ML19050A510

From kanterella
Jump to navigation Jump to search
Final Accident Sequence Precursor Analysis - Clinton Power Station, Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram (LER 461-2017-010) - Precursor
ML19050A510
Person / Time
Site: Clinton Constellation icon.png
Issue date: 03/21/2019
From:
NRC/RES/DRA
To:
Chris Hunter 415-1394
References
LER 2017-010-002 IR 2017012
Download: ML19050A510 (20)
v  d  e


Text

Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Clinton Power Division 1 Transformer Failure Leads to Instrument Air Isolation Station to Containment Requiring a Manual Reactor Scram LER: 461-2017-010-02 Event Date: 12/9/2017 CCDP = 8x10-6 IR: 05000461/2017012 General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Plant Type:

Containment Plant Operating Mode Mode 1 (97% Reactor Power)

(Reactor Power Level):

Analyst: Reviewer: Contributors: Approval Date:

Christopher Hunter Dale Yeilding N/A 3/21/2019 EXECUTIVE

SUMMARY

On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kilovolt (kV) alternating current (AC) bus 1 A1 breaker (1AP07EJ), which feeds the division 1 480-volt (V) AC buses. The loss of division 1 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. In addition, the loss of the division 1 480 V AC buses resulted in the unavailability of the low-pressure core spray (LPCS) pump, residual heat removal (RHR) pump A, the division 1 emergency diesel generator (EDG)

A, normal battery charging to the division 1 batteries. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room operators inserted a manual scram in accordance with procedures for low scram pilot air header pressure and control rod drift annunciator alarms.

Operators performed a reactor cooldown of the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to the loss of containment instrument air, the main steam isolation valves (MSIVs) began to close. In response to the expected closure of the MSIVs, operators aligned the main steam line (MSL) drains to maintain pressure control. These drains were used in conjunction with the reactor core isolation cooling (RCIC) turbine to continue to cooldown to Mode 4.

According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is reactor transient with a consequential loss of offsite power (LOOP) and postulated failures of the division 2 EDG B result in a subsequent station blackout (SBO). Although high-pressure core spray (HPCS) is initially successful, operators fail to recover offsite power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> resulting in the inability to vent containment, which results in the loss of all injection. This accident sequence accounts for approximately 17 percent of the conditional core damage probability (CCDP) for the event.

Two Green (i.e., very low safety significance) findings were identified for this event. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding 1

LER 461-2017-010-02 was associated with the licensee failure to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components.

EVENT DETAILS Event Description. On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kV AC bus 1 A1 breaker (1AP07EJ), which feeds 480-volt (V) AC unit substation 1A and 480 V AC unit substation 1A.

The loss of 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room received a low scram pilot air header pressure alarm. Soon after, the control rod drift annunciator alarmed as expected and the control room operators inserted a manual scram in accordance with procedures.

Operators began cooling down the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to loss of containment instrument air, the inboard MSIVs began to close slowly. Operators lined up the MSL drains to maintain pressure control and continue the cooldown in anticipation of MSIV closure as containment air pressure lowered. The last inboard MSIV indicated full closed about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after the instrument air containment isolation valve closed; however, the MSL drain valves remained available to the operators throughout the event. These drains were used in conjunction with the RCIC turbine to continue to cooldown to Mode 4.

This loss of division 1 480 V AC buses resulted in the unavailability of LPCS, RHR pump A, and the division 1 EDG to fulfil their safety function for the complete mission time (i.e., 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).1 Normal charging capability to the division 1 batteries was also lost. Additional information is provided in licensee event report (LER) 461-2017-010-02 (Ref. 1) and inspection report (IR) 05000461/2017012 (Ref. 2).

Cause. The unexpected opening of breaker 1AP07EJ was due to a phase-to-ground fault on 480 V transformer 1A. Subsequent vendor testing determined that the ground fault was caused by excessive layer-to-layer design stress within the 4.16 kV transformer winding. This preexisting design defect resulted in the issuance of a 10 CFR Part 21 notification to the NRC.

Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact.

  • The RCIC system was declared inoperable because the 480 V AC power was lost to water leg pump and, therefore, operators could not ensure the system was free of voids.

NRC inspectors determined that although the RCIC system was appropriately declared inoperable, the system was available (if necessary) for pressure/inventory control and decay heat removal.

  • The isolation of instrument air to containment affected some components in the reactor water cleanup (RWCU) and control rod drive (CRD) systems. The safety-related 1 The division 1 EDG was rendered unable to fulfil its safety function for the complete mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> due to loss 480V AC power to its associated fuel oil transfer pump. The fuel oil transfer pump starts as soon as the level in its associated day tank starts decreasing. Without the fuel oil transfer pump, the day tank only has enough fuel to run the EDG for approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. In addition, the circulating oil and turbo soakback pumps were also unavailable due to the loss of division 1 480 V AC power. However, the loss of these two pumps is not expected to result in a loss of safety function of the EDG.

2

LER 461-2017-010-02 aspects of the RWCU system are typically limited to the containment isolation requirements. The standardized plant analysis risk (SPAR) models typically have limited modeling of the RWCU system and containment isolation; however, their inclusion would not affect the analysis for this initiating event. Therefore, no modeling of RWCU system and its components was needed for this analysis. The CRD system component unavailabilities were limited to the scram pilot air header and did not affect the CRD pumps as a potential source of RCS inventory makeup. The SPAR model only credits CRD makeup from 1 of 2 pumps if RCIC is initially successful. The model does not credit enhanced two-pump flow, which may require instrument air inside containment.

Therefore, no model changes for the CRD system were needed for this analysis.

MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.2 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 9th event. No windowed events or concurrent degraded operating conditions were identified.

In response to this event, the NRC performed a special inspection per Management Directive 8.3, NRC Incident Investigation Program. The special inspection (as documented in IR 05000461/2017012) revealed two Green (i.e., very low safety significance) findings. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding was associated with the licensee failing to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components. Both findings were screened out (i.e., no detailed risk evaluation was performed) using Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings at Power, and Appendix A, The Significance Determination Process for Findings at Power. The LER remains open.

Analysis Type. An initiating event analysis was performed using the Clinton Power Station SPAR model, Revision 8.54, modified on December 20, 2017. This event was modeled as a general plant transient with a loss of instrument air to the containment and loss of division 1 480 V AC power.

SPAR Model Modifications. The following modifications were required for this initiating event assessment:

  • The base SPAR models provide credit for EDG repair for SBO scenarios; however, the analyst must determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. The probabilities of successful repair of an EDG in the base SPAR models are calculated using the data from the unplanned unavailability mitigating system performance index (MSPI). There are questions on the applicability of this data. First, this repair data is not collected under SBO conditions (e.g., reduced lighting). Second, during postulated SBO scenarios, multiple EDG failures have occurred, thus further complicating troubleshooting activities, 2 ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.

3

LER 461-2017-010-02 which would likely increase the time to repair. Given these uncertainties, repair credit for EDG failures is limited to cases where event information supports this credit. Repair credit for postulated failures of the EDGs is not provided in this analysis.3 The issue of crediting EDG repair is noted as a key modeling uncertainty for this analysis and will be discussed with internal stakeholders to determine if consensus approach can be developed.

  • The CVS (containment venting) fault tree was modified to eliminate duplicative operator actions to initiate containment venting. Specifically, basic events CVS-XHE-XM-VENT1 (operator fails to vent containment through CCP), CVS-XHE-XM-VENT2 (operator fails to vent containment through FC to SFP), and CVS-XHE-XM-VENT3 (operator fails to vent containment through RHR A to FP) were deleted. The operator action to vent containment is already accounted for in the model via basic event CVS-XHE-XM-VENT (operator fails to vent containment). The modified CVS fault tree is shown in Figure B-1 of Appendix B.
  • The base model does not explicitly include modeling of the 480 V AC portion of the electrical distribution system. During the event, the 4.16 kV bus 1A1 breaker 1AP07EJ, which feeds both division 1 480 V buses (1AP11E and 0AP05E), opened due to a fault on 480 V transformer 1A. This caused the unavailability of the LPCS pump, RHR pump A, and the division 1 EDG. To account for the dependency of these pumps on 480 V AC power, a new basic event ACP-BAC-LP-480V-DIV1 (480V division 1 buses are unavailable) was inserted in the LPCS fault tree (under the LCS-MDP-SS subtree),

RHR pump A fault tree (under the RHR-MDPA-SS subtree), and DGA-SS fault tree (under gate DGA-SS8).4 These modified faults trees are shown in Figure B-2, Figure B-3, and Figure B-4 of Appendix B.

  • The loss of division 1 480 V buses also resulted in the loss of normal battery charging for the division 1 batteries. During the event, operators successfully aligned the class 1E swing charger to supply the division 1 batteries. To account for the loss of normal battery charging on the division 1 batteries and the potential for aligning the swing charger, fault tree DCP-125V-1A-LT (Clinton division I 125 VDC power is unavailable) was modified. Specifically, a new AND gate was added under the top gate with the new basic events ACP-BAC-LP-480V-DIV1 and a DCP-XHE-SWINGCHARGER (operators fail to align the swing charger) inserted under this new gate. Basic event DCP-XHE-SWINGCHARGER was set to IGNORE in the base model. This modified fault tree is shown in Figure B-5 of Appendix B.
  • The only modeling of instrument air system in the current SPAR model is via house event HE-LOIAS (loss of instrument air system initiating event has occurred), which is used alone or within the IAS (Clinton instrument air) fault tree. Dependency on the instrument air system is limited in the current SPAR model (e.g., power conversion 3 The applicable EDG recovery basic events: EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR02H (operator fails to recover emergency diesel in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />), EPS-XHE-XL-NR04H (operator fails to recover emergency diesel in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />), and EPS-XHE-XL-NR12H (operator fails to recover emergency diesel in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) were set to TRUE in the base SPAR model.

4 The ZT-BAC-LP (AC bus fails to operate) default template was used for this basic event.

4

LER 461-2017-010-02 system, condenser, containment venting, RCIC).5, 6 During the event, the loss instrument air was limited to components/systems inside containment and, therefore, only containment venting and power conversion system were affected.7 The PCS fault tree assumes that PCS is rendered unavailable given a complete loss of instrument air, which would fail MFW because of lack of makeup to condenser hotwell and render the condenser heat sink unavailable due to the closure of MSIVs. Since instrument air was only lost in containment, feedwater and the condenser heat sink remained available throughout the event and operators were able to align the MSL drains to the condenser, two changes were made to the PCS fault tree. First, the IAS transfer tree and a new basic event PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser) were added under a new AND gate. Basic event PCS-XHE-XM-MSLDRAINS was set to IGNORE in the base model. The modified PCS fault tree is shown in Figure B-6 of Appendix B. Second, the IAS transfer tree was deleted from the CDS-HW (Clinton condensate hotwell makeup is unavailable) fault tree.

The modified CD-HW fault trees are shown in Figure B-7 of Appendix B.

  • Errors associated with late injection modeling were identified in two event trees, 1SORV (Clinton transfer - one stuck open SRV) and LOOP-1 (Clinton transfer - one stuck open SRV). Specifically, transient (TRANS) sequences 65-33 and 67-38-19 incorrectly assumed a failure of late injection. The transfers for these two sequences were changed from LI02 (Clinton late injection fault tree) to LI00 (Clinton late injection fault tree).

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment:

  • The operators manually scrammed the reactor due to low scram header air pressure; therefore, the probability of IE-TRANS (general plant transient initiating event) was set to 1.0. All other initiating event probabilities were set to zero.
  • Basic event ACP-BAC-LP-480V-DIV1 was set to TRUE due to the loss of the division 1 480 V AC buses caused by the opening of the 4.16 kV bus 1A1 breaker 1AP07EJ as result of the transformer fault.
  • Basic event HE-LOIAS was set to TRUE to account for the loss of instrument air inside containment. Recovery potential for instrument air to the containment was not credited in this analysis since that portion of the air system was not recovered for over 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> after initiation of the event.
  • The human failure event (HFE) DCP-XHE-SWINGCHARGER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The human error probability (HEP) for DCP-XHE-SWINGCHARGER was calculated to be 1x10-2.

5 The CND (main condenser heat sink) fault tree also has an instrument air system dependency; however, this fault tree is only used in the loss of feedwater event tree. Modeling associated with the condenser is included in the PCS (power conversion system) fault tree for the TRANS (general transient) event tree.

6 The use of house event HE-LOIAS in the RCIC pump modeling in the RCI-SS-LT (RCIC support systems) subtree corresponds to different support system requirements needed for different initiating events and was not intended to model a RCIC system dependency for instrument air. Therefore, this modeling does not need to be modified for this event analysis.

7 In addition to the condensate and feedwater systems, the power conversion system includes modeling of the MSIVs.

5

LER 461-2017-010-02

  • The HFE PCS-XHE-XM-MSLDRAINS was evaluated using SPAR-H; see Appendix C for additional information. The HEP for PCS-XHE-XM-MSLDRAINS was calculated to be 1x10-3.

ANALYSIS RESULTS CCDP. The conditional CCDP for this analysis is calculated to be 8.3x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink), whichever is greater.

This CCDP equivalent for Clinton Power Station is 2.3x10-6.8 Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is transient sequence 67-40-06 (CCDP = 1.4x10-6), which contributes approximately 17 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1, Figure A-2, and Figure A-3 and Appendix A.

Sequence CCDP Percentage Description

-6 TRANS 67-40-06 1.44x10 17.40% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS succeeds; operators fail to recover offsite power in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails resulting in a loss of all injection TRANS 67-40-24 1.39x10-6 16.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS fails, but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> TRANS 67-40-30 7.83x10-7 9.50% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators fail to recovery offsite power in 30 minutes TRANS 67-35 5.15x10-7 6.20% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-40-31-13 5.06x10-7 6.10% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a small loss-of-coolant accident (SLOCA); RCIC and HPCS fail TRANS 67-40-32-13 4.85x10-7 5.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; RCIC and HPCS fail 8 For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.

6

LER 461-2017-010-02 Sequence CCDP Percentage Description

-7 TRANS 65-07 4.80x10 5.80% Successful reactor trip; a stuck-open relief valve results in a SLOCA; feedwater succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-13 3.15x10-7 3.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; HPCS fails, but RCIC succeeds; suppression pool cooling fails; reactor depressurization succeeds; low-pressure injection succeeds; containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-07 2.87x10-7 3.50% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS succeed; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 63 2.52x10-7 3.10% Successful reactor trip; power conversion system fails; feedwater fails; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection fails TRANS 67-40-31-06 1.60x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails resulting in a loss of all injection TRANS 67-40-31-09 1.54x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> TRANS 67-40-32-06 1.53x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; containment venting fails resulting in a loss of all injection TRANS 67-40-32-09 1.48x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> TRANS 67-28 1.45x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC fails, but HPCS succeeds; suppression pool cooling and containment spray fails; operators fail to recover the power conversion system; containment venting fails resulting in a loss of all injection TRANS 67-37 1.03x10-7 1.30% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; operators fail to depressurize the reactors 7

LER 461-2017-010-02 Sequence CCDP Percentage Description

-8 TRANS 67-40-28-31 9.81x10 1.20% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators successfully recovery offsite power in 30 minutes; reactor depressurization succeeds; low-pressure injection fails TRANS 67-38-14 9.42x10-8 1.10% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; a stuck-open relief valve results in a SLOCA; HPCS fails, but RCIC succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; operators fail to align the MSL drains; containment venting fails resulting in a loss of all injection Key Modeling Uncertainties. The base SPAR models provide credit for EDG repair and recovery; however, it is up to the analyst to determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. This ASP analysis does not credit repair of postulated EDG failures. A sensitivity analysis was performed crediting EDG repair of postulated failures of the division 1 EDG using the unplanned unavailability MSPI data.

With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.9x10-6 (a decrease of approximately 17 percent).

Successful equipment operation is treated probabilistically in ASP analyses (i.e., success is not assumed), while observed failures are modeled as such.9 However, barring any postulated failures, the division 1 EDG would run until the fuel supply in its associated day tank was depleted (approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />). To show the effects of this modeling uncertainty, a sensitivity analysis was performed allowing an additional 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for operators to recover offsite power during postulated LOOP scenarios. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.2x10-6 (a decrease of approximately 25 percent).

REFERENCES

1. Clinton Power Station, "LER 461/17-010 Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram, dated January 17, 2019 (ADAMS Accession No. ML19022A264).
2. U.S. Nuclear Regulatory Commission, ERRATA Clinton Power Station NRC Special Inspection Report 05000461/2017012, dated January 29, 2018 (ADAMS Accession No. ML18029A863).
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

9 This general modeling technique is called the failure memory approach.

8

LER 461-2017-010-02 Appendix A: Key Event Tree GENERAL PLANT TRANSIENT REACTOR PROTECTION CONSEQUENTIAL LOSS OF SRV'S CLOSE POWER CONVERSION FEEDWATER RCIC SUPPRESSION POOL CRD INJECTION HPCS MANUAL REACTOR CONDENSATE LOW PRESSURE INJECTION ALTERNATE LOW PRESS SUPPRESSION POOL CONTAINMENT SPRAY POWER CONVERSION CONTAINMENT VENTING LATE INJECTION # End State SYSTEM OFFSITE POWER SYSTEM COOLING DEPRESSURIZATION INJECTION COOLING SYSTEM RECOVERY (Phase - CD)

IE-TRANS RPS OEP SRV PCS MFW RCI SPC CRD HCS DEP CDS LPI VA SPC CSS PCSR CVS LI 1 OK 2 OK 3 OK 4 OK 5 OK 6 CD LI00 7 OK 8 CD LI01 9 OK 10 OK 11 OK 12 OK 13 CD LI00 14 OK 15 CD LI01 16 OK 17 OK 18 OK 19 CD LI00 20 OK 21 CD LI01 22 OK 23 OK 24 OK 25 CD LI00 26 OK 27 CD LI03 28 OK 29 OK 30 OK 31 CD LI00 32 OK 33 CD LI03 34 OK 35 OK 36 OK 37 CD LI00 38 OK 39 CD LI03 40 CD 41 CD 42 OK 43 OK 44 OK 45 OK 46 CD LI00 47 OK 48 CD LI01 49 OK 50 OK 51 OK 52 OK 53 CD LI00 54 OK 55 CD LI03 56 OK 57 OK 58 OK 59 OK 60 CD LI00 61 OK 62 CD LI03 63 CD 64 CD 65 1SORV P1 66 2SORVS P2 67 LOOPPC 68 ATWS Figure A-1. Clinton General Transient Event Tree A-1

LER 461-2017-010-02 LOSS OF OFFSITE REACTOR EMERGENCY POWER SRV'S CLOSE RCIC SUPPRESSION POOL HPCS MANUAL REACTOR LOW PRESSURE ALTERNATE LOW SUPPRESSION POOL CONTAINMENT SPRAY POWER CONVERSION CONTAINMENT LATE INJECTION # End State POWER INITIATOR PROTECTION SYSTEM COOLING DEPRESSURIZATION INJECTION PRESS INJECTION COOLING SYSTEM RECOVERY VENTING (Phase - CD)

(PLANT-CENTERED) FS = FTF-SBO IE-LOOPPC RPS EPS SRV RCI SPC HCS DEP LPI VA SPC CSS PCSR CVS LI 1 OK 2 OK 3 OK 4 OK 5 CD LI04 6 OK 7 CD LI01 8 OK 9 OK 10 OK 11 CD LI04 12 OK 13 CD LI03 14 OK 15 OK 16 OK 17 CD LI04 18 OK 19 CD LI03 20 CD 21 CD 22 OK 23 OK 24 OK 25 OK 26 CD LI04 27 OK 28 CD LI01 29 OK 30 OK 31 OK 32 OK 33 CD LI04 34 OK 35 CD LI03 36 CD 37 CD 38 LOOP-1 P1 39 LOOP-2 P2 40 SBO 41 ATWS 42 CD Figure A-2. Clinton (Plant-Centered) LOOP Event Tree A-2

LER 461-2017-010-02 EMERGENCY POWER SRV'S CLOSE RECIRC PUMP SEAL HPCS RCIC DC LOAD SHEDDING ACTIONS TO EXTEND MANUAL REACTOR FIRE WATER INJECTION OFFSITE POWER DIESEL GENERATOR CONTAINMENT LATE INJECTION # End State INTEGRITY ECCS OPERATION DEPRESS RECOVERY RECOVERY VENTING (Phase - CD)

FS = FTF-SBO FS = FTF-SBO FS = FTF-SBO FS = FTF-SBO EPS SRV RPSL HCS01 RCI01 DCL EXT DEP02 FWS OPR DGR CVS LI 1 SBO-OP OPR-12H 2 OK 3 OK CVS01 4 CD OPR-12H LI00 DGR-12H 5 OK CVS01 6 CD LI05 7 SBO-OP OPR-12H 8 OK 9 OK CVS01 10 CD OPR-12H LI-EXT DGR-12H 11 OK CVS01 12 CD LI01 13 SBO-OP OPR-12H 14 OK 15 OK CVS01 16 CD OPR-12H LI00 DGR-12H 17 OK CVS01 18 CD LI01 19 SBO-OP OPR-04H 20 OK 21 CD OPR-04H DGR-04H 22 SBO-OP OPR-04H 23 OK OPR-04H 24 CD DGR-04H 25 SBO-OP OPR-02H 26 OK OPR-02H 27 CD DGR-02H 28 SBO-OP OPR-30M 29 OK OPR-30M 30 CD DGR-30M 31 SBO-1 32 SBO-1 P1B 33 SBO-2 P2 Figure A-3. Modified Clinton SBO Event Tree A-3

LER 461-2017-010-02 Appendix B: Modified Fault Trees CONTAINMENT VENTING CVS VENT PATHS ARE UNAVAILABLE OPERATOR FAILS TO VENT OPERATOR FAILS TO VENT CONTAINMENT GIVEN SEISMIC CONTAINMENT EVENT CVS-1 CVS-XHE-EQK Ext CVS-XHE-XM-VENT 1.00E-03 CONTAINMENT SPRAY HEADER CONTAINMENT VENTING THROUGH CONTAINMENT UPPER POOL VENT VENT PATH IS UNAVAILABLE CTM CONTINUOUS PURGE (CCP) PATH (VIA FC) IS UNAVAILABLE CVS-2 CVS-4 CVS-3 CLINTON DIVISION I AC POWER RHR A CONTAINMENT VENT MOV CLINTON INSTRUMENT AIR SYSTEM HOUSE EVENT - LOSS OF OFFSITE CONTINUOUS PURGE VENT VALVE CLINTON DIVISION I AC POWER MANUAL VENT VALVE FC012B FAILS SYSTEM FAULT TREE 27A FAILS TO OPEN FAULT TREE POWER IE HAS OCCURRED 1VR006B FAILS TO OPEN SYSTEM FAULT TREE TO OPEN ACP-4KVBUS-1A1 Ext RHR-MOV-CC-F027A 8.16E-04 IAS Ext HE-LOOP False CVS-AOV-CC-VR06B 7.55E-04 ACP-4KVBUS-1A1 Ext CVS-XVM-CC-FC012B 4.59E-04 RHR A CONTAINMENT VENT MOV CLINTON DIVISION I AC POWER CONTINUOUS PURGE VENT VALVE CLINTON DIVISION II AC POWER CONT VENT MOV FC007 FAILS TO 28A FAILS TO OPEN SYSTEM FAULT TREE 1VR006A FAILS TO OPEN SYSTEM FAULT TREE OPEN RHR-MOV-CC-F028A 8.16E-04 ACP-4KVBUS-1A1 Ext CVS-AOV-CC-VR06A 7.55E-04 ACP-4KVBUS-1B1 Ext CVS-MOV-CC-FC007 8.16E-04 MANUAL VENT VALVE F099 FAILS TO CONT VENT MOV FC008 FAILS TO OPEN OPEN CVS-XVM-CC-F099 4.59E-04 CVS-MOV-CC-FC008 8.16E-04 MANUAL VENT VALVE FC090 FAILS TO OPEN CVS-XVM-CC-FC090 4.59E-04 MANUAL VENT VALVE FC177 FAILS TO OPEN CVS-XVM-CC-FC177 4.59E-04 Figure B-1. Modified Containment Venting Fault Tree B-1

LER 461-2017-010-02 LPCS LCS-MDP-SS LPCS PUMP ROOM COOLING IS CLINTON DIVISION I AC POWER 480V DIVISION 1 BUSES ARE UNAVAILABLE SYSTEM FAULT TREE UNAVAILABLE LCS-MDP-SS-1 ACP-4KVBUS-1A1 Ext ACP-BAC-LP-480V-DIV1 2.29E-05 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT Ext Figure B-2. Modified LCS-MDP-SS Fault Tree B-2

LER 461-2017-010-02 CLINTON FAILURE OF RHR MDP 1A RHR-MDPA-SS FAILURE OF ROOM COOLING FOR CLINTON DIVISION I AC POWER 480V DIVISION 1 BUSES ARE RHR PUMP A SYSTEM FAULT TREE UNAVAILABLE RHR-MDPA-SS-1 ACP-4KVBUS-1A1 Ext ACP-BAC-LP-480V-DIV1 2.29E-05 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT Ext Figure B-3. Modified RHR-MDPA-SS Fault Tree B-3

LER 461-2017-010-02 DIESEL GENERATOR 1A SUPPORT SYSTEM FAILURES DGA-SS DIESEL GENERATOR 1A SSW SYSTEM FAILS TO DG1A FAILURE OF DG1A HVAC DG1A FUEL OIL FAILURES ELECTRICAL FAULTS DGN-SSWA DGA-SS-1 External DGA-SS3 DGA-SS8 FUEL OIL PUMP 1A FAILS TO START FHS-MDP-FS-DO1A 7.84E-04 FUEL OIL PUMP 1A FAILS TO RUN FHS-MDP-FR-DO1A 3.87E-04 FO PUMPS A,B,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FS 6.23E-06 FO PUMP A,B,C FAIL FROM COMMON CAUSE TO RUN FHS-MDP-CF-FR 2.90E-06 FO PUMPS A,B FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAB 1.99E-05 FO PUMPS A,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAC 1.99E-05 480V DIVISION 1 BUSES ARE UNAVAILABLE ACP-BAC-LP-480V-DIV1 2.29E-05 Figure B-4. Modified DGA-SS Fault Tree B-4

LER 461-2017-010-02 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT LOSS OF DIVISION 1 POWER CLINTON DIVISION I AC POWER FAILURE OF DIVISION I 125VDC BUS RESULTS IN LOSS OF BATTERY SYSTEM FAULT TREE 1A CHARGING CAPBILITY DCP-125V-1A-LT-2 ACP-4KVBUS-1A1 Ext DCP-BDC-LP-1A 5.21E-06 DC BATT CHARGERS FAILURE FROM FAILURE OF DIVISION I 125VDC SEISMIC EVENT BATTERY CHARGER 480V DIVISION 1 BUSES ARE DCP-BCH-EQ Ext DCP-BCH-LP-1A 6.17E-05 UNAVAILABLE BATTERY CHARGERS FAIL FROM COMMON CAUSE ACP-BAC-LP-480V-DIV1 2.29E-05 OPERATORS FAIL TO ALIGN SWING DCP-BCH-CF-CHRS 2.10E-07 CHARGER DCP-XHE-XM-SWINGCHARGER Ignore Figure B-5. Modified DCP-125V-1A-LT Fault Tree B-5

LER 461-2017-010-02 POWER CONVERSION SYSTEM PCS FEEDWATER FAILURE OF STEAM CONDENSING FUNCTION OF PCS MFW Ext PCS-1 STEAM SYSTEM FAILS MSIVS AND MSL DRAINS ARE CLINTON MAIN CIRCULATING HOUSE EVENT - TOTAL LOSS OF ISOLATED WATER IS UNAVAILABLE CONDENSER HEAT SINK INITIATOR PCS-2 PCS-3 MCW Ext HE-LOCHS False STEAM LOOP VALVES FAIL TO CLINTON INSTRUMENT AIR SYSTEM OPERATORS FAIL TO ALIGN MSL OPEN/REMAIN OPEN FAULT TREE DRAINS MSS-MSV-OC-STEAM 7.44E-06 IAS Ext PCS-XHE-XM-MSLDRAINS Ignore TURBINE BYPASS VALVES FAIL TO OPEN MSS-TBV-CC-BYPAS 3.12E-03 Figure B-6. Modified PCS Fault Tree B-6

LER 461-2017-010-02 CLINTON CONDENSATE HOTWELL MAKEUP IS UNAVAILABLE CDS-HW FAILURE OF HOTWELL INVENTORY CONDENSATE STORAGE TANK CONDENSATE STORAGE TANK IS FAILURE FROM SEISMIC EVENT UNAVAILABLE CDS-HW-1 CDS-TNK-EQ Ext CDS-TNK-FC-CST 6.26E-06 HOTWELL LEVEL CONTROL VALVE 2 FAILS FAILURE TO MAINTAIN HOTWELL INITIATORS WITHOUT STEAM CDS-AOV-CC-MKUP2 7.55E-04 INVENTORY RETURN TO HOTWELL HOTWELL LEVEL CONTROL VALVE 1 FAILS CDS-HW-3 CDS-HW-2 CDS-AOV-CC-MKUP1 7.55E-04 FAILURE TO CONTROL CD/CB FLOW TWO OR MORE BWR SRVS FAIL TO HOUSE EVENT - SMALL LOSS-OF-TO PREVENT EMPTYING HOTWELL CLOSE COOLANT ACCIDENT INITIATOR CDS-XHE-XM-HOTWELL 1.00E-03 PPR-SRV-OO-2VLVS 2.00E-03 HE-SLOCA False set to PSA value of 0.067 ONE BWR SRV FAILS TO CLOSE INADVERTENT OPEN RELIEF VALVE (IORV) HAS OCCURRED CDS-TNK-FC-CYMC 6.26E-06 PPR-SRV-OO-1VLV 9.60E-02 HE-IORV False FAILURE OF CIRCUIT BREAKER HOUSE EVENT - TOTAL LOSS OF 501A TO OPEN (UAT) CONDENSER HEAT SINK INITIATOR ACP-CRB-CC-501A 2.49E-03 HE-LOCHS False FAILURE OF CIRCUIT BREAKER 501B TO OPEN (UAT)

ACP-CRB-CC-501B 2.49E-03 SJAE MIN FLOW TO COND VALVE 1CD039 FAILS TO CLOSE CDS-AOV-CC-039 7.55E-04 Figure B-7. Modified CDS-HW Fault Tree B-7

LER 461-2017-010-02 Appendix C: Evaluation of Key HFEs Evaluation of DCP-XHE-SWINGCHARGER (operators fail to align the swing charger).

Definition Operators swing charger to supply the division 1 batteries.

If normal battery charging capability is lost via the 480 V division 1 AC buses, Description and operators can align the swing charger to prevent a loss of division 1 direct Event Context current (DC) power.

Operator Action Operators successfully align the swing charger to supply the division 1 batteries Success Criteria prior to batter depletion (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />).

Key Cue(s) Low DC bus voltage Procedural CPS 3503.01C006, Class 1E Swing Battery Charger 1DC11E Feed to Guidance Safety-Related DC Bus Checklist Diagnosis/Action This HFE only contains both diagnosis and action activities.

Multiplier PSF Notes Diagnosis/Action The nominal battery depletion time of the safety-related batteries is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> without shedding of DC loads. With successful load shedding, the battery life can be extended to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. In addition, During the event, a loss of division 1 AC loads (as occurred during the event) reduces the depletion rate. The time estimated to align the swing charger is approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This would leave a maximum of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> available for diagnosis under the most restrictive scenario (i.e. nominal depletion rate and, low Time Available 1/1 bus voltage threshold quickly reached). However, there could be less time. Given this uncertainty, the diagnosis PSF for available time is set to Nominal.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress, Complexity, Procedures No event information is available to warrant a change in Experience/Training, 1/1 these PSFs (diagnosis or action) from Nominal for this Ergonomics/HMI, HFE.

Fitness for Duty, Work Processes The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)

= (1 x 0.01) + (1 x 0.001) = 1x10-2 Therefore, the human error probability for DCP-XHE-SWINGCHARGER was set to 1x10-2.

C-1

LER 461-2017-010-02 Evaluation of PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser).

Definition Operators use MSL drains for reactor pressure control.

Description and If the condenser is available, but the MSIVs are closed (or expected to close)

Event Context operators can align the MSL drains to for reactor pressure control.

Operator Action Operators align MSL drains to the main condenser to maintain steam path prior Success Criteria to closure of all MSIVs.

Key Cue(s) MSIV(s) closing or expected closure of MSIVs Procedural EOP-1, RPV Control and CPS 4411.09, RPV Pressure Control Sources Guidance Diagnosis/Action This HFE only contains both diagnosis and action activities.

Multiplier PSF Notes Diagnosis/Action During the event, the last inboard MSIV did not close until approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after instrument air to containment was isolated. The time estimated to align the MSL drain is conservatively estimated to be 30 minutes. This would leave at least 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available for diagnosis. The nominal time for diagnosis is estimated to take 5 minutes.

Since the 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available for diagnosis is greater than Time Available 0.01 / 1 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress, Complexity, Procedures No event information is available to warrant a change in Experience/Training, 1/1 these PSFs (diagnosis or action) from Nominal for this Ergonomics/HMI, HFE.

Fitness for Duty, Work Processes The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)

= (.01 x 0.01) + (1 x 0.001) = 1x10-3 Therefore, the human error probability for PCS-XHE-XM-MSLDRAINS was set to 1x10-3.

C-2

Retrieved from "https://kanterella.com/w/index.php?title=ML19050A510&oldid=2524540"