ML18289A556

From kanterella
Jump to navigation Jump to search
NRC Inspection Report 05000461/2018051 and Preliminary White Finding (Public)
ML18289A556
Person / Time
Site: Clinton Constellation icon.png
Issue date: 10/15/2018
From: Louden P
Division Reactor Projects III
To: Bryan Hanson
Exelon Generation Co, Exelon Nuclear
References
EA-18-104 IR 2018051
Download: ML18289A556 (41)


See also: IR 05000461/2018051

Text

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

October 15, 2018

EA-18-104

Mr. Bryan C. Hanson

Senior VP, Exelon Generation Company, LLC

President and CNO, Exelon Nuclear

4300 Winfield Road

Warrenville, IL 60555

SUBJECT: CLINTON POWER STATIONNRC INSPECTION REPORT 05000461/2018051

AND PRELIMINARY WHITE FINDING

Dear Mr. Hanson:

On September 24, 2018, the U.S. Nuclear Regulatory Commission (NRC) presented the

preliminary significance assessment results to your staff at Clinton Power Station, Unit 1.

This letter transmits a finding that has preliminarily been determined to be White. A White

finding low to moderate safety significance that may require additional NRC inspections. As

described in this letter, on May 17, 2018, an apparent violation of Title 10 of the Code of Federal

Regulations (10 CFR) Part 50, Appendix B, Criterion V, Instructions, Procedures, and

Drawings, and Technical Specification 3.8.2, Condition B.3, were self-revealed for the

licensees failure to follow multiple procedures that affected quality. This resulted in the

unavailability and inoperability of the Division 2 Emergency Diesel Generator (EDG) when it was

relied upon for plant safety. During part of the time that the Division 2 EDG was unavailable the

Division 1 EDG was already out of service for planned maintenance. During the period when

neither EDG was available a loss of offsite power would have resulted in a station blackout

condition that could have resulted in a long term loss of the ability to cool the reactor core. This

finding was assessed based on the best available information, using the applicable Significance

Determination Process (SDP). Included in the body of the enclosed inspection report is the

basis for the staffs preliminary determination of significance.

Your corrective actions included (1) returning the Division 2 EDG to an operable status; (2)

communicating accountability and emphasis on procedure use and adherence; (3) just in time

training to all operations department staff on the procedure use requirements; (4) conducting a

three-day stand down to discuss case studies and lessons learned; and (5) revising the

equipment operator round points to include the EDG starting air manifold pressures. The

finding is also an apparent violation of NRC requirements and is being considered for escalated

enforcement action in accordance with the Enforcement Policy, which can be found on the

NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.

Enclosure contains Sensitive Unclassified

Non-Safeguards Information. When

separated from attachment 2, this

transmittal document is decontrolled.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

B. Hanson -2-

In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation

using the best available information and issue our final determination of safety significance

within 90 days of the date of this letter. The significance determination process encourages an

open dialogue between the NRC staff and the licensee; however, the dialogue should not

impact the timeliness of the staffs final determination.

Before we make a final decision on this matter, we are providing you with an opportunity to (1)

attend a Regulatory Conference where you can present to the NRC your perspective on the

facts and assumptions the NRC used to arrive at the finding and assess its significance; or (2)

submit your position on the finding to the NRC in writing. If you request a Regulatory

Conference, it should be held within 40 days of the receipt of this letter and we encourage you

to submit supporting documentation at least one week prior to the conference in an effort to

make the conference more efficient and effective. The focus of the Regulatory Conference is to

discuss the significance of the finding and not necessarily the root cause(s) or corrective

action(s) associated with the finding. If a Regulatory Conference is held, it will be open for

public observation. If you decide to submit only a written response, such submittal should be

sent to the NRC within 40 days of your receipt of this letter. If you decline to request a

Regulatory Conference or to submit a written response, you relinquish your right to appeal the

final SDP determination, in that by not doing either, you fail to meet the appeal requirements

stated in the Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual

Chapter 0609.

If you choose to send a response, it should be clearly marked as a Response to An Apparent

Violation; (EA-18-104) and should include for the apparent violation: (1) the reason for the

apparent violation or, if contested, the basis for disputing the apparent violation; (2) the

corrective steps that have been taken and the results achieved; (3) the corrective steps that will

be taken; and (4) the date when full compliance will be achieved. Your response should be

submitted under oath or affirmation and may reference or include previously docketed

correspondence, if the correspondence adequately addresses the required response.

Additionally, your response should be sent to the U.S. Nuclear Regulatory Commission, ATTN:

Document Control Center, Washington, DC 20555-0001 with a copy to K. Stoedter, Chief,

Branch 1, Division of Reactor Projects, U.S. Nuclear Regulatory Commission, Region III,

2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352, within 40 days of the date of this letter.

If an adequate response is not received within the time specified or an extension of time has not

been granted by the NRC, the NRC will proceed with its enforcement decision or schedule a

Regulatory Conference.

Please contact Ms. Karla Stoedter at 630-829-9731, and in writing within 10 days from the

issue date of this letter to notify the NRC of your intentions. If we have not heard from you

within 10 days, we will continue with our significance determination and enforcement decision.

The final resolution of this matter will be conveyed in separate correspondence.

Because the NRC has not made a final determination in this matter, no Notice of Violation is

being issued for these inspection findings at this time. In addition, please be advised that the

characterization of the apparent violation described above may change as a result of further

NRC review.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

B. Hanson -3-

This letter will be made available for public inspection and copying at

http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in

accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding.

However, the enclosed report contains Security-Related Information, so the enclosed report

will not be made publically available in accordance with 10 CFR 2.390(d)(1). If you choose

to provide a response that contains Security-Related Information, please mark your entire

response Security-Related Information-Withhold from public disclosure under 10 CFR 2.390

in accordance with 10 CFR 2.390(d)(1) and follow the instructions for withholding in

10 CFR 2.390(b)(1). The NRC is waiving the affidavit requirements for your response in

accordance with 10 CFR 2.390(b)(1)(ii).

Sincerely,

/RA/

Patrick L. Louden, Director

Division of Reactor Projects

Docket No. 50-461

License No. NPF-62

Enclosures:

Inspection Report 05000461/2018051

Attachment 1 (public)

Attachment 2 (non-public)

cc: W. Marsh, Clinton Station Security Manager

A. Khayyat, State Liaison Officer

Illinois Emergency Management Agency

cc w/o attach 2: Distribution via LISTSERV

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

B. Hanson -4-

Letter to Bryan Hanson from Patrick Louden dated October 15, 2018

SUBJECT: CLINTON POWER STATIONNRC INSPECTION REPORT 05000461/2018051

AND PRELIMINARY WHITE FINDING

DISTRIBUTION w/attachments:

Daryl Johnson

Niry Simonian

Eric Wharton

Alonzo Richardson

Raymond McKinley

Binoy Desai

Steven West

Darrell Roberts

Jeremy Groom

DISTRIBUTION:

Christopher Cook

RidsNrrDorlLpl3

RidsNrrPMClinton Resource

RidsNrrDirsIrib Resource

Steven West

Darrell Roberts

Richard Skokowski

Allan Barker

DRSIII

DRPIII

ROPreports.Resource@nrc.gov

ADAMS Accession Number: ML18289A556

OFFICE RIII RIII RIII OE

NAME CPhillips:bw LKozak JHeller for MMarshfield via

KLambert email for JPeralta

DATE 10/11/2018 10/11/2018 10/12/2018 10/12/2018

OFFICE NRR RIII RIII

NAME MFranovich via KStoedter PLouden

email

DATE 10/12/2018 10/15/2018 10/15/2018

OFFICIAL RECORD COPY

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

U.S. NUCLEAR REGULATORY COMMISSION

REGION III

Docket Numbers: 50-461

License Numbers: NPF-62

Report Number: 05000461/2018051

Enterprise Identifier: I-2018-051-0000

Licensee: Exelon Generation Company, LLC

Facility: Clinton Power Station

Location: Clinton, IL

Dates: August 3 through September 4, 2018

Inspectors: C. Phillips, Project Engineer

L. Kozak, Senior Reactor Analyst

J. Mitman, Senior Reliability and Risk Analyst

Approved by: K. Stoedter, Chief

Branch 1

Division of Reactor Projects

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Enclosure

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) completed the preliminary significance

determination associated with an apparent violation in accordance with the Reactor Oversight

Process. The Reactor Oversight Process is the NRCs program for overseeing the safe

operation of commercial nuclear power reactors. Refer to

https://www.nrc.gov/reactors/operating/oversight.html for more information. Findings and

violations being considered in the NRCs assessment are summarized in the table below.

List of Findings and Violations

Failure to Follow Multiple Procedures

Cornerstone Significance Cross-Cutting Report Section

Aspect

Mitigating Preliminary White [H.2] - Human 93812-Special

Systems AV 05000461/2018050-01 Performance, Inspection

Open Field Presence

EA-18-104

On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed

a self-revealed finding with a To-Be-Determined (TBD) significance and an associated

Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50,

Appendix B, Criterion V, Instructions, Procedures, and Drawings, and Technical

Specification 3.8.2, Condition B.3. The issue involved the licensees failure to follow multiple

procedures that affected quality which resulted in the unavailability and inoperability of the

Division 2 Emergency Diesel Generator when it was relied upon for plant safety.

Additional Tracking Items

None.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

2

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

INSPECTION SCOPE

Inspections were conducted using the appropriate portions of the inspection procedure (IP) in

effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with

their attached revision histories are located on the public website at http://www.nrc.gov/reading-

rm/doc-collections/insp-manual/inspection-procedure/index.html. Samples were declared

complete when the IP requirements most appropriate to the inspection activity were met

consistent with Inspection Manual Chapter (IMC) 2515, Light-Water Reactor Inspection

Program - Operations Phase. The inspectors reviewed selected procedures and records,

observed activities, and interviewed personnel to assess licensee performance and compliance

with Commission rules and regulations, license conditions, site procedures, and standards.

OTHER ACTIVITIESTEMPORARY INSTRUCTIONS, INFREQUENT AND ABNORMAL

93812Special Inspection

The purpose of this inspection was to complete the preliminary significance determination for an

apparent violation 10 CFR Part 50, Appendix B, Criterion V and Technical Specification 3.8.2,

Condition B.3. documented in NRC Special Inspection Report 05000461/2018050.

INSPECTION RESULTS

93812Special Inspection

Failure to Follow Multiple Procedures

Cornerstone Significance Cross-Cutting Report Section

Aspect

Mitigating Preliminary White [H.2] - Human 93812-Special

Systems AV 05000461/2018050-01 Performance, Field Inspection

Open Presence

EA-18-104

On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed

a self-revealed finding with a To-Be-Determined (TBD) significance and an associated

Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50,

Appendix B, Criterion V, Instructions, Procedures, and Drawings, and Technical

Specification 3.8.2, Condition B.3. The issue involved the licensees failure to follow multiple

procedures that affected quality which resulted in the unavailability and inoperability of the

Division 2 Emergency Diesel Generator when it was relied upon for plant safety.

Description:

On April 30, 2018, the licensee shut down the reactor as part of a scheduled refueling outage.

During the outage, the licensee performed maintenance on the Division 2 electrical system

which required the Division 2 emergency diesel generator (EDG) to be removed from service.

From May 9-11, 2018, the licensee completed activities to restore the Division 2 EDG to

service. Due to the failure to follow multiple procedures (as discussed in NRC Inspection

Report 05000461/2018050), the Division 2 EDG was not restored to an operable status

because operations personnel had not repositioned starting air valves 1DG160 and 1DG161

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

3

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

from the closed position to the open position. With the starting air valves in the closed

position, the Division 2 EDG was unable to start if needed.

On May 14, 2018, at 12:30 a.m., since the licensee was unaware that the Division 2 EDG was

inoperable and unavailable due to its inability to start caused by the 1DG160 and 1DG161

valves being closed, the licensee began a Division 1 scheduled maintenance window. As a

result of taking the Division 1 480 VAC bus out of service, the Division 1 EDG was declared

inoperable.

On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified that

the 1DG160 and 1DG161 valves were closed and reported this condition to the control room.

The licensee declared the Division 2 EDG inoperable, investigated the condition, and

subsequently returned the Division 2 EDG to an operable status.

Corrective Actions: The licensee initiated several corrective actions including (1)

communicating accountability and emphasis on procedure use and adherence; (2) just in time

training to all operations department staff on the procedure use requirements; (3) conducting

a three-day stand down to discuss case studies and lessons learned; and (4) revising the

equipment operator round points to include the EDG starting air manifold pressures.

Corrective Action Reference: Action Request (AR) 4138790, Division 2 DG Air Receiver

Found Isolated Rounds, dated May 17, 2018.

Performance Assessment:

Performance Deficiency: The licensee failed to perform activities affecting quality in

accordance with prescribed procedures and work instructions as required by 10 CFR Part 50,

Appendix B, Criterion V, Instructions, Procedures and Drawings, that resulted in the

unavailability of the Division 2 EDG when it was relied upon for plant safety.

Screening: The inspectors determined the performance deficiency was more than minor

because it adversely affected the configuration control attribute of the Mitigating Systems

Cornerstone and its objective of ensuring the availability, reliability, and capability of systems

that respond to initiating events to prevent undesirable consequences. Specifically, the failure

to follow station procedures/work instructions resulted in the unavailability of the Division 2

EDG when it was relied upon for plant safety.

Significance: The inspectors evaluated the finding against the guidance of IMC 0609

Appendix G, Attachment 1, Shutdown Operations Significance Determination Process

Phase 1 Initial Screening and Characterization of Findings. The finding impacted the

Mitigating Systems Cornerstone, specifically the Electric Power Availability Safety Function.

The finding represented a loss of system safety function for the EDGs for greater than its

TS 3.8.2, Condition B.3, allowed outage time of Immediately (one of the two EDGs was

required to be returned to an operable status immediately) which required a Phase 2

Appendix G evaluation.

The Phase 2 evaluation was conducted using IMC 0609 Appendix G, Attachment 3, and

Phase 2 Significance Determination Process Template for BWR during Shutdown. A

Region III senior reactor analyst (SRA) completed the Phase 2 evaluation and concluded that

a Phase 3, or detailed risk evaluation, would be needed to refine the Phase 2 evaluation.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

4

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Summary from Special Inspection Report

The detailed risk evaluation (DRE) covered a 6.5 day period when the Division 2 EDG was

inadvertently unavailable during a refueling outage.

The Division 2 EDG had been inoperable and unavailable as part of planned Division 2

480 VAC electrical distribution and Emergency Service Water (SX) systems maintenance

activities. When the Division 2 systems work was completed and the systems restored on

May 11, 2018 (at 2:30 a.m.), operators incorrectly declared the Division 2 EDG available. At

this time, the Division 2 EDG starting air isolation valves (1DG160 and 1DG161) remained

closed, which would prevent starting air from reaching the EDG air start motors, making the

EDG inoperable, unavailable, and non-functional because it would not and could not be

started on any demand signal.

On May 14, 2018, at 12:30 a.m., as the licensee was unaware that the Division 2 EDG was

unavailable, the licensee began a scheduled maintenance window on the Division 1 480 VAC

bus 1A1. As a result of taking the bus out of service, the Division 1 EDG was declared

inoperable. At this time neither Division 1 nor 2 EDG was functional.

On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified the

1DG160 and 1DG161 valves were inappropriately closed and reported this condition to the

control room. The licensee declared the Division 2 EDG inoperable and investigated the

condition. The licensee restored the valves to the open position and declared the Division 2

EDG available at 3:45 p.m. After the licensee performed OP-AA-108-106, the licensee

declared the Division 2 EDG operable at 9:04 p.m.

During the 6.5 day period the Division 2 EDG was not operable, available, or functional as the

licensee expected. During the 3.5 day period from May 14th to May 17th, neither the Division 1

nor 2 EDG was available to deal with a Loss of Offsite Power (LOOP) if one occurred.

As described in Inspection Report 2018050, a Phase 1 Significance Determination Process

(SDP) screening and a phase 2 SDP evaluation were completed for the finding using the

guidance of IMC 0609 Appendix G, Shutdown Operations Significance Determination

Process. As a result, the NRC determined that a detailed risk evaluation was needed to

further evaluate recovery strategies. These strategies included 1) restoration of the Division 2

EDG; 2) plant-specific mitigating system strategies such as the Division 3 cross-tie to Division

2; 3) use of Diverse and Flexible Coping Strategies (FLEX), and 4) the recovery of offsite

power. As a result the inspection report initially characterized the significance of this finding

as to be determined.

Summary of Preliminary (Phase 3) Significance Determination

The Clinton SPAR model, revision 8.54 was modified to add a shutdown Mode 4 cold

shutdown Loss of Offsite Power (LOOP) event tree based on the existing Grand Gulf

shutdown SPAR model. The model was further modified to use Clinton specific system fault

trees and to refine diesel generator recovery, incorporate FLEX electrical, FLEX suppression

pool cooling, FLEX injection, potential recovery of high pressure core spray (HPCS) pump,

recovery of reactor core isolation cooling (RCIC), use of alternate injection systems such as

installed fire pumps, B.5.b fire pumps, B.5.b reactor depressurization methods, manual

containment venting capability, and the cross-tie of the Division 3 EDG to Division 2 electrical

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

5

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

distribution system. Human error probabilities in addition to equipment failure probabilities

were added for all actions requiring manual alignment and operation.

The detailed risk evaluation considers the many different core cooling methods potentially

available. However, the results indicate that successful mitigation of the event relies on

operator action to restore AC power by one of several methods - recovery of the Division 2

EDG, FLEX electrical, Division 3 to Division 2 cross-tie, or offsite power recovery. The

analysis is complex since mitigation of a LOOP event in the degraded condition significantly

relies on operator actions and the decision making involving the interaction of these four

recovery strategies. The risk results are driven by human error.

None of the many operator actions modeled to mitigate the postulated LOOP/SBO event were

assumed to be resource limited. This is in recognition that the plant was in a refueling outage

with extra operations, maintenance and engineering staff available. Few of the many actions

modeled to mitigate the postulated LOOP/SBO were assumed to be limited by time available.

However, the overall sequence was modeled assuming operators have one hour to recover

the Division 2 EDG before an extended loss of AC power (ELAP) is declared. Once ELAP is

declared, plant procedures direct the operators to pursue the FLEX method to re-power

Division 2. If FLEX fails, procedures supply guidance on using the Division 3 cross-tie. For

the dominant core damage sequence, the time to core damage is approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />,

this was considered to be adequate time with some margin, but not extra or expansive time,

given the level of manual effort required and the number of concurrent methods of mitigation

that were modeled.

The finding exposure time that was quantitatively assessed was the 3.5 day period that both

emergency diesel generators were unavailable. The full exposure time was approximately

6.5 days. However, the risk results are dominated by the 3.5 days when neither diesel was

available.

The result of the detailed risk evaluation is a finding of low to moderate safety significance

(White). The best estimate change (i.e., delta) in core damage frequency for the 3.5 day

period, using reasonable and realistic assumptions, was estimated to be 3.8E-6 per year.

The dominant sequence was a loss of offsite power, failure to recover the Division 2 EDG

leading to an Extended Loss of AC Power (ELAP) declaration, failure to maintain the reactor

depressurized, failure to inject at high pressure, and the failure to cross-tie the Division 4KV

bus to the Division 2 4kV bus. Sensitivity evaluations were performed to understand the

influence of important assumptions. The results of the sensitivity evaluations showed a range

of outcomes from very low safety significance (Green) to substantial safety significance

(Yellow). The sensitivity evaluations were used to confirm the best estimate outcome - low to

moderate (White) safety significance. See Table 1. The specific important assumptions of

the detailed risk evaluation, the event tree, fault trees, and dominant core damage cut-sets

are included in the Enclosure.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

6

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Table 1: Risk Results Including Sensitivity Cases

Delta

Old BE New BE

Notes BE Adjusted CDF

Value Value

Results

Best Case Analysis n/a n/a n/a 3.8E-06

Sensitivity Cases:

No change set

Div. 2 EDG available required, simply use TRUE

1 EPS-XHE-XR-DG1B 1.00E-03 5.4E-07

(i.e., no PD) value for base case (1.0)

no PD

Div. 2 EDG non-

2 recovery based on EPS-XHE-LR-NR10H 2.0E-02 8.80E-01 1.7E-05

data 88%

Note that using

Exelon's values

reduces the CDF to

Div. 2 EDG non-

less than the no PD

3 recovery based EPS-XHE-LR-NR10H 2.0E-02 5.0E-03 1.0E-07

case because the

Exelon estimate

NRP is lower than

the base EDG failure

probability

HPCS pump available

TRUE False

4 during entire 3.5 day HCS-XHE-XR-MDP 6.2E-07

(1.0) (0.0)

exposure time

Single Human Error

5 Probability (HEP) for Multiple BE 5.3E-05 1.0E-03 3.5E-06

all injection methods

Decrease RCIC HEP

6 SD-XHE-XM-FRCIC 7.5E-01 1.0E-01 3.7E-06

to 0.1

Decrease FLEX

7 Electrical HEP to SD-XHE-XM-FELEC 2.5E-01 1.0E-01 2.4E-06

Exelon value to 0.1

Reduce all FLEX Decrease

8 Multiple BE Various 6.7E-08

HEPS by factor of 10 by 10X

Set all FLEX HEPs to False

9 Multiple BE Various 2.5E-08

False (0.0) (0.0)

Increase all FLEX Increase RCIC value Increase

10 Multiple BE Various 2.9E-05

HEPs by Factor of 2 from 0.75 to 1.0 by 2X

Exelon modified the

IEF because the

Using Exelon

switchyard was

Initiating Event

11 protected Note: SD-MFL-LOOP 1.7E-1 1.2E-1 2.8E-06

Frequency (IEF) of

EDG2 was protected

0.12 per year

during 6.5 days of

unavailability

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

7

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Cross-cutting Aspect: As discussed in Inspection Report 05000461/2018050, the finding

had a cross-cutting aspect in the Field Presence component of the Human Performance

cross-cutting area. (H.2)

Enforcement:

Apparent Violation: Title 10 CFR Part 50, Appendix B, Criterion V, Instructions, Procedures,

and Drawings, requires, in part, that activities affecting quality be prescribed by documented

procedures of a type appropriate to the circumstances and be accomplished in accordance

with these procedures.

Clearance Order 139455 instructions required the performance of CPS 3506.01P002,

Division 2 Diesel Generator Operations, Revision 3a, in conjunction with the removal of

out-of-service tags on May 9, 2018.

Procedure OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.1.5, stated, If

plant conditions require a locked component to be positioned in a manner other than that

indicated on the locked equipment checklist or approved procedure, then UNLOCK and

REPOSITION equipment in accordance with OP-AA-108-101, Control of Equipment and

System Status. Procedure OP-AA-108-101, Control of Equipment and System Status,

Revision 14, Step 4.1.1.1, stated, Utilize an ACPS for aligning equipment outside of routine

operations.

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, required

that if equipment will not be restored to the Equipment Line-up/Restoration position or the

original condition, then another approved equipment status control mechanism shall be used

to document equipment status (i.e. Equipment Status Tag, administrative clearance/tagout).

Procedure OP-AA-108-101, Control of Equipment and System Status, shall be used to

document abnormal equipment configuration and shall be immediately applied following

equipment restoration.

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, which

stated, Applicable Operating procedures are complete and any equipment line-ups directed

to be completed by the Operating Procedures are completed.

Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, stated,

The system/equipment has been walked down as appropriate to verify that it can be safely

operated to fulfill its design function.

Procedure OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1 stated, If a

lift position is determined to be different from the normal lineup position for the present plant

condition and not tracked by another C/O or procedure, then the Shift Management shall be

notified and equipment tracking initiated.

Technical Specification 3.8.2, AC Sources-Shutdown, Condition B.3, states, in part, that an

inoperable EDG be restored to an operable status immediately.

Between May 9 and May 17, 2018, the licensee apparently failed to:

Perform CPS 3506.01P002, Division 2 Diesel Generator Operations, Revision 3a, in

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

8

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

conjunction with the removal of C/O 139455 as required by the C/O restoration instructions.

Perform OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.3, valves

1DG160 and 1DG161 were normally locked open valves and an ACPS was not utilized to

track valve status.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, when valves

1DG160 and 1DG161 were left in an abnormal position an approved equipment status control

mechanism was not used to track equipment status.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, when the

equipment was declared operable the applicable operating procedure CPS 3506.01P002 had

not been completed and equipment line-ups directed to be completed by the operating

procedures were not completed.

Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, when the

system was declared operable without being walked down.

Perform OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1, when the lift

position was different from the normal lineup for the present plant condition and equipment

tracking was not initiated.

Additionally, because the licensee was not aware of the EDGs inoperability the required

action in Technical Specification 3.8.2, Condition B.3 was not followed.

EXIT MEETINGS AND DEBRIEFS

The inspectors confirmed that proprietary information was controlled to protect from public

disclosure. No proprietary information was documented in this report.

  • On September 24, 2018, Mr. P. Louden presented the preliminary significance assessment

results to Mr. T. Stoner, Clinton Power Station, Site Vice President.

DOCUMENTS REVIEWED

93812Special Inspection

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

9

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Detailed Risk Evaluation Assumptions

Plant Conditions during the Conditions Assessed

Clinton is a General Electric Boiling Water Reactor 6 with a Mark III containment. It has three

divisions of Emergency Core Cooling (ECCS). Divisions 1 and 2 have residual heat removal

(RHR) capability, each with an RHR train that contains a heat exchanger. Each division has its

own emergency diesel generator (EDG) and 4kV safety bus. In addition, Division 3 contains a

High Pressure Core Spray (HPCS) pump dedicated safety bus, and EDG, but does not contain

an RHR train.

The Division 2 EDG unplanned unavailability started after the reactor had been refueled and the

associated reactor cavity was full. That is, there was over 23 feet of water above the reactor

core. Early in the unavailability, the licensee installed the reactor pressure vessel (RPV)

internals, lowered water level to about six inches below the RPV flange, installed and tensioned

the reactor vessel head. The unit entered cold shutdown or Mode 4 when the last reactor head

bolt was tensioned. See Figure 1 for a time line of these events.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Attachment 1

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

2

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

The following assumptions were made in performing the detailed risk evaluation.

1. The time to boil in the reactor coolant system was assumed to be approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />,

based on Exelon document CL-SDP-010 Rev. 1. This calculation assumes the starting

water level is approximately six inches below the RPV flange.

2. The time to top of active fuel, a surrogate for core damage, varies from approximately 10

to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> depending on plant configuration assumptions. These values were based

on Exelon document CL-SDP-010 Rev. 1. If the reactor is maintained at low pressure,

then the time to core uncovery is about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the reactor pressure increases then

the time to uncovery is estimated between 10 and 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />. Both calculations assume

the starting water level is approximately six inches below the RPV flange.

3. Core uncovery is the normal at-power surrogate for core damage. During shutdown,

core damage is expected between 1/3 and 2/3 core height which is somewhat after core

uncovery, therefore, using core uncovery as a surrogate for core damage is

conservative.

4. The following equipment was out of service and was considered to be unavailable and

non-recoverable:

  • 480v AC bus 1A;
  • 480v AC bus A;
  • NSPS 120v Power distribution panel bus A;
  • Division 1 normal 125v DC battery charger 1A; and

5. The following equipment was available:

  • RHR heat exchanger A;
  • Both suppression pool cleanup (SF) pumps and the associated piping (Note:

there was a very short period at the beginning of the 3.5 days when one SF

pump was not available. Because this availability was short and with the

knowledge that the results are not driven by mitigating system availability, this

unavailability was ignored.);

  • All B5b equipment;
  • 480v AC aux. building bus 1L;
  • 480v AC aux. building bus 1M;
  • 480v AC aux. building bus 1D;
  • 480v AC aux. building bus 1E (feed to 125v DC battery charger 1F); and
  • 125v DC battery (swing) charger 1F (feed from 480v AC aux. building bus 1E).

6. The NRC used the SPAR-H Human Reliability Method to evaluate the many operator

actions in the model. For all of the human error probabilities evaluated, the performance

shaping factor stress was considered to be high for both diagnosis and action

because the plant would be in a station blackout condition. In many of the Human Error

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

3

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Probability (HEP) evaluations, complexity was determined to be either moderate or

high because the operators would be in multiple procedures in multiple plant locations.

Many of the actions are local, infrequently or never performed, and some have very

limited training. In many cases, ergonomics was also rated as poor because the local

actions may be physically demanding and in difficult SBO conditions (on emergency

lighting at best and without any ventilation). Table 2 below contains a summary of the

dominant HEPs.

7. None of the many actions modeled to mitigate the postulated LOOP/SBO event were

assumed to be resource limited. This is in recognition that the plant was in a refueling

outage with extra operations, maintenance and engineering staff available. The detailed

risk evaluation models operator action for four different methods to re-establish electrical

power to Division 2 (EDG recovery, offsite power recovery, FLEX, Division 3 to Division

2 crosstie), two additional (beyond the normal use of SRVs after restoring emergency

power) methods to maintain the reactor de-pressurized (FLEX and B.5.b), three

additional methods (beyond using ECCS after restoring emergency power) to inject to

the Reactor Coolant System (RCS) at low pressure (two FLEX methods and the diesel

driven fire pumps), two methods to inject to the RCS at high pressure (HPCS and RCIC),

and two additional methods to remove decay heat (FLEX suppression pool cooling and

containment venting). All of these require operator action. Many require significant

operator effort. In addition to these actions there are other important, non-modeled

actions that would also be in progress, such as actions to establish primary and

secondary containment and actions for emergency response such as accountability and

notifications.

8. Few of the many actions modeled to mitigate the postulated LOOP/Station Black Out

(SBO) were assumed to be limited by time available. However, the overall sequence

was modeled assuming operators have 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to recover the Division 2 EDG before

ELAP is declared. Once ELAP is declared, operators will pursue the FLEX method to

re-power Division 2. If FLEX fails, the Division 3 cross-tie, is modeled. For the dominant

sequence, the time to core damage is approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />, this was considered to be

adequate time with some margin, but not extra or expansive time, given the level of

manual effort required and the number of concurrent methods of mitigation that were

modeled.

9. The high pressure core spray system was unavailable during most of the 3.5 day

exposure period due to planned maintenance. Initially, for a period of 49 hours5.671296e-4 days <br />0.0136 hours <br />8.101852e-5 weeks <br />1.86445e-5 months <br />, it was

not recoverable. Later, for a duration of 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br />, it was modeled as recoverable, and in

the last 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of the exposure period, the system was fully available. The impact of

the status of HPCS over the exposure period was addressed by running three separate

cases - HPCS unavailable, HPCS recoverable, and HPCS at nominal failure

probabilities. The results were combined in a spreadsheet to obtain the final result. To

estimate the HEP for the operator failure to recover HPCS during the 44 hours5.092593e-4 days <br />0.0122 hours <br />7.275132e-5 weeks <br />1.6742e-5 months <br /> it was

recoverable, the performance shaping factors that were determined to be performance

drivers were stress for diagnosis, and stress and complexity for action. Stress was

evaluated as high because the plant would be in a station blackout condition.

Complexity was rated as moderate. Under normal conditions, this would not be a

complex task, but in response to a station blackout with multiple procedures and

mitigating strategies in progress, complexity is increased.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

4

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

10. The RCIC system was unavailable due to plant conditions. During the 3.5 days of

interest, the plant was in cold shutdown with reactor coolant system water level above

the steam lines. However, the RCIC system was not undergoing any maintenance and

could have been put into service if an event had occurred, steam was available due to

RCS heat-up and boiling, and water level had decreased below the steam line. While

possible, extensive work would be required to prepare the RCS for operations at normal

pressure and temperature. Licensee procedure CPS 3002.01 controlled this process.

This 40 page document is the normal startup procedure. It assumes normal electrical

power is available to realign systems. While much of this procedure would not be

required to prepare the RCS for RCIC operation and extensive amount of procedure

triage would be required. The HEP for the operator failure to put RCIC into service

under the postulated conditions is 7.5E-1. The HEP was dominated by failure to

perform the action. The performance drivers were considered to be time (this is one of

the few HEPs that was impacted by time available), stress, complexity,

experience/training, and ergonomics. The time available was assumed to be about

equal to the time required, stress was considered to be high, complexity was high,

experience/training was low, and ergonomics was poor.

11. Electrical power recovery to Division 2 could be successful via offsite power recovery,

recovery of Division 2 diesel generator, use of FLEX, or crosstie of the Division 3 diesel

generator to the Division 2 4kV bus. The detailed risk evaluation assumes that the

operators will initially try to recover the diesel generator. If recovery is not successful,

operators will transition to FLEX implementation, and if FLEX fails, the evaluation

models the potential to implement the crosstie.

12. The Division 2 EDG was recoverable and the risk evaluation shows that the operators

would be very likely to recover it. However, the potential for operators failing to recover

the diesel generator was evaluated. The failure to recover the diesel generator was

assigned a human error probability of 0.202 (20 percent failure, 80 percent success

rate). This is a factor of 4 lower than the data/statistically derived failure to recover

probability. The NRC assumed that 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> was available to recover AC power to

Division 2 by recovering the EDG. At 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, ELAP declaration and implementation of

FLEX electrical power to Division 2 would commence. Diesel generator recovery is

further complicated by station blackout load shedding that removes all DC control power

from the diesel generator and the FLEX electrical alignment which also impacts Division

2 EDG components. Recovery of the Division 2 EDG after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> into an SBO does not

represent successful recovery of Division 2 AC power. Operator actions to back out of

ELAP, FLEX implementation, and load shedding to restore the EDG is not governed by

procedures, is not a simple, skill of the craft task, and has no training. It was not

credited in the risk evaluation consistent with general PRA/HRA assumptions and the

Risk Assessment Standardization Project (RASP) guidance.

13. The human error probability for the failure to recover Division 2 EDG was estimated at

0.202. The performance shaping factors that were determined to be performance

drivers were Stress and Experience/Training for Diagnosis, and Stress for Action.

Stress was considered to be high because the plant would be in a station blackout

condition. Experience/Training for Diagnosis was considered to low. Plant staff

perform troubleshooting as a regular job task, however, operators have not trained on,

experienced or been exposed to troubleshooting a failure of the protected diesel

generator during a shutdown SBO.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

5

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

14. The human error probability for the failure to implement the FLEX electrical line-up was

estimated at 2.5E-1. The performance shaping factors that were determined to be

performance drivers were stress for diagnosis and action, and complexity and

experience/training for action. Stress was considered to be high because the plant

would be in a station blackout condition. The action to align the FLEX electrical system

was considered to be both highly complex and was assigned low experience/training.

The procedure requires many in-plant actions under difficult conditions and the

alignment has never been implemented.

15. The human error probability for the failure to implement the Division 3 to Division 2

crosstie was estimated at 2.7E-1. The performance shaping factors that were

determined to be performance drivers were stress for diagnosis and action, and

complexity, experience/training, and ergonomics for action. Stress was considered to be

high because the plant would be in a station blackout condition. The action to

implement the cross-tie was considered to be highly complex and was assigned low

experience/training and poor ergonomics. The procedure has both in-plant and control

room actions in multiple locations and has received very little training.

16. Offsite power recovery is also modeled but is complicated by electrical system

re-alignment when FLEX or the Division 3 cross-tie are attempted but fail. These

strategies significantly alter the electrical distribution system. The detailed risk

evaluation models offsite power non-recovery at 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br /> or 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, depending on the

sequence. The offsite power recovery curve is used along with a human error

probability for the failure to realign the electrical system once other sources of power

have been attempted but failed. The performance shaping factors that were considered

to be performance drivers for the failure to realign the electrical system were stress for

diagnosis and action and procedures for action. Stress was considered to be high

because the plant would be in a station blackout condition. Procedures were considered

to be incomplete as there are procedures for aligning offsite power sources but they

would not specifically address the electrical alignment that would exist after FLEX and

the crosstie have been attempted but not successfully implemented. The HEP was

estimated at 7.61E-2.

17. Alignment of alternate suppression pool cooling using FLEX equipment was modeled.

The human error probability was estimated at 2.33E-1. The performance shaping

factors that were determined to be performance drivers were stress for diagnosis and

action, and complexity, experience/training, and ergonomics for action. Diagnosis was

considered to be obvious as the need for suppression pool cooling during SBO events

is well understood. Stress was considered to be high because the plant would be in a

station blackout condition. The action was considered to be moderately complex, have

low experience/training, and poor ergonomics. The steps to perform the action are

performed outside the control room in poor lighting and there is infrequent training and

no actual experience. The procedure describes some of the steps as physically

demanding and some are in high radiation areas.

18. Two methods of RCS Injection using FLEX equipment were modeled. The easier

method would be to re-align the FLEX SPC method for injection. The human error

probability for this action was estimated at 4E-3. The less preferred method, using the

diesel-driven FLEX pumps, was estimated at 1.1E-1. For the easier method, the

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

6

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

performance shaping factors that were determined to be performance drivers were

stress for diagnosis and action. The diagnosis was also assumed to be obvious, given

that the FLEX suppression pool cooling alignment would already be in place and working

successfully. Minimal additional action would be required to re-align the system for

injection. The actions to use the less preferred method of direct injection from the lake

with the diesel driven pumps was not an important action driving the results of the

analysis.

19. Alignment of the ultimate heat sink using FLEX equipment was modeled. The human

error probability was estimated at 1.39E-2. The performance shaping factors that were

determined to be performance drivers were stress for diagnosis and action and time,

complexity, experience/training, and ergonomics for action. Diagnosis was considered

to be obvious similar to the rating for aligning suppression pool cooling. Stress was

considered to be high because the plant would be in station blackout condition. The

time available for the action was considered to be greater than 5x the time required.

Complexity was considered to be moderate, experience/training low, and ergonomics

poor. The steps to perform the action are performed outside the control room in poor

lighting and there is infrequent training and no actual experience. The procedure

describes some of the steps as physically demanding and some are in high radiation

areas.

20. Use of B.5.b equipment and strategies to maintain the reactor depressurized was

modeled with an operator action that was highly dependent on the operator action to use

FLEX strategies. The FLEX strategy to maintain the reactor depressurized was

assumed to be the preferred method. The human error probability for the dependent

operator action was 5.2E-1.

21. Primary containment was open during the exposure time. However, procedures would

instruct operators to take action to establish primary containment. The detailed risk

evaluation assumes that operators would take this action and would establish primary

containment. If suppression pool cooling is not established, then containment venting

would be required, consistent with at-power PRA model assumptions. Manual venting of

containment was credited. These are long sequences containing success of core

cooling via injection but failure to establish suppression pool cooling. These

assumptions did not impact the dominant core damage sequences.

22. Alternate injection with fire water system was modeled with equipment failures and an

operator action for the failure to align the system. This method was assumed to be the

least preferred method of low pressure injection. The operator failure to align fire water

injection was assigned an HEP of 1.2E-1 and was not modeled as dependent on

previous operator actions, a possible non-conservative assumption. These assumptions

did not impact the dominant core damage sequences.

23. The FLEX diesel generators were assigned a failure to start of 7.2E-2 and a failure to

run for the mission time of 1.5E-1. The failure to start was based on actual plant

operating experience. The run time data for the diesel generators was very limited and

could not be used to estimate the failure to run probability. The failure to run for

emergency diesel generators was multiplied by a factor of 5 based on analyst judgement

to obtain the failure to run rate of the FLEX diesel generator.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

7

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

24. The FLEX diesel-driven pumps were assigned a failure to start of 1E-2 and a failure to

run of 2.1E-1. Based on analyst judgment these failure rates we set at five times the

corresponding failure rates for permanently installed diesel driven fire pumps.

25. FLEX equipment was assigned a failure probability due to design or construction of

5E-2. The FLEX strategies, although carefully developed and reviewed for the Mitigating

Strategies Order, have never been fully demonstrated. Latent design or construction

errors could exist.

26. The Division 3 to the Division 2 cross-tie was assigned a failure probability due to design

error of 2E-2. Both divisions are normally in-service but never cross-tied and the

cross-tie has never been fully demonstrated.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

8

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Table 2: Summary of Dominant HRA Results

Mean Mean Total

Human Error Event Description Procedure Time Needed Time Available Diagnos Action Mean

is HEP HEP HEP

Operator Fails to Perform Cross-Tie between Div. 3

SD-XHE-XM-XTIE-S1 and Div. 2 Electrical during Short Time to Core 4303.01P023 5 to 6 Hours 5 Hours 4.0E-2 7.5E-1 7.9E-1

Uncovery

Operator Fails to Perform Cross-Tie between Div. 3 Between 10 and 24

SD-XHE-XM-XTIE 4303.01P023 5 to 6 Hours 4.0E-2 2.3E-1 2.7E-1

and Div. 2 Electrical Hours

Operator Fails to Setup and Run FLEX DG and 10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

SD-XHE-XM-FELEC 4306.01P001 3 Hours 2.0E-2 2.3E-1 2.5E-1

Electrical Distribution depending on sequence

10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

SD-XHE-XM-FUHS Operator Fails UHS Water Supply using FLEX 4306.01P002 6 Hours 2.0E-3 1.2E-1 1.4E-1

depending on sequence

SD-XHE-XM-FSPC Operator Fails Suppression Pool Cooling using FLEX 4306.01P003 6 Hours Minimum of 24 Hours 2.0E-3 2.3E-1 2.3E-1

Operator Fails to Injection into RCS using FLEX 10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

SD-XHE-XM-FRCS 4306.01P004 6 Hours 2.0E-3 1.1E-1 1.1E-1

Diesel Driven Pumps depending on sequence

SD-XHE-XM-DCLS Operator Fails to Performs DC Load Shed 4200.01C002 0.5 Hours 1 Hour 4.0E-2 2.0E-2 6.0E-2

OPERATOR FAILS TO ALIGN FIREWATER during

FWS-XHE-XM-INJLT 4411.03 4 Hours 10 to 13 Hours 2.0E-2 4.0E-3 2.4E-2

Shutdown ELAP (includes check valve disassembly)

Operator Fails to Operate RCIC during ELAP from

SD-XHE-XM-FRCIC 3002.01 10 Hours 10 to 13 Hours 2.0E-3 7.5E-1 7.5E-1

Shutdown

Operator Fails RCS Injection using FLEX SPC (This 4306.01P004

SD-XHE-XM-FINJ 1 Hour 4 Hours 2.0E-3 2.0E-3 4.0E-3

requires FLEX UHS to be already available) Section 4.1

Operator Fails to Manual Vent Containment with CPS

FC-XHE-XM-MCV 4 Hours >24 Hours 4.0E-3 2.0E-4 4.2E-3

Valves 1FC012A & B 4303.01P001

Operator Fails to Restore HPCS Pump from Outage 10 to 24 Hours

HCS-XHE-XR-MDP 3309.01 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> 2E-2 4E-3 2.4E-2

Maintenance depending on sequence

CPS 5061.07

Non Recovery Probability of EDG2 in 1 Hour due to

SD-EPS-XHE-XM-NR01H CPS 5285 0.5 Hours 1 Hour 2.0E-1 2.0E-3 2.0E-1

Closed Air Start Valves

CPS 3506.01

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

9

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Operator fails to recovery electrical distribution

SD-XHE-XL-ELAP None 7.6E-2

system after offsite power recovery

Operator Fails to setup B5b Equipment for

SD-XHE-XM-DEPB5B Depressurization (This is an HEP that is dependent 4303.01P004 Several Hours 10 to 13 Hours 2.0E-2 2E-3 5.1E-1

on failure to depressurize using FLEX equipment)

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

10

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

References

1. Clinton SPAR Model, Revision 8.54 with Modifications

2. NUREG-1842, Good Practices for Implementing Human Reliability Analysis.

April 2005

3. NUREG/CR-6595 Revision 1, An Approach for Estimating the Frequencies of Various

Containment Failure Modes and Bypass Events. October 2004

4. NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method

5. INL/EXT-10-18533, SPAR-H Step-by-Step Guidance

6. RASP Manual Volume 1 - Internal Events, Revision 2.02 date December 2017

7. NUREG/CR-1278, Handbook of HRA with Emphasis on Nuclear Power Plant

Applications, August 1983

8. Analysis of Loss-of Offsite-Power Events 1987-2016, INL/EXT-17-42376

August 2017 (https://nrcoe.inl.gov/resultsdb/publicdocs/LOSP/loop-summary-update-

2016.pdf)

9. IMC 0609 Appendix G, Shutdown Operations SDP

10. NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

December 1991

11. CPS 3002.01 R32e Heatup and Pressurization

12. CPS 3312.03 R11d SDC and FPC Assist

13. CPS 3501.01 High Voltage Auxiliary Power System

14. CPS 3506.01 EDG and Support Systems

15. CPS 3506.01P002 Division 2 Diesel Generator Operations

16. CPS 4006.01 Loss of SDC

17. CPS 4200.01 Loss of AC Power

18. CPS 4200.01C002 DC Load Shedding during SBO

19. CPS 4303.01P001 Containment Venting Without AC Power Available

20. CPS 4303.01P004 SRV Operation With External DC Power

21. CPS 4303.01P023 Cross-Connecting Div. 3 DG to Div. 1(2) ECCS Electrical Busses

22. CPS 4306.01P001 FLEX Electrical Connection

23. CPS 4306.01P002 FLEX UHS Water Supply

24. CPS 4306.01P003 FLEX Suppression Pool Cooling

25. CPS 4306.01P004 FLEX Low Pressure RPV Makeup

26. CPS 4306.01P017 ELAP During Modes 4 and 5

27. CPS 5285_R27c Alarm Panel 5285 Annunciators at 1PL12JB

28. CPS 5061.07 Alarm Panel 5061 Annunciators - Row 7

29. CPS 4411.03 Injection Flooding Sources

30. CPS 4411.06 Emergency Containment Venting, Purging and Vacuum Relief

31. CPS 9065.01 Secondary Containment Access Integrity

32. EOP-1 RPV Control

33. EOP-2 RPV Flooding

34. EOP-3 Emergency RPV Depressurization (Blowdown)

35. EOP-6 Primary Containment Control

36. EOP-8 Secondary Containment Control

37. CC-AA-118 Corporate FLEX Process Guidance

38. OU-AA-103 Shutdown Safety Management Program

39. OU-CL-104 Shutdown Safety Management Program (Clinton Power Station)

40. CL-SDP-010 Risk Assessment - May 2018 Outage: Division 2 DG 1B Unavailable

with Division 1 Bus Unavailable, Rev. 0

41. DB430301 DBIG-Extensive Damage Mitigation Guide, Rev. 5

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

11

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

42. N-CL-OPS-DB430601, FLEX, Rev. 0

43. SE-LOP-162, Extensive Damage Mitigation, Rev. 0

44. SE-LOR-4306, FLEX Event, Rev. 0

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

12

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Event Tree and Fault Tree Figures

Figure 2: LOOP Event Tree 1

Loss of Offsite Power - M4 EMERGENCY POWER AC POWER RECOVERY - 24 # End State

LATE SUPPLY - (DIV I AND II) / 1 Hours (Phase - CD)

SD-M4L-LOOP SD-EPS SD-AC-REC-24H

1 SD-M4L-LOOP-T

2 SD-M4L-LOOP-T

3 SD-M4L-LOOP-T

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

13

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 3: LOOP Event Tree 2

SDC (no FLEX credit here - MANUAL REACTOR LOW PRESSURE COOLANT ALTERNATE INJECTION - HI PRESSURE INJECTIONS HEAT REMOVAL USING ALTERNATE HEAT REMOVAL CONTAINMENT VENTING - Electrical Connection Div. 3 Power Recovery Correction # End State

Always Fails during ELAP) DEPRESS (include credit for INJECTION (no FLEX credit CDS SWS FWS and FLEX (HCS/CRD) SUPPRESSION POOL (Always Fails during ELAP) SD to Div. 2 Factor for Different Time to (Phase - CD)

FLEX DC Power) here - Always Fails during including FLEX Core Uncovery

<DUMMY-FT> SD-SDC SD-DEP SD-LPI ELAP)) SD-ALT-INJ SD-HPI SD-SPC-EXT SD-ALT-HEAT SD-CVS ELEC_XTIE TTCU

1 OK

2 OK

3 OK

Low pressure injection 4 OK

5 OK

GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 6 CD-SD

7 OK

8 OK

Low pressure injection 9 OK

Low pressure

10 OK

GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 11 CD-SD

12 OK

13 OK

High pressure injection @ low temperature

14 OK

GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 15 CD-SD

16 OK

No injection

24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 17 CD-SD

18 OK

19 OK

Injection @ high pressure

20 OK

High pressure GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 21 CD-SD

22 OK

No injection 23 OK

10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> to CD

24 CD-SD

TTCU-10H

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

14

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 4: AC Power Recovery Fault Tree

AC POWER RECOVERY - 24 / 1

Hours

SD-AC-REC-24H

OPERATOR FAILS TO RECOVER

EMERGENCY DIESEL IN 1 HOUR

EPS-XHE-XL-NR01H

SD-AC-REC-24H3 8.88E-01

OPERATOR FAILS TO RECOVER EDG

B IN 1 HOUR due to Start Air Iss ue

EPS-XHE-XM-NR01H

OPERATOR FAILS TO RECOVER

2.02E-01

OFFSITE POWER IN 24 HOURS

OEP-XHE-XL-NR24H

5.91E-02

Operator fails to recovery electrical

dis tribution s ys tem after offsite

power recovery

SD-XHE-XL-ELAP

7.60E-02

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

15

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 5: Manual Depressurization Fault Tree

MANUAL REACTOR DEPRESS

SD-DEP

ADS SRV FAILURE DUE TO SEISMIC ADS VALVES FAIL FROM COMMON

EVENT CAUSE

ADS-SRV-EQ ADS-SRV-CF-VALVS

External 1.58E-06

CLINTON ADS SUPPORT SYSTEMS OPERATOR FAILS TO Manually

FAIL Depressurize Reactor

DEP-SS ADS-XHE-XM-MDEPR

External 5.00E-04

OPERATOR FAILS TO INITIATE

REACTOR DEPRESSURIZATION

GIVEN SEISMIC EVENT

ADS-XHE-DPR-EQK

External

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

16

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 6: Division I 125 Power Fault Tree (shows FLEX linkage)

CLINTON DIVISION I 125 VDC

POWER IS UNAVAILABLE

DCP-125V-1A-LT

Normal DC Power FLEX DC Power

DCP-125V-1A-LT5 DCP-125V-1A-LT1

CLINTON DIVISION I AC POWER FAILURE OF DIVISION I 125VDC BUS FLEX AC Electrical Sys tem CCF OF 125VDC BATTERYS (3)

SYSTEM FAULT TREE 1A

ACP-4KVBUS-1A1 DCP-BDC-LP-1A FLEX-ELEC DCP-BAT-CF-ALL

External 5.21E-06 External 3.85E-08

DC BATT CHARGERS FAILURE FROM FAILURE OF DIVISION I 125VDC FAILURE OF DIVISION I 125VDC

SEISMIC EVENT BATTERY CHARGER BATTERY

DCP-BCH-EQ DCP-BCH-LP-1A DCP-BAT-LP-1A

External 6.17E-05 7.97E-06

BATTERY CHARGERS FAIL FROM FAILURE OF DIVISION I 125VDC BUS

COMMON CAUSE 1A

DCP-BCH-CF-CHRS DCP-BDC-LP-1A

2.10E-07 5.21E-06

DIVISION I 125VDC BATTERY FAILURE OF BOP 125VDC BATTERY

CHARGER in Test and Maintenance CHARGER 1E

DCP-BCH-TM-1A DCP-BCH-LP-1E

2.00E-03 6.17E-05

BATTERY CHARGERS FAIL FROM

COMMON CAUSE

DCP-BCH-CF-CHRS

2.10E-07

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

17

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 7: FLEX Electrical Fault Tree

FLEX AC Electrical System

FLEX-ELEC

FLEX Diesel Generators FLEX AC Bus Equipment Failures

ACP-FLEX-BUS

FLEX-ELEC4 2.29E-05

Operator Fails to Setup and Run

FLEX DG and Electrical Distribution

SD-XHE-XM-FELEC

FLEX Diesel 1 (permanently installed) FLEX Diesel 2 (portable)

2.50E-01

FLEX Electrical Connection Fails due

to Des ign or Construction

FLEX-ELEC41 FLEX-ELEC42

FLEX-ELEC-CONNECT

5.00E-02

CCF of FLEX Diesel Generators 1 and

2 to Run

FLEX Diesel Generator 1 Fails to Run FLEX Diesel Generator 2 Fails to Run

EPS-FDGN-CF-FR

2.37E-03

EPS-DGN-FR-FDG1 EPS-DGN-FR-FDG2 CCF of FLEX Diesel Generators 1 and

1.50E-01 1.50E-01 2 to Start

FLEX Dies el Generator 1 Fails to FLEX Dies el Generator 2 Fails to

Start Start EPS-FDGN-CF-FS

6.90E-04

EPS-DGN-FS-FDG1 EPS-DGN-FS-FDG2 FLEX Feed Breaker to 1FX07E (CB

7.20E-02 7.20E-02 762 el.. west stairway)

FLEX Diesel Generator 1 Unavailable FLEX Diesel Generator 2 Unavailable

because of Test or Maintenance because of Test or Maintenance ACP-FLEX-CRB-FX01E-CB02

1.03E-03

EPS-DGN-TM-FDG1 EPS-DGN-TM-FDG2

1.48E-02 1.48E-02

FLEX Diesel 2 (portable) Fails due to

Improper Transport or Setup

EPS-DGN-XR-FDG

5.00E-02

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

18

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 8: Alternate Injection Fault Tree (includes FLEX)

ALTERNATE INJECTION - CDS SWS

FWS and FLEX

SD-ALT-INJ

All FLEX Injection Fails due to

Dependent Failure

SD-XHE-XM-FLEXINJFAIL

SD-ALT-INJ5 Ignore

CONDENSATE

CDS

External

CLINTON SSW INJECTION FAULT

TREE

SS1

External

CLINTON FIREWATER SYSTEM

FAULT TREE during Shutdown ELAP

SD-FWS

External

FLEX RCS Injection using Diesel FLEX

Pumps (CPS 4306.01P004 Section

4.4 and 4306.01P002)

FLEX-RCS-INJ

External

FLEX Suppression Pool Cleanup

Inject into RCS (4306.01P004

Section 4.1)

FLEX-SPC-INJ

External

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

19

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 9: RCS Injection using FLEX Diesel Driven FLEX Pumps Fault Tree

FLEX RCS Injection us ing Dies el FLEX

Pumps (CPS 4306.01P004 Section

4.4 and 4306.01P002)

FLEX-RCS-INJ

FLEX UHS Sys tem (4306.01P002) FLEX RCS Injection vis LPI FLEX RCS Injection Connection Fails

due to Design or Cons truction

SD-FUHS FLEX-RCS-CONNECT

External FRCS-INJ13 5.00E-02

Injection into RCS us ing FLEX Dies el

Driven Pumps (4306.01P002

Sections 4.3 and 4.4)

SD-XHE-XM-FRCS

FLEX Injection Via LPCS FLEX Injection Via RHR C

1.10E-01

FRCS-INJ130 FRCS-INJ131

LPCS INJECTION CKV F006 FAILS TO LPCI TRAIN C INJECTION MOV

OPEN RHR42C FAILS TO OPEN

LCS-CKV-CC-F006 RHR-MOV-CC-F042C

9.24E-06 8.16E-04

LPCS INJECTION MOV F005 FAILS LPCI INJECTION CKV F041C FAILS

TO OPEN TO OPEN

LCS-MOV-CC-F005 RHR-CKV-CC-41C

8.16E-04 9.24E-06

LPCI CKVS F041C, LCS F006 FAIL LPCI CKVS F041C, LCS F006 FAIL

FROM COMMON CAUSE FROM COMMON CAUSE

LCS-CKV-CF-FINJEC LCS-CKV-CF-FINJEC

1.94E-07 1.94E-07

LPCI Train C Vent Valve Fails to LPCS Vent Valve Fails to Open (FLEX

Open (FLEX connection point) connection point)

LPCI-MV-CC-F088 LPSC-MV-CC-F374

4.59E-04 4.59E-04

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

20

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 10: FLEX Ultimate Heat Sink System Fault Tree

FLEX UHS Sys tem (4306.01P002)

SD-FUHS

FLEX Engine Driven Pumps SSW A TIE TO PSW MOV SSW 14A

FAILS TO CLOSE

SSW-MOV-OO-SSW14A

SD-FUHS1 8.16E-04

Operator Fails to Setup and Run

FLEX Ultimate Heat Sink Sys tem

(4306.01P002)

SD-XHE-XM-FUHS

FLEX Pump 1 Fails FLEX Pump 2 Fails

1.40E-01

FLEX PUMPS FAIL FROM COMMON

CAUSE TO RUN

SD-FUHS10 SD-FUHS11

FLEX-EDP-CF-FR

6.12E-03

FLEX PUMPS FAIL FROM COMMON

CAUSE TO START

FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS

TO RUN TO RUN FLEX-EDP-CF-FS

2.90E-04

FLEX-EDP-FR-1 FLEX-EDP-FR-2 FLEX Diesel Driven Pump Connection

2.00E-01 2.00E-01 Fails due to Design or Cons truction

FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS

TO START TO START FLEX-EDP-CONNECT

5.00E-02

FLEX-EDP-FS-1 FLEX-EDP-FS-2 FLEX Manifold Isolation Valve Fails

1.00E-02 1.00E-02 Closed

FLEX-MV-CC-1XF003

4.59E-04

FLEX Pipe Manifold Is olation Valve to

SX Div. 1 or 2 Fails Closed

FLEX-MV-CC-1XF001C

4.59E-04

FLEX Water Injection to SX Valve

Div. 1 or 2 Fails Clos ed

SSW-MV-CC-SXF354

4.59E-04

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

21

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 11: RCS Injection using FLEX Suppression Pool Cleanup Fault Tree

FLEX Suppres s ion Pool Cleanup

Inject into RCS (4306.01P004

Section 4.1)

FLEX-SPC-INJ

FLEX Suppres s ion Pool Cleanup and FLEX Injection Paths Fail LPCI INJECTION MOVS RHR 42A,B,C

Transfer FAIL FROM COMMON CAUSE

FLEX-SPC RHR-MOV-CF-F042

External FLEX-SPC-INJ2 3.57E-06

LPCI CKVS 41A,B,C FAIL FROM

COMMON CAUSE

RHR-CKV-CF-F041

FLEX Injectin Path via Train A FLEX Injectin Path via Train B

6.07E-08

Operator Fails RCS Injection us ing

FLEX SPC (4306.01P004 Section 4.1)

FLEX-SPC-INJ20 FLEX-SPC-INJ21

SD-XHE-XM-FINJ

4.00E-03

RHR A MOV 27A FAILS TO OPEN LPCI TRAIN B INJECTION MOV

RHR42B FAILS TO OPEN

RHR-MOV-CC-F027A RHR-MOV-CC-F042B

8.16E-04 8.16E-04

LPCI TRAIN A INJECTION MOV LPCI INJECTION CKV F041B FAILS

RHR42A FAILS TO OPEN TO OPEN

RHR-MOV-CC-F042A RHR-CKV-CC-41B

8.16E-04 9.24E-06

LPCI INJECTION CKV F041A FAILS RHR A MOV 27B FAILS TO OPEN

TO OPEN

RHR-CKV-CC-41A RHR-MOV-CC-F027B

9.24E-06 8.16E-04

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

22

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 12: FLEX Suppression Pool Cleanup and Transfer Fault Tree

FLEX Suppression Pool Cleanup and

Transfer

FLEX-SPC

Suppression Pool Cleanup (FS) RHR Heat Exchangers Not Available FLEX AC Electrical System CCF OF SF MDPS TO RUN

Pumps Not Available

FLEX-ELEC SF-MDP-CF-FR

FFC2 FFC8 External 9.81E-07

FLEX UHS System (4306.01P002) CCF OF SF MDP'S TO START

SD-FUHS SF-MDP-CF-STRT

Suppress ion Pool Cleanup (FS) PUMP Suppress ion Pool Cleanup (FS) PUMP CLINTON FLEX SPC LOOP B IS

External 4.58E-06

A IS UNAVAILABLE B IS UNAVAILABLE UNAVAILABLE

SF COOLING SUCTION MOV F004

FSPC-B

FFC64 FFC73 External

SF-MOV-CC-F004

CLINTON FLEX SPC LOOP A IS

8.16E-04

UNAVAILABLE

SF COOLING SUCTION Manual F003

FSPC-A

Suppression Pool Cleanup and Suppression Pool Cleanup and

External

Transfer MDP 1A FAILS TO START Transfer MDP 1B FAILS TO START SF-VLV-CC-F003

8.16E-04

SF-MDP-FS-1A SF-MDP-FS-1B SF COOLING Discharge AOV F011

1.09E-03 1.09E-03

Suppressioin Pool Cleanup and Suppressioin Pool Cleanup and

Transfer MDP 1A FAILS TO RUN Transfer MDP 1B FAILS TO RUN SF-AOV-CC-F011

7.55E-04

SF-MDP-FR-1A SF-MDP-FR-1B SF COOLING Valve F041

9.00E-05 9.00E-05

SF MDP 6A DISCHARGE CHECK SF MDP 6B DISCHARGE CHECK

VALVE FAILS TO OPEN VALVE FAILS TO OPEN SF-MOV-CC-F041

8.16E-04

SF-CKV-CC-6A SF-CKV-CC-6B Operator Fails Suppression Pool

9.24E-06 9.24E-06 Cooling using FLEX

SF MDP 1A UNAVAILABLE DUE TO SF MDP 1B UNAVAILABLE DUE TO

TEST AND MAINTENANCE TEST AND MAINTENANCE SD-XHE-XM-FSPC

2.33E-01

SF-MDP-TM-1A SF-MDP-TM-1B FLEX Suppression Pool Cooling

4.56E-03 4.56E-03 Connection Fails due to Design or

SF COOLING Discharge MOV F010A SF COOLING Discharge MOV F010B Construction

FLEX-SPC-CONNECT

5.00E-02

SF-MOV-CC-F010A SF-MOV-CC-F010B

8.16E-04 8.16E-04

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

23

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 13: FLEX Suppression Pool Cooling using RHR Heat Exchanger A Fault Tree

CLINTON FLEX SPC LOOP A IS

UNAVAILABLE

FSPC-A

RHR/SSW HEAT EXCHANGE FAILS LOOP A SPC INJECT MOV RHR 24A

FAILS TO OPEN

RHR-FLEX-HXA RHR-MOV-CC-F024A

External 8.16E-04

SP INJECTION MOVS 24A,B

COMMON CAUSE FAIL TO OPEN

RHR-MOV-CF-F024

1.15E-05

RHR PUMP MINFLOW MOVS A,B,C

FAIL FROM COMMON CAUSE

RHR-MOV-CF-MINFL

3.57E-06

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

24

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 14: RHR Heat Exchanger A for FLEX SPC Fault Tree

RHR/SSW HEAT EXCHANGE FAILS

RHR-FLEX-HXA

RHR HTXS FAIL FROM COMMON

CAUSE

RHR-HTX-CF-RHRHX

2.41E-07

RHR HTX BYPASS VALVES FAIL

FROM COMMON CAUSE

RHR-MOV-CF-HXBPS

1.15E-05

RHR LOOP A HTX BYPASS MOV RHR

48A FAILS TO CLOSE

RHR-MOV-OO-BYPSA

8.16E-04

RHR MOVS F003A,B FAIL FROM

COMMON CAUSE

RHR-MOV-CF-HXDIS

1.15E-05

RHR HTX A DISCHARGE MOV 3A

FAILS TO OPEN

RHR-MOV-CC-F003A

8.16E-04

RHR HTX A FAILS

RHR-HTX-PG-HTXA

8.88E-06

RHR HTX SSW SUPPLY VALVE F014A

FAILS TO OPEN

SSW-MOV-CC-F014A

8.16E-04

RHR HTX SSW OUTLET ISOLATION

VLV F068A FAILS TO OPEN

SSW-MOV-CC-F068A

8.16E-04

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

25

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 15: Containment Venting Fault Tree

CONTAINMENT VENTING - SD

SD-CVS

CONTAINMENT (SUPPRESSION Venting of Containment with Manual Containment Failure Causes

POOL) VENTING Valves (CPS 4303.01P001) Injection Failure

CVS CF-IF

External SD-CVS4 2.00E-01

IFC012B Containment Pools Drain

Valve to Spent Fuel Pool Closed Fails

Closed

FC-MV-CC-12B

4.59E-04

IFC012A Containment Pools Drain

Valve to Surge Tank Closed Fails

Closed

FC-MV-CC-12A

4.59E-04

Operator Fails to Manually Vent

Containment with 1FC012A & B (CPS

4303.01P001)

FC-XHE-XM-MCV

4.20E-03

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

26

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 16: Electrical Cross-Tie Division 3 to Division 2 Fault Tree

Electrical Connection Div. 3 to Div. 2

ELEC_XTIE

CLINTON DIVISION III AC POWER Operator Fails to Establish Div. 3 to

SYSTEM FAULT TREE Div. 2 Electrical Cross Tie

ACP-4KVBUS-1C1 SD-XHE-XM-CROSSTIE

External 2.70E-01

CLINTON DIVISION II AC POWER Div. 3 to Div. 2 Cross Tie Fails due to

SYSTEM FAULT TREE Cross Tie (no Design

FLEX Elect.)

ACP-4KVBUS-1B1-XTIE2 XTIE-ELEC-CONNECT

External 2.00E-02

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

27

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

Figure 17: Division 2 AC Power Fault Tree

CLINTON DIVISION II AC POWER

SYSTEM FAULT TREE Cros s Tie (no

FLEX Elect.)

ACP-4KVBUS-1B1-XTIE2

4.1 KV BUS FAILURE FROM SEISMIC FAILURE TO RECOVER BREAKER 4160 V DIVISION II BUS (1B1)

EVENT CCF DURING BATTERY LIFE HARDWARE FAILURES

ACP-4KV-EQ ACP-BAC-LP-1B1

External ACP-4KVBUS-1B1-XTIE215 2.29E-05

FAILURE OF DIV2 SWITCHGEAR

COOLING

HVC-SWGR-DIV2-COOL

DC BATTEREIS FAILURE FROM CCF OF 125VDC BATTERYS (3)

External

SEISMIC EVENT

DCP-BAT-EQ DCP-BAT-CF-ALL

External 3.85E-08

FAILURE OF DIVISION II 125VDC

BATTERY

DCP-BAT-LP-1B

7.97E-06

FAILURE OF CIRCUIT BREAKER

201B1 TO OPEN (RAT)

ACP-CRB-CC-201B1

2.49E-03

CCF OF CIRCUIT BREAKERS 201A1

& 201B1 TO OPEN

ACP-CRB-CF-201

4.13E-05

FAILURE OF CIRCUIT BREAKER

221B1 TO CLOSE

ACP-CRB-OO-221B1

2.05E-03

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

28