ML18081A602

From kanterella
Jump to navigation Jump to search
Transmittal of Final Cooper Nuclear Station Accident Sequence Precursor Report (Licensee Event Report 298-2017-001-01)
ML18081A602
Person / Time
Site: Cooper Entergy icon.png
Issue date: 04/03/2018
From: Thomas Wengert
Plant Licensing Branch IV
To: Dent J
Nebraska Public Power District (NPPD)
Wengert T, NRR/DORL/LPLIV, 415-4037
References
LER 298-2017-001-01
Download: ML18081A602 (34)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 April 3, 2018 Mr. John Dent, Jr.

Vice President-Nuclear and CNO Nebraska Public Power District 72676 648A Avenue Brownville, NE 68321

SUBJECT:

TRANSMITTAL OF FINAL COOPER NUCLEAR STATION ACCIDENT SEQUENCE PRECURSOR REPORT (LICENSEE EVENT REPORT 298-2017-001-01)

Dear Mr. Dent:

By letter dated April 5, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17354A150), Nebraska Public Power District (the licensee) submitted Licensee Event Report (LER) 298-2017-001-01, "Residual Heat Removal Minimum Flow Valves Out of Position Results in Loss of Safety Function and Condition Prohibited by Technical Specifications," to the U.S. Nuclear Regulatory Commission (NRC) staff for the Cooper Nuclear Station (CNS), pursuant to Title 10 of the Code of Federal Regulations Section 50.73. As part of the Accident Sequence Precursor (ASP) Program, the NRC staff reviewed the event to identify potential precursors and to determine the probability of the event leading to a core damage state. The results of the analysis are provided in the enclosure to this letter.

The NRC does not request a formal analysis review, in accordance with Regulatory Issue Summary 2006-24, "Revised Review and Transmittal Process for Accident Sequence Precursor Analyses," dated December 6, 2006 (ADAMS Accession No. ML060900007), because the analysis resulted in an increase in core damage probability (~CDP) of less than 1 x 1o-4 .

Final ASP Analysis Summary. A brief summary of the final ASP analysis, including the results, is provided below.

Concurrent Unavailabilities-Residua/ Heat Removal Loop A. Reactor Core Isolation Cooling. and Emergency Station Service Transformer. This event is documented in LE Rs 298-2017-001-01, 298-2016-007, and 298-2016-008 (ADAMS Accession No. ML18068A724) and in Inspection Reports (IRs) 05000298/2017001, 05000298/2017009, 05000298/2017010, 05000298/2017011, and 05000298/2017012 (ADAMS Accession Nos. ML17122A362, ML17179A282, ML17219A742, ML17223A459, and ML17354A634, respectively).

Executive Summary. On September 29, 2016, during refueling outage 29, residual heat removal (RHR) minimum flow isolation valves (RHR-V-58 and RHR-V-60) were sealed closed and danger tagged. On October 7, 2016, the danger tags were released and both valves were to be restored to their normal configuration. The danger tags were removed and seals applied to the valves; however, the valves were not opened before the seals were placed. The second verification incorrectly verified that the valves were sealed open. On February 5, 2017, it was

J. Dent, Jr. discovered that RHR-V-58 and RHR-V-60 were sealed closed. At 10:41 a.m., operators opened the valves, independently verified the valve positions, applied the appropriate seals, and declared the valves operable.

A review of CNS LERs and IRs revealed two degraded conditions that were "windowed" with this event. The first event occurred on November 8, 2016, when operators identified a water leak from the lower flange of the reactor core isolation cooling (RCIC) lube oiler cooler. The affected valve had been replaced in the previous refueling outage. A licensee examination revealed that the valve actuator had a closed travel-stop instead of the required open travel-stop, which would prevent over-pressurization of the cooling circuit by limiting the opening stroke distance. Following the valve modification to install an open travel-stop completed on November 10, 2016, RCIC was declared operable, after being unable to fulfill its safety function for approximately 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />.

The second event occurred on January 17, 2017, when the plant experienced a phase-to-phase fault of the nonsegregated bus on the secondary side of the emergency station service transformer (ESST), which resulted in the loss of one of the plant's two offsite power sources.

In addition, the fault resulted in a loss of the nonsafety-related supplemental diesel generator (SDG) because the ESST bus bars are common with the SDG. The bus duct was reenergized on January 22, 2017 (approximately 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> after the event occurred).

The point estimate increase in core damage probability (LlCDP) for this event is 5.6x10-e, which is considered a precursor in the ASP Program. This LlCDP is dominated by concurrent unavailabilities of the RHR loop "A" and the ESST for 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> (LlCDP = 3.7x1Q-6 ,

approximately 66 percent of the total). The 83-day unavailability of RHR loop "A" by itself contributes approximately 29 percent of the total LlCDP, while the RCIC unavailability has a minimal effect on the overall results.

The NRC staff conducted a special inspection for the event associated with the mispositioned RHR manual isolation valves in the RHR loop "A" minimum flow lines. NRC inspectors identified two performance deficiencies associated with the licensee's failure to follow technical specification requirements to ensure the availability, reliability, and capability of the Division 1 RHR subsystem and for the failure to correctly identify and correct out-of-position RHR loop "A" minimum flow isolation valves. An additional finding was identified for the event associated with the licensee's failure to install the correct RCIC pressure control valve mechanical stop and verify proper operation of the system prior to entering a plant mode requiring system operability.

Two inspection findings were identified with the ESST failure. Specifically, the licensee failed to implement maintenance procedures during applicable ESST bus inspections. In addition, the licensee failed to maintain a maintenance procedure with adequate instructions for testing of the ESST bus. All five of these findings were determined to be Green (i.e., very low safety significance).

Summary of Analysis Results. This operational event resulted in a best estimate LlCDP of 6x10-6 .

J. Dent, Jr. If you have any questions, please contact me at 301-415-4037 or via e-mail at Thomas.Wengert@nrc.gov.

Sincerely,

~~~Thomas J. Wengert, S~r Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-298

Enclosure:

Final ASP Analysis cc: Listserv

ENCLOSURE FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS COOPER NUCLEAR STATION CONCURRENT UNAVAILABILITIES-RESIDUAL HEAT REMOVAL LOOP A, REACTOR CORE ISOLATION COOLING, AND EMERGENCY STATION SERVICE TRANSFORMER (LER 298-2017-001-01) - PRECURSOR

Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Concurrent UnavailabilitiesResidual Heat Removal Loop A, Cooper Nuclear Reactor Core Isolation Cooling, and Emergency Station Service Station Transformer LERs: 298-2017-001-01, 298-2016-007, 298-2016-008, Event Date: 2/5/2017 IRs: 05000298/2017001, CDP= 6x10-6 05000298/2017009, 05000298/2017010, 05000298/2017011, 05000298/2017012 Plant Type: General Electric Type 4 Boiling-Water Reactor (BWR) with a Wet Mark I Containment Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)

Analyst: Reviewer: Contributors: BC Approved Date:

Keith Tetter Chris Hunter 03/09/2018 EXECUTIVE

SUMMARY

On September 29, 2016, during refueling outage 29, residual heat removal (RHR) minimum flow isolation valves (RHR-V-58 and RHR-V-60) were sealed closed and danger tagged. On October 7, 2016, the danger tags were released and both valves were to be restored to their normal configuration. The danger tags were removed and seals applied to the valves; however, the valves were not opened before the seals were placed. The second verification incorrectly verified that the valves were sealed open. On February 5, 2017 it was discovered that RHR-V-58 and RHR-V-60 were sealed closed. At 10:41 a.m., operators opened the valves, independently verified the valve positions, applied the appropriate seals, and declared the valves operable.

A review of Cooper licensee event reports (LERs) and inspection reports (IRs) revealed two degraded conditions that were windowed with this event. The first event occurred on November 8, 2016, when operators identified a water leak from the lower flange of the reactor core isolation cooling (RCIC) lube oiler cooler. The affected valve had been replaced in the previous refueling outage. A licensee examination revealed that the valve actuator had a closed travel-stop instead of the required open travel-stop, which would prevent over-pressurization of the cooling circuit by limiting the opening stroke distance. Following the valve modification to install an open travel-stop completed on November 10th, RCIC was declared operable after being unable to fulfill its safety function for approximately 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />.

The second event occurred on January 17, 2017, when the plant experienced a phasetophase fault of the nonsegregated bus on the secondary side of the emergency station service transformer (ESST), which resulted in the loss of one of the plants two offsite power sources.

In addition, the fault resulted in a loss of the nonsafety-related supplemental diesel generator (SDG) because the ESST bus bars are common with the SDG. The bus duct was reenergized on January 22nd (approximately 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> after the event occurred).

The point estimate increase in core damage probability (CDP) for this event is 5.6x10-6, which is considered a precursor in the ASP Program. This CDP is dominated by concurrent 1

LER 298-2017-001-01 unavailabilities of the RHR loop A and the ESST for 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> (CDP = 3.7x10-6, approximately 66 percent of the total). The 83-day unavailability of RHR loop A by itself contributes approximately 29 percent of the total CDP, while the RCIC unavailability has a minimal effect on the overall results.

The NRC conducted a special inspection for the event associated with the mispositioned RHR manual isolation valves in the RHR loop A minimum flow lines. NRC inspectors identified two performance deficiencies associated with the licensee failure to follow technical specification (TS) requirements to ensure the availability, reliability, and capability of the division 1 RHR subsystem and for the failure to correctly identify and correct out-of-position RHR loop A minimum flow isolation valves. An additional finding was identified for the event associated with the licensee failure to install the correct RCIC pressure control valve mechanical stop and verify proper operation of the system prior to entering a plant mode requiring system operability. Two inspection findings were identified with the ESST failure. Specifically, the licensee failed to implement maintenance procedures during applicable ESST bus inspections. In addition, the licensee failed to maintain a maintenance procedure with adequate instructions for testing of the ESST bus. All five of these findings were determined to be Green (i.e., very low safety significance).

EVENT DETAILS Event Description. On September 29, 2016, during refueling outage 29, RHR loop A minimum flow isolation valves (RHR-V-58 and RHR-V-60) were sealed closed and danger tagged in accordance with a clearance order to support RHR maintenance. On October 7, 2016, the danger tags for RHR-V-58 and RHR-V-60 were released and the clearance order directed that both valves be restored to their normal configuration. The danger tags were removed and seals applied to the valves; however, the valves were not opened before the seals were placed. The second verification incorrectly verified that the valves were sealed open. A quarterly sealed valve log audit was performed on November 29, 2016, and the seals were verified to be intact. The audit required only that the seals be verified, the audit did not require the valve configuration be checked. On February 5, 2017, during the next quarterly sealed valve log audit, it was discovered that RHR-V-58 and RHR-V-60 were sealed closed. Operators subsequently declared RHR pumps A and C inoperable at 7:56 a.m. At 10:41 a.m. on February 5th, operators opened the valves, independently verified the valve positions, applied the appropriate seals, and declared the valves operable. Additional information on this event is provided in LER 298-2017-001-01 (Ref. 1) and IR 05000298/2017009 (Ref. 2).

On November 8, 2016, at 11:27 am, RCIC was declared inoperable for surveillance testing.

At 11:41 a.m., operators identified a water leak from the lower flange of the RCIC lube oiler cooler. A licensee investigation determined that valve RCIC-AOV-PCV23, which was replaced during refueling outage 29, was fully open causing excessive cooling water pressure. An initial examination revealed that the valve actuator had a closed travel-stop instead of the required open travel-stop, which would prevent over-pressurization of the cooling circuit by limiting the opening stroke distance. At 5:39 a.m. on November 10th, following the valve modification to install an open travel-stop, post-maintenance was completed and RCIC was declared operable.

Additional information on this event is provided in LER 298-2016-008 (Ref. 3) and IR 05000298/2017001 (Ref. 4).

On January 17, 2017, the plant experienced a phasetophase fault of the nonsegregated bus on the secondary side of the ESST. When the fault occurred, the control room received several annunciators alerting the operators to the loss of voltage to the ESST. Shortly thereafter, the 2

LER 298-2017-001-01 control room received a report from the grid operations center that there was an apparent 3-phase fault on the bus bars between the ESST and the plants safety-related 4.16 kilovolt (kV) alternate current (AC) buses. The licensee subsequently identified an area of the nonsegregated ESST bus duct (near the turbine building) was discolored and at an elevated temperature. The ESST was not loaded, and no ESSTrelated switching activities were occurring at the time of the fault. 1 Therefore, the ESST fault resulted in the loss of one of the plants two offsite power sources. In addition, the fault resulted in a loss of the nonsafety-related SDG because the ESST bus bars are common with the SDG. The bus duct was reenergized at 11:42 p.m. on January 22nd. Additional information on this event is provided in IR 05000298/2017011 (Ref. 5), and IR 05000298/2017012 (Ref. 6).

Causes. The licensee performed evaluations to determine the causes of these three events:

  • The root cause evaluation for RHR-V-58 and RHR-V-60 being incorrectly closed determined that operations department standards related to operator human performance and configuration control were inadequate and did not meet industry expectations.
  • The root cause evaluation for the failure of RCIC-AOV-PCV23 determined that an incorrect air-operated valve was purchased because the purchase order and associated drawing did not contain the requirement of an open travel-stop.
  • The direct cause of the ESST bus fault was due to damage associated with corona, a voltage-related phenomenon that can result in insulation breakdown and generation of a white conductive powder residue. Specifically, the licensee determined that corona present at the interface between the ESST nonsegregated bus bar supports and the bus bars caused degradation of the bus bar insulation, which led to tracking across the ESST bus bar supports and an eventual fault. The licensee also recognized that humidity and moisture increase corona tracking. In addition, the licensee concluded that the inspection procedure did not give adequate guidance to support operation of the ESST bus until the next scheduled inspection.

Additional Event Information. The following two events were partially windowed with the degraded conditions described in the previous sections of this report:

  • On October 28, 2016, shutdown cooling (SDC) isolation valves RHR-MO-17 and RHR-MO-18 were open with RHR loop A in a SDC flush lineup and preparing to place loop A in SDC. Work orders were created to replace 27 primary containment isolation system (PCIS) relay coils during refueling outage 29. During post-maintenance testing, the licensee identified that the PCIS-REL-K27 relay did not actuate as expected. The work order was subsequently revised to replace the entire relay instead of just the coil, which required additional wires to be lifted and the relay to be removed from the DIN rail.

RHR loop A was placed in SDC mode at 8:49 a.m. on October 28th. During replacement of the PCIS-REL-K27 relay, the action of installing a new relay onto the shared plastic DIN rail disturbed the mounting rail in a manner that caused the 1-2 contact of the adjacent relay (PCIS-REL-K30) to open. This caused RHR-MO-17 to close, which actuated the logic to trip the running RHR pump A. Operators declared SDC inoperable at 9:24 a.m. on October 28th. The alternate decay heat removal system remained in service throughout the event and the plant remained aligned for natural 1 Station loads are normally powered by the normal transformer, which is fed by the stations main generator (while the plant is at power) or by the startup station service transformer (when the plant is not generating power).

3

LER 298-2017-001-01 circulation. No increase in reactor temperature was observed and no impact to plant operations was observed. While SDC was out of service, replacement of the PCIS-REL-K27 relay was completed. SDC was declared operable and placed into service at 6:30 p.m. on October 29th. NRC inspectors identified a performance deficiency associated with the licensee failure to implement procedure 7.3.16, Low Voltage Relay Removal and Installation, because engineering personnel did not evaluate the potential impact on adjacent components or components that shared a common mounting when relay PCIS-REL-K27 was replaced. This performance deficiency was determined to be Green (i.e., very low safety significance) by the SDP.

The SDP evaluation did not perform a detailed risk evaluation because this event occurred while the plant was in Mode 5 with the refueling cavity flooded. The risk of a short-term unavailability of SDC while the plant is in Mode 5 is negligible and, therefore, is not considered further in this analysis. Additional information on this event is provided in LER 298-2016-007 (Ref. 7) and IR 05000298/2017001. This LER is closed.

  • On February 4, 2017, at 8:38 p.m., the licensee received alarms in the control room that indicated that there was a ground on emergency diesel generator (EDG) 2 motor control center transformer. The licensee discovered that the jacket water heater had failed, which required the operators to secure power to the heater. This action resulted in the jacket water temperature lowering. Operators subsequently began monitoring temperature trends to ensure that the lower temperature limit was not exceeded. At the time of discovery, temperatures were indicating 131°F and 136°F on the inlet and outlet of the heater, respectively. At approximately 4:43 a.m. on February 5th, these temperatures had dropped to 102°F and 118°F. Due to these temperatures approaching the minimum required operability limit of 100°F, EDG 2 was declared inoperable.

Repairs were completed on February 6that 11:25 am after repairs were made. NRC inspectors identified a performance deficiency associated with the licensee failure to demonstrate that the performance/condition of EDG 2 was being effectively controlled through the performance of appropriate preventive maintenance, such that the EDG remained capable of performing its intended function. In addition, the licensee failed to monitor the performance/condition of EDG 2 against licensee established goals. This performance deficiency was determined to be Green (i.e., very low safety significance) by the SDP. The SDP evaluation did not perform a detailed risk evaluation because this event: (1) was not a design deficiency; (2) did not represent a loss of system and/or function; (3) did not represent an actual loss of function; (4) did not represent an actual loss of function of at least a single train for longer than its TS allowed outage time; and (5) did not result in the loss of a high safety-significant non-TS train. The unavailability of EDG 2 is only windowed with the RHR loop A unavailability for approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, which sensitivity analyses show has negligible contribution to the risk and, therefore, is not considered further in this analysis. Additional information on this event is provided in IR 05000298/2017010 (Ref. 8).

MODELING Basis for ASP Analysis/SDP Results. The ASP Program uses SDP results for degraded conditions when available and applicable. However, an independent ASP analysis is performed for concurrent (i.e., windowed) unavailabilities regardless of cause. 2 A review of Cooper LERs 2 Analyses performed as part of the SDP are limited to evaluating the risk of individual licensee performance deficiencies.

4

LER 298-2017-001-01 and IRs revealed concurrent unavailabilities of RHR loop A, RCIC, and the ESST; therefore, an independent ASP analysis was performed.

The NRC conducted a special inspection for the event associated with LER 298-2017-001-01 in accordance with Management Directive 8.3, NRC Incident Investigation Program. 3 NRC inspectors identified two performance deficiencies associated with the licensee failure to follow TS requirements to ensure the availability, reliability, and capability of the division 1 RHR subsystem and for the failure to correctly identify and correct out-of-position RHR loop A minimum flow isolation valves. Both of these inspection findings were determined to be Green (i.e., very low safety significance) and the detailed risk evaluation that was performed resulted in an increase in core damage frequency (CDF) of 4.7x10-7 per year. This LER remains open.

See IR 05000298/2017009 for additional information.

NRC inspectors also identified a finding for the event associated with LER 298-2016-008 for the licensee failure to install the correct RCIC pressure control valve mechanical stop and verify proper operation of the system prior to entering a plant mode requiring system operability.

Inspectors determined that a detailed risk evaluation was required because the performance deficiency resulted in a loss of mitigating system/function. This evaluation calculated an increase in CDF of 8.4x10-8 per year and, therefore, the finding was determined to be Green (i.e., very low safety significance). The LER is closed. See IR 05000298/2017001 for additional information.

Two inspection findings were identified with the ESST failure. Specifically, the licensee failed to implement maintenance procedure 7.3.41, Examination and High Pot Testing of Nonsegregated Buses and Associated Equipment, during inspection of the ESST 4.16 kV bus.

In addition, the licensee failed to maintain maintenance procedure 7.3.41 with adequate instructions for testing of the ESST 4.16 kV bus. A detailed risk evaluation was performed, which resulted in an increase in CDF of 9.3x10-7 per year for both inspection findings.

See IR 05000298/2017011 and IR 05000298/2017012 for additional information.

Analysis Type. A condition assessment for the concurrent unavailabilities was performed using the Cooper standardized plant analysis risk (SPAR) model, Revision 8.55, created in November 2017.

SPAR Model Modifications. The following base SPAR model modifications were required for this condition assessment:

  • Modifications were made to the applicable RHR fault trees. The RHR-A (Cooper RHR loop A fails) fault tree was modified to provide credit for operators aligning an alternate flow path (i.e., suppression pool cooling) and to account for potential common-cause failure (CCF) of the manual valves in the RHR minimum flow lines. A new AND gate RHR-A6 (minimum flow line is isolated) was inserted under existing gate RHR-A (Cooper RHR loop A fails). Gate RHR-A60 (RHR loop A miniflow isolation valves are closed) was inserted under new AND gate RHR-A6. Similar fault tree changes were made to the RHR-B (Cooper RHR loop B fails) fault tree. New basic events, RHR-XVM-FTOC-A (RHR loop A miniflow isolation valves are closed) and RHR-XVM-FTOC-B (RHR loop B miniflow isolation valves are closed), were inserted 3 Two deterministic criteria were met: (a.) a loss of a safety function used to mitigate an actual event and (b.) event involved questions or concerns pertaining to licensee operational performance. A preliminary risk assessment resulting in an estimated CCDP of 3.5x10-6, which is within the band for a special inspection.

5

LER 298-2017-001-01 under gates RHR-A60 and RHR-B60 (RHR loop B miniflow isolation valves are closed),

respectively. The failure probabilities of these valves were set using template event ZT-AVM-FTOC (manual valve fails to open), which has a probability of 4.59x10-4. A new basic event, RHR-XHE-XL-ALTERNATE (operators fail to align alternate RHR flow path), was inserted under gates RHR-A6 and RHR-B6. The failure probability of this basic event was set to 4.0x10-2, per SPAR-H analysis described below, to provide for operator recovery credit to align an alternate RHR flow path. The RHR loop A manual isolation valves for minimum flow that were incorrectly in the closed position were considered to be part of a common-cause component group (CCCG) with the similar valves in RHR loop B. 4 To create the CCF event, basic events RHR-XVM-FTOC-A and RHR-XVM-FTOC-B were used to create a new basic event, RHR-XVM-CF-MINFLW (RHR manual miniflow isolation valves fail due to common-cause), was inserted under gates RHR-A60 and RHR-B60 to account for potential CCF of the manual minimum flow isolation valves for loops A and B. The changes made in the RHR-A and RHR-B fault trees were made to the applicable SPC and low-pressure core injection (LPCI) fault trees. The revised RHR-A, RHR-B, SPC-A (cooper RHR loop A fails), SPC-B (cooper RHR loop B fails), LCI-A (Cooper LPCI train A fails), and LCI (Cooper LPCI train B fails) fault trees are provided in Figures B-1 throughB-6 in Appendix B.

- The SPAR-H Human Reliability Analysis Method (Ref. 9 and 10) was used to estimate non-recovery probability of operators to align an alternate flow path (as represented by basic event RHR-XHE-XL-ALTERNATE). Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSF) adjustments required for quantification of the human error probability for RHR-XHE-XL-ALTERNATE using SPAR-H.

Table 1. Key Qualitative Information for RHR-XHE-XL-ALTERNATE The definition for this human failure event (HFE) is the operators failure to align Definition an alternate flow path given the failure of the minimum flow valves.

Given the incorrectly isolated minimum flow lines for the RHR loop A pumps, Description and operators would have to secure the RHR pumps or align suppression pool Event Context cooling to prevent pump damage.

Operator Action For successful recovery, operators would have to align the RHR pump flow path Success Criteria to provide suppression pool cooling prior to pump damage within 32 minutes.

  • Temperature increase due to inadequate flow.

Nominal Cues

  • Red indicating lights at RHR pump control switch lit.
  • System Operating Procedure 2.2.69.1, RHR LPCI Mode Procedural Guidance
  • System Operating Procedure 2.2.69.3, RHR Suppression Pool Cooling and Containment Spray Diagnosis/Action This recovery action contains diagnosis and action activities.

4 Even though there is a manual isolation valve in each of the four RHR pumps minimum flow isolation lines. It is expected that these valves will be operated in pairs. Therefore, the CCCG size is considered to be two (i.e., one for the RHR loop A manual minimum flow isolation valves and one for the loop B valves).

6

LER 298-2017-001-01 Table 2. SPAR-H Evaluation for RHR-XHE-XL-ALTERNATE Multiplier PSF Notes Diagnosis/Action The most limiting time for this recovery action is 32 minutes based on a licensee calculation determining that the RHR loop A pumps could run this long before pump damage. Training and experience lead operators to establish suppression pool cooling early during an event, usually within approximately 10 minutes. This would leave approximately 20 minutes available for Time Available 1/1 diagnosis, which is sufficient. However, because the time for diagnosis is less than 30 minutes, the diagnosis PSF for available time is set to Nominal.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 10 for guidance on apportioning time between the diagnosis and action components of an HFE.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because there would be a sense of urgency for establishing cooling flow.

Stress 2/1 The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with few indications of the valve misalignment.

Complexity 2/1 The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Procedures Experience/Training, No event information is available to warrant a change in Ergonomics/HMI, 1 /1 these PSFs (diagnosis or action) from Nominal for this Fitness for Duty, HFE.

Work Processes The HEP is calculated using the following SPAR-H formula:

Power Recovery HEP = (Product of Diagnosis PSFs

  • Nominal Diagnosis HEP) +

(Product of Action PSFs

  • Nominal Action HEP)

= (4

  • 0.01) + (1
  • 0.001) = 4x10-2 Therefore, the human error probability for RHR-XHE-XL-ALTERNATE was set to 4x10-2.
  • Modifications were made to the ACP-1F-SWY (Cooper switchyard AC service to bus 1F), ACP-1G-SWY (Cooper switchyard AC service to bus 1G), OEP (offsite electrical power), OEP-3 (independent power supply paths fail), DGS (supplemental diesel generator faults), OPR (offsite power recovery), OPR-30M (offsite power recovery in 30 minutes), OPR-04H (offsite power recovery in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />), OPR-08H (offsite power recovery in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), and OPR-12H (offsite power recovery in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) fault trees in a similar manner as in Attachment 2 in IR 05000298/2017011. The revised ACP-1F-SWY, 7

LER 298-2017-001-01 ACP-1G-SWY, OEP, OEP-3, DGS and OPR fault trees are provided in Figures B-7 through B-12 in Appendix B.

- The OEP-3 fault tree was converted to transfer gate within the OEP fault tree.

- The nonsegregated bus work between the motor-operated disconnect associated with the ESST and electrical safety buses 1F and 1G is not included in the base SPAR model and is needed for this analysis. Therefore, new basic event AACP-BUS-ESST-FAILS (ESST bus duct fails) was created in the SPAR model using template ZT-BAC-LP (AC bus fails to operate). This basic event was added to the ACP-1F-SWY and ACP-1G-SWY fault trees under existing OR gates ACP-1F-SWY-2 (emergency station service failure) and ACP-1G-SWY-2 (emergency station service failure). This basic event was also added to the OEP fault tree under existing OR gates OEP22111 (failure of power from ESST to 1F) and OEP222111 (failure of power from ESST to 1G). Similarly, a new basic event, AACP-BUS-SSSTX-FAILS (SSST-X bus duct fails), representing the bus work from the X-winding of the SSST feeding the plant (which did not fail the SDG but was unavailable due to the failure of the ESST bus duct) was created using template ZT-BAC-LP and inserted under fault trees ACP-1F-SWY and ACP-1G-SWY as well under existing OR gates OEP22110 (failure of power from the startup station service transformer to 1F) and OEP222110 (failure of power from the startup station service transformer to 1G) within the OEP-3 fault tree. In addition, basic event AACP-BUS-ESST-FAILS was inserted under the top gate of the DGS fault tree given the supplemental diesel generator would be unavailable given a bus duct failure.

- The bus work for buses 1A and 1B supplied by the main generator and SSST, which provides power to electrical safety buses 1F and 1G, is not included in the base SPAR model and is needed for this analysis. Therefore, existing basic events ACP-CRB-CC-1AN (breaker 1AN fails to open) and ACP-CRB-OO-1AS (switchgear breaker 1AS fails to close on station trip) were added to existing OR gate ACP-1F-SWY-1 (normal and startup station power service failure) within the ACP-1F-SWY fault tree. In addition, these basic events were inserted under existing OR gate OEP22110. Similarly, existing basic events ACP-CRB-CC-1BN (breaker 1BN fails to open) and ACP-CRB-OO-1BS (switchgear breaker 1BS fails to close on station trip) were added to existing OR gate ACP-1G-SWY-1 (normal and startup station power service failure) within the ACP-1G-SWY fault tree. In addition, these basic events were also inserted under existing OR gate OEP222110. Basic event AACP-TFM-TM-SSST (startup transformer in T/M) was added to existing OR gates ACP-1F-SWY-1 and ACP-1G-SWY-1 within the ACP-1F-SWY and ACP-1G-SWY fault trees. In addition, this basic event was inserted under existing OR gates OEP22110 and OEP222110 in the OEP-3 fault tree. The failure probability of this transformer was set using template event ZT-TFM-TM (startup transformer test or maintenance), which has a probability of 1.75x10-3.

- A new CCF basic event, AACP-BUS-CF-FAIL (common-cause failure of transformer bus ducts), representing the CCF of the ESST and SSST-X bus work was created.

The common cause alpha factors, ZA-CCF-RATE-02A01 (alpha factor 1 in group size 2 for component CCF with failure mode rate) and ZA-CCF-RATE-02A02 (alpha factor 2 in group size 2 for component CCF with failure mode rate), were applied.

These generic alpha factors for a CCCG size of two are used because bus-work failure data is not explicitly collected and estimated for the SPAR models. This CCF basic event was inserted under existing OR gates ACP-1F-SWY-1, 8

LER 298-2017-001-01 ACP-1G-SWY-1, OEP22110, OEP222110, OEP22111, and OEP222111 within the OEP-3 fault tree.

- The OEP-3 transfer tree was inserted under the existing top gate for the OPR-30M, OPR-04H, OPR-08H, and OPR-12H fault trees.

  • In ASP analyses, recovery credit for EDG failures is limited to cases where event information supports credit for EDG recovery. Therefore, the DGR (diesel generator recovery) top event (including applicable event tree branching) was eliminated from the station blackout (SBO) event tree. The revised SBO event tree is shown in Figure A-3.
  • The basic event SPC-XHE-XL-NOREC (late recovery of suppression pool cooling fails) was set to TRUE. The base model probability of 0.5 is only used for benchmarking purposes.

Exposure Periods. The following three exposure periods were identified for this analysis:

  • The first exposure period of approximately 83 days, (November 6th through February 5th minus the times for exposure periods two and three) existed when RHR loop A was unavailable because of the closed RHR minimum flow isolation valves. The exposure time during the refueling outage was not considered because the manual valves in the minimum flow line were correctly closed at that time for the shutdown cooling line-up.
  • The second exposure period of 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br /> existed when valve RCIC-AOV-PCV23 had a closed travel-stop was installed, rendering the RCIC system unavailable to fulfill its safety function. This exposure period includes the closed RHR loop A minimum flow isolation valves.
  • The third exposure period of 127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br /> existed when the ESST bus and SDG were unavailable due the electrical fault. This exposure period includes the closed RHR loop A minimum flow isolation valves.

Key Modeling Assumptions. The following assumptions were determined to be significant to the modeling of this event:

Exposure Period 1 (83 days)

  • Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.

Exposure Period 2 (50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />)

  • Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.
  • Basic event RCI-MOV-CC-INJEC (RCIC injection valve causes failure to start) was set to TRUE because the failed pressure control valve resulted in the RCIC system being unavailable to fulfill its safety function.

9

LER 298-2017-001-01 Exposure Period 3 (127 hours0.00147 days <br />0.0353 hours <br />2.099868e-4 weeks <br />4.83235e-5 months <br />)

  • Basic event RHR-XVM-FTOC-A was set to TRUE to model the RHR loop A unavailability caused by the manual minimum flow isolation valves incorrectly positioned as closed.
  • Basic event AACP-BUS-ESST-FAILS was set to TRUE due to the ESST electrical fault resulting in the failed ESST bus and resulted in the unavailability of the SDG.
  • The probability of basic event AACP-BUS-SSSTX-FAILS was set to 6.0x10-2, down from an initial value of 25 percent that was estimated in the preliminary SDP evaluation due to the fault in the bus work that released a large amount of energy, which resulted in a hole in the bottom of the duct. Charring and arc fault byproducts were present on top of the SSST-X duct. It was assumed that arc faults in other locations could damage the duct housing the SSST-X bus work and rendering it unavailable.

ANALYSIS RESULTS CDP. The point estimate CDP for this event is 5.6x10-6, which is the sum of three exposure periods. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions.

The CDP for this event exceeds this threshold; therefore, this event is a precursor. The total CDP for this event is dominated by the risk from Exposure Period 3 (CDP of 3.7x10-6).

Whereas, the risk from Exposure Periods 1 and 2 (CDP of 1.9x10-6) contributes approximately 34 percent to the total risk for this event.

Dominant Sequence. The dominant accident sequence is TRANS Sequence 74-37-28 (CDP

= 5.6x10-7) that contributes approximately 10 percent of the total internal events CDP. Figures A-1 through A-3 in Appendix A illustrate this sequence. The dominant sequences that contribute at least 1 percent of the total internal events CCDP are provided in the following table:

Sequence CDP Percentage Description General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; safety relief valves (SRVs) open on demand and successfully TRANS 74-37-28 5.6x10-7 10.0% reclose; recirculation pump seal integrity remains intact; RCIC fails; high pressure coolant injection (HPCI) succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump TRANS 74-37-14 4.5x10-7 8.1%

seal integrity succeeds; RCIC succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 10

LER 298-2017-001-01 Sequence CDP Percentage Description General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump TRANS 74-37-05 4.3x10-7 7.7%

seal integrity remains intact; RCIC succeeds; operator actions to extend reactor makeup succeed; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; late injection (LI) fails Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI)

LOACG 09 3.8x10-7 6.8% succeeds; suppression pool cooling (SPC) fails; control rod drive (CRD) injection succeeds; SPC recovery fails; containment spray (CS) fails; power conversion system (PCS) recovery fails; containment venting fails; LI fails Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI)

LOACG 17 3.8x10-7 6.8% succeeds; SPC fails; CRD injection fails; manual reactor depressurization succeeds; condensate system succeeds; SPC recovery fails; shutdown cooling (SDC) fails; CS fails; PCS recovery fails; containment venting fails; LI fails General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on TRANS 74-37-31-2 3.5x10-7 6.3%

demand and successfully reclose; recirculation pump seal integrity fails; RCIC fails; HPCI fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency TRANS 74-37-32-2 3.4x10-7 6.1% power system failure results in SBO; one SRV sticks open; RCIC succeeds; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI)

LOCHS 09 2.3x10-7 4.1%

succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails Loss of main feedwater initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high LOMFW 09 1.2x10-7 2.2% pressure injection (RCIC or HPCI) succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails 11

LER 298-2017-001-01 Sequence CDP Percentage Description Loss of vital 125 VDC bus B initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully LODCB 09 1.2x10-7 2.1% reclose; RCIC succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on TRANS 74-37-30 1.0x10-7 1.9% demand and successfully reclose; recirculation pump seal integrity remains intact; RCIC fails; HPCI fails; operators fail to restore offsite power within 30 minutes General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system succeeds; SRVs open on demand and TRANS 74-09 1.0x10-7 1.8% successfully reclose; HPCI succeeds; SPC fails; manual reactor depressurization succeeds; low pressure injection (LPI) succeeds; SPC recovery fails; SDC fails; CS fails; containment venting fails; LI fails General plant transient initiating event; successful reactor trip; offsite electrical power succeeds; SRVs TRANS 71 9.0x10-8 1.6% open on demand and successfully reclose; PCS fails; high pressure injection (RCIC or HPCI) fails; manual reactor depressurization fails Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; LOCHS 73-37-28 8.3x10-8 1.5% recirculation pump seal integrity remains intact; RCIC fails; HPCI succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization fails; operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; LOCHS 73-37-14 6.7x10-8 1.2%

recirculation pump seal integrity succeeds; RCIC succeeds; operator actions to extend reactor makeup fails; manual reactor depressurization fails; operators fail to restore offsite power within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> General plant transient initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; recirculation pump seal integrity succeeds; RCIC succeeds; HPCI TRANS 74-37-24 6.4x10-8 1.2%

succeeds; operator actions to extend reactor makeup fail; manual reactor depressurization succeeds; firewater injection succeeds; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; LI fails 12

LER 298-2017-001-01 Sequence CDP Percentage Description Loss of condenser heat sink initiating event; successful reactor trip; offsite electrical power fails; emergency power system failure results in SBO; SRVs open on demand and successfully reclose; LOCHS 73-37-05 6.4x10-8 1.2%

recirculation pump seal integrity remains intact; RCIC succeeds; operator actions to extend reactor makeup succeed; operators fail to restore offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails; LI fails Loss of vital 4.16 kV AC bus G initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; high pressure injection (RCIC or HPCI) fails; LOACG 45 5.6x10-8 1.0%

manual reactor depressurization succeeds; condensate system succeeds; SPC fails; SDC fails; CS fails; PCS recovery fails; containment venting fails; LI fails General plant transient initiating event; successful reactor trip; offsite electrical power succeeds; SRVs open on demand and successfully reclose; PCS fails; TRANS 10 5.6x10-8 1.0% high pressure injection (RCIC or HPCI) succeeds; SPC fails; manual reactor depressurization succeeds; CRD injection succeeds; SPC recovery fails; CS fails; PCS recovery fails; containment venting fails; LI fails REFERENCES

1. Cooper Nuclear Station, Residual Heat Removal Minimum Flow Valves Out of Position Results in Loss of Safety Function and Condition Prohibited by Technical Specifications, LER 298-2017-001-01, dated December 15, 2017 (ADAMS Accession No. ML17354A150).
2. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Special Inspection Report 05000298/2017009, dated June 27, 2017 (ADAMS Accession No. ML17179A282).
3. Cooper Nuclear Station, Purchase and Installation of Incorrect Actuator Results in a Condition Prohibited by Technical Specifications, LER 298-2016-008, dated January 5, 2017 (ADAMS Accession No. ML17025A072).
4. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Integrated Inspection Report 05000298/2017001, dated May 1, 2017 (ADAMS Accession No. ML17122A362).
5. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Baseline Inspection Report 05000298/2017011 and Preliminary White Finding, dated August 14, 2017 (ADAMS Accession No. ML17223A459).
6. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - Final Significance Determination of Green Findings; NRC Baseline Inspection Report 05000298/2017012, dated December 20, 2017 (ADAMS Accession No. ML17354A634).
7. Cooper Nuclear Station, Isolation of Shutdown Cooling due to Relay Maintenance Results in a Loss of Safety Function, LER 298-2016-007, dated December 19, 2016 (ADAMS Accession No. ML16365A009).

13

LER 298-2017-001-01

8. U.S. Nuclear Regulatory Commission, Cooper Nuclear Station - NRC Problem Identification and Resolution Inspection Report 05000298/2017010, dated August 7, 2017 (ADAMS Accession No. ML17219A742).
9. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
10. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

14

LER 298-2017-001-01 Appendix A: Key Event Trees GENERAL PLANT TRANSIENT REACTOR SHUTDOWN OFFSITE ELECTRICAL SRV'S CLOSE POWER CONVERSION HIGH PRESSURE INJECTION SUPPRESSION POOL MANUAL REACTOR CRD INJECTION (1 PUMP) CONDENSATE LOW PRESSURE INJECTION ALTERNATE LOW PRESS SUPPRESSION POOL SHUTDOWN COOLING CONTAINMENT SPRAY POWER CONVERSION CONTAINMENT VENTING LATE INJECTION # End State POWER SYSTEM (RCIC OR HPCI) COOLING DEPRESS (CS OR LPCI) INJECTION COOLING SYSTEM RECOVERY (Phase - CD)

IE-TRANS RPS OEP SRV PCS HPI SPC DEP CRD CDS LPI VA SPC SDC CSS PCSR CVS LI 1 OK 2 OK 3 CD 4 OK 5 OK 6 OK 7 OK SPCR 8 CD LI00 9 OK 10 CD LI06 11 OK 12 OK 13 OK 14 OK 15 OK SPCR 16 CD LI00 17 OK 18 CD LI06 19 OK 20 OK 21 OK 22 OK 23 OK SPCR 24 CD 25 OK 26 CD LI06 27 OK 28 OK 29 OK 30 OK VA1 31 OK SPCR SD1 32 CD CS1 LI00 33 OK 34 CD LI06 35 OK VA1 36 CD 37 OK 38 OK 39 OK 40 OK SPCR 41 CD LI00 42 OK 43 CD LI06 44 OK 45 CD 46 OK 47 OK 48 OK 49 OK 50 OK 51 CD LI00 52 OK 53 CD LI06 54 OK 55 OK 56 OK 57 OK 58 OK 59 CD 60 OK 61 CD LI06 62 OK 63 OK 64 OK 65 OK 66 OK SP1 SD1 67 CD CS1 LI00 68 OK 69 CD LI06 70 CD 71 CD 72 1SORV P1 73 2SORVS P2 74 LOOPPC 75 ATWS 76 LOOPPC Figure A-1. Cooper Transient Event Tree A-1

LER 298-2017-001-01 LOSS OF OFFSITE POWER REACTOR SHUTDOWN EMERGENCY POWER SRV'S CLOSE HIGH PRESSURE INJECTION SUPPRESSION POOL MANUAL REACTOR LOW PRESSURE INJECTION ALTERNATE LOW PRESS SUPPRESSION POOL SHUTDOWN COOLING CONTAINMENT SPRAY CONTAINMENT VENTING LATE INJECTION # End State INITIATOR (SWITCHYARD- (RCIC OR HPCI) COOLING DEPRESS (CS OR LPCI) INJECTION COOLING (Phase - CD)

CENTERED)

IE-LOOPSC RPS EPS FTF-SBO SRV HPI SPC DEP LPI VA SPC SDC CSS CVS LI 1 OK 2 CD 3 OK 4 OK 5 OK 6 OK SPCR 7 CD 8 OK 9 CD LI06 10 OK 11 OK 12 OK 13 OK VA1 SPCR 14 CD SD1 LI00 CS1 15 OK 16 CD LI06 17 CD VA1 18 CD 19 OK 20 OK 21 OK 22 OK 23 CD 24 OK 25 CD LI06 26 OK 27 OK 28 OK 29 OK SP1 30 CD SD1 LI00 CS1 31 OK 32 CD LI06 33 CD 34 CD 35 LOOP-1 P1 36 LOOP-2 P2 37 SBO 38 ATWS 39 CD Figure A-2. Cooper Plant-centered LOOP Event Tree A-2

LER 298-2017-001-01 EMERGENCY POWER SRV'S CLOSE RECIRC PUMP SEAL RCIC HPCI ACTIONS TO EXTEND MANUAL REACTOR FIREWATER INJECTION OFFSITE POWER RECOVERY CONTAINMENT VENTING LATE INJECTION # End State INTEGRITY REACTOR MAKEUP DEPRESS (Phase - CD)

EPS FTF-SBO SRV RPSL RCI HCI EXT DEP01 FWS OPR CVS LI 1 SBO-OP OPR-12H 2 OK CVS02 3 CD EXT01 LI-EXT OPR-12H 4 OK CVS02 5 CD LI06 6 SBO-OP OPR-12H 7 OK RCI03 CVS02 8 CD LI00 OPR-12H 9 OK CVS02 10 CD EXT01 LI06 11 SBO-OP OPR-08H 12 CD OPR-08H 13 SBO-OP OPR-08H 14 CD OPR-08H 15 SBO-OP OPR-08H 16 OK CVS02 17 CD EXT02 LI-EXT OPR-08H 18 OK CVS02 19 CD LI06 20 SBO-OP OPR-12H 21 OK HCI03 CVS02 22 CD LI00 RCI03 OPR-12H 23 OK CVS02 24 CD EXT02 LI06 25 SBO-OP OPR-04H 26 CD OPR-04H 27 SBO-OP OPR-04H 28 CD OPR-04H 29 SBO-OP OPR-30M HCI03 30 CD OPR-30M 31 SBO-1 32 SBO-1 P1 33 CD P2 Figure A-3. Revised Cooper SBO Event Tree A-3

LER 298-2017-001-01 Appendix B: Modified Fault Trees COOPER RHR LOOP A FAILS RHR-A COOPER DIVISION 1F AC POWER RHR TRAINS FAIL MINIMUM FLOW LINE IS ISOLATED RHR PUMP MIN FLOW LINES FAIL FAILS FROM COMMON CAUSE ACP-1F Ext RHR-A-1 RHR-A6 RHR-MOV-CF-MINFL 7.64E-06 COOPER DIVISION I 125 VDC RHR LOOP A MINFLOW LINE MOV POWER FAILS LONG TERM FAILS TO CLOSE DCP-1-125DC-LT Ext TRAIN A FAILS TRAIN C FAILS RHR LOOP A MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-OO-MINFA 8.16E-04 RHR LOOP A COOLING FAILS ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH RHR-A-2 RHR-A-3 RHR-A60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR-A-HTX Ext RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-XVM-FTOC-A 4.59E-04 RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 Figure B-1. Modified RHR-A Fault Tree B-1

LER 298-2017-001-01 COOPER RHR LOOP B FAILS RHR-B COOPER DIVISION 2 125VDC RHR TRAINS FAIL MINIMUM FLOW LINE IS ISOLATED RHR PUMP MIN FLOW LINES FAIL POWER FAILS LONG TERM FROM COMMON CAUSE DCP-2-125DC-LT Ext RHR-B-1 RHR-B6 RHR-MOV-CF-MINFL 7.64E-06 COOPER DIVISION 1G AC POWER RHR LOOP B MINFLOW LINE MOV FAILS FAILS TO CLOSE ACP-1G Ext TRAIN B FAILS TRAIN D FAILS RHR LOOP B MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-OO-MINFB 8.16E-04 RHR LOOP B COOLING FAILS ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH RHR-B-2 RHR-B-3 RHR-B60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR-B-HTX Ext RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-XVM-FTOC-B 4.59E-04 Figure B-2. Modified RHR-B Fault Tree B-2

LER 298-2017-001-01 COOPER RHR LOOP A FAILS SPC-A COOPER DIVISION 1F AC POWER RHR TRAINS FAIL MINIMUM FLOW LINE IS ISOLATED RHR PUMP MIN FLOW LINES FAIL FAILS FROM COMMON CAUSE ACP-1F Ext SPC-A-1 SPC-A6 RHR-MOV-CF-MINFL 7.64E-06 RHR LOOP A COOLING FAILS RHR LOOP A MINFLOW LINE MOV FAILS TO CLOSE RHR-A-HTX Ext TRAIN A FAILS TRAIN C FAILS RHR LOOP A MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-OO-MINFA 8.16E-04 ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH SPC-A-2 SPC-A-3 SPC-A60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-XVM-FTOC-A 4.59E-04 RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 Figure B-3. Modified SPC-A Fault Tree B-3

LER 298-2017-001-01 COOPER RHR LOOP B FAILS SPC-B COOPER DIVISION 1G AC POWER RHR TRAINS FAIL MINIMUM FLOW LINE IS ISOLATED RHR PUMP MIN FLOW LINES FAIL FAILS FROM COMMON CAUSE ACP-1G Ext SPC-B-1 SPC-B6 RHR-MOV-CF-MINFL 7.64E-06 RHR LOOP B COOLING FAILS RHR LOOP B MINFLOW LINE MOV FAILS TO CLOSE RHR-B-HTX Ext TRAIN B FAILS TRAIN D FAILS RHR LOOP B MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-OO-MINFB 8.16E-04 ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH SPC-B-2 SPC-B-3 SPC-B60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-XVM-FTOC-B 4.59E-04 Figure B-4. Modified SPC-B Fault Tree B-4

LER 298-2017-001-01 COOPER LPCI TRAIN A FAILS LCI-TRNA COOPER DIVISION 1F AC POWER PUMP TRAINS MINIMUM FLOW LINE IS ISOLATED LPCI INJECTION CHECK VALVES FAILS FAIL FROM COMMON CAUSE ACP-1F Ext LCI-TRNA-1 LCI-A6 RHR-CKV-CF-LPI 1.94E-07 COOPER DIVISION 1 250VDC LPCI INJECTION VALVES FAIL FROM POWER FAILS LONG TERM COMMON CAUSE DCP-1-250DC-LT Ext TRAIN A TRAIN C RHR LOOP A MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-CF-LPI 1.15E-05 ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH LPCI LOOP A ISOLATION CKV FAILS TO OPEN LCI-TRNA-2 LCI-TRNA-3 LCI-A60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR-CKV-CC-AO68A 9.24E-06 LPCI LOOP A ISOLATION MOV FAILS TO OPEN RHR LOOP A MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-MOV-CC-MO25A 8.16E-04 RHR-XVM-FTOC-A 4.59E-04 RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 Figure B-5. Modified LCI-TRNA Fault Tree B-5

LER 298-2017-001-01 COOPER LPCI TRAIN B FAILS LCI-TRNB COOPER DIVISION 1G AC POWER PUMP TRAINS MINIMUM FLOW LINE IS ISOLATED LPCI INJECTION CHECK VALVES FAILS FAIL FROM COMMON CAUSE ACP-1G Ext LCI-TRNB-1 LCI-B6 RHR-CKV-CF-LPI 1.94E-07 COOPER DIVISION 2 250VDC LPCI INJECTION VALVES FAIL FROM POWER FAILS LONG TERM COMMON CAUSE DCP-2-250DC-LT Ext TRAIN B TRAIN D RHR LOOP B MANUAL MINIFLOW OPERATORS FAILE TO ALIGN RHR-MOV-CF-LPI 1.15E-05 ISOLATION VALVES ARE CLOSED ALTERNATE RHR FLOW PATH LPCI LOOP B ISOLATION CKV FAILS TO OPEN LCI-TRNB-2 LCI-TRNB-3 LCI-B60 RHR-XHE-XL-ALTERNATE 4.00E-02 RHR-CKV-CC-AO68B 9.24E-06 LPCI LOOP B ISOLATION MOV FAILS TO OPEN RHR MANUAL MINIFLOW ISOLATION VALVES FAIL DUE TO COMMON RHR-MOV-CC-MO25B 8.16E-04 CAUSE RHR-XVM-CF-MINFLOW 2.71E-05 RHR LOOP B MANUAL MINIFLOW ISOLATION VALVES ARE CLOSE RHR-XVM-FTOC-B 4.59E-04 Figure B-6. Modified LCI-TRNB Fault Tree B-6

LER 298-2017-001-01 OFFSITE ELECTRICAL POWER OEP TRANSIENT CAUSES LOSS OF LOCA CAUSES LOSS OF OFFSITE INDEPENDENT POWER SUPPLY OFFSITE POWER POWER PATHS FAIL OEP-1 OEP-2 OEP-3 Ext CONSEQUENTIAL LOSS OF OFFSITE Complement of: LOCA LOOP LOCA LOOP RESPONSE CONSEQUENTIAL LOSS OF OFFSITE POWER - TRANSIENT RESPONSE POWER - LOCA OEP-VCF-LP-CLOPT 5.30E-03 OEP11 OEP21 OEP-VCF-LP-CLOPL 3.00E-03 HOUSE EVENT - SMALL LOSS-OF- HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR COOLANT ACCIDENT INITIATOR HE-SLOCA False HE-SLOCA False HOUSE EVENT - MEDIUM LOSS OF HOUSE EVENT - MEDIUM LOSS OF COOLANT ACCIDENT INITIATOR COOLANT ACCIDENT INITIATOR HE-MLOCA False HE-MLOCA False HOUSE EVENT - LARGE LOSS-OF- HOUSE EVENT - LARGE LOSS-OF-COOLANT ACCIDENT INITIATOR COOLANT ACCIDENT INITIATOR HE-LLOCA False HE-LLOCA False Figure B-7. Modified OEP Fault Tree B-7

LER 298-2017-001-01 COOPER SWITCHYARD AC SERVICE TO SWGR BUS 1F ACP-1F-SWY NORMAL AND STARTUP STATION EMERGENCY STATION SERVICE POWER SERVICE FAILURE FAILURE ACP-1F-SWY-1 ACP-1F-SWY-2 COOPER 4160 VAC SWITCHGEAR BREAKER 1AN FAILS TO OPEN EMERGENCY STATION SERVICE BUS 1A IS UNAVAILABLE TRANSFORMER FAILS ACP-4160V-1A Ext ACP-CRB-CC-1AN 2.05E-03 ACP-TFM-FC-EMERG 6.07E-05 SWGR BREAKER 1AS FAILS TO BREAKER 1FS FAILS TO CLOSE CLOSE ON STATION TRIP ACP-CRB-OO-1AS 2.05E-03 ACP-CRB-OO-1FS 2.05E-03 CLOSED BREAKER 1AF FAILS OPEN ESST BUS DUCT FAILS ACP-CRB-CO-1AF 2.76E-06 AACP-BUS-ESST-FAILS 2.29E-05 CLOSED BREAKER 1FA FAILS OPEN COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS ACP-CRB-CO-1FA 3.82E-06 AACP-BUS-CF-FAIL 2.44E-07 SSST X BUS DUCT FAILS AACP-BUS-SSSTX-FAILS 7.97E-06 COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS AACP-BUS-CF-FAIL 2.44E-07 STARTUP TRANSFORMER IN T/M AACP-TFM-TM-SSST 1.75E-03 Figure B-8. Modified ACP-1F-SWY Fault Tree B-8

LER 298-2017-001-01 COOPER SWITCHYARD AC SERVICE TO SWGR BUS 1G ACP-1G-SWY NORMAL AND STARTUP STATION EMERGENCY STATION SERVICE POWER SERVICE FAILURE FAILURE ACP-1G-SWY-1 ACP-1G-SWY-2 COOPER 4160 VAC SWITCHGEAR BREAKER 1BN FAILS TO OPEN EMERGENCY STATION SERVICE BUS 1B IS UNAVAILABLE TRANSFORMER FAILS ACP-4160V-1B Ext ACP-CRB-CC-1BN 2.05E-03 ACP-TFM-FC-EMERG 6.07E-05 SWGR BREAKER 1BS FAILS TO BREAKER 1GS FAILS TO CLOSE CLOSE ON STATION TRIP ACP-CRB-OO-1BS 2.05E-03 ACP-CRB-OO-1GS 2.05E-03 CLOSED BREAKER 1BG FAILS OPEN ESST BUS DUCT FAILS ACP-CRB-CO-1BG 3.82E-06 AACP-BUS-ESST-FAILS 2.29E-05 CLOSED BREAKER 1GB FAILS OPEN COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS ACP-CRB-CO-1GB 3.82E-06 AACP-BUS-CF-FAIL 2.44E-07 SSST X BUS DUCT FAILS AACP-BUS-SSSTX-FAILS 7.97E-06 COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS AACP-BUS-CF-FAIL 2.44E-07 STARTUP TRANSFORMER IN T/M AACP-TFM-TM-SSST 1.75E-03 Figure B-9. Modified ACP-1G-SWY Fault Tree B-9

LER 298-2017-001-01 INDEPENDENT POWER SUPPLY PATHS FAIL OEP-3 DIVISION I IS UNAVAILABLE DIVISION II IS UNAVAILABLE OEP-3-2 OEP-3-3 FAILURE OF PWR FROM THE SU FAILURE OF PWR FROM FAILURE OF PWR FROM THE SU FAILURE OF PWR FROM STATION SERVICE TRANSFORMER EMERGENCY STATION SERVICE STATION SERVICE TRANSFORMER EMERGENCY STATION SERVICE TO 1F TRANSFORMER TO 1F TO 1G TRANSFORMER TO 1G OEP22110 OEP22111 OEP222110 OEP222111 BREAKER 1AN FAILS TO OPEN EMERGENCY STATION SERVICE BREAKER 1BN FAILS TO OPEN EMERGENCY STATION SERVICE TRANSFORMER FAILS TRANSFORMER FAILS ACP-CRB-CC-1AN 2.05E-03 ACP-TFM-FC-EMERG 6.07E-05 ACP-CRB-CC-1BN 2.05E-03 ACP-TFM-FC-EMERG 6.07E-05 STARTUP STATION SERVICE BREAKER 1FS FAILS TO CLOSE STARTUP STATION SERVICE BREAKER 1GS FAILS TO CLOSE TRANSFORMER FAILS TRANSFORMER FAILS ACP-TFM-FC-STARTUP 6.07E-05 ACP-CRB-OO-1FS 2.05E-03 ACP-TFM-FC-STARTUP 6.07E-05 ACP-CRB-OO-1GS 2.05E-03 SWGR BREAKER 1AS FAILS TO ESST BUS DUCT FAILS SWGR BREAKER 1BS FAILS TO ESST BUS DUCT FAILS CLOSE ON STATION TRIP CLOSE ON STATION TRIP ACP-CRB-OO-1AS 2.05E-03 AACP-BUS-ESST-FAILS 2.29E-05 ACP-CRB-OO-1BS 2.05E-03 AACP-BUS-ESST-FAILS 2.29E-05 SSST X BUS DUCT FAILS COMMON CAUSE FAILURE OF SSST X BUS DUCT FAILS COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS TRANSFORMER BUS DUCTS AACP-BUS-SSSTX-FAILS 7.97E-06 AACP-BUS-CF-FAIL 2.44E-07 AACP-BUS-SSSTX-FAILS 7.97E-06 AACP-BUS-CF-FAIL 2.44E-07 COMMON CAUSE FAILURE OF COMMON CAUSE FAILURE OF TRANSFORMER BUS DUCTS TRANSFORMER BUS DUCTS AACP-BUS-CF-FAIL 2.44E-07 AACP-BUS-CF-FAIL 2.44E-07 STARTUP TRANSFORMER IN T/M STARTUP TRANSFORMER IN T/M AACP-TFM-TM-SSST 1.75E-03 AACP-TFM-TM-SSST 1.75E-03 Figure B-10. Modified OEP-3 Fault Tree B-10

LER 298-2017-001-01 SUPPLEMENTAL DIESEL GENERATOR FAULTS DGS SUPPORT REQUIRED FOR SUPPLEMENTAL DIESEL GENERATOR ALIGNMENT TO DIVISION BUS FAILS FAILS TO LOAD RUN DGS-1 EPS-DGN-LR-SDG 3.70E-03 SUPPLEMENTAL DIESEL GENERATOR FAILS TO START DIESEL GENERATOR 1A SUPPORT DIESEL GENERATOR 1B SUPPORT EPS-DGN-FS-SDG 2.86E-03 POWER FAULTS POWER FAULTS SUPPLEMENTAL DIESEL GENERATOR FAILS TO RUN DGS-2 DGS-3 EPS-DGN-FR-SDG 3.39E-02 SUPPLEMENTAL EDG IS UNAVAILABLE BECAUSE OF MAINTENANCE EPS-DGN-TM-SDG 1.48E-02 OP FAILS TO RESTORE DIESEL GENERATOR 1A EPS-XHE-XR-SDG 1.00E-03 ESST BUS DUCT FAILS AACP-BUS-ESST-FAILS 2.29E-05 Figure B-11. Modified DGS Fault Tree B-11

LER 298-2017-001-01 OFFSITE POWER RECOVERY OPR INDEPENDENT POWER SUPPLY OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER PATHS FAIL OFFSITE POWER IN 30 MINUTES OFFSITE POWER IN 30 MINUTES OFFSITE POWER IN 30 MINUTES OFFSITE POWER IN 30 MINUTES OFFSITE POWER IN 30 MINUTES (WEATHER RELATED) (SWITCHYARD) (PLANT-CENTERED) (GRID RELATED)

OEP-3 Ext OPR-WR OPR-SC OPR-PC OPR-GR OPR-AVE Figure B-12. Modified OPR Fault Tree (same change made for OPR-30M, OPR-04H, OPR-08H, and OPR-12H Fault Trees)

B-12

Package: ML180868308 Letter ML18081A602 ASP Repo rt ML18068A724 OFFICE NRR/DORL/LPL4/PM NRR/DORL/LPL4/LA NRR/DORL/LPL4/PM NRR/DORL/LPL4/PM NAME TWengert PBlechman RPascarelli TWengert DATE 3/28/18 3/27/18 3/30/18 4/3/18

Retrieved from "https://kanterella.com/w/index.php?title=ML18081A602&oldid=2412457"