occurred because of the failure. The cross-tie procedure (CPS 4303.01P023) twice reiterates safety considerations that state in part, "Steps in this procedure must be performed in order to avoid the risk of personnel injury or equipment damage." The cross-tie procedure would not be exited unless it had failed and per the caution, failure implies damage to the electrical distribution system that is required to implement the FLEX strategies.

In summary, these changes to the NRC's PRA model to specifically consider the ELAP declaration did not have a substantive impact on the risk results.

Isolation of SDC

The NRC's preliminary risk evaluation did not model the operator action to close the shutdown cooling isolation valves, similar to the licensee's risk evaluation. During the regulatory conference, Exelon stated that operators would take action to isolate shutdown cooling and that if the action was successful the time to core damage would be extended to 24 hours for all sequences, including those sequences where core damage occurs with the reactor at high pressure. The NRC asked Exelon to provide the procedure guidance and training for this operator action. The new information was provided in the December 14 letter.

Isolating shutdown cooling prevents the loss of inventory through RHR system relief valves and extends the time to core damage, allowing more time for recovery actions. If the reactor coolant system (RCS) heats up and pressurizes with the RHR system not isolated from RCS, four RHR relief valves will open as designed causing RCS leakage. CPS 3312.03, RHR Shutdown Cooling and Fuel Pool Cooling Assist, Section 8.3 discusses recovering a loss of RHR shutdown cooling flow and clearly requires the RHR suction valves from the reactor recirculation system 1E12-F008 and 1E12-F009 valves remain open if recovery is anticipated. The NRC concluded that procedure guidance existed to isolate the RHR system if Mode 3 entry was anticipated but it alone may not have prompted operators to close the valves if recovery of shutdown cooling was anticipated. A better cue to isolate shutdown cooling was reactor heat-up and pressurization, including an alarm to alert operators to high pressure in the RHR system.

Through discussions with the licensee, the NRC learned that the set-point of this alarm was close to the set-point of the relief valves in the RHR system.

A second cue would occur when RCS level starts to decrease due to the open RHR relief valves. Prior to the RHR relief valves opening, as the RCS heats up, the water inventory expands causing level to increase. When the RHR relief valves open, water level will turn and begin to decrease.

A third cue is received when water level decreases to the Level 3 scram setpoint. In addition, at Level 3 a containment isolation signal for RHR/SDC is received.

The NRC requested training material on the operator action to isolate RHR shutdown cooling.

The licensee provided a simulator scenario for a postulated event that was much different from the scenarios evaluated here. The NRC concluded that the training was not very relevant to the actions under in this scenario.

To incorporate this new information, the NRC modified its risk analysis by adding a new event tree (ET) top event that tested for failure to isolate the RHR/SDC system from the RCS on high reactor pressure and decreasing reactor level. The modified ET is shown in Figure 1. This top event was evaluated using a new fault tree (FT). The FT tests for all three cues discussed above.

HEPs were developed for both isolation cues. It should be noted that the HEP associated with the third and final cue, on reaching Level 3, is always set to fail as the analysts determined that there was insufficient time between receiving the cue to close the F008 valve before core uncovery occurred. Finally, dependency analysis for these HEPs was developed and incorporated into the model recovery rules as appropriate.

If the operators are successful in isolating the RHR/SDC system, then the time to core uncovery is extended from the 10 to 13-hour range to about 18 hours, allowing more time for other mitigating actions. This 18-hour assumption is based on the following: The licensee's Gothic analysis indicates time to core uncovery (TTCU) without isolation at 10 to 13 hours. Other Gothic analyses indicate that with isolation at 200°F (about 4 hours after event initiation), the TTCU is about 26 hours. In the scenario of interest, isolation is estimated to occur about 1.5 hours after the first cue at about 100 psig (which occurs about 8 hours after event initiation), which is between the two previous scenarios. If the isolation is unsuccessful, then time to uncovery remains in the 10 to 13-hour range.

Pressure Control

The NRC's preliminary significance determination modeled operator failure to maintain the reactor depressurized in conjunction with the FLEX systems injection into the RCS. At the regulatory conference, the licensee stated that operators would maintain reactor vessel pressure between 60 psig and 100 psig using safety-relief valves even if FLEX or other low pressure injection was not available. The NRC reviewed the procedures and training provided by the licensee. The NRC also reviewed the licensee's risk evaluation and human probability evaluation for this action.

The licensee provided emergency operating procedures (EOPs) and EOP support procedures, CPS 4200.01, Loss of AC procedure, CPS 4006.01, Loss of Shutdown Cooling, and CPS 4411.09, RPV Pressure Control Sources. In preparation of the preliminary analysis, the NRC had reviewed many procedures with respect to this operator action but had not reviewed CPS 4411.09. Neither of the two initial response procedures, Loss of Shutdown Cooling or Loss of AC Power, directs the operator to maintain RCS pressure low. The RPV Pressure Control Sources procedure is to be used as directed by EOPs and the severe accident guidelines (SAGs). For the postulated scenarios, the EOP entry condition would not be met until RPV level had decreased to Level 3, which would occur very late in the scenarios. The NRC concluded that these procedures did not provide direction to operators to maintain pressure between 60 psig and 100 psig if injection was not available to maintain inventory.

The licensee also provided information that EOP-1 for pressure control would be entered as directed by CPS 4306.01 Extended Loss of AC power/Loss of Ultimate Heat Sink. This procedure does direct RPV pressure control in accordance with EOP-1 but is written from the perspective of an at-power extended Loss of AC power event and provides no specific direction to maintain pressure low absent an available low pressure injection source. Maintaining pressure low using EOP-1 and ELAP procedures conflicts with other licensee statements that ELAP would not be declared or that operators would pursue using RCIC by letting the reactor re-pressurize.

The licensee provided seven simulator training exercises. All the scenarios were at power events focusing on pressure control and/or depressurization. None were relevant to the shutdown station blackout scenario under review.

The licensee's risk evaluation, in (CL-SDP-010) Appendix L, provided a human error probability evaluation for an operator action to manually control RPV pressure with SRVs. The NRC noted that the licensee's HEP evaluation also assumed that low pressure injection had been established and was in operation. The HEP evaluation referenced CPS 4306.01P004, FLEX Low Pressure RPV Make-up, which contained instructions to first set up FLEX suppression pool cooling followed by instructions to re-align the system for injection. A procedure step stated the following: "May need to throttle shut 1E12-F042A(B) RHR Pump 1A(B) Test Ret[urn] to Sup[pression] Pool Valve or further reduce RPV pressure to achieve the required p." This step provides instruction to reduce RPV pressure after injection has been successfully implemented. It does not provide instruction to open SRVs to maintain pressure low without injection available.

The NRC concluded that the existing procedures and training do not currently support a strategy to extend the time to core damage by maintaining pressure between 60 psig and 100 psig for an extended station blackout event in Mode 4. Nonetheless, the risk model was modified to incorporate early depressurization of the RCS prior to setting up the FLEX or other low pressure systems. See Figure 1 for the event tree. The manual reactor depressurization top event previously associated with FLEX was repurposed to test for early depressurization regardless if FLEX or other low pressure injection was being implemented. (Note in those sequences where FLEX was implemented, a second opportunity to depressurize was given if the depressurization early had failed. This second opportunity was implemented by a modification to the existing FLEX fault tree.)

HEPs were developed for both the early depressurization independent of FLEX and for the late depressurization as part of FLEX. Finally, dependency analysis for these HEPs was developed and incorporated into the model recovery rules as appropriate.

The event tree (see Figure 1) tests for successful depressurization. If depressurization is successful, then time to core uncovery is extended allowing additional time for subsequent mitigation actions.

Division 3 Cross-tie

The NRC's preliminary determination assumed the time available to perform the cross-tie was between 5 and 6 hours based on input found in the licensee's risk evaluation (CL-SDP-010). This activity is controlled by CPS 4303.01P023, Cross-Connecting Division 3 to Division 1(2) ECCS Electrical Busses. Based on this information, the associated HEP PSF for time was set to nominal. At the regulatory conference, Exelon stated that the action was time-validated at 1.5 hours and disagreed with the NRC time required assumption. Exelon provided a copy of the time validation after the regulatory conference.

The portion of CPS 4303.01P023 providing guidance on the Division 3 to Division 2 cross-tie is found in Section 1.2. It takes 39 steps to perform in three plant locations, two of which are outside the MCR. As stated above, the NRC time required assumption was based on information in the licensee's risk evaluation (CL-SDP-010). On page 8 of that analysis, it states, "Based on discussions with Operations, and a time validation study for connecting loads to the division, the cross-connect activities and the subsequent tasks to reload equipment onto the Division 2 bus can be accomplished in approximately 6 hours."

The NRC views the assumed 6 hours required in the licensee's risk analysis to be reasonable as it incorporates time to plan, perform the actual cross-tie and then restore SDC.

Based on the above re-evaluation and the fact that this cross-tie has never been performed, no changes were made to the NRC's risk evaluation.

C. Key Regulatory Conference Disagreements

| Exelon Position | NRC Preliminary Determination Assumptions | New information provided | NRC Disposition in Final Significance Determination |
|---|---|---|---|
| Air start valves found isolated within 29 minutes; ELAP not declared | 12 | Yes | No changes to the diesel generator recovery HEP or assumption about ELAP declaration. See detailed discussion in Section B |
| Load shed recovery proceduralized and does not complicate EDG recovery | 12 | No | Modified the diesel generator recovery HEP. Also modeled the additional complexity associated with recovering the EDG beyond 1 hour and up to 4 hours. Load shed removes control power from the EDG, potentially complicating diagnosis and recovery of the cause of the failure to start. Also, load shed, FLEX electrical alignment and/or Division 3 cross-tie alignment complicates further EDG recovery. Operator actions to back out of ELAP, FLEX, and load shedding to restore the EDG as the power source to Division 2 is not governed by procedures, is not a simple, skill of the craft task, and has no training. |
| ELAP not declared/FLEX staging only | 12 | Yes | See detailed discussion in Section B regarding how the PRA model was modified to test this assumption. |
| EDG air start valve position easily identified in knowledge-based or procedure-based mode | 13 | Yes | See detailed discussion in Section B. |
| Operators extensively trained on EDG malfunctions | 13 | Yes | No changes to the diesel generator training/experience PSF. See detailed discussion in Section B. |
| Operators will close one shutdown cooling valve per procedure to extend time to TAF from 10.8 hours to about 24 hours. | 2 | Yes | Operator action modeled with the addition of a fault tree with multiple HEPs. For sequences in which the action fails, the time to TAF remains the same as in the preliminary determination. If the action succeeds, the time to TAF is longer. See detailed discussion in Section B. |
| NRC inspections confirm that FLEX strategy meets regulatory requirements | 14, 23, 24 | No | No changes to FLEX HEPs. Compliance with regulatory requirements establishes feasibility but not reliability of the FLEX strategy. It does not establish or imply small human error probabilities for PRA, which must be evaluated on a case by case basis. The HEP analysis in this evaluation does not imply that the FLEX implementation does not meet current regulatory requirements. |
| FLEX trained in accordance with Systematic Approach to Training | 14, 23, 24 | No | No changes to FLEX HEPs. Training quality and frequency is evaluated as part of the HRA. The NRC agrees FLEX is trained in accordance with the Systematic Approach to Training. However, because the FLEX actions are trained in accordance with the Systematic Approach to Training does that dictate that the associated HEPs should be small. |
| FLEX tasks similar to normal EO tasks and performed in non-adverse conditions | 14, 23, 24 | No | No changes to FLEX HEPs. The overall evolution to set-up FLEX is complex and occurs under difficult conditions. Typical HRA methods assign nominal PSF values for control room actions under normal lighting and environmental conditions. In comparison, actions for establishing FLEX are outside the control room under significant inferior environmental conditions and do not warrant nominal ratings. |
| Division 3 cross-tie procedure is straightforward and not complex | 15 | No | No changes to the Division 3 cross-tie HEP. The procedure has 37 steps in multiple plant locations, under poor lighting conditions and thus does warrant a complex rating. See Section B. |
| Division 3 cross-tie is time-validated at 1.5 hours | 15 | Yes | No changes to the cross-tie HEP. The original licensee risk evaluation assumed 6 hours was required to perform these complex actions. This assumption appears more appropriate than the optimistic licensee position discussed at the regulatory conference. See Section B above for more details. |

Figure 1: Loss of Offsite Power (LOOP) Event Tree


NOTICE OF VIOLATION

Exelon Generation Company, LLC
Clinton Power Station
Docket No. 050-00461
License No. NPF-62
EA-18-104

During a U.S. Nuclear Regulatory Commission (NRC) inspection conducted August 3 through September 4, 2018, a violation of NRC requirements was identified. In accordance with the NRC Enforcement Policy, the violation is listed below:

Title 10 of the Code of Federal Regulations (CFR) Part 50, Appendix B, Criterion V, Instructions, Procedures, and Drawings, requires, in part, that activities affecting quality be prescribed by documented procedures of a type appropriate to the circumstances and be accomplished in accordance with these procedures.

Clearance Order (C/O) 139455 instructions required the performance of CPS 3506.01P002, Division 2 Diesel Generator Operations, Revision 3a, in conjunction with the removal of out-of-service tags on May 9, 2018.

Procedure OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.1.5, stated, "If plant conditions require a locked component to be positioned in a manner other than that indicated on the locked equipment checklist or approved procedure, then UNLOCK and REPOSITION equipment in accordance with OP-AA-108-101, Control of Equipment and System Status."

Procedure OP-AA-108-101, Control of Equipment and System Status, Revision 14, Step 4.1.1.1, stated, "Utilize an ACPS for aligning equipment outside of routine operations."

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, required that if equipment will not be restored to the Equipment Line-up/Restoration position or the original condition, then another approved equipment status control mechanism shall be used to document equipment status (i.e., Equipment Status Tag, administrative clearance/tagout).

Procedure OP-AA-108-101, Control of Equipment and System Status, shall be used to document abnormal equipment configuration and shall be immediately applied following equipment restoration.

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, stated, "Applicable Operating procedures are complete and any equipment line-ups directed to be completed by the Operating Procedures are completed."

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, stated, "The system/equipment has been walked down as appropriate to verify that it can be safely operated to fulfill its design function."

Procedure OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1, stated, "If a lift position is determined to be different from the normal lineup position for the present plant condition and not tracked by another C/O or procedure, then the Shift Management shall be notified and equipment tracking initiated."

Enclosure 2

Technical Specification 3.8.2, AC Sources-Shutdown, Condition B.3, requires, in part, that an inoperable EDG be restored to an operable status immediately.

Contrary to the above, between May 9 and May 17, 2018, the licensee failed to accomplish activities affecting quality in accordance with the following procedures:

Perform CPS 3506.01P002, Division 2 Diesel Generator Operations, Revision 3a, in conjunction with the removal of C/O 139455 as required by the C/O restoration instructions.

Perform OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.3, valves 1DG160 and 1DG161, normally locked open, were repositioned and an ACPS was not utilized to track valve status in accordance with procedure OP-AA-108-101.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, when valves 1DG160 and 1DG161 were left in an abnormal position an approved equipment status control mechanism was not used to track equipment status.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, when the equipment was declared operable the applicable operating procedure CPS 3506.01P002 had not been completed and equipment line-ups directed to be completed by the operating procedures were not completed.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, when the system was declared operable without being walked down.

Perform OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1, when the as left position was different from the normal lineup for the present plant condition and equipment tracking was not initiated.

Additionally, because the licensee was not aware of the Division 2 EDG's inoperability between May 14 and May 17, 2018, the licensee failed to meet the Technical Specification 3.8.2.b limiting condition for operation of one DG operable, and the required action in Technical Specification 3.8.2, Condition B.3 was not followed.

This violation is associated with a White SDP finding.

The NRC has concluded that information regarding the reason for the violation, the corrective actions taken and planned to correct the violation and prevent recurrence, and the date when full compliance was achieved is already adequately addressed on the docket in NRC Inspection Report No. 05000461/2018051. However, you are required to submit a written statement or explanation pursuant to 10 CFR 2.201 if the description therein does not accurately reflect your corrective actions or your position. In that case, or if you choose to respond, clearly mark your response as a "Reply to a Notice of Violation, EA-18-104" and send it to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001 with a copy to the Regional Administrator, Region III, 2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352, and a copy to the NRC Resident Inspector at the Clinton Power Station, within 30 days of the date of the letter transmitting this Notice of Violation (Notice).

If you choose to respond, your response will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html. Therefore, to the extent possible, the response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the Public without redaction.

In accordance with 10 CFR 19.11, you may be required to post this Notice within two working days of receipt.

Dated this 1st day of April 2019