ML19050A510
| ML19050A510 | |
| Person / Time | |
|---|---|
| Site: | Clinton  |
| Issue date: | 03/21/2019 |
| From: | NRC/RES/DRA |
| To: | |
| Chris Hunter 415-1394 | |
| References | |
| LER 2017-010-002 IR 2017012 | |
| Download: ML19050A510 (20) | |
Text
{{#Wiki_filter:1 Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Clinton Power Station Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram Event Date: 12/9/2017 LER: 461-2017-010-02 CCDP = 8x10-6 IR: 05000461/2017012 Plant Type: General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Containment Plant Operating Mode (Reactor Power Level): Mode 1 (97% Reactor Power) Analyst: Reviewer: Contributors: Approval Date: Christopher Hunter Dale Yeilding N/A 3/21/2019 EXECUTIVE
SUMMARY
On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kilovolt (kV) alternating current (AC) bus 1 A1 breaker (1AP07EJ), which feeds the division 1 480-volt (V) AC buses. The loss of division 1 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. In addition, the loss of the division 1 480 V AC buses resulted in the unavailability of the low-pressure core spray (LPCS) pump, residual heat removal (RHR) pump A, the division 1 emergency diesel generator (EDG) A, normal battery charging to the division 1 batteries. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room operators inserted a manual scram in accordance with procedures for low scram pilot air header pressure and control rod drift annunciator alarms. Operators performed a reactor cooldown of the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to the loss of containment instrument air, the main steam isolation valves (MSIVs) began to close. In response to the expected closure of the MSIVs, operators aligned the main steam line (MSL) drains to maintain pressure control. These drains were used in conjunction with the reactor core isolation cooling (RCIC) turbine to continue to cooldown to Mode 4. According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is reactor transient with a consequential loss of offsite power (LOOP) and postulated failures of the division 2 EDG B result in a subsequent station blackout (SBO). Although high-pressure core spray (HPCS) is initially successful, operators fail to recover offsite power within 12 hours resulting in the inability to vent containment, which results in the loss of all injection. This accident sequence accounts for approximately 17 percent of the conditional core damage probability (CCDP) for the event. Two Green (i.e., very low safety significance) findings were identified for this event. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding
LER 461-2017-010-02 2 was associated with the licensee failure to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components. EVENT DETAILS Event Description. On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kV AC bus 1 A1 breaker (1AP07EJ), which feeds 480-volt (V) AC unit substation 1A and 480 V AC unit substation 1A. The loss of 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room received a low scram pilot air header pressure alarm. Soon after, the control rod drift annunciator alarmed as expected and the control room operators inserted a manual scram in accordance with procedures. Operators began cooling down the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to loss of containment instrument air, the inboard MSIVs began to close slowly. Operators lined up the MSL drains to maintain pressure control and continue the cooldown in anticipation of MSIV closure as containment air pressure lowered. The last inboard MSIV indicated full closed about 4 hours after the instrument air containment isolation valve closed; however, the MSL drain valves remained available to the operators throughout the event. These drains were used in conjunction with the RCIC turbine to continue to cooldown to Mode 4. This loss of division 1 480 V AC buses resulted in the unavailability of LPCS, RHR pump A, and the division 1 EDG to fulfil their safety function for the complete mission time (i.e., 24 hours).1 Normal charging capability to the division 1 batteries was also lost. Additional information is provided in licensee event report (LER) 461-2017-010-02 (Ref. 1) and inspection report (IR) 05000461/2017012 (Ref. 2). Cause. The unexpected opening of breaker 1AP07EJ was due to a phase-to-ground fault on 480 V transformer 1A. Subsequent vendor testing determined that the ground fault was caused by excessive layer-to-layer design stress within the 4.16 kV transformer winding. This preexisting design defect resulted in the issuance of a 10 CFR Part 21 notification to the NRC. Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact. The RCIC system was declared inoperable because the 480 V AC power was lost to water leg pump and, therefore, operators could not ensure the system was free of voids. NRC inspectors determined that although the RCIC system was appropriately declared inoperable, the system was available (if necessary) for pressure/inventory control and decay heat removal. The isolation of instrument air to containment affected some components in the reactor water cleanup (RWCU) and control rod drive (CRD) systems. The safety-related 1 The division 1 EDG was rendered unable to fulfil its safety function for the complete mission time of 24 hours due to loss 480V AC power to its associated fuel oil transfer pump. The fuel oil transfer pump starts as soon as the level in its associated day tank starts decreasing. Without the fuel oil transfer pump, the day tank only has enough fuel to run the EDG for approximately 2 hours. In addition, the circulating oil and turbo soakback pumps were also unavailable due to the loss of division 1 480 V AC power. However, the loss of these two pumps is not expected to result in a loss of safety function of the EDG.
LER 461-2017-010-02 3 aspects of the RWCU system are typically limited to the containment isolation requirements. The standardized plant analysis risk (SPAR) models typically have limited modeling of the RWCU system and containment isolation; however, their inclusion would not affect the analysis for this initiating event. Therefore, no modeling of RWCU system and its components was needed for this analysis. The CRD system component unavailabilities were limited to the scram pilot air header and did not affect the CRD pumps as a potential source of RCS inventory makeup. The SPAR model only credits CRD makeup from 1 of 2 pumps if RCIC is initially successful. The model does not credit enhanced two-pump flow, which may require instrument air inside containment. Therefore, no model changes for the CRD system were needed for this analysis. MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.2 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 9th event. No windowed events or concurrent degraded operating conditions were identified. In response to this event, the NRC performed a special inspection per Management Directive 8.3, NRC Incident Investigation Program. The special inspection (as documented in IR 05000461/2017012) revealed two Green (i.e., very low safety significance) findings. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding was associated with the licensee failing to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components. Both findings were screened out (i.e., no detailed risk evaluation was performed) using Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings at Power, and Appendix A, The Significance Determination Process for Findings at Power. The LER remains open. Analysis Type. An initiating event analysis was performed using the Clinton Power Station SPAR model, Revision 8.54, modified on December 20, 2017. This event was modeled as a general plant transient with a loss of instrument air to the containment and loss of division 1 480 V AC power. SPAR Model Modifications. The following modifications were required for this initiating event assessment: The base SPAR models provide credit for EDG repair for SBO scenarios; however, the analyst must determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. The probabilities of successful repair of an EDG in the base SPAR models are calculated using the data from the unplanned unavailability mitigating system performance index (MSPI). There are questions on the applicability of this data. First, this repair data is not collected under SBO conditions (e.g., reduced lighting). Second, during postulated SBO scenarios, multiple EDG failures have occurred, thus further complicating troubleshooting activities, 2 ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.
LER 461-2017-010-02 4 which would likely increase the time to repair. Given these uncertainties, repair credit for EDG failures is limited to cases where event information supports this credit. Repair credit for postulated failures of the EDGs is not provided in this analysis.3 The issue of crediting EDG repair is noted as a key modeling uncertainty for this analysis and will be discussed with internal stakeholders to determine if consensus approach can be developed. The CVS (containment venting) fault tree was modified to eliminate duplicative operator actions to initiate containment venting. Specifically, basic events CVS-XHE-XM-VENT1 (operator fails to vent containment through CCP), CVS-XHE-XM-VENT2 (operator fails to vent containment through FC to SFP), and CVS-XHE-XM-VENT3 (operator fails to vent containment through RHR A to FP) were deleted. The operator action to vent containment is already accounted for in the model via basic event CVS-XHE-XM-VENT (operator fails to vent containment). The modified CVS fault tree is shown in Figure B-1 of Appendix B. The base model does not explicitly include modeling of the 480 V AC portion of the electrical distribution system. During the event, the 4.16 kV bus 1A1 breaker 1AP07EJ, which feeds both division 1 480 V buses (1AP11E and 0AP05E), opened due to a fault on 480 V transformer 1A. This caused the unavailability of the LPCS pump, RHR pump A, and the division 1 EDG. To account for the dependency of these pumps on 480 V AC power, a new basic event ACP-BAC-LP-480V-DIV1 (480V division 1 buses are unavailable) was inserted in the LPCS fault tree (under the LCS-MDP-SS subtree), RHR pump A fault tree (under the RHR-MDPA-SS subtree), and DGA-SS fault tree (under gate DGA-SS8).4 These modified faults trees are shown in Figure B-2, Figure B-3, and Figure B-4 of Appendix B. The loss of division 1 480 V buses also resulted in the loss of normal battery charging for the division 1 batteries. During the event, operators successfully aligned the class 1E swing charger to supply the division 1 batteries. To account for the loss of normal battery charging on the division 1 batteries and the potential for aligning the swing charger, fault tree DCP-125V-1A-LT (Clinton division I 125 VDC power is unavailable) was modified. Specifically, a new AND gate was added under the top gate with the new basic events ACP-BAC-LP-480V-DIV1 and a DCP-XHE-SWINGCHARGER (operators fail to align the swing charger) inserted under this new gate. Basic event DCP-XHE-SWINGCHARGER was set to IGNORE in the base model. This modified fault tree is shown in Figure B-5 of Appendix B. The only modeling of instrument air system in the current SPAR model is via house event HE-LOIAS (loss of instrument air system initiating event has occurred), which is used alone or within the IAS (Clinton instrument air) fault tree. Dependency on the instrument air system is limited in the current SPAR model (e.g., power conversion 3 The applicable EDG recovery basic events: EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR02H (operator fails to recover emergency diesel in 2 hours), EPS-XHE-XL-NR04H (operator fails to recover emergency diesel in 4 hours), and EPS-XHE-XL-NR12H (operator fails to recover emergency diesel in 12 hours) were set to TRUE in the base SPAR model. 4 The ZT-BAC-LP (AC bus fails to operate) default template was used for this basic event.
LER 461-2017-010-02 5 system, condenser, containment venting, RCIC).5, 6 During the event, the loss instrument air was limited to components/systems inside containment and, therefore, only containment venting and power conversion system were affected.7 The PCS fault tree assumes that PCS is rendered unavailable given a complete loss of instrument air, which would fail MFW because of lack of makeup to condenser hotwell and render the condenser heat sink unavailable due to the closure of MSIVs. Since instrument air was only lost in containment, feedwater and the condenser heat sink remained available throughout the event and operators were able to align the MSL drains to the condenser, two changes were made to the PCS fault tree. First, the IAS transfer tree and a new basic event PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser) were added under a new AND gate. Basic event PCS-XHE-XM-MSLDRAINS was set to IGNORE in the base model. The modified PCS fault tree is shown in Figure B-6 of Appendix B. Second, the IAS transfer tree was deleted from the CDS-HW (Clinton condensate hotwell makeup is unavailable) fault tree. The modified CD-HW fault trees are shown in Figure B-7 of Appendix B. Errors associated with late injection modeling were identified in two event trees, 1SORV (Clinton transfer - one stuck open SRV) and LOOP-1 (Clinton transfer - one stuck open SRV). Specifically, transient (TRANS) sequences 65-33 and 67-38-19 incorrectly assumed a failure of late injection. The transfers for these two sequences were changed from LI02 (Clinton late injection fault tree) to LI00 (Clinton late injection fault tree). Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment: The operators manually scrammed the reactor due to low scram header air pressure; therefore, the probability of IE-TRANS (general plant transient initiating event) was set to 1.0. All other initiating event probabilities were set to zero. Basic event ACP-BAC-LP-480V-DIV1 was set to TRUE due to the loss of the division 1 480 V AC buses caused by the opening of the 4.16 kV bus 1A1 breaker 1AP07EJ as result of the transformer fault. Basic event HE-LOIAS was set to TRUE to account for the loss of instrument air inside containment. Recovery potential for instrument air to the containment was not credited in this analysis since that portion of the air system was not recovered for over 16 hours after initiation of the event. The human failure event (HFE) DCP-XHE-SWINGCHARGER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The human error probability (HEP) for DCP-XHE-SWINGCHARGER was calculated to be 1x10-2. 5 The CND (main condenser heat sink) fault tree also has an instrument air system dependency; however, this fault tree is only used in the loss of feedwater event tree. Modeling associated with the condenser is included in the PCS (power conversion system) fault tree for the TRANS (general transient) event tree. 6 The use of house event HE-LOIAS in the RCIC pump modeling in the RCI-SS-LT (RCIC support systems) subtree corresponds to different support system requirements needed for different initiating events and was not intended to model a RCIC system dependency for instrument air. Therefore, this modeling does not need to be modified for this event analysis. 7 In addition to the condensate and feedwater systems, the power conversion system includes modeling of the MSIVs.
LER 461-2017-010-02 6 The HFE PCS-XHE-XM-MSLDRAINS was evaluated using SPAR-H; see Appendix C for additional information. The HEP for PCS-XHE-XM-MSLDRAINS was calculated to be 1x10-3. ANALYSIS RESULTS CCDP. The conditional CCDP for this analysis is calculated to be 8.3x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink), whichever is greater. This CCDP equivalent for Clinton Power Station is 2.3x10-6.8 Therefore, this event is a precursor. Dominant Sequence. The dominant accident sequence is transient sequence 67-40-06 (CCDP = 1.4x10-6), which contributes approximately 17 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1, Figure A-2, and Figure A-3 and Appendix A. Sequence CCDP Percentage Description TRANS 67-40-06 1.44x10-6 17.40% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-24 1.39x10-6 16.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS fails, but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-30 7.83x10-7 9.50% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators fail to recovery offsite power in 30 minutes TRANS 67-35 5.15x10-7 6.20% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-40-31-13 5.06x10-7 6.10% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a small loss-of-coolant accident (SLOCA); RCIC and HPCS fail TRANS 67-40-32-13 4.85x10-7 5.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; RCIC and HPCS fail 8 For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.
LER 461-2017-010-02 7 Sequence CCDP Percentage Description TRANS 65-07 4.80x10-7 5.80% Successful reactor trip; a stuck-open relief valve results in a SLOCA; feedwater succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-13 3.15x10-7 3.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; HPCS fails, but RCIC succeeds; suppression pool cooling fails; reactor depressurization succeeds; low-pressure injection succeeds; containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-07 2.87x10-7 3.50% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS succeed; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 63 2.52x10-7 3.10% Successful reactor trip; power conversion system fails; feedwater fails; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection fails TRANS 67-40-31-06 1.60x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-31-09 1.54x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-32-06 1.53x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-32-09 1.48x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-28 1.45x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC fails, but HPCS succeeds; suppression pool cooling and containment spray fails; operators fail to recover the power conversion system; containment venting fails resulting in a loss of all injection TRANS 67-37 1.03x10-7 1.30% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; operators fail to depressurize the reactors
LER 461-2017-010-02 8 Sequence CCDP Percentage Description TRANS 67-40-28-31 9.81x10-8 1.20% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators successfully recovery offsite power in 30 minutes; reactor depressurization succeeds; low-pressure injection fails TRANS 67-38-14 9.42x10-8 1.10% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; a stuck-open relief valve results in a SLOCA; HPCS fails, but RCIC succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; operators fail to align the MSL drains; containment venting fails resulting in a loss of all injection Key Modeling Uncertainties. The base SPAR models provide credit for EDG repair and recovery; however, it is up to the analyst to determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. This ASP analysis does not credit repair of postulated EDG failures. A sensitivity analysis was performed crediting EDG repair of postulated failures of the division 1 EDG using the unplanned unavailability MSPI data. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.9x10-6 (a decrease of approximately 17 percent). Successful equipment operation is treated probabilistically in ASP analyses (i.e., success is not assumed), while observed failures are modeled as such.9 However, barring any postulated failures, the division 1 EDG would run until the fuel supply in its associated day tank was depleted (approximately 2 hours). To show the effects of this modeling uncertainty, a sensitivity analysis was performed allowing an additional 2 hours for operators to recover offsite power during postulated LOOP scenarios. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.2x10-6 (a decrease of approximately 25 percent). REFERENCES
- 1. Clinton Power Station, "LER 461/17-010 Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram, dated January 17, 2019 (ADAMS Accession No. ML19022A264).
- 2. U.S. Nuclear Regulatory Commission, ERRATA Clinton Power Station NRC Special Inspection Report 05000461/2017012, dated January 29, 2018 (ADAMS Accession No. ML18029A863).
- 3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
- 4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).
9 This general modeling technique is called the failure memory approach.
LER 461-2017-010-02 A-1 Appendix A: Key Event Tree Figure A-1. Clinton General Transient Event Tree IE-TRANS GENERAL PLANT TRANSIENT RPS REACTOR PROTECTION SYSTEM OEP CONSEQUENTIAL LOSS OF OFFSITE POWER SRV SRV'S CLOSE PCS POWER CONVERSION SYSTEM MFW FEEDWATER RCI RCIC SPC SUPPRESSION POOL COOLING CRD CRD INJECTION HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION CDS CONDENSATE LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2 OK 3 OK 4 OK 5 OK LI00 6 CD 7 OK LI01 8 CD 9 OK 10 OK 11 OK 12 OK LI00 13 CD 14 OK LI01 15 CD 16 OK 17 OK 18 OK LI00 19 CD 20 OK LI01 21 CD 22 OK 23 OK 24 OK LI00 25 CD 26 OK LI03 27 CD 28 OK 29 OK 30 OK LI00 31 CD 32 OK LI03 33 CD 34 OK 35 OK 36 OK LI00 37 CD 38 OK LI03 39 CD 40 CD 41 CD 42 OK 43 OK 44 OK 45 OK LI00 46 CD 47 OK LI01 48 CD 49 OK 50 OK 51 OK 52 OK LI00 53 CD 54 OK LI03 55 CD 56 OK 57 OK 58 OK 59 OK LI00 60 CD 61 OK LI03 62 CD 63 CD 64 CD P1 65 1SORV P2 66 2SORVS 67 LOOPPC 68 ATWS
LER 461-2017-010-02 A-2 Figure A-2. Clinton (Plant-Centered) LOOP Event Tree IE-LOOPPC LOSS OF OFFSITE POWER INITIATOR (PLANT-CENTERED) RPS REACTOR PROTECTION SYSTEM EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RCI RCIC SPC SUPPRESSION POOL COOLING HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2 OK 3 OK 4 OK LI04 5 CD 6 OK LI01 7 CD 8 OK 9 OK 10 OK LI04 11 CD 12 OK LI03 13 CD 14 OK 15 OK 16 OK LI04 17 CD 18 OK LI03 19 CD 20 CD 21 CD 22 OK 23 OK 24 OK 25 OK LI04 26 CD 27 OK LI01 28 CD 29 OK 30 OK 31 OK 32 OK LI04 33 CD 34 OK LI03 35 CD 36 CD 37 CD P1 38 LOOP-1 P2 39 LOOP-2 40 SBO 41 ATWS 42 CD
LER 461-2017-010-02 A-3 Figure A-3. Modified Clinton SBO Event Tree EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RPSL RECIRC PUMP SEAL INTEGRITY HCS01 FS = FTF-SBO HPCS RCI01 FS = FTF-SBO RCIC DCL DC LOAD SHEDDING EXT ACTIONS TO EXTEND ECCS OPERATION DEP02 FS = FTF-SBO MANUAL REACTOR DEPRESS FWS FIRE WATER INJECTION OPR OFFSITE POWER RECOVERY DGR DIESEL GENERATOR RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) OPR-12H 1 SBO-OP OPR-12H 2 OK DGR-12H CVS01 3 OK LI00 4 CD CVS01 5 OK LI05 6 CD OPR-12H 7 SBO-OP OPR-12H 8 OK DGR-12H CVS01 9 OK LI-EXT 10 CD CVS01 11 OK LI01 12 CD OPR-12H 13 SBO-OP OPR-12H 14 OK DGR-12H CVS01 15 OK LI00 16 CD CVS01 17 OK LI01 18 CD OPR-04H 19 SBO-OP OPR-04H 20 OK DGR-04H 21 CD OPR-04H 22 SBO-OP OPR-04H 23 OK DGR-04H 24 CD OPR-02H 25 SBO-OP OPR-02H 26 OK DGR-02H 27 CD OPR-30M 28 SBO-OP OPR-30M 29 OK DGR-30M 30 CD 31 SBO-1 P1B 32 SBO-1 P2 33 SBO-2
LER 461-2017-010-02 B-1 Appendix B: Modified Fault Trees Figure B-1. Modified Containment Venting Fault Tree CVS CONTAINMENT VENTING CVS-1 VENT PATHS ARE UNAVAILABLE CVS-2 CONTAINMENT SPRAY HEADER VENT PATH IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE 8.16E-04 RHR-MOV-CC-F027A RHR A CONTAINMENT VENT MOV 27A FAILS TO OPEN 8.16E-04 RHR-MOV-CC-F028A RHR A CONTAINMENT VENT MOV 28A FAILS TO OPEN 4.59E-04 CVS-XVM-CC-F099 MANUAL VENT VALVE F099 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC090 MANUAL VENT VALVE FC090 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC177 MANUAL VENT VALVE FC177 FAILS TO OPEN CVS-4 CONTAINMENT VENTING THROUGH CTM CONTINUOUS PURGE (CCP) Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE False HE-LOOP HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED 7.55E-04 CVS-AOV-CC-VR06B CONTINUOUS PURGE VENT VALVE 1VR006B FAILS TO OPEN 7.55E-04 CVS-AOV-CC-VR06A CONTINUOUS PURGE VENT VALVE 1VR006A FAILS TO OPEN CVS-3 CONTAINMENT UPPER POOL VENT PATH (VIA FC) IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext ACP-4KVBUS-1B1 CLINTON DIVISION II AC POWER SYSTEM FAULT TREE 4.59E-04 CVS-XVM-CC-FC012B MANUAL VENT VALVE FC012B FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC007 CONT VENT MOV FC007 FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC008 CONT VENT MOV FC008 FAILS TO OPEN Ext CVS-XHE-EQK OPERATOR FAILS TO VENT CONTAINMENT GIVEN SEISMIC EVENT 1.00E-03 CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT
LER 461-2017-010-02 B-2 Figure B-2. Modified LCS-MDP-SS Fault Tree LCS-MDP-SS LPCS LCS-MDP-SS-1 LPCS PUMP ROOM COOLING IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE
LER 461-2017-010-02 B-3 Figure B-3. Modified RHR-MDPA-SS Fault Tree RHR-MDPA-SS CLINTON FAILURE OF RHR MDP 1A RHR-MDPA-SS-1 FAILURE OF ROOM COOLING FOR RHR PUMP A Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE
LER 461-2017-010-02 B-4 Figure B-4. Modified DGA-SS Fault Tree DGA-SS DIESEL GENERATOR 1A SUPPORT SYSTEM FAILURES DGA-SS-1 DIESEL GENERATOR 1A ELECTRICAL FAULTS DGN-SSWA External SSW SYSTEM FAILS TO DG1A DGA-SS3 FAILURE OF DG1A HVAC DGA-SS8 DG1A FUEL OIL FAILURES FHS-MDP-FS-DO1A 7.84E-04 FUEL OIL PUMP 1A FAILS TO START FHS-MDP-FR-DO1A 3.87E-04 FUEL OIL PUMP 1A FAILS TO RUN FHS-MDP-CF-FS 6.23E-06 FO PUMPS A,B,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FR 2.90E-06 FO PUMP A,B,C FAIL FROM COMMON CAUSE TO RUN FHS-MDP-CF-FSAB 1.99E-05 FO PUMPS A,B FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAC 1.99E-05 FO PUMPS A,C FAIL FROM COMMON CAUSE TO START ACP-BAC-LP-480V-DIV1 2.29E-05 480V DIVISION 1 BUSES ARE UNAVAILABLE
LER 461-2017-010-02 B-5 Figure B-5. Modified DCP-125V-1A-LT Fault Tree DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT-2 LOSS OF DIVISION 1 POWER RESULTS IN LOSS OF BATTERY CHARGING CAPBILITY 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE Ignore DCP-XHE-XM-SWINGCHARGER OPERATORS FAIL TO ALIGN SWING CHARGER Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-BCH-EQ DC BATT CHARGERS FAILURE FROM SEISMIC EVENT 5.21E-06 DCP-BDC-LP-1A FAILURE OF DIVISION I 125VDC BUS 1A 6.17E-05 DCP-BCH-LP-1A FAILURE OF DIVISION I 125VDC BATTERY CHARGER 2.10E-07 DCP-BCH-CF-CHRS BATTERY CHARGERS FAIL FROM COMMON CAUSE
LER 461-2017-010-02 B-6 Figure B-6. Modified PCS Fault Tree PCS POWER CONVERSION SYSTEM Ext MFW FEEDWATER PCS-1 FAILURE OF STEAM CONDENSING FUNCTION OF PCS PCS-2 STEAM SYSTEM FAILS 7.44E-06 MSS-MSV-OC-STEAM STEAM LOOP VALVES FAIL TO OPEN/REMAIN OPEN 3.12E-03 MSS-TBV-CC-BYPAS TURBINE BYPASS VALVES FAIL TO OPEN PCS-3 MSIVS AND MSL DRAINS ARE ISOLATED Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ignore PCS-XHE-XM-MSLDRAINS OPERATORS FAIL TO ALIGN MSL DRAINS Ext MCW CLINTON MAIN CIRCULATING WATER IS UNAVAILABLE False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR
LER 461-2017-010-02 B-7 Figure B-7. Modified CDS-HW Fault Tree CDS-HW CLINTON CONDENSATE HOTWELL MAKEUP IS UNAVAILABLE CDS-HW-1 FAILURE OF HOTWELL INVENTORY CDS-HW-3 FAILURE TO MAINTAIN HOTWELL INVENTORY 1.00E-03 CDS-XHE-XM-HOTWELL FAILURE TO CONTROL CD/CB FLOW TO PREVENT EMPTYING HOTWELL 6.26E-06 CDS-TNK-FC-CYMC set to PSA value of 0.067 2.49E-03 ACP-CRB-CC-501A FAILURE OF CIRCUIT BREAKER 501A TO OPEN (UAT) 2.49E-03 ACP-CRB-CC-501B FAILURE OF CIRCUIT BREAKER 501B TO OPEN (UAT) 7.55E-04 CDS-AOV-CC-039 SJAE MIN FLOW TO COND VALVE 1CD039 FAILS TO CLOSE CDS-HW-2 INITIATORS WITHOUT STEAM RETURN TO HOTWELL 2.00E-03 PPR-SRV-OO-2VLVS TWO OR MORE BWR SRVS FAIL TO CLOSE 9.60E-02 PPR-SRV-OO-1VLV ONE BWR SRV FAILS TO CLOSE False HE-SLOCA HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR False HE-IORV INADVERTENT OPEN RELIEF VALVE (IORV) HAS OCCURRED False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR Ext CDS-TNK-EQ CONDENSATE STORAGE TANK FAILURE FROM SEISMIC EVENT 6.26E-06 CDS-TNK-FC-CST CONDENSATE STORAGE TANK IS UNAVAILABLE 7.55E-04 CDS-AOV-CC-MKUP2 HOTWELL LEVEL CONTROL VALVE 2 FAILS 7.55E-04 CDS-AOV-CC-MKUP1 HOTWELL LEVEL CONTROL VALVE 1 FAILS
LER 461-2017-010-02 C-1 Appendix C: Evaluation of Key HFEs Evaluation of DCP-XHE-SWINGCHARGER (operators fail to align the swing charger). Definition Operators swing charger to supply the division 1 batteries. Description and Event Context If normal battery charging capability is lost via the 480 V division 1 AC buses, operators can align the swing charger to prevent a loss of division 1 direct current (DC) power. Operator Action Success Criteria Operators successfully align the swing charger to supply the division 1 batteries prior to batter depletion (2 hours). Key Cue(s) Low DC bus voltage Procedural Guidance CPS 3503.01C006, Class 1E Swing Battery Charger 1DC11E Feed to Safety-Related DC Bus Checklist Diagnosis/Action This HFE only contains both diagnosis and action activities. PSF Multiplier Diagnosis/Action Notes Time Available 1 / 1 The nominal battery depletion time of the safety-related batteries is 2 hours without shedding of DC loads. With successful load shedding, the battery life can be extended to 4 hours. In addition, During the event, a loss of division 1 AC loads (as occurred during the event) reduces the depletion rate. The time estimated to align the swing charger is approximately 1 hour. This would leave a maximum of 1 hour available for diagnosis under the most restrictive scenario (i.e. nominal depletion rate and, low bus voltage threshold quickly reached). However, there could be less time. Given this uncertainty, the diagnosis PSF for available time is set to Nominal. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
- Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.
The HEP is calculated using the following SPAR-H formula: HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP) = (1 x 0.01) + (1 x 0.001) = 1x10-2 Therefore, the human error probability for DCP-XHE-SWINGCHARGER was set to 1x10-2.
LER 461-2017-010-02 C-2 Evaluation of PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser). Definition Operators use MSL drains for reactor pressure control. Description and Event Context If the condenser is available, but the MSIVs are closed (or expected to close) operators can align the MSL drains to for reactor pressure control. Operator Action Success Criteria Operators align MSL drains to the main condenser to maintain steam path prior to closure of all MSIVs. Key Cue(s) MSIV(s) closing or expected closure of MSIVs Procedural Guidance EOP-1, RPV Control and CPS 4411.09, RPV Pressure Control Sources Diagnosis/Action This HFE only contains both diagnosis and action activities. PSF Multiplier Diagnosis/Action Notes Time Available 0.01 / 1 During the event, the last inboard MSIV did not close until approximately 4 hours after instrument air to containment was isolated. The time estimated to align the MSL drain is conservatively estimated to be 30 minutes. This would leave at least 3.5 hours available for diagnosis. The nominal time for diagnosis is estimated to take 5 minutes. Since the 3.5 hours available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
- Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.
The HEP is calculated using the following SPAR-H formula: HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP) = (.01 x 0.01) + (1 x 0.001) = 1x10-3 Therefore, the human error probability for PCS-XHE-XM-MSLDRAINS was set to 1x10-3.}}