ML18289A556
ML18289A556 | |
Person / Time | |
---|---|
Site: | Clinton |
Issue date: | 10/15/2018 |
From: | Louden P Division Reactor Projects III |
To: | Bryan Hanson Exelon Generation Co, Exelon Nuclear |
References | |
EA-18-104 IR 2018051 | |
Download: ML18289A556 (41) | |
See also: IR 05000461/2018051
Text
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
October 15, 2018
Mr. Bryan C. Hanson
Senior VP, Exelon Generation Company, LLC
President and CNO, Exelon Nuclear
4300 Winfield Road
Warrenville, IL 60555
SUBJECT: CLINTON POWER STATIONNRC INSPECTION REPORT 05000461/2018051
Dear Mr. Hanson:
On September 24, 2018, the U.S. Nuclear Regulatory Commission (NRC) presented the
preliminary significance assessment results to your staff at Clinton Power Station, Unit 1.
This letter transmits a finding that has preliminarily been determined to be White. A White
finding low to moderate safety significance that may require additional NRC inspections. As
described in this letter, on May 17, 2018, an apparent violation of Title 10 of the Code of Federal
Regulations (10 CFR) Part 50, Appendix B, Criterion V, Instructions, Procedures, and
Drawings, and Technical Specification 3.8.2, Condition B.3, were self-revealed for the
licensees failure to follow multiple procedures that affected quality. This resulted in the
unavailability and inoperability of the Division 2 Emergency Diesel Generator (EDG) when it was
relied upon for plant safety. During part of the time that the Division 2 EDG was unavailable the
Division 1 EDG was already out of service for planned maintenance. During the period when
neither EDG was available a loss of offsite power would have resulted in a station blackout
condition that could have resulted in a long term loss of the ability to cool the reactor core. This
finding was assessed based on the best available information, using the applicable Significance
Determination Process (SDP). Included in the body of the enclosed inspection report is the
basis for the staffs preliminary determination of significance.
Your corrective actions included (1) returning the Division 2 EDG to an operable status; (2)
communicating accountability and emphasis on procedure use and adherence; (3) just in time
training to all operations department staff on the procedure use requirements; (4) conducting a
three-day stand down to discuss case studies and lessons learned; and (5) revising the
equipment operator round points to include the EDG starting air manifold pressures. The
finding is also an apparent violation of NRC requirements and is being considered for escalated
enforcement action in accordance with the Enforcement Policy, which can be found on the
NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.
Enclosure contains Sensitive Unclassified
Non-Safeguards Information. When
separated from attachment 2, this
transmittal document is decontrolled.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
B. Hanson -2-
In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation
using the best available information and issue our final determination of safety significance
within 90 days of the date of this letter. The significance determination process encourages an
open dialogue between the NRC staff and the licensee; however, the dialogue should not
impact the timeliness of the staffs final determination.
Before we make a final decision on this matter, we are providing you with an opportunity to (1)
attend a Regulatory Conference where you can present to the NRC your perspective on the
facts and assumptions the NRC used to arrive at the finding and assess its significance; or (2)
submit your position on the finding to the NRC in writing. If you request a Regulatory
Conference, it should be held within 40 days of the receipt of this letter and we encourage you
to submit supporting documentation at least one week prior to the conference in an effort to
make the conference more efficient and effective. The focus of the Regulatory Conference is to
discuss the significance of the finding and not necessarily the root cause(s) or corrective
action(s) associated with the finding. If a Regulatory Conference is held, it will be open for
public observation. If you decide to submit only a written response, such submittal should be
sent to the NRC within 40 days of your receipt of this letter. If you decline to request a
Regulatory Conference or to submit a written response, you relinquish your right to appeal the
final SDP determination, in that by not doing either, you fail to meet the appeal requirements
stated in the Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual
Chapter 0609.
If you choose to send a response, it should be clearly marked as a Response to An Apparent
Violation; (EA-18-104) and should include for the apparent violation: (1) the reason for the
apparent violation or, if contested, the basis for disputing the apparent violation; (2) the
corrective steps that have been taken and the results achieved; (3) the corrective steps that will
be taken; and (4) the date when full compliance will be achieved. Your response should be
submitted under oath or affirmation and may reference or include previously docketed
correspondence, if the correspondence adequately addresses the required response.
Additionally, your response should be sent to the U.S. Nuclear Regulatory Commission, ATTN:
Document Control Center, Washington, DC 20555-0001 with a copy to K. Stoedter, Chief,
Branch 1, Division of Reactor Projects, U.S. Nuclear Regulatory Commission, Region III,
2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352, within 40 days of the date of this letter.
If an adequate response is not received within the time specified or an extension of time has not
been granted by the NRC, the NRC will proceed with its enforcement decision or schedule a
Please contact Ms. Karla Stoedter at 630-829-9731, and in writing within 10 days from the
issue date of this letter to notify the NRC of your intentions. If we have not heard from you
within 10 days, we will continue with our significance determination and enforcement decision.
The final resolution of this matter will be conveyed in separate correspondence.
Because the NRC has not made a final determination in this matter, no Notice of Violation is
being issued for these inspection findings at this time. In addition, please be advised that the
characterization of the apparent violation described above may change as a result of further
NRC review.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
B. Hanson -3-
This letter will be made available for public inspection and copying at
http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in
accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding.
However, the enclosed report contains Security-Related Information, so the enclosed report
will not be made publically available in accordance with 10 CFR 2.390(d)(1). If you choose
to provide a response that contains Security-Related Information, please mark your entire
response Security-Related Information-Withhold from public disclosure under 10 CFR 2.390
in accordance with 10 CFR 2.390(d)(1) and follow the instructions for withholding in
10 CFR 2.390(b)(1). The NRC is waiving the affidavit requirements for your response in
accordance with 10 CFR 2.390(b)(1)(ii).
Sincerely,
/RA/
Patrick L. Louden, Director
Division of Reactor Projects
Docket No. 50-461
License No. NPF-62
Enclosures:
Inspection Report 05000461/2018051
Attachment 1 (public)
Attachment 2 (non-public)
cc: W. Marsh, Clinton Station Security Manager
A. Khayyat, State Liaison Officer
Illinois Emergency Management Agency
cc w/o attach 2: Distribution via LISTSERV
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
B. Hanson -4-
Letter to Bryan Hanson from Patrick Louden dated October 15, 2018
SUBJECT: CLINTON POWER STATIONNRC INSPECTION REPORT 05000461/2018051
DISTRIBUTION w/attachments:
DISTRIBUTION:
RidsNrrDorlLpl3
RidsNrrPMClinton Resource
RidsNrrDirsIrib Resource
DRSIII
DRPIII
ROPreports.Resource@nrc.gov
ADAMS Accession Number: ML18289A556
OFFICE RIII RIII RIII OE
NAME CPhillips:bw LKozak JHeller for MMarshfield via
KLambert email for JPeralta
DATE 10/11/2018 10/11/2018 10/12/2018 10/12/2018
OFFICE NRR RIII RIII
NAME MFranovich via KStoedter PLouden
DATE 10/12/2018 10/15/2018 10/15/2018
OFFICIAL RECORD COPY
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
U.S. NUCLEAR REGULATORY COMMISSION
REGION III
Docket Numbers: 50-461
License Numbers: NPF-62
Report Number: 05000461/2018051
Enterprise Identifier: I-2018-051-0000
Licensee: Exelon Generation Company, LLC
Facility: Clinton Power Station
Location: Clinton, IL
Dates: August 3 through September 4, 2018
Inspectors: C. Phillips, Project Engineer
L. Kozak, Senior Reactor Analyst
J. Mitman, Senior Reliability and Risk Analyst
Approved by: K. Stoedter, Chief
Branch 1
Division of Reactor Projects
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Enclosure
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
SUMMARY
The U.S. Nuclear Regulatory Commission (NRC) completed the preliminary significance
determination associated with an apparent violation in accordance with the Reactor Oversight
Process. The Reactor Oversight Process is the NRCs program for overseeing the safe
operation of commercial nuclear power reactors. Refer to
https://www.nrc.gov/reactors/operating/oversight.html for more information. Findings and
violations being considered in the NRCs assessment are summarized in the table below.
List of Findings and Violations
Failure to Follow Multiple Procedures
Cornerstone Significance Cross-Cutting Report Section
Aspect
Mitigating Preliminary White [H.2] - Human 93812-Special
Systems AV 05000461/2018050-01 Performance, Inspection
Open Field Presence
On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed
a self-revealed finding with a To-Be-Determined (TBD) significance and an associated
Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50,
Appendix B, Criterion V, Instructions, Procedures, and Drawings, and Technical
Specification 3.8.2, Condition B.3. The issue involved the licensees failure to follow multiple
procedures that affected quality which resulted in the unavailability and inoperability of the
Division 2 Emergency Diesel Generator when it was relied upon for plant safety.
Additional Tracking Items
None.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
2
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
INSPECTION SCOPE
Inspections were conducted using the appropriate portions of the inspection procedure (IP) in
effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with
their attached revision histories are located on the public website at http://www.nrc.gov/reading-
rm/doc-collections/insp-manual/inspection-procedure/index.html. Samples were declared
complete when the IP requirements most appropriate to the inspection activity were met
consistent with Inspection Manual Chapter (IMC) 2515, Light-Water Reactor Inspection
Program - Operations Phase. The inspectors reviewed selected procedures and records,
observed activities, and interviewed personnel to assess licensee performance and compliance
with Commission rules and regulations, license conditions, site procedures, and standards.
OTHER ACTIVITIESTEMPORARY INSTRUCTIONS, INFREQUENT AND ABNORMAL
93812Special Inspection
The purpose of this inspection was to complete the preliminary significance determination for an
apparent violation 10 CFR Part 50, Appendix B, Criterion V and Technical Specification 3.8.2,
Condition B.3. documented in NRC Special Inspection Report 05000461/2018050.
INSPECTION RESULTS
93812Special Inspection
Failure to Follow Multiple Procedures
Cornerstone Significance Cross-Cutting Report Section
Aspect
Mitigating Preliminary White [H.2] - Human 93812-Special
Systems AV 05000461/2018050-01 Performance, Field Inspection
Open Presence
On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed
a self-revealed finding with a To-Be-Determined (TBD) significance and an associated
Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50,
Appendix B, Criterion V, Instructions, Procedures, and Drawings, and Technical
Specification 3.8.2, Condition B.3. The issue involved the licensees failure to follow multiple
procedures that affected quality which resulted in the unavailability and inoperability of the
Division 2 Emergency Diesel Generator when it was relied upon for plant safety.
Description:
On April 30, 2018, the licensee shut down the reactor as part of a scheduled refueling outage.
During the outage, the licensee performed maintenance on the Division 2 electrical system
which required the Division 2 emergency diesel generator (EDG) to be removed from service.
From May 9-11, 2018, the licensee completed activities to restore the Division 2 EDG to
service. Due to the failure to follow multiple procedures (as discussed in NRC Inspection
Report 05000461/2018050), the Division 2 EDG was not restored to an operable status
because operations personnel had not repositioned starting air valves 1DG160 and 1DG161
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
3
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
from the closed position to the open position. With the starting air valves in the closed
position, the Division 2 EDG was unable to start if needed.
On May 14, 2018, at 12:30 a.m., since the licensee was unaware that the Division 2 EDG was
inoperable and unavailable due to its inability to start caused by the 1DG160 and 1DG161
valves being closed, the licensee began a Division 1 scheduled maintenance window. As a
result of taking the Division 1 480 VAC bus out of service, the Division 1 EDG was declared
On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified that
the 1DG160 and 1DG161 valves were closed and reported this condition to the control room.
The licensee declared the Division 2 EDG inoperable, investigated the condition, and
subsequently returned the Division 2 EDG to an operable status.
Corrective Actions: The licensee initiated several corrective actions including (1)
communicating accountability and emphasis on procedure use and adherence; (2) just in time
training to all operations department staff on the procedure use requirements; (3) conducting
a three-day stand down to discuss case studies and lessons learned; and (4) revising the
equipment operator round points to include the EDG starting air manifold pressures.
Corrective Action Reference: Action Request (AR) 4138790, Division 2 DG Air Receiver
Found Isolated Rounds, dated May 17, 2018.
Performance Assessment:
Performance Deficiency: The licensee failed to perform activities affecting quality in
accordance with prescribed procedures and work instructions as required by 10 CFR Part 50,
Appendix B, Criterion V, Instructions, Procedures and Drawings, that resulted in the
unavailability of the Division 2 EDG when it was relied upon for plant safety.
Screening: The inspectors determined the performance deficiency was more than minor
because it adversely affected the configuration control attribute of the Mitigating Systems
Cornerstone and its objective of ensuring the availability, reliability, and capability of systems
that respond to initiating events to prevent undesirable consequences. Specifically, the failure
to follow station procedures/work instructions resulted in the unavailability of the Division 2
EDG when it was relied upon for plant safety.
Significance: The inspectors evaluated the finding against the guidance of IMC 0609
Appendix G, Attachment 1, Shutdown Operations Significance Determination Process
Phase 1 Initial Screening and Characterization of Findings. The finding impacted the
Mitigating Systems Cornerstone, specifically the Electric Power Availability Safety Function.
The finding represented a loss of system safety function for the EDGs for greater than its
TS 3.8.2, Condition B.3, allowed outage time of Immediately (one of the two EDGs was
required to be returned to an operable status immediately) which required a Phase 2
Appendix G evaluation.
The Phase 2 evaluation was conducted using IMC 0609 Appendix G, Attachment 3, and
Phase 2 Significance Determination Process Template for BWR during Shutdown. A
Region III senior reactor analyst (SRA) completed the Phase 2 evaluation and concluded that
a Phase 3, or detailed risk evaluation, would be needed to refine the Phase 2 evaluation.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
4
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Summary from Special Inspection Report
The detailed risk evaluation (DRE) covered a 6.5 day period when the Division 2 EDG was
inadvertently unavailable during a refueling outage.
The Division 2 EDG had been inoperable and unavailable as part of planned Division 2
480 VAC electrical distribution and Emergency Service Water (SX) systems maintenance
activities. When the Division 2 systems work was completed and the systems restored on
May 11, 2018 (at 2:30 a.m.), operators incorrectly declared the Division 2 EDG available. At
this time, the Division 2 EDG starting air isolation valves (1DG160 and 1DG161) remained
closed, which would prevent starting air from reaching the EDG air start motors, making the
EDG inoperable, unavailable, and non-functional because it would not and could not be
started on any demand signal.
On May 14, 2018, at 12:30 a.m., as the licensee was unaware that the Division 2 EDG was
unavailable, the licensee began a scheduled maintenance window on the Division 1 480 VAC
bus 1A1. As a result of taking the bus out of service, the Division 1 EDG was declared
inoperable. At this time neither Division 1 nor 2 EDG was functional.
On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified the
1DG160 and 1DG161 valves were inappropriately closed and reported this condition to the
control room. The licensee declared the Division 2 EDG inoperable and investigated the
condition. The licensee restored the valves to the open position and declared the Division 2
EDG available at 3:45 p.m. After the licensee performed OP-AA-108-106, the licensee
declared the Division 2 EDG operable at 9:04 p.m.
During the 6.5 day period the Division 2 EDG was not operable, available, or functional as the
licensee expected. During the 3.5 day period from May 14th to May 17th, neither the Division 1
nor 2 EDG was available to deal with a Loss of Offsite Power (LOOP) if one occurred.
As described in Inspection Report 2018050, a Phase 1 Significance Determination Process
(SDP) screening and a phase 2 SDP evaluation were completed for the finding using the
guidance of IMC 0609 Appendix G, Shutdown Operations Significance Determination
Process. As a result, the NRC determined that a detailed risk evaluation was needed to
further evaluate recovery strategies. These strategies included 1) restoration of the Division 2
EDG; 2) plant-specific mitigating system strategies such as the Division 3 cross-tie to Division
2; 3) use of Diverse and Flexible Coping Strategies (FLEX), and 4) the recovery of offsite
power. As a result the inspection report initially characterized the significance of this finding
as to be determined.
Summary of Preliminary (Phase 3) Significance Determination
The Clinton SPAR model, revision 8.54 was modified to add a shutdown Mode 4 cold
shutdown Loss of Offsite Power (LOOP) event tree based on the existing Grand Gulf
shutdown SPAR model. The model was further modified to use Clinton specific system fault
trees and to refine diesel generator recovery, incorporate FLEX electrical, FLEX suppression
pool cooling, FLEX injection, potential recovery of high pressure core spray (HPCS) pump,
recovery of reactor core isolation cooling (RCIC), use of alternate injection systems such as
installed fire pumps, B.5.b fire pumps, B.5.b reactor depressurization methods, manual
containment venting capability, and the cross-tie of the Division 3 EDG to Division 2 electrical
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
5
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
distribution system. Human error probabilities in addition to equipment failure probabilities
were added for all actions requiring manual alignment and operation.
The detailed risk evaluation considers the many different core cooling methods potentially
available. However, the results indicate that successful mitigation of the event relies on
operator action to restore AC power by one of several methods - recovery of the Division 2
EDG, FLEX electrical, Division 3 to Division 2 cross-tie, or offsite power recovery. The
analysis is complex since mitigation of a LOOP event in the degraded condition significantly
relies on operator actions and the decision making involving the interaction of these four
recovery strategies. The risk results are driven by human error.
None of the many operator actions modeled to mitigate the postulated LOOP/SBO event were
assumed to be resource limited. This is in recognition that the plant was in a refueling outage
with extra operations, maintenance and engineering staff available. Few of the many actions
modeled to mitigate the postulated LOOP/SBO were assumed to be limited by time available.
However, the overall sequence was modeled assuming operators have one hour to recover
the Division 2 EDG before an extended loss of AC power (ELAP) is declared. Once ELAP is
declared, plant procedures direct the operators to pursue the FLEX method to re-power
Division 2. If FLEX fails, procedures supply guidance on using the Division 3 cross-tie. For
the dominant core damage sequence, the time to core damage is approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />,
this was considered to be adequate time with some margin, but not extra or expansive time,
given the level of manual effort required and the number of concurrent methods of mitigation
that were modeled.
The finding exposure time that was quantitatively assessed was the 3.5 day period that both
emergency diesel generators were unavailable. The full exposure time was approximately
6.5 days. However, the risk results are dominated by the 3.5 days when neither diesel was
available.
The result of the detailed risk evaluation is a finding of low to moderate safety significance
(White). The best estimate change (i.e., delta) in core damage frequency for the 3.5 day
period, using reasonable and realistic assumptions, was estimated to be 3.8E-6 per year.
The dominant sequence was a loss of offsite power, failure to recover the Division 2 EDG
leading to an Extended Loss of AC Power (ELAP) declaration, failure to maintain the reactor
depressurized, failure to inject at high pressure, and the failure to cross-tie the Division 4KV
bus to the Division 2 4kV bus. Sensitivity evaluations were performed to understand the
influence of important assumptions. The results of the sensitivity evaluations showed a range
of outcomes from very low safety significance (Green) to substantial safety significance
(Yellow). The sensitivity evaluations were used to confirm the best estimate outcome - low to
moderate (White) safety significance. See Table 1. The specific important assumptions of
the detailed risk evaluation, the event tree, fault trees, and dominant core damage cut-sets
are included in the Enclosure.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
6
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Table 1: Risk Results Including Sensitivity Cases
Delta
Old BE New BE
Notes BE Adjusted CDF
Value Value
Results
Best Case Analysis n/a n/a n/a 3.8E-06
Sensitivity Cases:
No change set
Div. 2 EDG available required, simply use TRUE
1 EPS-XHE-XR-DG1B 1.00E-03 5.4E-07
(i.e., no PD) value for base case (1.0)
no PD
Div. 2 EDG non-
2 recovery based on EPS-XHE-LR-NR10H 2.0E-02 8.80E-01 1.7E-05
data 88%
Note that using
Exelon's values
reduces the CDF to
Div. 2 EDG non-
less than the no PD
3 recovery based EPS-XHE-LR-NR10H 2.0E-02 5.0E-03 1.0E-07
case because the
Exelon estimate
NRP is lower than
the base EDG failure
probability
HPCS pump available
TRUE False
4 during entire 3.5 day HCS-XHE-XR-MDP 6.2E-07
(1.0) (0.0)
exposure time
Single Human Error
5 Probability (HEP) for Multiple BE 5.3E-05 1.0E-03 3.5E-06
all injection methods
6 SD-XHE-XM-FRCIC 7.5E-01 1.0E-01 3.7E-06
to 0.1
Decrease FLEX
7 Electrical HEP to SD-XHE-XM-FELEC 2.5E-01 1.0E-01 2.4E-06
Exelon value to 0.1
Reduce all FLEX Decrease
8 Multiple BE Various 6.7E-08
HEPS by factor of 10 by 10X
9 Multiple BE Various 2.5E-08
False (0.0) (0.0)
Increase all FLEX Increase RCIC value Increase
10 Multiple BE Various 2.9E-05
HEPs by Factor of 2 from 0.75 to 1.0 by 2X
Exelon modified the
IEF because the
Using Exelon
switchyard was
Initiating Event
11 protected Note: SD-MFL-LOOP 1.7E-1 1.2E-1 2.8E-06
Frequency (IEF) of
EDG2 was protected
0.12 per year
during 6.5 days of
unavailability
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
7
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Cross-cutting Aspect: As discussed in Inspection Report 05000461/2018050, the finding
had a cross-cutting aspect in the Field Presence component of the Human Performance
cross-cutting area. (H.2)
Enforcement:
Apparent Violation: Title 10 CFR Part 50, Appendix B, Criterion V, Instructions, Procedures,
and Drawings, requires, in part, that activities affecting quality be prescribed by documented
procedures of a type appropriate to the circumstances and be accomplished in accordance
with these procedures.
Clearance Order 139455 instructions required the performance of CPS 3506.01P002,
Division 2 Diesel Generator Operations, Revision 3a, in conjunction with the removal of
out-of-service tags on May 9, 2018.
Procedure OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.1.5, stated, If
plant conditions require a locked component to be positioned in a manner other than that
indicated on the locked equipment checklist or approved procedure, then UNLOCK and
REPOSITION equipment in accordance with OP-AA-108-101, Control of Equipment and
System Status. Procedure OP-AA-108-101, Control of Equipment and System Status,
Revision 14, Step 4.1.1.1, stated, Utilize an ACPS for aligning equipment outside of routine
operations.
Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, required
that if equipment will not be restored to the Equipment Line-up/Restoration position or the
original condition, then another approved equipment status control mechanism shall be used
to document equipment status (i.e. Equipment Status Tag, administrative clearance/tagout).
Procedure OP-AA-108-101, Control of Equipment and System Status, shall be used to
document abnormal equipment configuration and shall be immediately applied following
equipment restoration.
Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, which
stated, Applicable Operating procedures are complete and any equipment line-ups directed
to be completed by the Operating Procedures are completed.
Procedure OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, stated,
The system/equipment has been walked down as appropriate to verify that it can be safely
operated to fulfill its design function.
Procedure OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1 stated, If a
lift position is determined to be different from the normal lineup position for the present plant
condition and not tracked by another C/O or procedure, then the Shift Management shall be
notified and equipment tracking initiated.
Technical Specification 3.8.2, AC Sources-Shutdown, Condition B.3, states, in part, that an
inoperable EDG be restored to an operable status immediately.
Between May 9 and May 17, 2018, the licensee apparently failed to:
Perform CPS 3506.01P002, Division 2 Diesel Generator Operations, Revision 3a, in
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
8
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
conjunction with the removal of C/O 139455 as required by the C/O restoration instructions.
Perform OP-AA-108-103, Locked Equipment Program, Revision 2, Step 4.3, valves
1DG160 and 1DG161 were normally locked open valves and an ACPS was not utilized to
track valve status.
Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.3, when valves
1DG160 and 1DG161 were left in an abnormal position an approved equipment status control
mechanism was not used to track equipment status.
Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.9, when the
equipment was declared operable the applicable operating procedure CPS 3506.01P002 had
not been completed and equipment line-ups directed to be completed by the operating
procedures were not completed.
Perform OP-AA-108-106, Equipment Return to Service, Revision 5, Step 4.4.14, when the
system was declared operable without being walked down.
Perform OP-AA-109-101, Clearance and Tagging, Revision 12, Step 10.2.1, when the lift
position was different from the normal lineup for the present plant condition and equipment
tracking was not initiated.
Additionally, because the licensee was not aware of the EDGs inoperability the required
action in Technical Specification 3.8.2, Condition B.3 was not followed.
EXIT MEETINGS AND DEBRIEFS
The inspectors confirmed that proprietary information was controlled to protect from public
disclosure. No proprietary information was documented in this report.
- On September 24, 2018, Mr. P. Louden presented the preliminary significance assessment
results to Mr. T. Stoner, Clinton Power Station, Site Vice President.
DOCUMENTS REVIEWED
93812Special Inspection
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
9
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Detailed Risk Evaluation Assumptions
Plant Conditions during the Conditions Assessed
Clinton is a General Electric Boiling Water Reactor 6 with a Mark III containment. It has three
divisions of Emergency Core Cooling (ECCS). Divisions 1 and 2 have residual heat removal
(RHR) capability, each with an RHR train that contains a heat exchanger. Each division has its
own emergency diesel generator (EDG) and 4kV safety bus. In addition, Division 3 contains a
High Pressure Core Spray (HPCS) pump dedicated safety bus, and EDG, but does not contain
an RHR train.
The Division 2 EDG unplanned unavailability started after the reactor had been refueled and the
associated reactor cavity was full. That is, there was over 23 feet of water above the reactor
core. Early in the unavailability, the licensee installed the reactor pressure vessel (RPV)
internals, lowered water level to about six inches below the RPV flange, installed and tensioned
the reactor vessel head. The unit entered cold shutdown or Mode 4 when the last reactor head
bolt was tensioned. See Figure 1 for a time line of these events.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Attachment 1
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
2
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
The following assumptions were made in performing the detailed risk evaluation.
1. The time to boil in the reactor coolant system was assumed to be approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />,
based on Exelon document CL-SDP-010 Rev. 1. This calculation assumes the starting
water level is approximately six inches below the RPV flange.
2. The time to top of active fuel, a surrogate for core damage, varies from approximately 10
to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> depending on plant configuration assumptions. These values were based
on Exelon document CL-SDP-010 Rev. 1. If the reactor is maintained at low pressure,
then the time to core uncovery is about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the reactor pressure increases then
the time to uncovery is estimated between 10 and 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />. Both calculations assume
the starting water level is approximately six inches below the RPV flange.
3. Core uncovery is the normal at-power surrogate for core damage. During shutdown,
core damage is expected between 1/3 and 2/3 core height which is somewhat after core
uncovery, therefore, using core uncovery as a surrogate for core damage is
conservative.
4. The following equipment was out of service and was considered to be unavailable and
non-recoverable:
- EDG 1A;
- 480v AC bus 1A;
- 480v AC bus A;
- NSPS 120v Power distribution panel bus A;
- Division 1 normal 125v DC battery charger 1A; and
- RHR pump A.
5. The following equipment was available:
- All FLEX equipment;
- RHR train B;
- RHR heat exchanger A;
- Both suppression pool cleanup (SF) pumps and the associated piping (Note:
there was a very short period at the beginning of the 3.5 days when one SF
pump was not available. Because this availability was short and with the
knowledge that the results are not driven by mitigating system availability, this
unavailability was ignored.);
- All B5b equipment;
- 480v AC aux. building bus 1L;
- 480v AC aux. building bus 1M;
- 480v AC aux. building bus 1D;
6. The NRC used the SPAR-H Human Reliability Method to evaluate the many operator
actions in the model. For all of the human error probabilities evaluated, the performance
shaping factor stress was considered to be high for both diagnosis and action
because the plant would be in a station blackout condition. In many of the Human Error
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
3
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Probability (HEP) evaluations, complexity was determined to be either moderate or
high because the operators would be in multiple procedures in multiple plant locations.
Many of the actions are local, infrequently or never performed, and some have very
limited training. In many cases, ergonomics was also rated as poor because the local
actions may be physically demanding and in difficult SBO conditions (on emergency
lighting at best and without any ventilation). Table 2 below contains a summary of the
dominant HEPs.
7. None of the many actions modeled to mitigate the postulated LOOP/SBO event were
assumed to be resource limited. This is in recognition that the plant was in a refueling
outage with extra operations, maintenance and engineering staff available. The detailed
risk evaluation models operator action for four different methods to re-establish electrical
power to Division 2 (EDG recovery, offsite power recovery, FLEX, Division 3 to Division
2 crosstie), two additional (beyond the normal use of SRVs after restoring emergency
power) methods to maintain the reactor de-pressurized (FLEX and B.5.b), three
additional methods (beyond using ECCS after restoring emergency power) to inject to
the Reactor Coolant System (RCS) at low pressure (two FLEX methods and the diesel
driven fire pumps), two methods to inject to the RCS at high pressure (HPCS and RCIC),
and two additional methods to remove decay heat (FLEX suppression pool cooling and
containment venting). All of these require operator action. Many require significant
operator effort. In addition to these actions there are other important, non-modeled
actions that would also be in progress, such as actions to establish primary and
secondary containment and actions for emergency response such as accountability and
notifications.
8. Few of the many actions modeled to mitigate the postulated LOOP/Station Black Out
(SBO) were assumed to be limited by time available. However, the overall sequence
was modeled assuming operators have 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to recover the Division 2 EDG before
ELAP is declared. Once ELAP is declared, operators will pursue the FLEX method to
re-power Division 2. If FLEX fails, the Division 3 cross-tie, is modeled. For the dominant
sequence, the time to core damage is approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />, this was considered to be
adequate time with some margin, but not extra or expansive time, given the level of
manual effort required and the number of concurrent methods of mitigation that were
modeled.
9. The high pressure core spray system was unavailable during most of the 3.5 day
exposure period due to planned maintenance. Initially, for a period of 49 hours5.671296e-4 days <br />0.0136 hours <br />8.101852e-5 weeks <br />1.86445e-5 months <br />, it was
not recoverable. Later, for a duration of 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br />, it was modeled as recoverable, and in
the last 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of the exposure period, the system was fully available. The impact of
the status of HPCS over the exposure period was addressed by running three separate
cases - HPCS unavailable, HPCS recoverable, and HPCS at nominal failure
probabilities. The results were combined in a spreadsheet to obtain the final result. To
estimate the HEP for the operator failure to recover HPCS during the 44 hours5.092593e-4 days <br />0.0122 hours <br />7.275132e-5 weeks <br />1.6742e-5 months <br /> it was
recoverable, the performance shaping factors that were determined to be performance
drivers were stress for diagnosis, and stress and complexity for action. Stress was
evaluated as high because the plant would be in a station blackout condition.
Complexity was rated as moderate. Under normal conditions, this would not be a
complex task, but in response to a station blackout with multiple procedures and
mitigating strategies in progress, complexity is increased.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
4
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
10. The RCIC system was unavailable due to plant conditions. During the 3.5 days of
interest, the plant was in cold shutdown with reactor coolant system water level above
the steam lines. However, the RCIC system was not undergoing any maintenance and
could have been put into service if an event had occurred, steam was available due to
RCS heat-up and boiling, and water level had decreased below the steam line. While
possible, extensive work would be required to prepare the RCS for operations at normal
pressure and temperature. Licensee procedure CPS 3002.01 controlled this process.
This 40 page document is the normal startup procedure. It assumes normal electrical
power is available to realign systems. While much of this procedure would not be
required to prepare the RCS for RCIC operation and extensive amount of procedure
triage would be required. The HEP for the operator failure to put RCIC into service
under the postulated conditions is 7.5E-1. The HEP was dominated by failure to
perform the action. The performance drivers were considered to be time (this is one of
the few HEPs that was impacted by time available), stress, complexity,
experience/training, and ergonomics. The time available was assumed to be about
equal to the time required, stress was considered to be high, complexity was high,
experience/training was low, and ergonomics was poor.
11. Electrical power recovery to Division 2 could be successful via offsite power recovery,
recovery of Division 2 diesel generator, use of FLEX, or crosstie of the Division 3 diesel
generator to the Division 2 4kV bus. The detailed risk evaluation assumes that the
operators will initially try to recover the diesel generator. If recovery is not successful,
operators will transition to FLEX implementation, and if FLEX fails, the evaluation
models the potential to implement the crosstie.
12. The Division 2 EDG was recoverable and the risk evaluation shows that the operators
would be very likely to recover it. However, the potential for operators failing to recover
the diesel generator was evaluated. The failure to recover the diesel generator was
assigned a human error probability of 0.202 (20 percent failure, 80 percent success
rate). This is a factor of 4 lower than the data/statistically derived failure to recover
probability. The NRC assumed that 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> was available to recover AC power to
Division 2 by recovering the EDG. At 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, ELAP declaration and implementation of
FLEX electrical power to Division 2 would commence. Diesel generator recovery is
further complicated by station blackout load shedding that removes all DC control power
from the diesel generator and the FLEX electrical alignment which also impacts Division
2 EDG components. Recovery of the Division 2 EDG after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> into an SBO does not
represent successful recovery of Division 2 AC power. Operator actions to back out of
ELAP, FLEX implementation, and load shedding to restore the EDG is not governed by
procedures, is not a simple, skill of the craft task, and has no training. It was not
credited in the risk evaluation consistent with general PRA/HRA assumptions and the
Risk Assessment Standardization Project (RASP) guidance.
13. The human error probability for the failure to recover Division 2 EDG was estimated at
0.202. The performance shaping factors that were determined to be performance
drivers were Stress and Experience/Training for Diagnosis, and Stress for Action.
Stress was considered to be high because the plant would be in a station blackout
condition. Experience/Training for Diagnosis was considered to low. Plant staff
perform troubleshooting as a regular job task, however, operators have not trained on,
experienced or been exposed to troubleshooting a failure of the protected diesel
generator during a shutdown SBO.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
5
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
14. The human error probability for the failure to implement the FLEX electrical line-up was
estimated at 2.5E-1. The performance shaping factors that were determined to be
performance drivers were stress for diagnosis and action, and complexity and
experience/training for action. Stress was considered to be high because the plant
would be in a station blackout condition. The action to align the FLEX electrical system
was considered to be both highly complex and was assigned low experience/training.
The procedure requires many in-plant actions under difficult conditions and the
alignment has never been implemented.
15. The human error probability for the failure to implement the Division 3 to Division 2
crosstie was estimated at 2.7E-1. The performance shaping factors that were
determined to be performance drivers were stress for diagnosis and action, and
complexity, experience/training, and ergonomics for action. Stress was considered to be
high because the plant would be in a station blackout condition. The action to
implement the cross-tie was considered to be highly complex and was assigned low
experience/training and poor ergonomics. The procedure has both in-plant and control
room actions in multiple locations and has received very little training.
16. Offsite power recovery is also modeled but is complicated by electrical system
re-alignment when FLEX or the Division 3 cross-tie are attempted but fail. These
strategies significantly alter the electrical distribution system. The detailed risk
evaluation models offsite power non-recovery at 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br /> or 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, depending on the
sequence. The offsite power recovery curve is used along with a human error
probability for the failure to realign the electrical system once other sources of power
have been attempted but failed. The performance shaping factors that were considered
to be performance drivers for the failure to realign the electrical system were stress for
diagnosis and action and procedures for action. Stress was considered to be high
because the plant would be in a station blackout condition. Procedures were considered
to be incomplete as there are procedures for aligning offsite power sources but they
would not specifically address the electrical alignment that would exist after FLEX and
the crosstie have been attempted but not successfully implemented. The HEP was
estimated at 7.61E-2.
17. Alignment of alternate suppression pool cooling using FLEX equipment was modeled.
The human error probability was estimated at 2.33E-1. The performance shaping
factors that were determined to be performance drivers were stress for diagnosis and
action, and complexity, experience/training, and ergonomics for action. Diagnosis was
considered to be obvious as the need for suppression pool cooling during SBO events
is well understood. Stress was considered to be high because the plant would be in a
station blackout condition. The action was considered to be moderately complex, have
low experience/training, and poor ergonomics. The steps to perform the action are
performed outside the control room in poor lighting and there is infrequent training and
no actual experience. The procedure describes some of the steps as physically
demanding and some are in high radiation areas.
18. Two methods of RCS Injection using FLEX equipment were modeled. The easier
method would be to re-align the FLEX SPC method for injection. The human error
probability for this action was estimated at 4E-3. The less preferred method, using the
diesel-driven FLEX pumps, was estimated at 1.1E-1. For the easier method, the
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
6
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
performance shaping factors that were determined to be performance drivers were
stress for diagnosis and action. The diagnosis was also assumed to be obvious, given
that the FLEX suppression pool cooling alignment would already be in place and working
successfully. Minimal additional action would be required to re-align the system for
injection. The actions to use the less preferred method of direct injection from the lake
with the diesel driven pumps was not an important action driving the results of the
analysis.
19. Alignment of the ultimate heat sink using FLEX equipment was modeled. The human
error probability was estimated at 1.39E-2. The performance shaping factors that were
determined to be performance drivers were stress for diagnosis and action and time,
complexity, experience/training, and ergonomics for action. Diagnosis was considered
to be obvious similar to the rating for aligning suppression pool cooling. Stress was
considered to be high because the plant would be in station blackout condition. The
time available for the action was considered to be greater than 5x the time required.
Complexity was considered to be moderate, experience/training low, and ergonomics
poor. The steps to perform the action are performed outside the control room in poor
lighting and there is infrequent training and no actual experience. The procedure
describes some of the steps as physically demanding and some are in high radiation
areas.
20. Use of B.5.b equipment and strategies to maintain the reactor depressurized was
modeled with an operator action that was highly dependent on the operator action to use
FLEX strategies. The FLEX strategy to maintain the reactor depressurized was
assumed to be the preferred method. The human error probability for the dependent
operator action was 5.2E-1.
21. Primary containment was open during the exposure time. However, procedures would
instruct operators to take action to establish primary containment. The detailed risk
evaluation assumes that operators would take this action and would establish primary
containment. If suppression pool cooling is not established, then containment venting
would be required, consistent with at-power PRA model assumptions. Manual venting of
containment was credited. These are long sequences containing success of core
cooling via injection but failure to establish suppression pool cooling. These
assumptions did not impact the dominant core damage sequences.
22. Alternate injection with fire water system was modeled with equipment failures and an
operator action for the failure to align the system. This method was assumed to be the
least preferred method of low pressure injection. The operator failure to align fire water
injection was assigned an HEP of 1.2E-1 and was not modeled as dependent on
previous operator actions, a possible non-conservative assumption. These assumptions
did not impact the dominant core damage sequences.
23. The FLEX diesel generators were assigned a failure to start of 7.2E-2 and a failure to
run for the mission time of 1.5E-1. The failure to start was based on actual plant
operating experience. The run time data for the diesel generators was very limited and
could not be used to estimate the failure to run probability. The failure to run for
emergency diesel generators was multiplied by a factor of 5 based on analyst judgement
to obtain the failure to run rate of the FLEX diesel generator.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
7
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
24. The FLEX diesel-driven pumps were assigned a failure to start of 1E-2 and a failure to
run of 2.1E-1. Based on analyst judgment these failure rates we set at five times the
corresponding failure rates for permanently installed diesel driven fire pumps.
25. FLEX equipment was assigned a failure probability due to design or construction of
5E-2. The FLEX strategies, although carefully developed and reviewed for the Mitigating
Strategies Order, have never been fully demonstrated. Latent design or construction
errors could exist.
26. The Division 3 to the Division 2 cross-tie was assigned a failure probability due to design
error of 2E-2. Both divisions are normally in-service but never cross-tied and the
cross-tie has never been fully demonstrated.
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
8
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Table 2: Summary of Dominant HRA Results
Mean Mean Total
Human Error Event Description Procedure Time Needed Time Available Diagnos Action Mean
Operator Fails to Perform Cross-Tie between Div. 3
SD-XHE-XM-XTIE-S1 and Div. 2 Electrical during Short Time to Core 4303.01P023 5 to 6 Hours 5 Hours 4.0E-2 7.5E-1 7.9E-1
Uncovery
Operator Fails to Perform Cross-Tie between Div. 3 Between 10 and 24
SD-XHE-XM-XTIE 4303.01P023 5 to 6 Hours 4.0E-2 2.3E-1 2.7E-1
and Div. 2 Electrical Hours
Operator Fails to Setup and Run FLEX DG and 10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
SD-XHE-XM-FELEC 4306.01P001 3 Hours 2.0E-2 2.3E-1 2.5E-1
Electrical Distribution depending on sequence
10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
SD-XHE-XM-FUHS Operator Fails UHS Water Supply using FLEX 4306.01P002 6 Hours 2.0E-3 1.2E-1 1.4E-1
depending on sequence
SD-XHE-XM-FSPC Operator Fails Suppression Pool Cooling using FLEX 4306.01P003 6 Hours Minimum of 24 Hours 2.0E-3 2.3E-1 2.3E-1
Operator Fails to Injection into RCS using FLEX 10 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
SD-XHE-XM-FRCS 4306.01P004 6 Hours 2.0E-3 1.1E-1 1.1E-1
Diesel Driven Pumps depending on sequence
SD-XHE-XM-DCLS Operator Fails to Performs DC Load Shed 4200.01C002 0.5 Hours 1 Hour 4.0E-2 2.0E-2 6.0E-2
OPERATOR FAILS TO ALIGN FIREWATER during
FWS-XHE-XM-INJLT 4411.03 4 Hours 10 to 13 Hours 2.0E-2 4.0E-3 2.4E-2
Shutdown ELAP (includes check valve disassembly)
Operator Fails to Operate RCIC during ELAP from
SD-XHE-XM-FRCIC 3002.01 10 Hours 10 to 13 Hours 2.0E-3 7.5E-1 7.5E-1
Shutdown
Operator Fails RCS Injection using FLEX SPC (This 4306.01P004
SD-XHE-XM-FINJ 1 Hour 4 Hours 2.0E-3 2.0E-3 4.0E-3
requires FLEX UHS to be already available) Section 4.1
Operator Fails to Manual Vent Containment with CPS
FC-XHE-XM-MCV 4 Hours >24 Hours 4.0E-3 2.0E-4 4.2E-3
Valves 1FC012A & B 4303.01P001
Operator Fails to Restore HPCS Pump from Outage 10 to 24 Hours
HCS-XHE-XR-MDP 3309.01 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> 2E-2 4E-3 2.4E-2
Maintenance depending on sequence
CPS 5061.07
Non Recovery Probability of EDG2 in 1 Hour due to
SD-EPS-XHE-XM-NR01H CPS 5285 0.5 Hours 1 Hour 2.0E-1 2.0E-3 2.0E-1
Closed Air Start Valves
CPS 3506.01
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
9
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Operator fails to recovery electrical distribution
SD-XHE-XL-ELAP None 7.6E-2
system after offsite power recovery
Operator Fails to setup B5b Equipment for
SD-XHE-XM-DEPB5B Depressurization (This is an HEP that is dependent 4303.01P004 Several Hours 10 to 13 Hours 2.0E-2 2E-3 5.1E-1
on failure to depressurize using FLEX equipment)
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
10
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
References
1. Clinton SPAR Model, Revision 8.54 with Modifications
2. NUREG-1842, Good Practices for Implementing Human Reliability Analysis.
April 2005
3. NUREG/CR-6595 Revision 1, An Approach for Estimating the Frequencies of Various
Containment Failure Modes and Bypass Events. October 2004
4. NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method
5. INL/EXT-10-18533, SPAR-H Step-by-Step Guidance
6. RASP Manual Volume 1 - Internal Events, Revision 2.02 date December 2017
7. NUREG/CR-1278, Handbook of HRA with Emphasis on Nuclear Power Plant
Applications, August 1983
8. Analysis of Loss-of Offsite-Power Events 1987-2016, INL/EXT-17-42376
August 2017 (https://nrcoe.inl.gov/resultsdb/publicdocs/LOSP/loop-summary-update-
2016.pdf)
9. IMC 0609 Appendix G, Shutdown Operations SDP
10. NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.
December 1991
11. CPS 3002.01 R32e Heatup and Pressurization
12. CPS 3312.03 R11d SDC and FPC Assist
13. CPS 3501.01 High Voltage Auxiliary Power System
14. CPS 3506.01 EDG and Support Systems
15. CPS 3506.01P002 Division 2 Diesel Generator Operations
17. CPS 4200.01 Loss of AC Power
18. CPS 4200.01C002 DC Load Shedding during SBO
19. CPS 4303.01P001 Containment Venting Without AC Power Available
20. CPS 4303.01P004 SRV Operation With External DC Power
21. CPS 4303.01P023 Cross-Connecting Div. 3 DG to Div. 1(2) ECCS Electrical Busses
22. CPS 4306.01P001 FLEX Electrical Connection
23. CPS 4306.01P002 FLEX UHS Water Supply
24. CPS 4306.01P003 FLEX Suppression Pool Cooling
25. CPS 4306.01P004 FLEX Low Pressure RPV Makeup
26. CPS 4306.01P017 ELAP During Modes 4 and 5
27. CPS 5285_R27c Alarm Panel 5285 Annunciators at 1PL12JB
28. CPS 5061.07 Alarm Panel 5061 Annunciators - Row 7
29. CPS 4411.03 Injection Flooding Sources
30. CPS 4411.06 Emergency Containment Venting, Purging and Vacuum Relief
31. CPS 9065.01 Secondary Containment Access Integrity
34. EOP-3 Emergency RPV Depressurization (Blowdown)
35. EOP-6 Primary Containment Control
36. EOP-8 Secondary Containment Control
37. CC-AA-118 Corporate FLEX Process Guidance
38. OU-AA-103 Shutdown Safety Management Program
39. OU-CL-104 Shutdown Safety Management Program (Clinton Power Station)
40. CL-SDP-010 Risk Assessment - May 2018 Outage: Division 2 DG 1B Unavailable
with Division 1 Bus Unavailable, Rev. 0
41. DB430301 DBIG-Extensive Damage Mitigation Guide, Rev. 5
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
11
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
42. N-CL-OPS-DB430601, FLEX, Rev. 0
43. SE-LOP-162, Extensive Damage Mitigation, Rev. 0
44. SE-LOR-4306, FLEX Event, Rev. 0
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
12
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Event Tree and Fault Tree Figures
Figure 2: LOOP Event Tree 1
Loss of Offsite Power - M4 EMERGENCY POWER AC POWER RECOVERY - 24 # End State
LATE SUPPLY - (DIV I AND II) / 1 Hours (Phase - CD)
SD-M4L-LOOP SD-EPS SD-AC-REC-24H
1 SD-M4L-LOOP-T
2 SD-M4L-LOOP-T
3 SD-M4L-LOOP-T
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
13
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 3: LOOP Event Tree 2
SDC (no FLEX credit here - MANUAL REACTOR LOW PRESSURE COOLANT ALTERNATE INJECTION - HI PRESSURE INJECTIONS HEAT REMOVAL USING ALTERNATE HEAT REMOVAL CONTAINMENT VENTING - Electrical Connection Div. 3 Power Recovery Correction # End State
Always Fails during ELAP) DEPRESS (include credit for INJECTION (no FLEX credit CDS SWS FWS and FLEX (HCS/CRD) SUPPRESSION POOL (Always Fails during ELAP) SD to Div. 2 Factor for Different Time to (Phase - CD)
FLEX DC Power) here - Always Fails during including FLEX Core Uncovery
<DUMMY-FT> SD-SDC SD-DEP SD-LPI ELAP)) SD-ALT-INJ SD-HPI SD-SPC-EXT SD-ALT-HEAT SD-CVS ELEC_XTIE TTCU
1 OK
2 OK
3 OK
Low pressure injection 4 OK
5 OK
GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 6 CD-SD
7 OK
8 OK
Low pressure injection 9 OK
Low pressure
10 OK
GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 11 CD-SD
12 OK
13 OK
High pressure injection @ low temperature
14 OK
GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 15 CD-SD
16 OK
No injection
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 17 CD-SD
18 OK
19 OK
Injection @ high pressure
20 OK
High pressure GT 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to CD 21 CD-SD
22 OK
No injection 23 OK
10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> to CD
24 CD-SD
TTCU-10H
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
14
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 4: AC Power Recovery Fault Tree
AC POWER RECOVERY - 24 / 1
Hours
SD-AC-REC-24H
OPERATOR FAILS TO RECOVER
EMERGENCY DIESEL IN 1 HOUR
EPS-XHE-XL-NR01H
SD-AC-REC-24H3 8.88E-01
OPERATOR FAILS TO RECOVER EDG
B IN 1 HOUR due to Start Air Iss ue
EPS-XHE-XM-NR01H
OPERATOR FAILS TO RECOVER
2.02E-01
OFFSITE POWER IN 24 HOURS
OEP-XHE-XL-NR24H
5.91E-02
Operator fails to recovery electrical
dis tribution s ys tem after offsite
power recovery
SD-XHE-XL-ELAP
7.60E-02
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
15
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 5: Manual Depressurization Fault Tree
MANUAL REACTOR DEPRESS
SD-DEP
ADS SRV FAILURE DUE TO SEISMIC ADS VALVES FAIL FROM COMMON
EVENT CAUSE
ADS-SRV-EQ ADS-SRV-CF-VALVS
External 1.58E-06
CLINTON ADS SUPPORT SYSTEMS OPERATOR FAILS TO Manually
FAIL Depressurize Reactor
DEP-SS ADS-XHE-XM-MDEPR
External 5.00E-04
OPERATOR FAILS TO INITIATE
REACTOR DEPRESSURIZATION
GIVEN SEISMIC EVENT
ADS-XHE-DPR-EQK
External
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
16
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 6: Division I 125 Power Fault Tree (shows FLEX linkage)
CLINTON DIVISION I 125 VDC
POWER IS UNAVAILABLE
DCP-125V-1A-LT
DCP-125V-1A-LT5 DCP-125V-1A-LT1
CLINTON DIVISION I AC POWER FAILURE OF DIVISION I 125VDC BUS FLEX AC Electrical Sys tem CCF OF 125VDC BATTERYS (3)
SYSTEM FAULT TREE 1A
ACP-4KVBUS-1A1 DCP-BDC-LP-1A FLEX-ELEC DCP-BAT-CF-ALL
External 5.21E-06 External 3.85E-08
DC BATT CHARGERS FAILURE FROM FAILURE OF DIVISION I 125VDC FAILURE OF DIVISION I 125VDC
SEISMIC EVENT BATTERY CHARGER BATTERY
DCP-BCH-EQ DCP-BCH-LP-1A DCP-BAT-LP-1A
External 6.17E-05 7.97E-06
BATTERY CHARGERS FAIL FROM FAILURE OF DIVISION I 125VDC BUS
COMMON CAUSE 1A
DCP-BCH-CF-CHRS DCP-BDC-LP-1A
2.10E-07 5.21E-06
DIVISION I 125VDC BATTERY FAILURE OF BOP 125VDC BATTERY
CHARGER in Test and Maintenance CHARGER 1E
DCP-BCH-TM-1A DCP-BCH-LP-1E
2.00E-03 6.17E-05
BATTERY CHARGERS FAIL FROM
COMMON CAUSE
DCP-BCH-CF-CHRS
2.10E-07
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
17
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 7: FLEX Electrical Fault Tree
FLEX-ELEC
FLEX Diesel Generators FLEX AC Bus Equipment Failures
ACP-FLEX-BUS
FLEX-ELEC4 2.29E-05
Operator Fails to Setup and Run
FLEX DG and Electrical Distribution
SD-XHE-XM-FELEC
FLEX Diesel 1 (permanently installed) FLEX Diesel 2 (portable)
2.50E-01
FLEX Electrical Connection Fails due
to Des ign or Construction
FLEX-ELEC41 FLEX-ELEC42
FLEX-ELEC-CONNECT
5.00E-02
CCF of FLEX Diesel Generators 1 and
2 to Run
FLEX Diesel Generator 1 Fails to Run FLEX Diesel Generator 2 Fails to Run
EPS-FDGN-CF-FR
2.37E-03
EPS-DGN-FR-FDG1 EPS-DGN-FR-FDG2 CCF of FLEX Diesel Generators 1 and
1.50E-01 1.50E-01 2 to Start
FLEX Dies el Generator 1 Fails to FLEX Dies el Generator 2 Fails to
Start Start EPS-FDGN-CF-FS
6.90E-04
EPS-DGN-FS-FDG1 EPS-DGN-FS-FDG2 FLEX Feed Breaker to 1FX07E (CB
7.20E-02 7.20E-02 762 el.. west stairway)
FLEX Diesel Generator 1 Unavailable FLEX Diesel Generator 2 Unavailable
because of Test or Maintenance because of Test or Maintenance ACP-FLEX-CRB-FX01E-CB02
1.03E-03
EPS-DGN-TM-FDG1 EPS-DGN-TM-FDG2
1.48E-02 1.48E-02
FLEX Diesel 2 (portable) Fails due to
Improper Transport or Setup
EPS-DGN-XR-FDG
5.00E-02
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
18
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 8: Alternate Injection Fault Tree (includes FLEX)
ALTERNATE INJECTION - CDS SWS
FWS and FLEX
SD-ALT-INJ
All FLEX Injection Fails due to
Dependent Failure
SD-XHE-XM-FLEXINJFAIL
SD-ALT-INJ5 Ignore
CONDENSATE
CDS
External
CLINTON SSW INJECTION FAULT
TREE
SS1
External
CLINTON FIREWATER SYSTEM
FAULT TREE during Shutdown ELAP
SD-FWS
External
FLEX RCS Injection using Diesel FLEX
Pumps (CPS 4306.01P004 Section
4.4 and 4306.01P002)
FLEX-RCS-INJ
External
FLEX Suppression Pool Cleanup
Inject into RCS (4306.01P004
Section 4.1)
FLEX-SPC-INJ
External
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
19
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 9: RCS Injection using FLEX Diesel Driven FLEX Pumps Fault Tree
FLEX RCS Injection us ing Dies el FLEX
Pumps (CPS 4306.01P004 Section
4.4 and 4306.01P002)
FLEX-RCS-INJ
FLEX UHS Sys tem (4306.01P002) FLEX RCS Injection vis LPI FLEX RCS Injection Connection Fails
due to Design or Cons truction
SD-FUHS FLEX-RCS-CONNECT
External FRCS-INJ13 5.00E-02
Injection into RCS us ing FLEX Dies el
Driven Pumps (4306.01P002
Sections 4.3 and 4.4)
SD-XHE-XM-FRCS
FLEX Injection Via LPCS FLEX Injection Via RHR C
1.10E-01
FRCS-INJ130 FRCS-INJ131
LPCS INJECTION CKV F006 FAILS TO LPCI TRAIN C INJECTION MOV
OPEN RHR42C FAILS TO OPEN
LCS-CKV-CC-F006 RHR-MOV-CC-F042C
9.24E-06 8.16E-04
LPCS INJECTION MOV F005 FAILS LPCI INJECTION CKV F041C FAILS
TO OPEN TO OPEN
LCS-MOV-CC-F005 RHR-CKV-CC-41C
8.16E-04 9.24E-06
LPCI CKVS F041C, LCS F006 FAIL LPCI CKVS F041C, LCS F006 FAIL
FROM COMMON CAUSE FROM COMMON CAUSE
LCS-CKV-CF-FINJEC LCS-CKV-CF-FINJEC
1.94E-07 1.94E-07
LPCI Train C Vent Valve Fails to LPCS Vent Valve Fails to Open (FLEX
Open (FLEX connection point) connection point)
LPCI-MV-CC-F088 LPSC-MV-CC-F374
4.59E-04 4.59E-04
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
20
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 10: FLEX Ultimate Heat Sink System Fault Tree
FLEX UHS Sys tem (4306.01P002)
SD-FUHS
FLEX Engine Driven Pumps SSW A TIE TO PSW MOV SSW 14A
FAILS TO CLOSE
SSW-MOV-OO-SSW14A
SD-FUHS1 8.16E-04
Operator Fails to Setup and Run
FLEX Ultimate Heat Sink Sys tem
(4306.01P002)
SD-XHE-XM-FUHS
FLEX Pump 1 Fails FLEX Pump 2 Fails
1.40E-01
FLEX PUMPS FAIL FROM COMMON
CAUSE TO RUN
SD-FUHS10 SD-FUHS11
FLEX-EDP-CF-FR
6.12E-03
FLEX PUMPS FAIL FROM COMMON
CAUSE TO START
FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS
TO RUN TO RUN FLEX-EDP-CF-FS
2.90E-04
FLEX-EDP-FR-1 FLEX-EDP-FR-2 FLEX Diesel Driven Pump Connection
2.00E-01 2.00E-01 Fails due to Design or Cons truction
FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS
TO START TO START FLEX-EDP-CONNECT
5.00E-02
FLEX-EDP-FS-1 FLEX-EDP-FS-2 FLEX Manifold Isolation Valve Fails
1.00E-02 1.00E-02 Closed
FLEX-MV-CC-1XF003
4.59E-04
FLEX Pipe Manifold Is olation Valve to
SX Div. 1 or 2 Fails Closed
FLEX-MV-CC-1XF001C
4.59E-04
FLEX Water Injection to SX Valve
Div. 1 or 2 Fails Clos ed
SSW-MV-CC-SXF354
4.59E-04
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
21
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 11: RCS Injection using FLEX Suppression Pool Cleanup Fault Tree
FLEX Suppres s ion Pool Cleanup
Inject into RCS (4306.01P004
Section 4.1)
FLEX-SPC-INJ
FLEX Suppres s ion Pool Cleanup and FLEX Injection Paths Fail LPCI INJECTION MOVS RHR 42A,B,C
Transfer FAIL FROM COMMON CAUSE
FLEX-SPC RHR-MOV-CF-F042
External FLEX-SPC-INJ2 3.57E-06
LPCI CKVS 41A,B,C FAIL FROM
COMMON CAUSE
RHR-CKV-CF-F041
FLEX Injectin Path via Train A FLEX Injectin Path via Train B
6.07E-08
Operator Fails RCS Injection us ing
FLEX SPC (4306.01P004 Section 4.1)
FLEX-SPC-INJ20 FLEX-SPC-INJ21
SD-XHE-XM-FINJ
4.00E-03
RHR A MOV 27A FAILS TO OPEN LPCI TRAIN B INJECTION MOV
RHR42B FAILS TO OPEN
RHR-MOV-CC-F027A RHR-MOV-CC-F042B
8.16E-04 8.16E-04
LPCI TRAIN A INJECTION MOV LPCI INJECTION CKV F041B FAILS
RHR42A FAILS TO OPEN TO OPEN
RHR-MOV-CC-F042A RHR-CKV-CC-41B
8.16E-04 9.24E-06
LPCI INJECTION CKV F041A FAILS RHR A MOV 27B FAILS TO OPEN
TO OPEN
RHR-CKV-CC-41A RHR-MOV-CC-F027B
9.24E-06 8.16E-04
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
22
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 12: FLEX Suppression Pool Cleanup and Transfer Fault Tree
FLEX Suppression Pool Cleanup and
Transfer
FLEX-SPC
Suppression Pool Cleanup (FS) RHR Heat Exchangers Not Available FLEX AC Electrical System CCF OF SF MDPS TO RUN
Pumps Not Available
FLEX-ELEC SF-MDP-CF-FR
FFC2 FFC8 External 9.81E-07
FLEX UHS System (4306.01P002) CCF OF SF MDP'S TO START
SD-FUHS SF-MDP-CF-STRT
Suppress ion Pool Cleanup (FS) PUMP Suppress ion Pool Cleanup (FS) PUMP CLINTON FLEX SPC LOOP B IS
External 4.58E-06
A IS UNAVAILABLE B IS UNAVAILABLE UNAVAILABLE
SF COOLING SUCTION MOV F004
FSPC-B
FFC64 FFC73 External
8.16E-04
UNAVAILABLE
SF COOLING SUCTION Manual F003
FSPC-A
Suppression Pool Cleanup and Suppression Pool Cleanup and
External
Transfer MDP 1A FAILS TO START Transfer MDP 1B FAILS TO START SF-VLV-CC-F003
8.16E-04
SF-MDP-FS-1A SF-MDP-FS-1B SF COOLING Discharge AOV F011
1.09E-03 1.09E-03
Suppressioin Pool Cleanup and Suppressioin Pool Cleanup and
Transfer MDP 1A FAILS TO RUN Transfer MDP 1B FAILS TO RUN SF-AOV-CC-F011
7.55E-04
SF-MDP-FR-1A SF-MDP-FR-1B SF COOLING Valve F041
9.00E-05 9.00E-05
SF MDP 6A DISCHARGE CHECK SF MDP 6B DISCHARGE CHECK
VALVE FAILS TO OPEN VALVE FAILS TO OPEN SF-MOV-CC-F041
8.16E-04
SF-CKV-CC-6A SF-CKV-CC-6B Operator Fails Suppression Pool
9.24E-06 9.24E-06 Cooling using FLEX
SF MDP 1A UNAVAILABLE DUE TO SF MDP 1B UNAVAILABLE DUE TO
TEST AND MAINTENANCE TEST AND MAINTENANCE SD-XHE-XM-FSPC
2.33E-01
SF-MDP-TM-1A SF-MDP-TM-1B FLEX Suppression Pool Cooling
4.56E-03 4.56E-03 Connection Fails due to Design or
SF COOLING Discharge MOV F010A SF COOLING Discharge MOV F010B Construction
FLEX-SPC-CONNECT
5.00E-02
SF-MOV-CC-F010A SF-MOV-CC-F010B
8.16E-04 8.16E-04
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
23
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 13: FLEX Suppression Pool Cooling using RHR Heat Exchanger A Fault Tree
UNAVAILABLE
FSPC-A
RHR/SSW HEAT EXCHANGE FAILS LOOP A SPC INJECT MOV RHR 24A
FAILS TO OPEN
RHR-FLEX-HXA RHR-MOV-CC-F024A
External 8.16E-04
SP INJECTION MOVS 24A,B
COMMON CAUSE FAIL TO OPEN
RHR-MOV-CF-F024
1.15E-05
RHR PUMP MINFLOW MOVS A,B,C
FAIL FROM COMMON CAUSE
RHR-MOV-CF-MINFL
3.57E-06
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
24
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 14: RHR Heat Exchanger A for FLEX SPC Fault Tree
RHR/SSW HEAT EXCHANGE FAILS
RHR-FLEX-HXA
RHR HTXS FAIL FROM COMMON
CAUSE
RHR-HTX-CF-RHRHX
2.41E-07
RHR HTX BYPASS VALVES FAIL
FROM COMMON CAUSE
RHR-MOV-CF-HXBPS
1.15E-05
48A FAILS TO CLOSE
RHR-MOV-OO-BYPSA
8.16E-04
RHR MOVS F003A,B FAIL FROM
COMMON CAUSE
RHR-MOV-CF-HXDIS
1.15E-05
FAILS TO OPEN
RHR-MOV-CC-F003A
8.16E-04
RHR HTX A FAILS
RHR-HTX-PG-HTXA
8.88E-06
RHR HTX SSW SUPPLY VALVE F014A
FAILS TO OPEN
SSW-MOV-CC-F014A
8.16E-04
VLV F068A FAILS TO OPEN
SSW-MOV-CC-F068A
8.16E-04
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
25
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 15: Containment Venting Fault Tree
CONTAINMENT VENTING - SD
SD-CVS
CONTAINMENT (SUPPRESSION Venting of Containment with Manual Containment Failure Causes
POOL) VENTING Valves (CPS 4303.01P001) Injection Failure
CVS CF-IF
External SD-CVS4 2.00E-01
IFC012B Containment Pools Drain
Valve to Spent Fuel Pool Closed Fails
Closed
FC-MV-CC-12B
4.59E-04
IFC012A Containment Pools Drain
Valve to Surge Tank Closed Fails
Closed
FC-MV-CC-12A
4.59E-04
Operator Fails to Manually Vent
Containment with 1FC012A & B (CPS
4303.01P001)
FC-XHE-XM-MCV
4.20E-03
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
26
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 16: Electrical Cross-Tie Division 3 to Division 2 Fault Tree
Electrical Connection Div. 3 to Div. 2
ELEC_XTIE
CLINTON DIVISION III AC POWER Operator Fails to Establish Div. 3 to
SYSTEM FAULT TREE Div. 2 Electrical Cross Tie
ACP-4KVBUS-1C1 SD-XHE-XM-CROSSTIE
External 2.70E-01
CLINTON DIVISION II AC POWER Div. 3 to Div. 2 Cross Tie Fails due to
SYSTEM FAULT TREE Cross Tie (no Design
FLEX Elect.)
ACP-4KVBUS-1B1-XTIE2 XTIE-ELEC-CONNECT
External 2.00E-02
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
27
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
Figure 17: Division 2 AC Power Fault Tree
CLINTON DIVISION II AC POWER
SYSTEM FAULT TREE Cros s Tie (no
FLEX Elect.)
ACP-4KVBUS-1B1-XTIE2
4.1 KV BUS FAILURE FROM SEISMIC FAILURE TO RECOVER BREAKER 4160 V DIVISION II BUS (1B1)
EVENT CCF DURING BATTERY LIFE HARDWARE FAILURES
ACP-4KV-EQ ACP-BAC-LP-1B1
External ACP-4KVBUS-1B1-XTIE215 2.29E-05
FAILURE OF DIV2 SWITCHGEAR
COOLING
HVC-SWGR-DIV2-COOL
DC BATTEREIS FAILURE FROM CCF OF 125VDC BATTERYS (3)
External
SEISMIC EVENT
DCP-BAT-EQ DCP-BAT-CF-ALL
External 3.85E-08
FAILURE OF DIVISION II 125VDC
BATTERY
DCP-BAT-LP-1B
7.97E-06
FAILURE OF CIRCUIT BREAKER
201B1 TO OPEN (RAT)
ACP-CRB-CC-201B1
2.49E-03
CCF OF CIRCUIT BREAKERS 201A1
& 201B1 TO OPEN
ACP-CRB-CF-201
4.13E-05
FAILURE OF CIRCUIT BREAKER
221B1 TO CLOSE
ACP-CRB-OO-221B1
2.05E-03
OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION
28