ML18068A724

From kanterella
Jump to navigation Jump to search
Final Accident Sequence Precursor Analysis - Cooper Nuclear Station, Concurrent Unavailabilities-Residual Heat Removal Loop a, Reactor Core Isolation Cooling, and Emergency Station Service Transformer (LER 298-2017-001-01) - Precursor
ML18068A724
Person / Time
Site: Cooper Entergy icon.png
Issue date: 03/09/2018
From: Keith Tetter
NRC/RES/DRA/PRB
To:
References
LER 298-2017-001-01
Download: ML18068A724 (36)
v  d  e


Text

1 Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Cooper Nuclear Station Concurrent UnavailabilitiesResidual Heat Removal Loop A, Reactor Core Isolation Cooling, and Emergency Station Service Transformer Event Date: 2/5/2017 LERs: 298-2017-001-01, 298-2016-007, 298-2016-008, IRs: 05000298/2017001, 05000298/2017009, 05000298/2017010, 05000298/2017011, 05000298/2017012 CDP= 6x10-6 Plant Type: General Electric Type 4 Boiling-Water Reactor (BWR) with a Wet Mark I Containment Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)

Analyst:

Keith Tetter Reviewer:

Chris Hunter Contributors:

BC Approved Date:

03/09/2018 EXECUTIVE

SUMMARY

On September 29, 2016, during refueling outage 29, residual heat removal (RHR) minimum flow isolation valves (RHR-V-58 and RHR-V-60) were sealed closed and danger tagged. On October 7, 2016, the danger tags were released and both valves were to be restored to their normal configuration. The danger tags were removed and seals applied to the valves; however, the valves were not opened before the seals were placed. The second verification incorrectly verified that the valves were sealed open. On February 5, 2017 it was discovered that RHR-V-58 and RHR-V-60 were sealed closed. At 10:41 a.m., operators opened the valves, independently verified the valve positions, applied the appropriate seals, and declared the valves operable.

A review of Cooper licensee event reports (LERs) and inspection reports (IRs) revealed two degraded conditions that were windowed with this event. The first event occurred on November 8, 2016, when operators identified a water leak from the lower flange of the reactor core isolation cooling (RCIC) lube oiler cooler. The affected valve had been replaced in the previous refueling outage. A licensee examination revealed that the valve actuator had a closed travel-stop instead of the required open travel-stop, which would prevent over-pressurization of the cooling circuit by limiting the opening stroke distance. Following the valve modification to install an open travel-stop completed on November 10th, RCIC was declared operable after being unable to fulfill its safety function for approximately 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />.

The second event occurred on January 17, 2017, when the plant experienced a phasetophase fault of the nonsegregated bus on the secondary side of the emergency station service transformer (ESST), which resulted in the loss of one of the plants two offsite power sources.

In addition, the fault resulted in a loss of the nonsafety-related supplemental diesel generator (SDG) because the ESST bus bars are common with the SDG. The bus duct was reenergized on January 22nd (approximately 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> after the event occurred).

The point estimate increase in core damage probability (CDP) for this event is 5.6x10-6, which is considered a precursor in the ASP Program. This CDP is dominated by concurrent

LER 298-2017-001-01 2

unavailabilities of the RHR loop A and the ESST for 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> (CDP = 3.7x10-6, approximately 66 percent of the total). The 83-day unavailability of RHR loop A by itself contributes approximately 29 percent of the total CDP, while the RCIC unavailability has a minimal effect on the overall results.

The NRC conducted a special inspection for the event associated with the mispositioned RHR manual isolation valves in the RHR loop A minimum flow lines. NRC inspectors identified two performance deficiencies associated with the licensee failure to follow technical specification (TS) requirements to ensure the availability, reliability, and capability of the division 1 RHR subsystem and for the failure to correctly identify and correct out-of-position RHR loop A minimum flow isolation valves. An additional finding was identified for the event associated with the licensee failure to install the correct RCIC pressure control valve mechanical stop and verify proper operation of the system prior to entering a plant mode requiring system operability. Two inspection findings were identified with the ESST failure. Specifically, the licensee failed to implement maintenance procedures during applicable ESST bus inspections. In addition, the licensee failed to maintain a maintenance procedure with adequate instructions for testing of the ESST bus. All five of these findings were determined to be Green (i.e., very low safety significance).

EVENT DETAILS Event Description. On September 29, 2016, during refueling outage 29, RHR loop A minimum flow isolation valves (RHR-V-58 and RHR-V-60) were sealed closed and danger tagged in accordance with a clearance order to support RHR maintenance. On October 7, 2016, the danger tags for RHR-V-58 and RHR-V-60 were released and the clearance order directed that both valves be restored to their normal configuration. The danger tags were removed and seals applied to the valves; however, the valves were not opened before the seals were placed. The second verification incorrectly verified that the valves were sealed open. A quarterly sealed valve log audit was performed on November 29, 2016, and the seals were verified to be intact. The audit required only that the seals be verified, the audit did not require the valve configuration be checked. On February 5, 2017, during the next quarterly sealed valve log audit, it was discovered that RHR-V-58 and RHR-V-60 were sealed closed. Operators subsequently declared RHR pumps A and C inoperable at 7:56 a.m. At 10:41 a.m. on February 5th, operators opened the valves, independently verified the valve positions, applied the appropriate seals, and declared the valves operable. Additional information on this event is provided in LER 298-2017-001-01 (Ref. 1) and IR 05000298/2017009 (Ref. 2).

On November 8, 2016, at 11:27 am, RCIC was declared inoperable for surveillance testing.

At 11:41 a.m., operators identified a water leak from the lower flange of the RCIC lube oiler cooler. A licensee investigation determined that valve RCIC-AOV-PCV23, which was replaced during refueling outage 29, was fully open causing excessive cooling water pressure. An initial examination revealed that the valve actuator had a closed travel-stop instead of the required open travel-stop, which would prevent over-pressurization of the cooling circuit by limiting the opening stroke distance. At 5:39 a.m. on November 10th, following the valve modification to install an open travel-stop, post-maintenance was completed and RCIC was declared operable.

Additional information on this event is provided in LER 298-2016-008 (Ref. 3) and IR 05000298/2017001 (Ref. 4).

On January 17, 2017, the plant experienced a phasetophase fault of the nonsegregated bus on the secondary side of the ESST. When the fault occurred, the control room received several annunciators alerting the operators to the loss of voltage to the ESST. Shortly thereafter, the

LER 298-2017-001-01 3

control room received a report from the grid operations center that there was an apparent 3-phase fault on the bus bars between the ESST and the plants safety-related 4.16 kilovolt (kV) alternate current (AC) buses. The licensee subsequently identified an area of the nonsegregated ESST bus duct (near the turbine building) was discolored and at an elevated temperature. The ESST was not loaded, and no ESSTrelated switching activities were occurring at the time of the fault.1 Therefore, the ESST fault resulted in the loss of one of the plants two offsite power sources. In addition, the fault resulted in a loss of the nonsafety-related SDG because the ESST bus bars are common with the SDG. The bus duct was reenergized at 11:42 p.m. on January 22nd. Additional information on this event is provided in IR 05000298/2017011 (Ref. 5), and IR 05000298/2017012 (Ref. 6).

Causes. The licensee performed evaluations to determine the causes of these three events:

The root cause evaluation for RHR-V-58 and RHR-V-60 being incorrectly closed determined that operations department standards related to operator human performance and configuration control were inadequate and did not meet industry expectations.

The root cause evaluation for the failure of RCIC-AOV-PCV23 determined that an incorrect air-operated valve was purchased because the purchase order and associated drawing did not contain the requirement of an open travel-stop.

The direct cause of the ESST bus fault was due to damage associated with corona, a voltage-related phenomenon that can result in insulation breakdown and generation of a white conductive powder residue. Specifically, the licensee determined that corona present at the interface between the ESST nonsegregated bus bar supports and the bus bars caused degradation of the bus bar insulation, which led to tracking across the ESST bus bar supports and an eventual fault. The licensee also recognized that humidity and moisture increase corona tracking. In addition, the licensee concluded that the inspection procedure did not give adequate guidance to support operation of the ESST bus until the next scheduled inspection.

Additional Event Information. The following two events were partially windowed with the degraded conditions described in the previous sections of this report:

On October 28, 2016, shutdown cooling (SDC) isolation valves RHR-MO-17 and RHR-MO-18 were open with RHR loop A in a SDC flush lineup and preparing to place loop A in SDC. Work orders were created to replace 27 primary containment isolation system (PCIS) relay coils during refueling outage 29. During post-maintenance testing, the licensee identified that the PCIS-REL-K27 relay did not actuate as expected. The work order was subsequently revised to replace the entire relay instead of just the coil, which required additional wires to be lifted and the relay to be removed from the DIN rail.

RHR loop A was placed in SDC mode at 8:49 a.m. on October 28th. During replacement of the PCIS-REL-K27 relay, the action of installing a new relay onto the shared plastic DIN rail disturbed the mounting rail in a manner that caused the 1-2 contact of the adjacent relay (PCIS-REL-K30) to open. This caused RHR-MO-17 to close, which actuated the logic to trip the running RHR pump A. Operators declared SDC inoperable at 9:24 a.m. on October 28th. The alternate decay heat removal system remained in service throughout the event and the plant remained aligned for natural 1

Station loads are normally powered by the normal transformer, which is fed by the stations main generator (while the plant is at power) or by the startup station service transformer (when the plant is not generating power).

LER 298-2017-001-01 4

circulation. No increase in reactor temperature was observed and no impact to plant operations was observed. While SDC was out of service, replacement of the PCIS-REL-K27 relay was completed. SDC was declared operable and placed into service at 6:30 p.m. on October 29th. NRC inspectors identified a performance deficiency associated with the licensee failure to implement procedure 7.3.16, Low Voltage Relay Removal and Installation, because engineering personnel did not evaluate the potential impact on adjacent components or components that shared a common mounting when relay PCIS-REL-K27 was replaced. This performance deficiency was determined to be Green (i.e., very low safety significance) by the SDP.

The SDP evaluation did not perform a detailed risk evaluation because this event occurred while the plant was in Mode 5 with the refueling cavity flooded. The risk of a short-term unavailability of SDC while the plant is in Mode 5 is negligible and, therefore, is not considered further in this analysis. Additional information on this event is provided in LER 298-2016-007 (Ref. 7) and IR 05000298/2017001. This LER is closed.

On February 4, 2017, at 8:38 p.m., the licensee received alarms in the control room that indicated that there was a ground on emergency diesel generator (EDG) 2 motor control center transformer. The licensee discovered that the jacket water heater had failed, which required the operators to secure power to the heater. This action resulted in the jacket water temperature lowering. Operators subsequently began monitoring temperature trends to ensure that the lower temperature limit was not exceeded. At the time of discovery, temperatures were indicating 131°F and 136°F on the inlet and outlet of the heater, respectively. At approximately 4:43 a.m. on February 5th, these temperatures had dropped to 102°F and 118°F. Due to these temperatures approaching the minimum required operability limit of 100°F, EDG 2 was declared inoperable.

Repairs were completed on February 6that 11:25 am after repairs were made. NRC inspectors identified a performance deficiency associated with the licensee failure to demonstrate that the performance/condition of EDG 2 was being effectively controlled through the performance of appropriate preventive maintenance, such that the EDG remained capable of performing its intended function. In addition, the licensee failed to monitor the performance/condition of EDG 2 against licensee established goals. This performance deficiency was determined to be Green (i.e., very low safety significance) by the SDP. The SDP evaluation did not perform a detailed risk evaluation because this event: (1) was not a design deficiency; (2) did not represent a loss of system and/or function; (3) did not represent an actual loss of function; (4) did not represent an actual loss of function of at least a single train for longer than its TS allowed outage time; and (5) did not result in the loss of a high safety-significant non-TS train. The unavailability of EDG 2 is only windowed with the RHR loop A unavailability for approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, which sensitivity analyses show has negligible contribution to the risk and, therefore, is not considered further in this analysis. Additional information on this event is provided in IR 05000298/2017010 (Ref. 8).

MODELING Basis for ASP Analysis/SDP Results. The ASP Program uses SDP results for degraded conditions when available and applicable. However, an independent ASP analysis is performed for concurrent (i.e., windowed) unavailabilities regardless of cause.2 A review of Cooper LERs 2

Analyses performed as part of the SDP are limited to evaluating the risk of individual licensee performance deficiencies.

LER 298-2017-001-01 5

and IRs revealed concurrent unavailabilities of RHR loop A, RCIC, and the ESST; therefore, an independent ASP analysis was performed.

The NRC conducted a special inspection for the event associated with LER 298-2017-001-01 in accordance with Management Directive 8.3, NRC Incident Investigation Program.3 NRC inspectors identified two performance deficiencies associated with the licensee failure to follow TS requirements to ensure the availability, reliability, and capability of the division 1 RHR subsystem and for the failure to correctly identify and correct out-of-position RHR loop A minimum flow isolation valves. Both of these inspection findings were determined to be Green (i.e., very low safety significance) and the detailed risk evaluation that was performed resulted in an increase in core damage frequency (CDF) of 4.7x10-7 per year. This LER remains open.

See IR 05000298/2017009 for additional information.

NRC inspectors also identified a finding for the event associated with LER 298-2016-008 for the licensee failure to install the correct RCIC pressure control valve mechanical stop and verify proper operation of the system prior to entering a plant mode requiring system operability.

Inspectors determined that a detailed risk evaluation was required because the performance deficiency resulted in a loss of mitigating system/function. This evaluation calculated an increase in CDF of 8.4x10-8 per year and, therefore, the finding was determined to be Green (i.e., very low safety significance). The LER is closed. See IR 05000298/2017001 for additional information.

Two inspection findings were identified with the ESST failure. Specifically, the licensee failed to implement maintenance procedure 7.3.41, Examination and High Pot Testing of Nonsegregated Buses and Associated Equipment, during inspection of the ESST 4.16 kV bus.

In addition, the licensee failed to maintain maintenance procedure 7.3.41 with adequate instructions for testing of the ESST 4.16 kV bus. A detailed risk evaluation was performed, which resulted in an increase in CDF of 9.3x10-7 per year for both inspection findings. See IR 05000298/2017011 and IR 05000298/2017012 for additional information.

Analysis Type. A condition assessment for the concurrent unavailabilities was performed using the Cooper standardized plant analysis risk (SPAR) model, Revision 8.55, created in November 2017.

SPAR Model Modifications. The following base SPAR model modifications were required for this condition assessment:

Modifications were made to the applicable RHR fault trees. The RHR-A (Cooper RHR loop A fails) fault tree was modified to provide credit for operators aligning an alternate flow path (i.e., suppression pool cooling) and to account for potential common-cause failure (CCF) of the manual valves in the RHR minimum flow lines. A new AND gate RHR-A6 (minimum flow line is isolated) was inserted under existing gate RHR-A (Cooper RHR loop A fails). Gate RHR-A60 (RHR loop A miniflow isolation valves are closed) was inserted under new AND gate RHR-A6. Similar fault tree changes were made to the RHR-B (Cooper RHR loop B fails) fault tree. New basic events, RHR-XVM-FTOC-A (RHR loop A miniflow isolation valves are closed) and RHR-XVM-FTOC-B (RHR loop B miniflow isolation valves are closed), were inserted 3

Two deterministic criteria were met: (a.) a loss of a safety function used to mitigate an actual event and (b.) event involved questions or concerns pertaining to licensee operational performance. A preliminary risk assessment resulting in an estimated CCDP of 3.5x10-6, which is within the band for a special inspection.

LER 298-2017-001-01 6

under gates RHR-A60 and RHR-B60 (RHR loop B miniflow isolation valves are closed),

respectively. The failure probabilities of these valves were set using template event ZT-AVM-FTOC (manual valve fails to open), which has a probability of 4.59x10-4. A new basic event, RHR-XHE-XL-ALTERNATE (operators fail to align alternate RHR flow path), was inserted under gates RHR-A6 and RHR-B6. The failure probability of this basic event was set to 4.0x10-2, per SPAR-H analysis described below, to provide for operator recovery credit to align an alternate RHR flow path. The RHR loop A manual isolation valves for minimum flow that were incorrectly in the closed position were considered to be part of a common-cause component group (CCCG) with the similar valves in RHR loop B.4 To create the CCF event, basic events RHR-XVM-FTOC-A and RHR-XVM-FTOC-B were used to create a new basic event, RHR-XVM-CF-MINFLW (RHR manual miniflow isolation valves fail due to common-cause), was inserted under gates RHR-A60 and RHR-B60 to account for potential CCF of the manual minimum flow isolation valves for loops A and B. The changes made in the RHR-A and RHR-B fault trees were made to the applicable SPC and low-pressure core injection (LPCI) fault trees. The revised RHR-A, RHR-B, SPC-A (cooper RHR loop A fails), SPC-B (cooper RHR loop B fails), LCI-A (Cooper LPCI train A fails), and LCI (Cooper LPCI train B fails) fault trees are provided in Figures B-1 throughB-6 in Appendix B.

The SPAR-H Human Reliability Analysis Method (Ref. 9 and 10) was used to estimate non-recovery probability of operators to align an alternate flow path (as represented by basic event RHR-XHE-XL-ALTERNATE). Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSF) adjustments required for quantification of the human error probability for RHR-XHE-XL-ALTERNATE using SPAR-H.

Table 1. Key Qualitative Information for RHR-XHE-XL-ALTERNATE Definition The definition for this human failure event (HFE) is the operators failure to align an alternate flow path given the failure of the minimum flow valves.

Description and Event Context Given the incorrectly isolated minimum flow lines for the RHR loop A pumps, operators would have to secure the RHR pumps or align suppression pool cooling to prevent pump damage.

Operator Action Success Criteria For successful recovery, operators would have to align the RHR pump flow path to provide suppression pool cooling prior to pump damage within 32 minutes.

Nominal Cues Temperature increase due to inadequate flow.

Red indicating lights at RHR pump control switch lit.

Procedural Guidance System Operating Procedure 2.2.69.1, RHR LPCI Mode System Operating Procedure 2.2.69.3, RHR Suppression Pool Cooling and Containment Spray Diagnosis/Action This recovery action contains diagnosis and action activities.

4 Even though there is a manual isolation valve in each of the four RHR pumps minimum flow isolation lines. It is expected that these valves will be operated in pairs. Therefore, the CCCG size is considered to be two (i.e., one for the RHR loop A manual minimum flow isolation valves and one for the loop B valves).

LER 298-2017-001-01 7

Table 2. SPAR-H Evaluation for RHR-XHE-XL-ALTERNATE PSF Multiplier Diagnosis/Action Notes Time Available 1 / 1 The most limiting time for this recovery action is 32 minutes based on a licensee calculation determining that the RHR loop A pumps could run this long before pump damage. Training and experience lead operators to establish suppression pool cooling early during an event, usually within approximately 10 minutes. This would leave approximately 20 minutes available for diagnosis, which is sufficient. However, because the time for diagnosis is less than 30 minutes, the diagnosis PSF for available time is set to Nominal.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 10 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress 2 / 1 The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because there would be a sense of urgency for establishing cooling flow.

The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Complexity 2 / 1 The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with few indications of the valve misalignment.

The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 /1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

Power Recovery HEP = (Product of Diagnosis PSFs

  • Nominal Diagnosis HEP) +

(Product of Action PSFs

  • Nominal Action HEP)

= (4

  • 0.01) + (1
  • 0.001) = 4x10-2 Therefore, the human error probability for RHR-XHE-XL-ALTERNATE was set to 4x10-2.

Modifications were made to the ACP-1F-SWY (Cooper switchyard AC service to bus 1F), ACP-1G-SWY (Cooper switchyard AC service to bus 1G), OEP (offsite electrical power), OEP-3 (independent power supply paths fail), DGS (supplemental diesel generator faults), OPR (offsite power recovery), OPR-30M (offsite power recovery in 30 minutes), OPR-04H (offsite power recovery in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />), OPR-08H (offsite power recovery in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), and OPR-12H (offsite power recovery in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) fault trees in a similar manner as in Attachment 2 in IR 05000298/2017011. The revised ACP-1F-SWY,

LER 298-2017-001-01 8

ACP-1G-SWY, OEP, OEP-3, DGS and OPR fault trees are provided in Figures B-7 through B-12 in Appendix B.

The OEP-3 fault tree was converted to transfer gate within the OEP fault tree.

The nonsegregated bus work between the motor-operated disconnect associated with the ESST and electrical safety buses 1F and 1G is not included in the base SPAR model and is needed for this analysis. Therefore, new basic event AACP-BUS-ESST-FAILS (ESST bus duct fails) was created in the SPAR model using template ZT-BAC-LP (AC bus fails to operate). This basic event was added to the ACP-1F-SWY and ACP-1G-SWY fault trees under existing OR gates ACP-1F-SWY-2 (emergency station service failure) and ACP-1G-SWY-2 (emergency station service failure). This basic event was also added to the OEP fault tree under existing OR gates OEP22111 (failure of power from ESST to 1F) and OEP222111 (failure of power from ESST to 1G). Similarly, a new basic event, AACP-BUS-SSSTX-FAILS (SSST-X bus duct fails), representing the bus work from the X-winding of the SSST feeding the plant (which did not fail the SDG but was unavailable due to the failure of the ESST bus duct) was created using template ZT-BAC-LP and inserted under fault trees ACP-1F-SWY and ACP-1G-SWY as well under existing OR gates OEP22110 (failure of power from the startup station service transformer to 1F) and OEP222110 (failure of power from the startup station service transformer to 1G) within the OEP-3 fault tree. In addition, basic event AACP-BUS-ESST-FAILS was inserted under the top gate of the DGS fault tree given the supplemental diesel generator would be unavailable given a bus duct failure.

The bus work for buses 1A and 1B supplied by the main generator and SSST, which provides power to electrical safety buses 1F and 1G, is not included in the base SPAR model and is needed for this analysis. Therefore, existing basic events ACP-CRB-CC-1AN (breaker 1AN fails to open) and ACP-CRB-OO-1AS (switchgear breaker 1AS fails to close on station trip) were added to existing OR gate ACP-1F-SWY-1 (normal and startup station power service failure) within the ACP-1F-SWY fault tree. In addition, these basic events were inserted under existing OR gate OEP22110. Similarly, existing basic events ACP-CRB-CC-1BN (breaker 1BN fails to open) and ACP-CRB-OO-1BS (switchgear breaker 1BS fails to close on station trip) were added to existing OR gate ACP-1G-SWY-1 (normal and startup station power service failure) within the ACP-1G-SWY fault tree. In addition, these basic events were also inserted under existing OR gate OEP222110. Basic event AACP-TFM-TM-SSST (startup transformer in T/M) was added to existing OR gates ACP-1F-SWY-1 and ACP-1G-SWY-1 within the ACP-1F-SWY and ACP-1G-SWY fault trees. In addition, this basic event was inserted under existing OR gates OEP22110 and OEP222110 in the OEP-3 fault tree. The failure probability of this transformer was set using template event ZT-TFM-TM (startup transformer test or maintenance), which has a probability of 1.75x10-3.

A new CCF basic event, AACP-BUS-CF-FAIL (common-cause failure of transformer bus ducts), representing the CCF of the ESST and SSST-X bus work was created.

The common cause alpha factors, ZA-CCF-RATE-02A01 (alpha factor 1 in group size 2 for component CCF with failure mode rate) and ZA-CCF-RATE-02A02 (alpha factor 2 in group size 2 for component CCF with failure mode rate), were applied.

These generic alpha factors for a CCCG size of two are used because bus-work failure data is not explicitly collected and estimated for the SPAR models. This CCF basic event was inserted under existing OR gates ACP-1F-SWY-1,

LER 298-2017-001-01 9

ACP-1G-SWY-1, OEP22110, OEP222110, OEP22111, and OEP222111 within the OEP-3 fault tree.

The OEP-3 transfer tree was inserted under the existing top gate for the OPR-30M, OPR-04H, OPR-08H, and OPR-12H fault trees.

In ASP analyses, recovery credit for EDG failures is limited to cases where event information supports credit for EDG recovery. Therefore, the DGR (diesel generator recovery) top event (including applicable event tree branching) was eliminated from the station blackout (SBO) event tree. The revised SBO event tree is shown in Figure A-3.

The basic event SPC-XHE-XL-NOREC (late recovery of suppression pool cooling fails) was set to TRUE. The base model probability of 0.5 is only used for benchmarking purposes.

Exposure Periods. The following three exposure periods were identified for this analysis:

The first exposure period of approximately 83 days, (November 6th through February 5th minus the times for exposure periods two and three) existed when RHR loop A was unavailable because of the closed RHR minimum flow isolation valves. The exposure time during the refueling outage was not considered because the manual valves in the minimum flow line were correctly closed at that time for the shutdown cooling line-up.

The second exposure period of 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br /> existed when valve RCIC-AOV-PCV23 had a closed travel-stop was installed, rendering the RCIC system unavailable to fulfill its safety function. This exposure period includes the closed RHR loop A minimum flow isolation valves.

The third exposure period of 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> existed when the ESST bus and SDG were unavailable due the electrical fault. This exposure period includes the closed RHR loop A minimum flow isolation valves.

Key Modeling Assumptions. The following assumptions were determined to be significant to the modeling of this event:

Exposure Period 1 (83 days)

Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.

Exposure Period 2 (50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />)

Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.

Basic event RCI-MOV-CC-INJEC (RCIC injection valve causes failure to start) was set to TRUE because the failed pressure control valve resulted in the RCIC system being unavailable to fulfill its safety function.

LER 298-2017-001-01 10 Exposure Period 3 (127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br />)

Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.

Basic event AACP-BUS-ESST-FAILS was set to TRUE due to the ESST electrical fault resulting in the failed ESST bus and resulted in the unavailability of the SDG.

The probability of basic event AACP-BUS-SSSTX-FAILS was set to 6.0x10-2, down from an initial value of 25 percent that was estimated in the preliminary SDP evaluation due to the fault in the bus work that released a large amount of energy, which resulted in a hole in the bottom of the duct. Charring and arc fault byproducts were present on top of the SSST-X duct. It was assumed that arc faults in other locations could damage the duct housing the SSST-X bus work and rendering it unavailable.

ANALYSIS RESULTS CDP. The point estimate CDP for this event is 5.6x10-6, which is the sum of three exposure periods. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions.

The CDP for this event exceeds this threshold; therefore, this event is a precursor. The total CDP for this event is dominated by the risk from Exposure Period 3 (CDP of 3.7x10-6).

Whereas, the risk from Exposure Periods 1 and 2 (CDP of 1.9x10-6) contributes approximately 34 percent to the total risk for this event.

Dominant Sequence. The dominant accident sequence is TRANS Sequence 74-37-28 (CDP

= 5.6x10-7) that contributes approximately 10 percent of the total internal events CDP. Figures A-1 through A-3 in Appendix A illustrate this sequence. The dominant sequences that contribute at least 1 percent of the total internal events CCDP are provided in the following table:

Sequence CDP Percentage Description TRANS 74-37-28 5.6x10-7 10.0%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; safety relief valves (SRVs) open on demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC fails; high pressure coolant injection (HPCI) succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> TRANS 74-37-14 4.5x10-7 8.1%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity succeeds; RCIC succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />

LER 298-2017-001-01 11 Sequence CDP Percentage Description TRANS 74-37-05 4.3x10-7 7.7%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC succeeds; operator actions to extend reactor makeup succeed; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; late injection (LI) fails LOACG 09 3.8x10-7 6.8%

Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) succeeds; suppression pool cooling (SPC) fails; control rod drive (CRD) injection succeeds; SPC recovery fails; containment spray (CS) fails; power conversion system (PCS) recovery fails; containment venting fails; LI fails LOACG 17 3.8x10-7 6.8%

Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) succeeds; SPC fails; CRD injection fails; manual reactor depressurization succeeds; condensate system succeeds; SPC recovery fails; shutdown cooling (SDC) fails; CS fails; PCS recovery fails; containment venting fails; LI fails TRANS 74-37-31-2 3.5x10-7 6.3%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity fails; RCIC fails; HPCI fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> TRANS 74-37-32-2 3.4x10-7 6.1%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; one SRV sticks open; RCIC succeeds; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> LOCHS 09 2.3x10-7 4.1%

Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails LOMFW 09 1.2x10-7 2.2%

Loss of main feedwater initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails

LER 298-2017-001-01 12 Sequence CDP Percentage Description LODCB 09 1.2x10-7 2.1%

Loss of vital 125 VDC bus B initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; RCIC succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails TRANS 74-37-30 1.0x10-7 1.9%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC fails; HPCI fails; operators fail to restore offsite power within 30 minutes TRANS 74-09 1.0x10-7 1.8%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system succeeds; SRVs open on demand and successfully reclose; HPCI succeeds; SPC fails; manual reactor depressurization succeeds; low pressure injection (LPI) succeeds; SPC recovery fails; SDC fails; CS fails; containment venting fails; LI fails TRANS 71 9.0x10-8 1.6%

General plant transient initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; PCS fails; high pressure injection (RCIC or HPCI) fails; manual reactor depressurization fails LOCHS 73-37-28 8.3x10-8 1.5%

Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC fails; HPCI succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> LOCHS 73-37-14 6.7x10-8 1.2%

Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity succeeds; RCIC succeeds; operator actions to extend reactor makeup fails; manual reactor depressurization fails; operators fail to restore offsite power within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> TRANS 74-37-24 6.4x10-8 1.2%

General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity succeeds; RCIC succeeds; HPCI succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization succeeds; firewater injection succeeds; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; LI fails

LER 298-2017-001-01 13 Sequence CDP Percentage Description LOCHS 73-37-05 6.4x10-8 1.2%

Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC succeeds; operator actions to extend reactor makeup succeed; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; LI fails LOACG 45 5.6x10-8 1.0%

Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) fails; manual reactor depressurization succeeds; condensate system succeeds; SPC fails; SDC fails; CS fails; PCS recovery fails; containment venting fails; LI fails TRANS 10 5.6x10-8 1.0%

General plant transient initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; PCS fails; high pressure injection (RCIC or HPCI) succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails REFERENCES

1. Cooper Nuclear Station, Residual Heat Removal Minimum Flow Valves Out of Position Results in Loss of Safety Function and Condition Prohibited by Technical Specifications, LER 298-2017-001-01, dated December 15, 2017 (ADAMS Accession No. ML17354A150).
2. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Special Inspection Report 05000298/2017009, dated June 27, 2017 (ADAMS Accession No. ML17179A282).
3. Cooper Nuclear Station, Purchase and Installation of Incorrect Actuator Results in a Condition Prohibited by Technical Specifications, LER 298-2016-008, dated January 5, 2017 (ADAMS Accession No. ML17025A072).
4. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Integrated Inspection Report 05000298/2017001, dated May 1, 2017 (ADAMS Accession No. ML17122A362).
5. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Baseline Inspection Report 05000298/2017011 and Preliminary White Finding, dated August 14, 2017 (ADAMS Accession No. ML17223A459).
6. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - Final Significance Determination of Green Findings; NRC Baseline Inspection Report 05000298/2017012, dated December 20, 2017 (ADAMS Accession No. ML17354A634).
7. Cooper Nuclear Station, Isolation of Shutdown Cooling due to Relay Maintenance Results in a Loss of Safety Function, LER 298-2016-007, dated December 19, 2016 (ADAMS Accession No. ML16365A009).

LER 298-2017-001-01 14

8. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Problem Identification and Resolution Inspection Report 05000298/2017010, dated August 7, 2017 (ADAMS Accession No. ML17219A742).
9. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
10. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

LER 298-2017-001-01 A-1 Appendix A: Key Event Trees Figure A-1. Cooper Transient Event Tree IE-TRANS GENERAL PLANT TRANSIENT RPS REACTOR SHUTDOWN OEP OFFSITE ELECTRICAL POWER SRV SRV'S CLOSE PCS POWER CONVERSION SYSTEM HPI HIGH PRESSURE INJECTION (RCIC OR HPCI)

SPC SUPPRESSION POOL COOLING DEP MANUAL REACTOR DEPRESS CRD CRD INJECTION (1 PUMP)

CDS CONDENSATE LPI LOW PRESSURE INJECTION (CS OR LPCI)

VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING SDC SHUTDOWN COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2

OK 3

CD 4

OK SPCR 5

OK 6

OK 7

OK LI00 8

CD 9

OK LI06 10 CD 11 OK SPCR 12 OK 13 OK 14 OK 15 OK LI00 16 CD 17 OK LI06 18 CD 19 OK SPCR 20 OK 21 OK 22 OK 23 OK 24 CD 25 OK LI06 26 CD VA1 27 OK SPCR 28 OK SD1 29 OK CS1 30 OK 31 OK LI00 32 CD 33 OK LI06 34 CD VA1 35 OK 36 CD 37 OK SPCR 38 OK 39 OK 40 OK LI00 41 CD 42 OK LI06 43 CD 44 OK 45 CD 46 OK 47 OK 48 OK 49 OK 50 OK LI00 51 CD 52 OK LI06 53 CD 54 OK 55 OK 56 OK 57 OK 58 OK 59 CD 60 OK LI06 61 CD 62 OK SP1 63 OK SD1 64 OK CS1 65 OK 66 OK LI00 67 CD 68 OK LI06 69 CD 70 CD 71 CD P1 72 1SORV P2 73 2SORVS 74 LOOPPC 75 ATWS 76 LOOPPC

LER 298-2017-001-01 A-2 Figure A-2. Cooper Plant-centered LOOP Event Tree IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED)

RPS REACTOR SHUTDOWN FTF-SBO EPS EMERGENCY POWER SRV SRV'S CLOSE HPI HIGH PRESSURE INJECTION (RCIC OR HPCI)

SPC SUPPRESSION POOL COOLING DEP MANUAL REACTOR DEPRESS LPI LOW PRESSURE INJECTION (CS OR LPCI)

VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING SDC SHUTDOWN COOLING CSS CONTAINMENT SPRAY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2

CD 3

OK SPCR 4

OK 5

OK 6

OK 7

CD 8

OK LI06 9

CD VA1 10 OK SPCR 11 OK SD1 12 OK CS1 13 OK LI00 14 CD 15 OK LI06 16 CD VA1 17 CD 18 CD 19 OK 20 OK 21 OK 22 OK 23 CD 24 OK LI06 25 CD 26 OK SP1 27 OK SD1 28 OK CS1 29 OK LI00 30 CD 31 OK LI06 32 CD 33 CD 34 CD P1 35 LOOP-1 P2 36 LOOP-2 37 SBO 38 ATWS 39 CD

LER 298-2017-001-01 A-3 Figure A-3. Revised Cooper SBO Event Tree FTF-SBO EPS EMERGENCY POWER SRV SRV'S CLOSE RPSL RECIRC PUMP SEAL INTEGRITY RCI RCIC HCI HPCI EXT ACTIONS TO EXTEND REACTOR MAKEUP DEP01 MANUAL REACTOR DEPRESS FWS FIREWATER INJECTION OPR OFFSITE POWER RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD)

RCI03 EXT01 OPR-12H 1

SBO-OP OPR-12H CVS02 2

OK LI-EXT 3

CD CVS02 4

OK LI06 5

CD EXT01 OPR-12H 6

SBO-OP OPR-12H CVS02 7

OK LI00 8

CD CVS02 9

OK LI06 10 CD OPR-08H 11 SBO-OP OPR-08H 12 CD OPR-08H 13 SBO-OP OPR-08H 14 CD RCI03 HCI03 EXT02 OPR-08H 15 SBO-OP OPR-08H CVS02 16 OK LI-EXT 17 CD CVS02 18 OK LI06 19 CD EXT02 OPR-12H 20 SBO-OP OPR-12H CVS02 21 OK LI00 22 CD CVS02 23 OK LI06 24 CD OPR-04H 25 SBO-OP OPR-04H 26 CD OPR-04H 27 SBO-OP OPR-04H 28 CD HCI03 OPR-30M 29 SBO-OP OPR-30M 30 CD 31 SBO-1 P1 32 SBO-1 P2 33 CD

LER 298-2017-001-01 B-1 Appendix B: Modified Fault Trees Figure B-1. Modified RHR-A Fault Tree RHR-A COOPER RHR LOOP A FAILS Ext ACP-1F COOPER DIVISION 1F AC POWER FAILS Ext DCP-1-125DC-LT COOPER DIVISION I 125 VDC POWER FAILS LONG TERM Ext RHR-A-HTX RHR LOOP A COOLING FAILS RHR-A-1 RHR TRAINS FAIL RHR-A-2 TRAIN A FAILS RHR-A-3 TRAIN C FAILS RHR-A6 MINIMUM FLOW LINE IS ISOLATED RHR-A60 RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 4.59E-04 RHR-XVM-FTOC-A RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 7.64E-06 RHR-MOV-CF-MINFL RHR PUMP MIN FLOW LINES FAIL FROM COMMON CAUSE 8.16E-04 RHR-MOV-OO-MINFA RHR LOOP A MINFLOW LINE MOV FAILS TO CLOSE

LER 298-2017-001-01 B-2 Figure B-2. Modified RHR-B Fault Tree RHR-B COOPER RHR LOOP B FAILS Ext DCP-2-125DC-LT COOPER DIVISION 2 125VDC POWER FAILS LONG TERM Ext ACP-1G COOPER DIVISION 1G AC POWER FAILS Ext RHR-B-HTX RHR LOOP B COOLING FAILS RHR-B-1 RHR TRAINS FAIL RHR-B-2 TRAIN B FAILS RHR-B-3 TRAIN D FAILS RHR-B6 MINIMUM FLOW LINE IS ISOLATED RHR-B60 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.59E-04 RHR-XVM-FTOC-B RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 7.64E-06 RHR-MOV-CF-MINFL RHR PUMP MIN FLOW LINES FAIL FROM COMMON CAUSE 8.16E-04 RHR-MOV-OO-MINFB RHR LOOP B MINFLOW LINE MOV FAILS TO CLOSE

LER 298-2017-001-01 B-3 Figure B-3. Modified SPC-A Fault Tree SPC-A COOPER RHR LOOP A FAILS Ext ACP-1F COOPER DIVISION 1F AC POWER FAILS Ext RHR-A-HTX RHR LOOP A COOLING FAILS SPC-A-1 RHR TRAINS FAIL SPC-A-2 TRAIN A FAILS SPC-A-3 TRAIN C FAILS SPC-A6 MINIMUM FLOW LINE IS ISOLATED SPC-A60 RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 4.59E-04 RHR-XVM-FTOC-A RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 7.64E-06 RHR-MOV-CF-MINFL RHR PUMP MIN FLOW LINES FAIL FROM COMMON CAUSE 8.16E-04 RHR-MOV-OO-MINFA RHR LOOP A MINFLOW LINE MOV FAILS TO CLOSE

LER 298-2017-001-01 B-4 Figure B-4. Modified SPC-B Fault Tree SPC-B COOPER RHR LOOP B FAILS Ext ACP-1G COOPER DIVISION 1G AC POWER FAILS Ext RHR-B-HTX RHR LOOP B COOLING FAILS SPC-B-1 RHR TRAINS FAIL SPC-B-2 TRAIN B FAILS SPC-B-3 TRAIN D FAILS SPC-B6 MINIMUM FLOW LINE IS ISOLATED SPC-B60 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.59E-04 RHR-XVM-FTOC-B RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 7.64E-06 RHR-MOV-CF-MINFL RHR PUMP MIN FLOW LINES FAIL FROM COMMON CAUSE 8.16E-04 RHR-MOV-OO-MINFB RHR LOOP B MINFLOW LINE MOV FAILS TO CLOSE

LER 298-2017-001-01 B-5 Figure B-5. Modified LCI-TRNA Fault Tree LCI-TRNA COOPER LPCI TRAIN A FAILS Ext ACP-1F COOPER DIVISION 1F AC POWER FAILS Ext DCP-1-250DC-LT COOPER DIVISION 1 250VDC POWER FAILS LONG TERM LCI-TRNA-1 PUMP TRAINS LCI-TRNA-2 TRAIN A LCI-TRNA-3 TRAIN C LCI-A6 MINIMUM FLOW LINE IS ISOLATED LCI-A60 RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 4.59E-04 RHR-XVM-FTOC-A RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 1.94E-07 RHR-CKV-CF-LPI LPCI INJECTION CHECK VALVES FAIL FROM COMMON CAUSE 1.15E-05 RHR-MOV-CF-LPI LPCI INJECTION VALVES FAIL FROM COMMON CAUSE 9.24E-06 RHR-CKV-CC-AO68A LPCI LOOP A ISOLATION CKV FAILS TO OPEN 8.16E-04 RHR-MOV-CC-MO25A LPCI LOOP A ISOLATION MOV FAILS TO OPEN

LER 298-2017-001-01 B-6 Figure B-6. Modified LCI-TRNB Fault Tree LCI-TRNB COOPER LPCI TRAIN B FAILS Ext ACP-1G COOPER DIVISION 1G AC POWER FAILS Ext DCP-2-250DC-LT COOPER DIVISION 2 250VDC POWER FAILS LONG TERM LCI-TRNB-1 PUMP TRAINS LCI-TRNB-2 TRAIN B LCI-TRNB-3 TRAIN D LCI-B6 MINIMUM FLOW LINE IS ISOLATED LCI-B60 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSED 2.71E-05 RHR-XVM-CF-MINFLOW RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE 4.59E-04 RHR-XVM-FTOC-B RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE 4.00E-02 RHR-XHE-XL-ALTERNATE OPERATORS FAILE TO ALIGN ALTERNATE RHR FLOW PATH 1.94E-07 RHR-CKV-CF-LPI LPCI INJECTION CHECK VALVES FAIL FROM COMMON CAUSE 1.15E-05 RHR-MOV-CF-LPI LPCI INJECTION VALVES FAIL FROM COMMON CAUSE 9.24E-06 RHR-CKV-CC-AO68B LPCI LOOP B ISOLATION CKV FAILS TO OPEN 8.16E-04 RHR-MOV-CC-MO25B LPCI LOOP B ISOLATION MOV FAILS TO OPEN

LER 298-2017-001-01 B-7 Figure B-7. Modified OEP Fault Tree OEP OFFSITE ELECTRICAL POWER OEP-1 TRANSIENT CAUSES LOSS OF OFFSITE POWER 5.30E-03 OEP-VCF-LP-CLOPT CONSEQUENTIAL LOSS OF OFFSITE POWER - TRANSIENT OEP11 Complement of: LOCA LOOP

RESPONSE

False HE-SLOCA HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR False HE-MLOCA HOUSE EVENT - MEDIUM LOSS OF COOLANT ACCIDENT INITIATOR False HE-LLOCA HOUSE EVENT - LARGE LOSS-OF-COOLANT ACCIDENT INITIATOR OEP-2 LOCA CAUSES LOSS OF OFFSITE POWER OEP21 LOCA LOOP RESPONSE False HE-SLOCA HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR False HE-MLOCA HOUSE EVENT - MEDIUM LOSS OF COOLANT ACCIDENT INITIATOR False HE-LLOCA HOUSE EVENT - LARGE LOSS-OF-COOLANT ACCIDENT INITIATOR 3.00E-03 OEP-VCF-LP-CLOPL CONSEQUENTIAL LOSS OF OFFSITE POWER - LOCA Ext OEP-3 INDEPENDENT POWER SUPPLY PATHS FAIL

LER 298-2017-001-01 B-8 Figure B-8. Modified ACP-1F-SWY Fault Tree ACP-1F-SWY COOPER SWITCHYARD AC SERVICE TO SWGR BUS 1F ACP-1F-SWY-1 NORMAL AND STARTUP STATION POWER SERVICE FAILURE Ext ACP-4160V-1A COOPER 4160 VAC SWITCHGEAR BUS 1A IS UNAVAILABLE 2.05E-03 ACP-CRB-CC-1AN BREAKER 1AN FAILS TO OPEN 2.05E-03 ACP-CRB-OO-1AS SWGR BREAKER 1AS FAILS TO CLOSE ON STATION TRIP 2.76E-06 ACP-CRB-CO-1AF CLOSED BREAKER 1AF FAILS OPEN 3.82E-06 ACP-CRB-CO-1FA CLOSED BREAKER 1FA FAILS OPEN 7.97E-06 AACP-BUS-SSSTX-FAILS SSST X BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS 1.75E-03 AACP-TFM-TM-SSST STARTUP TRANSFORMER IN T/M ACP-1F-SWY-2 EMERGENCY STATION SERVICE FAILURE 6.07E-05 ACP-TFM-FC-EMERG EMERGENCY STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1FS BREAKER 1FS FAILS TO CLOSE 2.29E-05 AACP-BUS-ESST-FAILS ESST BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS

LER 298-2017-001-01 B-9 Figure B-9. Modified ACP-1G-SWY Fault Tree ACP-1G-SWY COOPER SWITCHYARD AC SERVICE TO SWGR BUS 1G ACP-1G-SWY-1 NORMAL AND STARTUP STATION POWER SERVICE FAILURE Ext ACP-4160V-1B COOPER 4160 VAC SWITCHGEAR BUS 1B IS UNAVAILABLE 2.05E-03 ACP-CRB-CC-1BN BREAKER 1BN FAILS TO OPEN 2.05E-03 ACP-CRB-OO-1BS SWGR BREAKER 1BS FAILS TO CLOSE ON STATION TRIP 3.82E-06 ACP-CRB-CO-1BG CLOSED BREAKER 1BG FAILS OPEN 3.82E-06 ACP-CRB-CO-1GB CLOSED BREAKER 1GB FAILS OPEN 7.97E-06 AACP-BUS-SSSTX-FAILS SSST X BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS 1.75E-03 AACP-TFM-TM-SSST STARTUP TRANSFORMER IN T/M ACP-1G-SWY-2 EMERGENCY STATION SERVICE FAILURE 6.07E-05 ACP-TFM-FC-EMERG EMERGENCY STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1GS BREAKER 1GS FAILS TO CLOSE 2.29E-05 AACP-BUS-ESST-FAILS ESST BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS

LER 298-2017-001-01 B-10 Figure B-10. Modified OEP-3 Fault Tree OEP-3 INDEPENDENT POWER SUPPLY PATHS FAIL OEP-3-2 DIVISION I IS UNAVAILABLE OEP22110 FAILURE OF PWR FROM THE SU STATION SERVICE TRANSFORMER TO 1F 2.05E-03 ACP-CRB-CC-1AN BREAKER 1AN FAILS TO OPEN 6.07E-05 ACP-TFM-FC-STARTUP STARTUP STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1AS SWGR BREAKER 1AS FAILS TO CLOSE ON STATION TRIP 7.97E-06 AACP-BUS-SSSTX-FAILS SSST X BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS 1.75E-03 AACP-TFM-TM-SSST STARTUP TRANSFORMER IN T/M OEP22111 FAILURE OF PWR FROM EMERGENCY STATION SERVICE TRANSFORMER TO 1F 6.07E-05 ACP-TFM-FC-EMERG EMERGENCY STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1FS BREAKER 1FS FAILS TO CLOSE 2.29E-05 AACP-BUS-ESST-FAILS ESST BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS OEP-3-3 DIVISION II IS UNAVAILABLE OEP222110 FAILURE OF PWR FROM THE SU STATION SERVICE TRANSFORMER TO 1G 2.05E-03 ACP-CRB-CC-1BN BREAKER 1BN FAILS TO OPEN 6.07E-05 ACP-TFM-FC-STARTUP STARTUP STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1BS SWGR BREAKER 1BS FAILS TO CLOSE ON STATION TRIP 7.97E-06 AACP-BUS-SSSTX-FAILS SSST X BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS 1.75E-03 AACP-TFM-TM-SSST STARTUP TRANSFORMER IN T/M OEP222111 FAILURE OF PWR FROM EMERGENCY STATION SERVICE TRANSFORMER TO 1G 6.07E-05 ACP-TFM-FC-EMERG EMERGENCY STATION SERVICE TRANSFORMER FAILS 2.05E-03 ACP-CRB-OO-1GS BREAKER 1GS FAILS TO CLOSE 2.29E-05 AACP-BUS-ESST-FAILS ESST BUS DUCT FAILS 2.44E-07 AACP-BUS-CF-FAIL COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS

LER 298-2017-001-01 B-11 Figure B-11. Modified DGS Fault Tree DGS SUPPLEMENTAL DIESEL GENERATOR FAULTS DGS-1 SUPPORT REQUIRED FOR ALIGNMENT TO DIVISION BUS FAILS DGS-2 DIESEL GENERATOR 1A SUPPORT POWER FAULTS DGS-3 DIESEL GENERATOR 1B SUPPORT POWER FAULTS 3.70E-03 EPS-DGN-LR-SDG SUPPLEMENTAL DIESEL GENERATOR FAILS TO LOAD RUN 2.86E-03 EPS-DGN-FS-SDG SUPPLEMENTAL DIESEL GENERATOR FAILS TO START 3.39E-02 EPS-DGN-FR-SDG SUPPLEMENTAL DIESEL GENERATOR FAILS TO RUN 1.48E-02 EPS-DGN-TM-SDG SUPPLEMENTAL EDG IS UNAVAILABLE BECAUSE OF MAINTENANCE 1.00E-03 EPS-XHE-XR-SDG OP FAILS TO RESTORE DIESEL GENERATOR 1A 2.29E-05 AACP-BUS-ESST-FAILS ESST BUS DUCT FAILS

LER 298-2017-001-01 B-12 Figure B-12. Modified OPR Fault Tree (same change made for OPR-30M, OPR-04H, OPR-08H, and OPR-12H Fault Trees)

OPR OFFSITE POWER RECOVERY Ext OEP-3 INDEPENDENT POWER SUPPLY PATHS FAIL OPR-WR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES (WEATHER RELATED)

OPR-SC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES (SWITCHYARD)

OPR-PC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES (PLANT-CENTERED)

OPR-GR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES (GRID RELATED)

OPR-AVE OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES

Retrieved from "https://kanterella.com/w/index.php?title=ML18068A724&oldid=5016200"