ML20261H315
ML20261H315 | |
Person / Time | |
---|---|
Site: | Clinton |
Issue date: | 09/14/2020 |
From: | NRC/OCIO |
To: | |
Shared Package | |
ML20261H312 | List: |
References | |
FOIA, NRC-2019-000253 | |
Download: ML20261H315 (193) | |
Text
{{#Wiki_filter:From: Kozak Laura Note to requester: The attachment to this email has been withheld To: Lara Julio in its entirety under FO IA Ex. B5 (deliberative process privilege).
Subject:
FW: Clinton Inspection Report Date: Friday, October 12, 2018 10:03:00 AM Attachments: CLI 2018 051.docx Draft IR - just FYI From: Lambert, Kenneth Sent: Thursday, October 11, 2018 4:33 PM To: Peralta, Juan <Juan.Pera lta@ nrc.gov>; Marshfield, M ark <Ma rk.Ma rshfield@nrc.gov> Cc: Casey, La uren <Lauren.Casey@nrc.gov>
Subject:
FW: Cli nton Inspection Report Attached is the Clinton pre liminary white letter for HQ review and concurrence. We are looking for a quick turnaround to enable us to meet the NRR metric. Ken Ken Lambert Sr. Enforcement Specialist Region Ill U.S. Nuclear Regu latory Commission 630-810-4376 kenneth.lambert@orc.gov From: Wi lk, Brenda Sent: Thursday, October 11, 20 18 3:32 PM To: Lambert, Kenneth <Kenneth.Lam bert@nrc.gov> Cc: Kozak, Laura <Laura.Kozak@ nrc gov>
Subject:
Clinton Inspection Report Hi Ken , Please see attached Clinton's White Finding. If there are any changes that need to be made on the document please highlight them or whomever from HQ reviewing the document highlight the changes so I can incorporate into the report. Thank you , Brenda
(b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
(b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
(b)(5) (b)(5)
(b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
Note to requester: The attachm ents to this email have been withheld in their entirety under FOIA Ex. B5 (deliberative process privilege). From: Kozak Laura To : Mitman Jeffrey Subject : RE: talk to Clinton Date: Monday, October 15, 2018 9:31:00 AM Attachments: Qctob.er 15 call with Clinton.docx CLL2018~0.5J .doc.x Jeff Please see my notes for today's call. I am continuing to look at the results to see what else we should bring up. I also attached the most recent version of the report that I have (this may not reflect all comments/changes) . Laura From: Mitman, Jeffrey Sent: Monday, October 15, 2018 9:08 AM To: Kozak, Laura <Laura.Kozak@nrc.gov>
Subject:
RE: talk to Clinto n Works for me. I'll block out the time . Jeff Mitman From: Kozak, Lau ra Sent: Monday, October 15, 2018 10:06 AM To: M itman, Jeffrey <Jeffrey.Mitman@nrc.gov>
Subject:
tal k to Clinton FYI - I talked with Joe Edom. He is trying to arrange a discussion today at 3:30pm central , 4:30 pm eastern.
(b )(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
(b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
(b)(5) (b)(5)
(b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5) (b)(5)
From: Wilk Brenda To : Sanchez Santiago Elba ; Stoedter Karla; Phillips Charles Subject : CLI 2018 051 Date: Tuesday, October 16, 201810:12:36 AM Attachments: CLI 2018 05 1.docx
- Elba, Please see attached to provide the licensee a copy. The letter has been added to ADAMS.
ML18289A436 for your reference. Thank you , Brenda
OFFICIAL USE ONLY - SECURI It-RELATED INFORMATION UNITED STATES NUCLEAR REGULATORY COMMISSION REGION Ill 2443 WARRENVILLE ROAD, SUITE 210 LISLE, ILLINOIS 60532-4352 October 15, 2018 EA-18-104 Mr. Bryan C. Hanson Senior VP, Exelon Generation Company, LLC President and CNO, Exelon Nuclear 4300 Winfield Road Warrenville , IL 60555
SUBJECT:
CLINTON POWER STATION-NRC INSPECTION REPORT 05000461/2018051 AND PRELIMINARY WHITE FINDING
Dear Mr. Hanson:
On September 24, 2018, the U.S. Nuclear Regulatory Commission (NRC) presented the preliminary significance assessment results to your staff at Clinton Power Station, Unit 1. This letter transmits a finding that has preliminarily been determined to be White. A White finding low to moderate safety significance that may require additional NRC inspections. As described in this letter, on May 17, 2018, an apparent violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition 8 .3, were self-revealed for the licensee's failure to follow multiple procedures that affected quality. This resulted in the unavailability and inoperability of the Division 2 Emergency Diesel Generator (EOG) when it was relied upon for plant safety. During part of the time that the Division 2 EOG was unavailable the Division 1 EOG was already out of service for planned maintenance. During the period when neither EOG was available a loss of offsite power would have resulted in a station blackout condition that could have resulted in a long term loss of the ability to cool the reactor core. This finding was assessed based on the best available information, using the applicable Significance Determination Process (SOP). Included in the body of the enclosed inspection report is the basis for the staff's preliminary determination of significance. Your corrective actions included (1) returning the Division 2 EOG to an operable status; (2) communicating accountability and emphasis on procedure use and adherence; (3) just in time training to all operations department staff on the procedure use requirements; (4) conducting a three-day stand down to discuss case studies and lessons learned; and (5) revising the equipment operator round points to include the EOG starting air manifold pressures. The finding is also an apparent violation of NRC requirements and is being considered for escalated enforcement action in accordance with the Enforcement Policy, which can be found on the NRC's Web site at http://www.nrc.gov/about-nrc/regulatory/enforcemenUenforce-pol.html. Enclosure contains Sensitive Unclassified Non-Safeguards Information. When separated from attachment 2, this transmittal document is decontrolled. In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation OFFIGI.AL USE ONI Y SECURITY RELATED INFORMATION
OFFICIAL USE 0t4LY SECURITY RELATED IHFORMATION B. Hanson using the best available information and issue our final determination of safety significance within 90 days of the date of this letter. The significance determination process encourages an open dialogue between the NRC staff and the licensee; however, the dialogue should not impact the timeliness of the staffs final determination. Before we make a final decision on this matter, we are providing you with an opportunity to (1) attend a Regulatory Conference where you can present to the NRC your perspective on the facts and assumptions the N RC used to arrive at the finding and assess its significance; or (2) submit your position on the finding to the NRC in writing. If you request a Regulatory Conference, it should be held within 40 days of the receipt of this letter and we encourage you to submit supporting documentation at least one week prior to the conference in an effort to make the conference more efficient and effective. The focus of the Regulatory Conference is to discuss the significance of the finding and not necessarily the root cause(s) or corrective action(s) associated with the finding. If a Regulatory Conference is held, it will be open for public observation. If you decide to submit only a written response, such submittal should be sent to the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory Conference or to submit a written response, you relinquish your right to appeal the final SOP determination, in that by not doing either, you fail to meet the appeal requirements stated in the Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609. If you choose to send a response , it should be clearly marked as a "Response to An Apparent Violation; (EA-18-104 )" and should include for the apparent violation: (1) the reason for the apparent violation or, if contested, the basis for disputing the apparent violation; (2) the corrective steps that have been taken and the results achieved; (3) the corrective steps that will be taken; and (4) the date when full compliance will be achieved. Your response should be submitted under oath or affirmation and may reference or include previously docketed correspondence, if the correspondence adequately addresses the required response. Additionally, your response should be sent to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Center, Washington , DC 20555-0001 with a copy to K. Stoedter, Chief, Branch 1, Division of Reactor Projects, U.S. Nuclear Regulatory Commission, Region Ill, 2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352, within 40 days of the date of this letter. If an adequate response is not received within the time specified or an extension of time has not been granted by the NRC, the NRC will proceed with its enforcement decision or schedule a Regulatory Conference. Please contact Ms. Karla Stoedter at 630-829-9731 , and in writing within 10 days from the issue date of this letter to notify the NRC of your intentions. If we have not heard from you within 10 days, we will continue with our significance determination and enforcement decision. The final resolution of this matter will be conveyed in separate correspondence. Because the NRC has not made a final determination in this matter, no Notice of Violation is being issued for these inspection findings at this time. In addition, please be advised that the characterization of the apparent violation described above may change as a result of further NRC review.
OFFICIAL USE ONLt - SECURITY-RELATED INFORMA I l<>N B. Hanson This letter will be made available for public inspection and copying at http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in accordance with 10 CFR 2.390, "Public Inspections, Exemptions, Requests for Withholding." However, the enclosed report contains Security-Related Information, so the enclosed report will not be made publically available in accordance with 10 CFR 2.390(d)(1 ). If you choose to provide a response that contains Security-Related Information, please mark your entire response "Security-Related Information-Withhold from public disclosure under 10 CFR 2.390" in accordance with 10 CFR 2 .390(d)(1) and follow the instructions for withholding in 10 CFR 2.390(b)(1 ). The NRC is waiving the affidavit requirements for your response in accordance with 10 CFR 2.390(b)(1)(ii). Sincerely, IRA/ Patrick L. Louden, Director Division of Reactor Projects Docket No. 50-461 License No. NPF- 62
Enclosures:
Inspection Report 05000461/2018051 (public) (non-public) cc: W. Marsh, Clinton Station Security Manager A. Khayyat, State Liaison Officer Illinois Emergency Management Agency cc w/o attach 2: Distribution via LISTSERV OFFICIAL USE ONE, SECURITY RELA I ED INFORMATION
OFFICIAL USE ONLY - SECURI IT-RELATED INFORMATION B. Hanson Letter to Bryan Hanson from Patrick Louden dated October 15, 2018
SUBJECT:
CLINTON POWER STATION-NRG INSPECTION REPORT 05000461/2018051 AND PRELIMINARY WHITE FINDING DISTRIBUTION w/attachments: Daryl Johnson Niry Simonian Eric Wharton Alonzo Richardson Raymond McKinley Binoy Desai Steven West Darrell Roberts Jeremy Groom DISTRIBUTION: Christopher Cook RidsNrrDorllpl3 RidsNrrPMClinton Resource RidsNrrDirslrib Resource Steven West Darrell Roberts Richard Skokowski Allan Barker DRSIII DRPIII ROPreports.Re sou rce@nrc.gov ADAMS Accession Number: ML18289A436 OFFICE RIii I RIii I RIii I OE I NAME CPhillips:bw LKozak JHeller for MMarshfield via Klambert email for JPeralta DATE 10/11/2018 10/11 /2018 10/12/2018 10/12/2018 OFFICE NRR I RIii I RIi i I I NAME MFranovich via KStoedter Plouden email DATE 10/12/2018 10/15/2018 10/15/2018 OFFICIAL RECORD COPY OFFICIAL USE ONLY SECtjRITV RELATED INFORMATION
OFFICIAL USE ONLY w SECURI I ,-RELATED INFORMATION U.S. NUCLEAR REGULATORY COMMISSION REGION Ill Docket Numbers: 50-461 License Numbers: NPF-62 Report Number: 05000461/2018051 Enterprise Identifier: 1-2018-051-0000 Licensee: Exelon Generation Company, LLC Facility: Clinton Power Station Location: Clinton, IL Dates: August 3 through September 4, 2018 Inspectors: C. Phillips, Project Engineer L. Kozak, Senior Re.actor Analyst J . Mitman, Senior Reliability and Risk Analyst Approved by: K. Stoedter, Chief Branch 1 Division of Reactor Projects OEEICIA.L 1.f*SE ONLY SEGURll¥ R!LATED INFORMATION Enclosure
OFFICIAi IISE ONLY SECURITY RELA I ED INFORMATION
SUMMARY
The U.S. Nuclear Regulatory Commission (NRG) completed the preliminary significance determination associated with an apparent violation in accordance with the Reactor Oversight Process. The Reactor Oversight Process is the NRC's program for overseeing the safe operation of commercial nuclear power reactors. Refer to https://www.nrc.gov/reactors/operatinq/oversiqht.html for more information. Findings and violations being considered in the NRC's assessment are summarized in the table below. List of Findings and Violations Failure to Follow Multiple Procedures Cornerstone Significance Cross-Cutting Report Section Aspect Mitigating Preliminary White [H .2] - Human 93812- Special Systems AV 05000461/2018050-01 Performance, Inspection Open Field Presence EA 104 On August 23, 2018, the NRG issued Inspection Report 05000461/2018050 which discussed a self-revealed finding with a To-Be-Determined (TBD) significance and an associated Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition B.3. The issue involved the licensee's failure to follow multiple procedures that affected quality which resulted in the unavailability and inoperability of the Division 2 Emerqencv Diesel Generator when it was relied upon for plant safety. Additional Tracking Items None. OFFICIAL USE ONLY SECtlR:ITY RELA I ED INFORMATION 2
OFFICIAL USE ONL I - SECURrn RLLA I ED INFORMATION INSPECTION SCOPE Inspections were conducted using the appropriate portions of the inspection procedure (IP) in effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with their attached revision histories are located on the public website at http://www.nrc.gov/reading-rm/doc-collections/insp-manual/i nspection-proced ure/index.html. Samples were declared complete when the IP requirements most appropriate to the inspection activity were met consistent with Inspection Manual Chapter (IMC) 2515, "Light-Water Reactor Inspection Program - Operations Phase." The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel to assess !l icensee performance and compliance with Commission rules and regulations, license conditions, site procedures, and standa rds. OTHER ACTIVITIES-TEMPORARY INSTRUCTIONS, INFREQUENT AND ABNORMAL 93812-Special Inspection The purpose of this inspection was to complete the preliminary significance determination for an apparent violation 10 CFR Part 50, Appendix 8 , Criterion V and Technical Specification 3.8.2, Condition 8.3. documented in NRC Special Inspection Report 05000461/2018050. INSPECTION RESULTS 93812- Special Inspection ~ Failure to Follow Multiple Procedures Cornerstone Significance Cross-Cutting Report Section Aspect Mitigating Preliminary White [H.2] - Human 93812-Special Systems AV 05000461/2018050-01 Performance, Field Inspection Open Presence EA-18-104 On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed a self-revealed finding with a To-Be-Determined (TBD) significance and an associated Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix 8, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition 8.3. The issue involved the licensee's failure to follow multiple procedures that affected quality which resulted in the unavailability and inoperability of the Division 2 Emergency Diesel Generator when it was relied upon for plant safety.
Description:
On April 30, 2018, the licensee shut down the reactor as part of a scheduled refueling outage. During the outage, the licensee performed maintenance on the Division 2 electrical system which required the Division 2 emergency diesel generator (EDG) to be removed from service. From May 9-11 , 2018, the licensee completed activities to restore the Division 2 EDG to service. Due to the failure to follow multiple procedures (as discussed in NRC Inspection Report 05000461/2018050), the Division 2 EDG was not restored to an operable status because operations personnel had not repositioned starting air valves 1DG160 and 1 DG161 OFFICIAL USE ONLY SECURITY RELAl'E:D INFORMATION 3
OFFICIAL USE ONL) - SECOR! IV RELATED INFORMATION from the closed position to the open position. With the starting air valves in the closed position , the Division 2 EOG was unable to start if needed. On May 14, 2018, at 12:30 a.m., since the licensee was unaware that the Division 2 EOG was inoperable and unavailable due to its inability to start caused by the 1DG 160 and 1DG 161 valves being closed, the licensee began a Division 1 scheduled maintenance window. As a result of taking the Division 1 480 VAC bus out of service, the Division 1 EOG was declared inoperable. On May 17, 2018, at 3:03 p .m., a non-licensed operator performing shift rounds identified that the 1DG 160 and 1DG 161 valves were closed and reported this condition to the control room. The licensee declared the D ivision 2 EOG inoperable, investigated the condition , and subsequently returned the Division 2 EOG to an operabl,e status. Corrective Actions: The licensee initiated several corrective actions including (1) communicating accountabil ity and emphasis on procedure use and adherence; (2) j ust in time training to all operations department staff on the procedure use requirements; (3) conducting a three-day stand down to discuss case studies and lessons learned; and (4) revising the equ ipment operator round points to include the EOG starting air manifold pressures. Corrective Action
Reference:
Action Request (AR) 4 138790, "Division 2 DG Air Receiver Found Isolated Rounds," dated May 17, 2018. Performance Assessment: Performance Deficiency: T he licensee failed to perform activities affecting quality in accordance with prescribed procedures and work instructions as required by 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures and Drawings," that resulted in the unavailability of the Division 2 EOG w hen it was relied upon for plant safety. Screening: The inspectors determined the performance deficiency was more than minor because it adversely affected the configuration control attribute of the Mitigating Systems Cornerstone and its objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable c onsequences. Specifically, th e failure to follow station procedures/work instructions resulted in the unavailability of the Division 2 EOG w hen it was relied upon for plant safety. Significance: The inspectors evaluated the finding against the guidance of IMC 0609 Appendix G, Attachment 1, "Shutdown Operations Significance Determination Process Phase 1 Initial Screening and Characterization of Findings." The finding impacted the Mitigating Systems Cornerstone, specifically the Electric Power Availability Safety Function. The finding represented a loss of system safety function for the EDGs for greater than its TS 3.8.2, Condition B.3, allowed outage time of "Im mediately" (one of the two EDGs was required to be returned to an operable status immediately) w hich required a Phase 2 Appendix G evaluation. The Phase 2 evaluation was conducted using IMC 0609 Appendix G , Attachment 3, and "Phase 2 Significance Determination Process Template for BWR during Shutdown." A Region Ill senior reactor analyst (SRA) completed the Ph ase 2 evaluation and concluded that a Phase 3, or detailed risk evaluation, would be needed to refine the Phase 2 evaluation. OFFICIAL ijSE ONLY SEGt;JRITY RELATED INFORMATION 4
OFFICIAL USE ONL 1 - SECURIT, RELATED INFORMATION Summary from Special Inspection Report The detailed risk evaluation (DRE) covered a 6.5 day period when the Division 2 EDG was inadvertently unavailable during a refueling outage. The Division 2 EDG had been inoperable and unavailable as part of planned Division 2 480 VAC electrical distribution and Emergency Service Water (SX) systems maintenance activities. When the Division 2 systems work was completed and the systems restored on May 11 , 2018 (at 2:30 a.m.), operators incorrectly declared the Division 2 EDG available. At this time, the Division 2 EDG starting air isolation valves (1DG160 and 1DG161 ) remained closed, which would prevent starting air from reaching the EDG air start motors, making the EDG inoperable, unavailable, and non-functional because it would not and could not be started on any demand signal. On May 14, 2018, at 12:30 a.m., as the licensee was unaware that the Division 2 EDG was unavailable, the licensee began a scheduled maintenance window on the Division 1 480 VAC bus 1A 1. As a result of taking the bus out of service, the Division 1 EDG was declared inoperable. At this time neither Division 1 nor 2 EDG was functional. On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified the 1DG 160 and 1 DG 161 valves were inappropriately closed and reported this condition to the control room. The licensee declared the Division 2 EDG inoperable and investigated the condition. The licensee restored the valves to the open position and declared the Division 2 EDG available at 3:45 p.m. After the licensee performed OP-AA-108-106, the licensee declared the Division 2 EDG operable at 9:04 p.m. During the 6.5 day period the Division 2 EDG was not operable, available, or functional as the licensee expected. During the 3.5 day period from May 14th to May 17th, neither the Division 1 nor 2 EDG was available to deal with a Loss of Offsite Power (LOOP) if one occurred. As described in Inspection Report 2018050, a Phase 1 S ignificance Determination Process (SDP) screening and a phase 2 SDP evaluation were completed for the finding using the guidance of IMC 0609 Appendix G, "Shutdown Operations Significance Determination Process". As a result, the NRC determined that a detailed risk evaluation was needed to further evaluate recovery strategies. These strategies included 1) restoration of the Division 2 EDG; 2) plant-specific mitigating system strategies such as the Division 3 cross-tie to Division 2; 3) use of Diverse and Flexible Coping Strategies (FLEX), and 4) the recovery of offsite power. As a result the inspection report initially characterized the significance of this finding as "to be determined." Summary of Preliminary (Phase 3) Significance Determination The Clinton SPAR model, revision 8.54 was modified to add a shutdown Mode 4 cold shutdown Loss of Offsite Power (LOOP) event tree based on the existing Grand Gulf shutdown SPAR model. The model was further modified to use Clinton specific system fault trees and to refine diesel generator recovery, incorporate FLEX electrical, FLEX suppression pool cooling, FLEX injection , potential recovery of high pressure core spray (HPCS) pump, recovery of reactor core isolation cooling (RCIC), use of alternate injection systems such as installed fire pumps, B.5.b fire pumps, B.5.b reactor depressurization methods, manual containment ventin ca abilit , and the cross-tie of the Division 3 EDG to Division 2 electrical OFFICIAL USE ONLY - SECURI IV-RELATED INFORMATION 5
QEEl<<:IAI IISE ONLY SECURITY RELATED INFORMATION distribution system. Human error probabilities in addition to equipment failure probabilities were added for all actions requiring manual alignment and operation. The detailed risk evaluation considers the many different core cooling methods potentially available. However, the results indicate that successful mitigation of the event relies on operator action to restore AC power by one of several methods - recovery of the Division 2 EOG, FLEX electrical, Division 3 to Division 2 cross-tie, or offsite power recovery. The analysis is complex since mitigation of a LOOP event in the degraded condition significantly relies on operator actions and the decision making involving the interaction of these four recovery strategies. The risk results are driven by human error. None of the many operator actions modeled to mitigate the postulated LOOP/SBO event were assumed to be resource limited. This is in recognition that the plant was in a refueling outage with extra operations, maintenance and engineering staff available. Few of the many actions modeled to mitigate the postulated LOOP/SBO were assumed to be limited by time available. However, the overall sequence was modeled assuming operators have one hour to recover the Division 2 EOG before an extended loss of AC power (ELAP) is declared. Once ELAP is declared, plant procedures direct the operators to pursue the FLEX method to re-power Division 2. If FLEX fails, procedures supply guidance on using the Division 3 cross-tie. For the dominant core damage sequence, the time to core damage is approximately 13 hours, this was considered to be adequate time with some margin, but not extra or expansive time, given the level of manual effort required and the number of concurrent methods of mitigation that were modeled. The finding exposure time that was quantitatively assessed was the 3.5 day period that both emergency diesel generators were unavailable. The full exposure time was approximately 6.5 days. However, the risk results are dominated by the 3.5 days when neither diesel was available. The result of the detailed risk evaluation is a finding of low to moderate safety significance (White). The best estimate change (i.e., delta) in core damage frequency for the 3.5 day period, using reasonable and realistic assumptions, was estimated to be 3.8E-6 per year. The dominant sequence was a loss of offsite power, failure to recover the Division 2 EOG leading to an Extended Loss of AC Power (ELAP) declaration, failure to maintain the reactor depressurized, failure to inject at high pressure, and the failure to cross-tie the Division 4KV bus to the Division 2 4kV bus. Sensitivity evaluations were performed to understand the influence of important assumptions. The results of the sensitivity evaluations showed a range of outcomes from very low safety significance (Green) to substantial safety significance (Yellow). The sensitivity evaluations were used to confirm the best estimate outcome - low to moderate (White) safety significance. See Table 1. The specific important assumptions of the detailed risk evaluation, the event tree, fault trees, and dominant core damage cut-sets are included in the Enclosure. OFFICIAL USE ONE f SECURIT, RLLA I ED INFORMATION 6
OFFICIAL USE ONLY - SECURITiwRELATED INFORMATION Table 1: Risk Results Including Sensitiv ity Cases Delta Old BE New BE Notes BE Adjusted CDF Value Value Results Best Case Analvsis n/a n/a n/a 3.SE-06 Sensitivity Cases: No change set Div. 2 EOG available required, simply use TRUE 1 EPS-XHE-XR-DG1 B 1.00E-03 5.4E..07l (i.e., no PD) value for base case (1 .0) no PD Div. 2 EOG non-2 recovery based on EPS-XHE-LR-NR10H 2.0E-02 8.80E-01 1.?E-05 data 88% Note that using Exelon's values reduces the CDF to Div. 2 EOG non-less than the no PD 3 recovery based EPS-XHE-LR-NR10H 2.0E-02 5.0E-03 l1.0E-07i case because the Exelon estimate NRP is lower than the base EOG failure probability HPCS pump available TRUE False 4 during entire 3.5 day HCS-XHE-XR-MDP a-.2E-07l (1 .0) (0.0) exposure time Single Human Error 5 Probability (HEP) for Multiple BE 5.3E-05 1.0E-03 3.5E-06 all injection methods Decrease RCIC HEP 6 SD-XHE-XM-FRCIC 7.SE-01 1.0E-01 3.?E-06 to 0.1 Decrease FLEX 7 Electrical HEP to SD-XHE-XM-FELEC 2.5E-01 1.0E-01 2.4E-06 Exelon value to 0.1 Reduce all FLEX Decrease R 8 Multiple BE Various TI--IIH HEPS bv factor of 10 bv 10X Set all FLEX HEPs to False 9 Multiple BE Various ~.!'l~-IIH ,___ False (0.0) . - (0.0) Increase all FLEX Increase RCIC value Increase 10 Multiple BE Various 2.9E-05 HEPs by Factor of 2 from 0.75 to 1.0 by 2X Exelon modified the IEF because the Using Exelon switchyard was Initiating Event 11 protected Note: SD-MFL-LOOP 1.7E-1 1.2E-1 2.8E-06 Frequency (IEF) of EDG2 was protected 0.12 per year during 6.5 days of unavailability OFFICl.t\L USE ONL Y SECURIT Y i<ELATED INFORMATION 7
OFFICIAL USE ONLY- SECURITY RELAIEO INFORMATION Cross-cutting Aspect: As discussed in Inspection Report 05000461/2018050, the finding had a cross-cutting aspect in the Field Presence component of the Human Performance cross-cutting area. (H.2) Enforcement: Apparent Violation: Title 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," requires, in part, that activities affecting quality be prescribed by documented procedures of a type appropriate to the circumstances and be accomplished in accordance with these procedures. Clearance Order 139455 instructions required the performance of CPS 3506.01 P002, "Division 2 Diesel Generator Operations," Revision 3a, in conjunction with the removal of out-of-service tags on May 9, 2018. Procedure OP-AA-108-103, "Locked Equipment Program," Revision 2, Step 4.1 .5, stated, "If plant conditions require a locked component to be positioned in a manner other than that indicated on the locked equipment checklist or approved procedure, then UNLOCK and REPOSITION equipment in accordance with OP-AA-108-101 , "Control of Equipment and System Status." Procedure OP- AA- 108-101 , "Control of Equipment and System Status," Revision 14, Step 4.1.1.1 , stated, "Utilize an ACPS for aligning equipment outside of routine operations." Procedure OP-AA-108-106, "Equipment Return to SeNice," Revision 5, Step 4.3, required that "if equipment will not be restored to the Equipment Line-up/Restoration position or the original condition, then another approved equipment status control mechanism shall be used to document equipment status (i.e. Equipment Status Tag, administrative clearance/tagout). Procedure OP-AA-108-101 , 'Control of Equipment and System Status,' shall be used to document abnormal equipment configuration and shall be immediately applied following equipment restoration." Procedure OP-AA-108-106, "Equipment Return to SeNice," Revision 5, Step 4.4.9, which stated, "Applicable Operating procedures are complete and any equipment line-ups directed to be completed by the Operating Procedures are completed." Procedure OP- AA-1 08-1 06, "Equipment Return to SeNice," Revision 5, Step 4.4.14, stated , "The system/equipment has been walked down as appropriate to verify that it can be safely operated to fulfill its design function." Procedure OP- AA-109-101 , "Clearance and Tagging," Revision 12, Step 10.2.1 stated, "If a lift position is determined to be different from the normal lineup position for the present plant condition and not tracked by another C/0 or procedure, then the Shift Management shall be notified and equipment tracking initiated." Technical Specification 3.8.2, "AC Sources-Shutdown," Condition B.3, states, in part, that an inoperable EOG be restored to an operable status immediately. Between May 9 and May 17, 2018, the licensee apparently failed to: Perform CPS 3506.01 P002 , "Division 2 Diesel Generator Operations," Revision 3a, in OFFICIAi I IS! ONLY SEGURITY RELATED INFORMATION 8
OFFICIAL USE ONLY - SECURI I f - RELA I ED INFORMATION conjunction with the removal of C/0 139455 as required by the C/0 restoration instructions. Perform OP- AA- 108- 103, "Locked Equipment Program ," Revision 2, Step 4.3, valves 1DG160 and 1DG161 were normally locked open valves and an ACPS was not utilized to track valve status. Perform OP-AA-108-106, "Equipment Return to Service," Revision 5, Step 4.3, when valves 1DG160 and 1DG161 were left in an abnormal position an approved equipment status control mechanism was not used to track equipment status. Perform OP- AA- 108- 106, "Equipment Return to Service," Revision 5, Step 4.4.9, when the equipment was declared operable the applicable operating procedure CPS 3506.01P002 had not been completed and equipment line-ups directed to be completed by the operating procedures were not completed. Perform OP- AA- 108- 106, "Equipment Return to Service," Revision 5, Step 4.4.14, when the system was declared operable without being walked down. Perform OP-AA-109-101, "Clearance and Tagging," Revision 12, Step 10.2.1, when the lift position was different from the normal lineup for the present plant condition and equipment tracking was not initiated . Additionally, because the licensee was not aware of the EDG's inoperability the required action in Technical Specification 3.8.2, Condition 8 .3 was not followed. EXIT MEETINGS AND DEBRIEFS The inspectors confirmed that proprietary information was controlled to protect from public disclosure. No proprietary information was documented in this report.
- On September 24, 2018, Mr. P. Louden presented the preliminary significance assessment results to Mr. T. Stoner, Clinton Power Station, Site Vice President.
DOCUMENTS REVIEWED 93812- Special Inspection OFFICIAL OSE ONLY SECIJRITY REL.OTED INFORMATION 9
OFFICIAL USE Ol~LY - SECURI IV RELATED INFORMATION Detailed Risk Evaluation Assumptions Plant Conditions during the Conditions Assessed Clinton is a General Electric Boiling Water Reactor 6 with a Mark Ill containment. It has three divisions of Emergency Core Cooling (ECCS). Divisions 1 and 2 have residual heat removal (RHR) capability, each with an RHR train that contains a heat exchanger. Each division has its own emergency diesel generator (EOG) and 4kV safety bus. In addition, Division 3 contains a High Pressure Core Spray (HPCS) pump dedicated safety bus, and EOG, but does not contain an RHR train. The Division 2 EOG unplanned unavailability started after the reactor had been refueled and the associated reactor cavity was full. That is, there was over 23 feet of water above the reactor core. Early in the unavailability, the licensee installed the reactor pressure vessel (RPV) internals, lowered water level to about six inches below the RPV flange, installed and tensioned the reactor vessel head. The unit entered cold shutdown or Mode 4 when the last reactor head bolt was tensioned. See Figure 1 for a time line of these events. OFFICIAL USE ONL Y SECURITY RELA I ED INFORMATION Attachment 1
OFFICIAL USE ONL'f w SECURITY RELATED INFORMA I ION Cavity full End lowering cavity l evel 13:54 "'6 inches below flange RCS w ater level 09:43 begin lowering cavit_r Ievel RPV Last bolt tensioned 01:51 c M odes Mode4 ~~~~~~~~~~~~~~~~~_.,. Starting Conditions Start hydro
- RHR/SDC A 1/5
- LPCS / SRV Alt. soc:1 r - - - - - - - - - - - , Di v. 2 EOG operable
- RAT 1/S
- Di v. 2 EOG op
- RHR/ SDC A 005
- Div. 1 4Kv bus 1/S but inop.
- Div . 2 EOG *available>> 21:04
- Div. 2 EOG unavail.
- NSPS op 02: 24
- Div. 1 EOG unavailable
- Div. 2 SX available
- Div. 2 AC bus OOS
- Div. 2 ACI/S & op *
- Div. 1 DC unav ailable 01:30
- ROC restorabl e
- Div. 2 DCOOS
- Div. 2 DCI/S & op
- LPCS (Div. 1) unavailable HPCS recover able (using Div. 1 DC Power) End hydro
- Div. 2 SX unavailabl e 08:00
- RHR / SDCA unavailabl e (aft erfill & vent) HPCS 02:30
- RHR/SOC A 1/S
- ERAT 00$ 00:30 Avail able 12:53 5/16 11:18 5/18 5/ 9 5/12 00:00 C0:00 5/14 rooo 00:00 II C0:00 5/11 C0:00 5/13 00:00 23:28
- RHR/ SDC 8 1/S I 5/15 C0:00 5/17 C0:00 17:25 00:20
- RHR/ SDC A 005 Div. 2 AC Bus 1/S 05:13 15:04 ERAT 1/S 23:09 Div. 2 EOG availab le
- RHR/ SDC 8
- operable*
- LPCI C & SRVs available Actual relative risk level Planned risk level (not t o sca le)
Version Date: 07-23* 2018 OFFICIAL USE ONLY SECORIT'f RELATED INFORMATION 2
OFFICIAL USE ONLY SEtJRITY RELATED INFORMAil<>N The following assumptions were made in performing the detailed risk evaluation.
- 1. The time to boil in the reactor coolant system was assumed to be approximately 4 hours, based on Exelon document CL-SDP-010 Rev. 1. This calculation assumes the starting water level is approximately six inches below the RPV flange.
- 2. The time to top of active fuel, a surrogate for core damage, varies from approximately 10 to 24 hours depending on plant configuration assumptions. These values were based on Exelon document CL- SDP- 010 Rev. 1. If the reactor is maintained at low pressure, then the time to core uncovery is about 24 hours. If the reactor pressure increases then the time to uncovery is estimated between 10 and 13 hours. Both calculations assume the starting water level is approximately six inches below the RPV flange.
- 3. Core uncovery is the normal at-power surrogate for core damage. During shutdown ,
core damage is expected between 1/3 and 2/3 core height which is somewhat after core uncovery, therefore, using core uncovery as a surrogate for core damage is conservative.
- 4. The following equipment was out of service and was considered to be unavailable and non-recoverable:
- EDG 1A;
- 480v AC bus 1A;
- 480v AC bus A;
- NSPS 120v Power distribution panel bus A;
- Division 1 normal 125v DC battery charger 1A; and
- RHR pump A.
- 5. The following equipment was available:
- All FLEX equipment;
- RHR train B;
- RHR heat exchanger A;
- Both suppression pool cleanup (SF) pumps and the associated piping (Note:
there was a very short period at the beginning of the 3.5 days when one SF pump was not available. Because this availability was short and with the knowledge that the results are not driven by mitigating system availability, this unavailability was ignored.);
- All B5b equipment;
- 480v AC aux. building bus 1L;
- 480v AC aux. building bus 1M;
- 480v AC aux. building bus 1D;
- 480v AC aux. building bus 1E (feed to 125v DC battery charger 1F); and
- 125v DC battery (swing) charger 1F (feed from 480v AC aux. building bus 1E).
- 6. The NRC used the SPAR-H Human Reliability Method to evaluate the many operator actions in the model. For all of the human error probabilities evaluated, the performance shaping factor "stress" was considered to be "high" for both diagnosis and action because the plant would be in a station blackout condition. In many of the Human Error OFFICIAL USE 0'4LY SECURITY RELATED INFORMATION 3
QEEICIAL USE ONLY SECURITY REL.\TED INFORMATION Probability (HEP) evaluations, "complexity" was determined to be either "moderate" or "high" because the operators would be in multiple procedures in multiple plant locations. Many of the actions are local, infrequently or never performed, and some have very limited training. In many cases, "ergonomics" was also rated as "poor" because the local actions may be physically demanding and in difficult SBO conditions (on emergency lighting at best and without any ventilation). Table 2 below contains a summary of the dominant HEPs.
- 7. None of the many actions modeled to mitigate the postulated LOOP/SBO event were assumed to be resource limited. This is in recognition that the plant was in a refueling outage with extra operations, maintenance and engineering staff available. The detailed risk evaluation models operator action for four different methods to re-establish electrical power to Division 2 (EDG recovery, offsite power recovery, FLEX, Division 3 to Division 2 crosstie), two additional (beyond the normal use of SRVs after restoring emergency power) methods to maintain the reactor de-pressurized (FLEX and B.5.b), three additional methods (beyond using ECCS after restoring emergency power) to inject to the Reactor Coolant System (RCS) at low pressure (two FLEX methods and the diesel driven fire pumps), two methods to inject to the RCS at high pressure (HPCS and RCIC),
and two additional methods to remove decay heat (FLEX suppression pool cooling and containment venting). All of these require operator action. Many require significant operator effort. In addition to these actions there are other important, non-modeled actions that would also be in progress, such as actions to establish primary and secondary containment and actions for emergency response such as accountability and notifications.
- 8. Few of the many actions modeled to mitigate the postulated LOOP/Station Black Out (SBO) were assumed to be limited by time available. However, the overall sequence was modeled assuming operators have 1 hour to recover the Division 2 EDG before ELAP is declared. Once ELAP is declared, operators will pursue the FLEX method to re-power Division 2. If FLEX fails, the Division 3 cross-tie, is modeled. For the dominant sequence, the time to core damage is approximately 13 hours, this was considered to be adequate time with some margin, but not extra or expansive time, given the level of manual effort required and the number of concurrent methods of mitigation that were modeled.
- 9. The high pressure core spray system was unavailable during most of the 3.5 day exposure period due to planned maintenance. Initially, for a period of 49 hours, it was not recoverable. Later, for a duration of 34 hours, it was modeled as recoverable, and in the last 4.5 hours of the exposure period, the system was fully available. The impact of the status of HPCS over the exposure period was addressed by running three separate cases - HPCS unavailable, HPCS recoverable, and HPCS at nominal failure probabilities. The results were combined in a spreadsheet to obtain the final result. To estimate the HEP for the operator failure to recover HPCS during the 44 hours it was recoverable, the performance shaping factors that were determined to be performance drivers were stress for diagnosis, and stress and complexity for action. Stress was evaluated as "high" because the plant would be in a station blackout condition.
Complexity was rated as "moderate". Under normal conditions, this would not be a complex task, but in response to a station blackout with multiple procedures and mitigating strategies in progress, complexity is increased. OFFICIAL USE ONLY SECURITY RELATED INFORMATION 4
OFFICIAL USE ONLY - SECURI I f RELATED INFORMATION
- 10. The RCIC system was unavailable due to plant conditions. During the 3.5 days of interest, the plant was in cold shutdown with reactor coolant system water level above the steam lines. However, the RCIC system was not undergoing any maintenance and cou ld have been put into service if an event had occurred, steam was available due to RCS heat-up and boiling, and water level had decreased below the steam line. While possible, extensive work would be required to prepare the RCS for operations at normal pressure and temperature. Licensee procedure CPS 3002.01 controlled this process.
This 40 page document is the normal startup procedure. It assumes normal electrical power is available to realign systems. While much of this procedure would not be required to prepare the RCS for RCIC operation and extensive amount of procedure triage would be required. The HEP for the operator failure to put RCIC into service under the postulated conditions is 7.5E-1. The HEP was dominated by failure to perform the action. The performance drivers were considered to be time (this is one of the few HEPs that was impacted by time available), stress, complexity, experience/training, and ergonomics. The time available was assumed to be about equal to the time required, stress was considered to be "high", complexity was "high", experience/training was "low", and ergonomics was "poor". 11 . Electrical power recovery to Division 2 could be successful via offsite power recovery, recovery of Division 2 diesel generator, use of FLEX, or crosstie of the Division 3 diesel generator to the Division 2 4kV bus. The detailed risk evaluation assumes that the operators will initially try to recover the diesel generator. If recovery is not successful , operators will transition to FLEX implementation, and if FLEX fails, the evaluation models the potential to implement the crosstie.
- 12. The Division 2 EOG was recoverable and the risk evaluation shows that the operators would be very likely to recover it. However, the potential for operators failing to recover the diesel generator was evaluated. The failure to recover the diesel generator was assigned a human error probability of 0.202 (20 percent failure, 80 percent success rate). This is a factor of 4 lower than the data/statistically derived failure to recover probability. The NRC assumed that 1 hour was available to recover AC power to Division 2 by recovering the EOG. At 1 hour, ELAP declaration and implementation of FLEX electrical power to Division 2 would commence. Diesel generator recovery is further complicated by station blackout load shedding that removes all DC control power from the diesel generator and the FLEX electrical alignment which also impacts Division 2 EOG components. Recovery of the Division 2 EOG after 1 hour into an SBO does not represent successful recovery of Division 2 AC power. Operator actions to back out of ELAP, FLEX implementation, and load shedding to restore the EOG is not governed by procedures, is not a simple, skill of the craft task, and has no training. It was not credited in the risk evaluation consistent with general PRA/HRA assumptions and the Risk Assessment Standardization Project (RASP) guidance.
- 13. The human error probability for the failure to recover Division 2 EOG was estimated at 0.202. The performance shaping factors that were determined to be performance drivers were Stress and Experience/Training for Diagnosis, and Stress for Action.
Stress was considered to be "high" because the pliant would be in a station blackout condition. Experience/Training for Diagnosis was considered to "low." Plant staff perform troubleshooting as a regular job task, however, operators have not trained on, experienced or been exposed to troubleshooting a failure of the "protected" diesel generator during a shutdown SBO. OFFICIAL use ONEY SECURITY RELATED INFORMATION 5
_QfFU:IAI IISE ONLY- SECURITY RELATED INFORMATION
- 14. The human error probability for the failure to implement the FLEX electrical line-up was estimated at 2.5E-1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity and experience/training for action. Stress was considered to be "high" because the plant would be in a station blackout condition. The action to align the FLEX electrical system was considered to be both "highly" complex and was assigned "low" experience/training.
The procedure requires many in-plant actions under difficult conditions and the alignment has never been implemented.
- 15. The human error probability for the failure to implement the Division 3 to Division 2 crosstie was estimated at 2.7E-1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity, experience/training, and ergonomics for action. Stress was considered to be "high" because the plant would be in a station blackout condition . The action to implement the cross-tie was considered to be "highly" complex and was assigned "low" experience/training and "poor" ergonomics. The procedure has both in-plant and control room actions in multiple locations and has received very little training.
- 16. Offsite power recovery is also modeled but is complicated by electrical system re-alignment when FLEX or the Division 3 cross-tie are attempted but fail. These strateg ies significantly alter the electrical distribution system. The detailed risk evaluation models offsite power non-recovery at 13 hours or 24 hours, depending on the seq uence. The offsite power recovery curve is used along with a human error probability for the failure to realign the electrical system once other sources of power have been attempted but failed. The performance shaping factors that were considered to be performance drivers for the failure to realign the electrical system were stress for diagnosis and action and procedures for action. Stress was considered to be "high" because the plant would be in a station blackout condition. Procedures were considered to be "incomplete" as there are procedures for aligning offsite power sources but they would not specifically address the electrical alignment that would exist after FLEX and the crosstie have been attempted but not successfully implemented. The HEP was estimated at 7.61 E-2.
- 17. Alignment of alternate suppression pool cooling using FLEX equipment was modeled.
The human error probability was estimated at 2.33E-1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity, experience/training, and ergonomics for action. Diagnosis was considered to be "obvious" as the need for suppression pool cooling during SBO events is well understood. Stress was considered to be "high" because the plant would be in a station blackout condition. The action was considered to be "moderately" complex, have "low" experience/training, and "poor" ergonomics. The steps to perform the action are performed outside the control room in poor lighting and there is infrequent training and no actual experience. The procedure describes some of the steps as physically demanding and some are in high radiation areas.
- 18. Two methods of RCS Injection using FLEX equipment were modeled. The easier method would be to re-align the FLEX SPC method for injection. The human error probability for this action was estimated at 4E- 3. The less preferred method, using the diesel-driven FLEX pumps, was estimated at 1.1 E-1. For the easier method, the OFFICIAL tJSE ONLY SECURITY RELATED INFORMATION 6
OFFICIAL USE ONLi - SECURITY RELATED INF<>RM4IIQN performance shaping factors that were determined to be performance drivers were stress for diagnosis and action. The diagnosis was also assumed to be obvious, given that the FLEX suppression pool cooling alignment would already be in place and working successfully. Minimal additional action would be required to re-align the system for injection. The actions to use the less preferred method of direct injection from the lake with the diesel driven pumps was not an important action driving the results of the analysis.
- 19. Alignment of the ultimate heat sink using FLEX equipment was modeled. The human error probability was estimated at 1.39E-2. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action and time, complexity, experience/training, and ergonomics for action. Diagnosis was considered to be "obvious" similar to the rating for aligning suppression pool cooling. Stress was considered to be "high" because the plant would be in station blackout condition. The time available for the action was considered to be greater than 5x the time required .
Complexity was considered to be "moderate", experience/training "low", and ergonomics "poor". The steps to perform the action are performed outside the control room in poor lighting and there is infrequent training and no actual experience. The procedure describes some of the steps as physically demanding and some are in high radiation areas.
- 20. Use of B.5.b equipment and strategies to maintain the reactor depressurized was modeled with an operator action that was highly dependent on the operator action to use FLEX strategies. The FLEX strategy to maintain the reactor depressurized was assumed to be the preferred method. The human error probability for the dependent operator action was 5 .2E-1 .
- 21. Primary containment was open during the exposure time. However, procedures would instruct operators to take action to establish primary containment. The detailed risk evaluation assumes that operators would take this action and would establish primary containment. If suppression pool cooling is not established, then containment venting would be required, consistent with at-power PRA model assumptions. Manual venting of containment was credited. These are long sequences containing success of core cooling via injection but failure to establish suppression pool cooling. These assumptions did not impact the dominant core damage sequences.
- 22. Alternate injection with fire water system was modeled with equipment failures and an operator action for the failure to align the system. This method was assumed to be the least preferred method of low pressure injection. The operator failure to align fire water injection was assigned an HEP of 1.2E- 1 and was not modeled as dependent on previous operator actions, a possible non-conservative assumption. These assumptions did not impact the dominant core damage sequences.
- 23. The FLEX diesel generators were assigned a failure to start of 7.2E-2 and a fa ilure to run for the mission time of 1.5E-1 . The failure to start was based on actual plant operating experience. The run time data for the driesel generators was very limited and could not be used to estimate the failure to run probability. The failure to run for emergency diesel generators was multiplied by a factor of 5 based on analyst judgement to obtain the failure to run rate of the FLEX diesel generator.
OFFICIAL USE OHL¥ SECURITY RELATED INFORMATION 7
OFFICIAL IISE ONLY SEeURITY-RELATED INFORMATION
- 24. The FLEX diesel-driven pumps were assigned a failure to start of 1E-2 and a failure to run of 2.1 E-1. Based on analyst judgment these failure rates we set at five times the corresponding failure rates for permanently installed diesel driven fire pumps .
- 25. FLEX equipment was assigned a failure probability due to design or construction of SE-2 . The FLEX strategies, although carefully developed and reviewed for the Mitigating Strategies Order, have never been fully demonstrated. Latent design or construction errors could exist.
- 26. The Division 3 to the Division 2 cross-tie was assigned a failure probability due to design error of 2E- 2. Both divisions are normally in-service but never cross-tied and the cross-tie has never been fully demonstrated.
OFFICIAL USE Ol(jl'f SECUR1n* REI ATEO INFORMATION 8
OFFICIAL USE OHL¥ SECURITY RELATED INFORMAIION Table 2: Summarv of Dominant HRA Results [(6XW) SECURITY RELATED INFORMATION 9
0
OFFICIAL USE ONLY - SECURITY RELATED INFORMATION References
- 1. Clinton SPAR Model, Revision 8.54 with Modifications
- 2. NUREG- 1842, "Good Practices for Implementing Human Reliability Analysis."
April 2005
- 3. NUREG/CR-6595 Revision 1, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events." October 2004
- 4. NUREG/CR- 6883, "The SPAR-H Human Reliability Analysis Method"
- 5. INL/EXT 18533, "SPAR-H Step-by-Step Guidance"
- 6. RASP Manual Volume 1 - Internal Events, Revision 2.02 date December 2017
- 7. NUREG/CR- 1278, "Handbook of HRA with Emphasis on Nuclear Power Plant Applications," August 1983
- 8. Analysis of Loss-of Offsite-Power Events 1987- 2016, INL/EXT- 17-42376 August 2017 (https ://nrcoe .inl.gov/resultsdb/publicdocs/LOSP/loop-summary-update-2016.pdf)
- 9. IMC 0609 Appendix G, "Shutdown Operations SDP"
- 10. NUMARC 91 - 06, "Guidelines for Industry Actions to Assess Shutdown Management."
December 1991 11 . CPS 3002.01 R32e Heatup and Pressurization
- 12. CPS 3312.03 R11d SDC and FPC Assist
- 13. CPS 3501 .01 High Voltage Auxiliary Power System
- 14. CPS 3506.01 EDG and Support Systems
- 15. CPS 3506.01 P002 Division 2 Diesel Generator Operations
- 16. CPS 4006.01 Loss of SDC
- 17. CPS 4200.01 Loss of AC Power
- 18. CPS 4200.01C002 DC Load Shedding during SBO
- 19. CPS 4303.01 P001 Containment Venting Without AC Power Available
- 20. CPS 4303.01 P004 SRV Operation With External DC Power 21 . CPS 4303.01 P023 Cross-Connecting Div. 3 DG to Div. 1(2) ECCS Electrical Susses
- 22. CPS 4306.01 P001 FLEX Electrical Connection
- 23. CPS 4306.01 P002 FLEX UHS Water Supply
- 24. CPS 4306.01 P003 FLEX Suppression Pool Cooling
- 25. CPS 4306.01 P004 FLEX Low Pressure RPV Makeup
- 26. CPS 4306.01 P017 ELAP During Modes 4 and 5
- 27. CPS 5285_R27c Alarm Panel 5285 Annunciators at 1PL12JB
- 28. CPS 5061 .07 Alarm Panel 5061 Annunciators - Row 7
- 29. CPS 4411 .03 Injection Flooding Sources
- 30. CPS 441 1.06 Emergency Containment Venting, Purging and Vacuum Relief
- 31. CPS 9065.01 Secondary Containment Access Integrity
- 32. EOP- 1 RPV Control
- 33. EOP-2 RPV Flooding
- 34. EOP- 3 Emergency RPV Depressurization (Slowdown)
- 35. EOP-6 Primary Containment Control
- 36. EOP-8 Secondary Containment Control
- 37. CC- AA- 118 Corporate FLEX Process Guidance
- 38. OU-AA-103 Shutdown Safety Management Program
- 39. OU-CL-104 Shutdown Safety Management Program (Clinton Power Station)
- 40. CL- SDP- 01 O Risk Assessment - May 2018 Outage: Division 2 DG 1B Unavailable with Division 1 Bus Unavailable, Rev. 0
- 41. DB430301 DBIG-Extensive Damage Mitigation Guide, Rev. 5 OFFICIAL USE ONLY SECURITY Rf:L/\TED nqfuRMA I ION 11
OFFICIAL USE ONLY --- SECURITY-RELATED INFORMATION
- 42. N-CL-OPS-DB430601 , FLEX, Rev. 0
- 43. SE-LOP-162, Extensive Damage Mitigation, Rev. 0
- 44. SE-LOR-4306, FLEX Event, Rev. 0 OFFICIAL USE ONLY SECURITY RELATED INFORM4 I IOfC 12
OFFICIAL USE ONLY SECtJRITf- RELATEO INFORMATION Event Tree and Fault Tree Figures 00 ' Loss of Offsite Power - M4 EMERGENCY POWER AC POWER RECOVERY - 24 # End State LATE SUPPLY - (DIV I AND II) / 1 Hours (Phase - CD) SD-M4L-Loa> SD-EPS SD-AC- REC-24H 0 0 I 1 I SD-M4L-LOOP-T 0 I 0 I 0 I 2 I SD-M4L-LOOP-T 0 I 3 I SD-M4L-LOOP-T OFFICIAL USE ONLY SECURI IV RELATED INFORMATION 13
~;~~~;;~~==~=:==~~='.==-
~~~- :===;
- - : : :=---?. , ==~
I
- I
---,:===-;;___(====
0- 0---
~ ~~ ~~ ~~ ===;;_- -~ == o---1 o---1 I II OK I OK 2
OK 0--- I I *' I OK
-- lowpressuren~ion - -o- IL *~!:::
I ====:~=
, o---1' 1 _ I ,. ---0--- -,===- '-' !" '""""'""" 0---1 7 I OK I LoWOff!l$1.11"elnjeeti:in o--[ °===-, - ;_--'~ . =- o---.
0---I I I o--j
- I
- 8
' I OK OK *I *I ~ I I o--------f=*oo o-- " I -
o---1 I I
---o-- -===
oK 1 12 1 0--- I 13 I
- OK
*I - 0---I
- I GT20...... co o--- ** I 0---I "
a,~o OK II o---1 co-, o I 0--- I "I *I I"I OK
*II o=-L 0---
0--- I "I I '° I OK
*I o--{
OK
*-*-* C>----j__~ o---
0---
- Hlghpre~1n I ~ **-*oo 0---1l " u I a,~
OK I
---- IIIJecticn TTCU-1Q-t I o---1" 1 - I ~ ~ o - - -l--=.-"-1..I____
SECURITY 14
OFFICIAL QSE QISILY - SECURITY RELATED INFORMA I IQN 1gure 4 AC Power Recoverv Fau It Tree AC POWER RECOVERY
- 24 / 1 Hours SD*AC*REC*24H I
~ I OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 1 HOUR EPS*XHE*XL*NROlH SD-AC*REC*24H 3 8.88E*Ol 7
OPERATOR FAILS TO RECOVER EOG B I N 1 HOUR due to Start Air Issue EPS*XHE*XM-NROlH OPERATOR FAILS TO RECOVER 2.02E*Ol OFFSITE POWER IN 24 HOURS OEP*XHE*XL-NR24H u 5.91E-02 Operator fails to recovery electrical distribution system afteroffsite power recovery SD-XHE-XL-ELAP 7.60E-02 OFFICIAL USE ONEV SECURITY RELATED INFORMATION 15
OFFICIAL I !SE OHLY SECURITY RELA I ED INFORMATION Figure 5: Manual De ressurization Fault Tree MANUAL REACTOR DEPRESS SD-DEP ADS SRV FAILURE DUE TO SEISMIC ADS VALVES FAIL FROM COM MON EVENT CAUSE ADS-SRV-EO ADS-SRV-CF-VALVS External 1.SSE-06 CLINTON ADS SUPPORT SYSTEMS OPERATOR FAILS TO Manually FAIL Depressurize Reactor DEP-SS ADS-XHE-XM-MDEPR External 5.00E-04 OPERATOR FAILS TO INITIATE REACTOR DEPRESSURIZATION GIVEN SEISMIC EVENT u ADS-XH E-DPR-EOK External D OFFICIAL U SE ONLY SECURITY RELATED INFORMA I ION 16
OFFICIAL USE ONLY-SECURITY-RELATED INFORMATION Figure 6: Division 1125 Power Fault Tree shows FLEX linkage) CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE Normal DC Power FLEX DC Power DCP-125V-1A-LTS DCP-125V-1A-LTl CLINTON DIVISION I AC POWER FAILURE OF DIVISION I 125VDC BU FLEX AC Electrical System CCF OF 125VDC BATTERYS (3) SYSTEM FAULT TREE IA ACP*4KVBUS* IA1 DCP-BDC*LP-IA FLEX*ELEC DCP*BAT*CF*ALL External 5.21E*06 External 3.SSE-08 DC BATT CHARGERS FAILURE FROM FAILURE OF DIVISION I 125VDC FAILURE OF DIVISION I 125VDC SEISMIC EVENT BATTERY CHARGER BATTERY DCP-BCH-EO DCP-BCH -LP-IA DCP-BAT*LP* IA External 6.17E-05 7.97E-06 u BATTERY CHARGERS FAIL FROM COMMON CAUSE FAILURE OF DIVISION I 125VDC BU IA DCP*BCH *CF-CHRS OCP*BDC-LP* IA 2.I OE-07 5.21E-06 DIVISION I 125VDC BATTERY FAILURE OF BOP 125VOC BATTERY CHARGER in Test and Maintenance CHARGER IE DCP*BCH*TM*IA DCP*BCH *LP* If 2.00E-03 6.17E*OS () BATTERY CHARGERS FAIL FROM COMMON CAUSE DCP*BCH*CF*CHRS 2.l OE-07 () OFFICIAL USE ONE r SECURITY RELATED INFORMATION 17
OFFICIAi IISE ONLY SEGl;;IRITV-RELATED INFORMATION Figure 7: FLEX Electrical Fault~T_re -'--e- - - - - - - - ~ FLEX AC Electrical System FLEX-ELEC FLEX Diesel Generators FLEXAC Bus Equipmernt Failures ACP-FLEX-BUS FLEX-ELEC4 2.29E-05 Operator Fails to Setup and Run FLEXDG and Electrical Distribution SD-XHE-XM-FELEC FLEX Diesel 1 (permanently installed FLEX Diesel 2 (portable) 2.SOE-01 FLEX Electrical Connection Fails due FLEX-ELEC41 FLEX-ELEC42 to DesignorConstruction FLEX-ELEC-CONNECT 5.00E-02 CCF of FLEX Diesel Generato rs 1 and 2 to Run FLEX Diesel Generator 1 Fails to Run FLEX Diesel Generate r 2 Fails to Run EPS-FDGN-CF-FR 2.37E-03 EPS-DGN-FR-FDGl EPS-DGN-FR-FDG2 CCF of FLEX Diesel Generato rs 1 and 1.SOE-01 1.SOE-01 2 to Start FLEX Diesel Generator 1 Fails to FLEX Diesel Generator 2 Fails to Start Start EPS-FDGN-CF-FS 6.90E-04 EPS-DG N-FS-FDGl EPS-DGN-FS-FDG2 FLEX Feed Breaker to 1FX07E (CB 7.20E-02 7.20E-02 762 el .. west stairway) FLEX Diesel Generator 1Unavailable FLEXDiesel Generate r2 Unavailable because ofTest or Maintenance becauseofTest or Maintenance ACP-FLEX-CRB-FX01E-CB02 1.03E-03 EPS-DGN-TM-FDGl 1.48E-02 EPS-DGN-TM-FDG2 1.48E-02 u u FLEX Diesel 2 (portable) Fails due to Improper Transport or Setup EPS-DGN-XR-FDG 5.00E-02 u OFFICIAi use ONLY SECURITY RELATED INFORMATION 18
OFFICIAL IISE dNLY - SECURITY RELATED INFORMATION Figure 8: Alternate Injection Fault Tree (includes FLEX) ALTERNATE INJECTION - CDS SWS FWSand FLEX SD-ALT-INJ All FLEXInjection Fails due to Dependent Fail ure SD-XHE-XM-FLEXINJFAn. SD-ALT-INJS Ignore y CONDENSATE u CDS External CLINTON SSW INJECTION FAULT TREE 551 External CLINTON FIREWATER SYSTEM FAULT TREEduring Shutdown ELAP SD-FWS External FLEXRCS Injection using Diesel FLEX Pumps (CPS 4306.01P004 Section 4.4 and 4306.01P002) FLEX-RCS-INJ External FLEX Suppression Pool Clecn.p Inject into RCS (4306.01P004 Section 4.1) FLEX-SPC-INJ External 6 OFFICIAL USE ONLY SECURITY RELATED INFORMATION 19
QEEIC:IAL USE ot~LY SECURITY RELA I EU INFdRMAJION Figure 9: RCS Injection using FLEX Diesel Driven FLEX Pumps Fault Tree FLEXRCSlnjectlon uslng Diesel FLEX Pumps (CPS 4306.01P004 Section 4.4 and 4306.01P002) FLEX*RCS*INJ I I I I FLEX UHS System (4306.01P002) FLEX RCS Injection vis LPI FLEXRCS Injection Connection Fails due to Desig n or Construction SD-FUHS FLEX-RCS-CONNECT External FRCS-INJ13 5.00E-02 6 y Injection into RCSusing FLEX Diesel Driven Pumps (4306.01P002 Sectio ns 4.3 and 4.4) I SD*XHE*XM*FRCS FLEX Injection Via LPCS FLEX Injection Via RHR C 1.lOE-01 0 FRCS*INJ 130 FRCS*INJ131 H H LPCS INJECTION CKV F006 FAILS TC LPCI TRAIN C INJECTION MOV OPEN RHR42C FAILS TO OPEN LCS-CKV*CC*FOOi RHR*MOV-CC*F042C 9.24E*06 8.16E*04 LPCS INJECTION MOV FOOS FAILS LPCI INJECTION CKV F041C FAILS TO OPEN TO OPEN LCS-MOV*CC-F005 RHR*CKV*CC*41C 8.16E-04 9.24E-06 LPCI CKVS F041C, LCS F006 FAIL LPCI CKVS F041C, LCS F006 FAIL FROM COMMON CAUSE FROM COMMON CAUSE LCS*CKV-CF*FINJB'.: LCS*CKV*CF*FINJB'.: 1.94E*07 1.94E*07 LPCI Train C Vent Valve Fails to LPCS VentV<1lve Fails to Open (FLEX Open (FLEX connection point) connection point) LPCI* MV-CC*F088 LPSC*MV-CC-F374 4.59E-04 4.59E-04 0 0 OFFICIAL USE ONLY SECURITY RELATED IHFORMATIQN 20
OFFICIAL USE ONLY SECURITY RELA I ED INFORMATION = Figure 10: FLEX Ultimate Heat Sink S~stem Fault Tree FLEX UHS System (4306.01P002) SD-FUHS FLEX Engine Driven Pumps SSW A TIE TO PSW MOV SSW 14A FAILS TO CLOSE SSW-MOV-OO-SSW14A SD-FUHSl 8.16E-04 Operator Fails to Setup and Run FLEX Ultimate Heat Sink System ( 4306.01P002) SD-XHE-XM -FUHS FLEX Pump 1 Fails FLEX Pump 2 Fails 1.40E-01 FLEX PUMPS FAIL FROM COMMON CAUSE TO RUN SD-FUHSlO SD-FUHSl l FLEX-EDP-CF-FR 6.12E-03 FLEX PUMPS FAIL FROM COMMON CAUSE TO START FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS TO RUN TO RUN FLEX-EDP-CF-FS 2.90E-04 FLEX-EDP-FR-1 FLEX-EDP-FR-2 FLEX Diesel Driven Pump Connection 2.00E-01 2.00E-01 Fails due to Design or Construction FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS TO START TO START FLEX-EDP-CONNECT 5.00E-02 FLEX-EDP-FS-1 FLEX-EDP-FS-2 FLEX Manifo ld Isolation Valve Fails 1.00E-02 1.00E-02 Closed u u FLEX-MV-CC-1XF003 4.59E-04 FLEX Pipe Manifold Isolation Valve to SXDiv. lor 2Fails Closed FLEX-MV-CC-lXFOOlC 4.59E-04 FLEX Water Injection to SX Valve Div .1 or 2 Fails Closed SSW-MV-CC-SXF354 4.59E-04 u OFFICIAL I ISE ONLY SECURITY RELATED INFORMATION 21
OFFICIAL I ISE ONLY SECURITY RELATED IN FOR MA I ION Figure 11: RCS Injection using FLEX Su ~ression Pool Cleanup Fault Tree FLEX Sup pression Pool Clear1.4> Inject into RCS (4306.01P004 Section 4.1) FLEX*SPC*INJ I I I I FLEX Suppression Pool Cleanup ard FLEX Injection Paths Fail LPCI INJECTION MOVS RHR 42A,B,C Transfer FAIL FROM COM MON CAUSE FLEX*SPC RHR*MOV*CF*F042 External FLEX-SPC-INJ2 3.57E-06 6 y LPCI CKVS 41A,B,C FAIL FROM COMMON CAUSE I RHR*CKV*CF-F041 FLEX InJectin Path via Train A FLEX InJeetin Path via Train B 6.07E-08 Operator Fails RCS Injection using FLEX SPC (4306.01P004 Section 4.1) FLEX*SPC*INJ20 FLEX*SPC*INJ21 50-XHE*XM*FINJ H H 4.00E-03 RHR A MOV 27A FAILS TO OPEN LPCI TRA IN B INJECTION MOV u RHR42B FAILS TO OPEN RHR-MOV-CC-F027A RHR*MOV-CC*F042B 8.16E*04 8.16E*04 LPCI TRAIN A INJECTION MOV LPCI INJECTION CKV F0418 FAILS RHR42A FAILS TO OPEN TO OPEN RH R*MOV-CC-F042A RHR-CKV*CC-418 8.16E-04 9.24E-06 LPCI INJECTION CKV F041A FAILS RHR A MOV 276 FAILS TO OPEN TO OPEN RHR*CKV*CC*41A RHR-MOV*CC*F027B 9.24E*06 8.16E*04 0 0 OFFICIAL USE ONE t SECU R'.I I t RELATED INFORMATION 22
01 FICIAL tJSE ONLY SECURI IV RELATED INFORMATION Figure 12: FLEX Suppression Pool Cleanu and Transfer Fault Tree FLEX Suppress lo n Pool Cleanup lid Transfer FLEX*SPC I I I I I Suppression Pool Cleanup (FS) RHRH eat Exmangers NotAvailable FLEX AC Electrical System CCF OF SF MDPS TO RUN Pumps Not A"Yailable FLEX*ELEC SF*MDP-CF*FR FFC2 FFC8 External 9.81E*07 I Suppression Pool Cleanup (FS) PUMP L.J I Suppression Pool Cleanup (FS) PUr-t' y CLINTON FLEX SPC LOOP B IS FLEX UHS System (4306.01P002) SD*FUHS CCF OF Sf MOP'S TO START SF*MDP*CF*STRT External 4.5BE*06 A ISUNAVAl lABLE B ISUNAVAllABLE UNAVAl lABLE FSPC*B 6 SF COOLJNG SUCTION MOV F004 FFC64 FFC73 External SF*MOV*CC*FOO'I CLINTON FLEX SPC LOOP A IS 1 Suppression Pool Cleaflll) ard Transfer MDP l A FAILS TO START 1 Suppression Pool Cleanl.4) an:l Transfer MOP 18 FAILS TO START FSPC*A External UNAVAllABLE 8.16E-04 Sf COOLING SUCTION Manual F003 SF*VLV-CC*FOO} Sf-MDP-FS-l A SF-MOP-FS-1B 6 8.16E*04 SF COOLING D ischargeAOV F01 1 1.091:-03 l.09E*03 SuppressiolnPool Clean..p cn:I Suppressloln Pool Clea"-" an:! Transfer MOP I A FAILS TO RUN Transfer MOP lB FAILS TO RUN Sf*AOV-CC*F011 7.SSE*04 Sf*MOP*FR* l A SF*MOP*FR* 1B SF COOLING Valve F041 9.00E-05 9.00E-05 SF MOP 6A DISCHARGE CHECK SF MOP 6B DISCHARGE CHECK VALVE FAILS TO OPEN VALVE FAILS TO OPEN SF*MOV*CC*F04l 8.16E*04 SF-CKV*CC*6A SF-CKV*CC*6B Operator Falls SUppresslon AJol 9.24E-06 9.24E-06 Cooling using FU:X SF MOP LA UNAVAl lABLEOUETO SF MOP l B UNAVAl lABLE DUE TO TEST AND MAINTENANCE TEST AND MAINTENANCE SO*XHE*XM*FSPC 2.33E*Ol SF*MDP-TM*lA SF*MOP-1~1-!B FLEXSUppression Pool COOll'g 4.561:-03 4.56E-03 Conne<:tlonFallsducto Design or SF COOLING Discharge MOV FOi 0A SF COOLING Discharge MOV FOJOB Constructi:>n FLEX*SPC*CON N ECT S.OOE*02 Sf*MOV*CC*FOl!i\
- 8. 16E-04 SF*MOV*CC*FOIOB 8.16E-04 u u u OFFICIAL USE ONL'f SECURI I Y RELATED INFORMATION 23
OFFICIAi I !SE ONLY SECURITY RELATED INFORMATION Figure 13: FLEX Sue ression Pool Coolin using RHR Heat Exchanger A Fault Tree CLINTON FLEX SPC LOOP A IS UNAVAILABLE FSPC-A RHR/SSW HEAT EXCHANGE FAILS LOOP A SPC INJECT MOV RHR 24A FAILS TO OPEN RHR-FLEX-HXA RHR-MOV-CC-F024A External 8.16E-04 SP INJECTION MOVS 24A,B COMMON CAUSE FAIL TO OPEN RH R-MOV-CF-F024 l.lSE-05 RHR PUMP MIN FLOW MOVSA,B,C FAIL FROM COMMON CAUSE RHR-MOV-CF-MINFL 3.57E-06 u OFFICIAi IISE ONLY SEOijRIT'f RELAIED INFORMATION 24
OFFICIAL USE ONE, - SECURITY RELA I ED INFORMATION Figure 14: RHR Heat Exchanger A for FLEX SPC Fault Tree RHR/SSW HEAT EXCHANGE FAILS RHR-FLEX-HXA RHR HTXS FAIL FROM COMMON CAUSE RHR-HlX-CF-RHRHX 2.41E-07 RHR HlX BYPASS VALVES FAIL FROM COMMON CAUSE RHR-MOV-CF-HXBPS 1.lSE-05 RHR LOOP A HlX BYPASS MOV RHR 48A FAILS TO CLOSE RHR-MOV-00-BYPS<\ 8.16E-04 RHR MOVS F003A,B FAIL FROM COMMON CAUSE RHR-MOV-CF-HXDIS 1.lSE-05 RHR HlXA DISCHARGE MOV 3A FAILS TO OPEN RHR-MOV-CC-F003A 8.16E-04 RHR HTX A FAILS RHR-HTX-PG-HTXA 8.88E-06 RHR HlX SSW SUPPLY VALVE F014A FAILS TO OPEN SSW-MOV-CC-F014A 8.16E-04 RHR HTX SSW OUTLET ISOLATION VLV F068A FAILS TO OPEN SSW-MOV-CC-F068A 8.16E-04 u OFI ICIAL tJS E ONLY SECURI I V REI ATED INFORMATION 25
OFFICIAL USE ONU - SECURIT1 wl<ELATED INFOR MATION Figure 15: Containment Venting-' Fault Tree CONTAINMENT VENTING
- SD SD-CVS y
I I I CONTAINMENT (SUPPRESSION Venting of Containment with Manual Containment Failure Causes POOL) VENTING Valves (CPS 4303.0lPOOl) Injection Failure CVS CF-IF External SD*CVS4 2.00E-01 D H u IFC012B Containment Pools Drain Valveto Spent Fuel Pool Closed Fails Close:! FC*MV*CC*126 4.59E-04 IFC012A Containment Pools Drain Valve to Surge Tank Closed Fails Close:! FC-MV-CC-12A 4.59E-04 Operator Fails to ManuallyVent Containment with 1FC012A & B (CPS 4303.0lPOOl) FC*XHE*XM* MCV 4.20E-03 u
-= OFFICIAL U SE ONLY SECtJff:ITY RELATED INfCJRMATION 26
OFFICIAL USE ONL'f - SECURITY RELATED INFORMATION Figure 16: Electrical Cross-Tie Division 3 to Division 2 Fault Tree Electrical Connection Div. 3 to Div. 2 ELEC_XTIE CLINTON DIVISION III AC POWER Operator Fails to Establish Div. 3 to SYSTEM FAULT TREE Div. 2 Electrical Cross Tie ACP-4KVBUS-1Q SD-XH E-XM-CROSSTIE External 2.70E-01 CLINTON DIVISION II AC POWER Div. 3to Div. 2 Cross Tie Fails d ue to SYSTEM FAULT TREE Cross Tie (no Design FLEX Elect.) ACP-4KVBUS-1B1-XTIE2 XTIE-ELEC-CONNECT External 2.00E-02 D u OFFICIAL US E ONL f SECtJ RITY RELATED INFORMATION 27
OFFICIAL USE ONLY- SECORI I 1-RELATED INFORMATION Figure 17: Division 2 AC Power Fault Tree
~--------~
CLINTON DIVISION II AC POWER SYSTEM FAULT TREE Cross Tie (no FLEX Beet.) ACP-4KVBUS* IBI*XTIE2 I I I I 4.1 KV BUS FAILURE FROM SEISMIC FAILURE TO RECOVER BREAKER 4160 V DIVISION II BUS (181) EVENT CCF DURING BATTERY LIFE HARDWAREFAILURES ACP-4KV*EO ACP*BAC*LP* 181 External ACP-4KVBUS-181 *XTIE215 2.29E-05
~ 0 FAILURE OF OIV2 SWITCHGEAR COOLING HVC*SWGR*OIV2*CCXll..
I I DC BATTEREIS FAILU RE FROM CCF OF 125VDC BATTERYS (3) External SEISMIC EVENT 6 DCP*BAT*E DCP-BAT*CF*ALL External 3.85E*08 FAILURE OF DIVISION II 125VDC BATTERY DCP-BAT*LP*IB 7.97E-06 FAILURE OF CIRCUITBREAKER 201Bl TO OPEN (RAT) ACP*CRB*CC*201Bl 2.49E-03 CCF OF CIRCUIT BREAKERS 201Al
& 2.01B1 TO OPEN ACP*CRB*CF*201 4.13E*OS FAILURE OF CIRCUIT BREAKER 221Bl TO CLOSE ACP*CRB*00*221Bl 2.0SE-03 OFFICIAL USE ONLY SECijRITY RELATED INFORMATION 28
OFFICIAL I ISE ONLY SECURITY RELATED INFORMATION Cut Set Ren xt SD- CLINTON SPAR MODEL "II Case ProblFrea Total '1, Cut Set Descriotion Total 4 .86E-04 Displaying 30 Cut Sets. 100 (27055 Oriainal) 1 C 1.60E-04 3298 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start tv; Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB 'lnPrntor Fails to setuo 85b Fn11ioment for Dern><:.<:.Lfization Cd<>n<>ndentl 2 .50E-01 SD-XHE-XM-FELEC Operator Fails to Setup and RISI FLEX 0G and Electrical Distribution 1.00E+OO ITCU-10 Time to Core Uncoverv 10 hours or areater 2 C 8 .90E-05 18.32 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start Iv; Issue 7.60E-02 SD-XHE-XL-ELAP '1n?r.>,tor fails to recoverv electrical cistribution """tern after offsrte rxM/PC recoverv 2 .70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Estabflstl Div. 3 to Div. 2 Electrical Cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB in,,r.uor Fails to setuo B5b 1-n11ioment for De (d""""dentl 2.50E-01 SD-XHE-XM-FELEC Operator Fails to Setup and RISI FLEX 0G and Electrical Distribution 3 C 3..20E-05 6.6 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start tv; Issue 5.00E-02 FLEX-fl.EC-CONNECT FLEX Electrical COmection Fails due to Design or COnstrudion 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electncal Cross Tie 5 .11E-01 SD-XHE-XM-OEP85B Joerntor Fails to setuo B5b t-ouioment for De . tion (d"""'1dent) 1.00E+OO ncu-10 Time to Core Uncovery 10 hours or greater 4 C 3 .13E-05 6.45 O-SD-M4l-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 1.00E-01 DEP-B5B B5b ..,,, ,inment for Ooenino SRVs 2 .02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start tv; Issue 1.37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical cross Tie 2.50E-01 SD-XHE-XM-FELEC -,,,,tor Fails to Setuo and RISI FLEX OG and Electrical Distribution 1.00E+OO ncu-10 Time to Core Uncovery 10 hours or greater 5 C 2 .01E-05 4 .14 O-SD-M4l-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3.39E-02 EPS-DGN- FR-DG1 C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start Iv; Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1 FTR-OPR (24H-) OFFICIAL USE ONLY SECURITY RELA I EU INFORMATION Attachment 2
OFFICIAL USE ONLY .... SECURIT t RELA I ED INFORMATION 5 _11E-01 S~XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for Oepressurization (dependent) 2.50E-01 S~XHE-XM-FELEC luoerator Fails to Setuo and RU\ FLEX DG and Bectrical DistribUlion 1_00E+OC) TTCU-10 Time to Core UI\CO\lery 1o hOurs Of areater 6 C 1.78E-05 3_66 Q.SD-M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start Ai Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical COnnection Fails due to Design or COOstrudion 7.60E-02 S~XHE-XL-El.AP IUDefator fais to recoverv electrical distribution svstem after offslte oower recoverv 2.70E-01 S~XHE-XM-cROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Eledncal Cross Tie 5.11E-01 S~XHE-XM-OEPB5B JDeraior Fails to setuo B5b >-<111ioment for ..,..,,.essuriZation 7 C 1.74E-05 3.58 O-SD-M4L-LOOP : 3-24 1.68E-01 SD-M4l-LOOP Loss of Offsite Power - M4 LATE 1.00E-01 OEP-858 B5b Equpment for Opening SRVs 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EDG BIN 1 HOUR due to start Ai Issue 7.60E-02 S~XHE-XL-ElAP Operator fails to recovery electrical distribution system after offslte power recovery 2.70E-01 S~XHE-XM-cROSSTIE IOoerator Fails to Establish Div. 3 to Div. 2 ElectricaJ Cross Tie 2.50E-01 S~XHE-XM-FELEC Operator Fails to Setup and RU\ FLEX DG and Bectrical Distribution 8 C 1_44E-05 297 O-SD-M4L-LOOP : 3-24 1.68E-01 SIHML-LOOP Loss of Offslte Power - M4 LATE 1.50E-01 EPS-DGN- FR-FOG 1 FLEX Diesel GeneratOf 1 Fails to RIii 1_50E-01 EPS-DGN- FR-FOG2 FLEX Diesel GeneratOf 2 Fails to RIii 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start Ai Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.70E-01 S~XHE-XM-cROSSTIE """""or Fails to Establish Div_ 3 to Div_ 2 Electrical Cross Tie 5_11E-01 S~XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for OepressuriZation (dependent) 1.00E+OO TTCU-10 Time lo C<lfe Uncoverv 10 hOurs Of oreater 9 C 1.19E-05 244 O-SD-M4L-LOOP : 3--24 1_68E-01 SD-M4L-LOOP Loss Of Offsite Power - M4 LATE 2_02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG B IN 1 HOUR due to Start NT Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 5.11E-01 S~XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for OepressuiZation (dependent) 2.50E-01 S~XHE-XM-FELEC .JDerator Fails to Setuo and Run FLEX DG and Bectrical Distribution 1.00E+OO TTCU-10 Time lo C<lfe Uncovery 10 hOurs Of greater 2.00E-02 XTIE-ELEC-CONNECT Div. 3 to Div. 2 Cross Tte Fais due to ><><tinn 10 C 1.12E-05 2.3 O-SD-M4L-LOOP : 3-24 1.68E-01 SIHML-LOOP Loss of Offsite Power - M4 LATE 3.39E-02 EPS-DGN-FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to start NT Issue 7.60E-02 S~XHE-XL-ElAP Operator fais to recovery electrical distribution system after offslte power recovery 5.11E-01 S~XHE-XM-OEPB5B JDeraior Fails to setuo B5b ~ *inment for ......-essunzat,on /den,,nn,,m 2.50E-01 S~XHE-XM-FELEC Operator Fails to Setup and RU\ FLEX DG and Bectrical Distribution OFFICIAL USE ONLY SECURITY RELAIED INFORMATION 2
OFFICIAi I ISE ONLY SECURITY RELATED INfQRMATION 11 C 8 .01E-06 1.65 0-SD-M4L-l00P : 3-24 1 .68E-01 SD-M4L-LOOP Loss of Offsite Power
- M4 LATE 1.50E-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Rlil 1.50E-01 EPS-OGN-FR-FOG2 FLEX Diesel Generator 2 Fails to R!Il 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAJL.S TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 7.60E-02 SD-XHE-XL-ElAP """"'Of faJs to recoverv electrical <istribulion cvctem after offsite ,,,..,,.,,. recoverv 2.70E-01 SD-XHE-XM-CROSST IE Operator Fails to Establish DiV. 3 to Div. 2 Ele<:trtcal Cross Tie 5.11E-01 SD-XHE-XM-OEPBSB mer.nor Fails to setuo 85b t-0.1iomenl ror DeoressunzatiOn Cdeoenaenu 12 C 6 .92E-06 1.42 0-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-l00P Loss of Offsrte Power .. M4 LATE 1.50E-01 EPS-OGN--FR-FOG1 FLEX Diesel Generator 1 Fails to Rlil 720E-02 EPS-OGN--FS-FOG2 FLEX Diesel Generator 2 Fails to Start 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAD..$ TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAD..$ TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSST IE Operator Fails to Establish DiV. 3 to Div. 2 Eledlical Cross Tie 5.11E-01 SD-XHE-XM-OEPBSB ,.,.,,,.,or Fails to setuo 85b t ror DeoressunzatiOn <d e ~1 1.00E+OO TTCU-10 Tlme to Core Uncovery 10 hours or greater 13 C 6 .9.2 E-06 1.42 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-l00P Loss of Offsite Pf7Her
- M4 LATE 1.50E-01 EPS-OGN*FR-FDG2 FLEX Diesel Generator 2 Fails to R!Il 720E-02 EPS-OGN-FS-FOG1 FLEX Diesel Generator 1 Fails to Start 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start Nr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAD..$ TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSST IE 1uoerai.or Fails to Establish DiV. 3 to Div. 2 Eledlical Cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB Operator Fails to setup B5b Equipment ror DepressunzatiOn (dependent) 1.00E+OO TTCU-10 Tlme to Core Uncoverv 10 hours or oreater 14 C 6.59E-06 1.36 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 2.02E-01 EPS-XHE*XM-NR01H OPERATOR FAD..$ TO RECOVER EOG B IN 1 HOUR due to start /vr Issue 7.60E-02 SD-XHE-XL-B..AP JDeraior faJs to recoverv electrical distribution <<v<:tem after offsite n<N.'Pf recoverv 5.11E-01 SD-XHE-XM-OEPBSB Operator Fails to setup 85b Equipment for DepressunzatiOn (dependent) 2 .50E-01 SD-XHE-XM-FELEC """"'Of Fails to Seh n and Rm FLEX 0G and 8ectrical Distribution 2 .00E-02 XTIE-a.EC-CONNECT Div. 3 to Div. 2 Cross Tie Fais due to Design 15 C 627E-06 1.29 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsile Power - M4 LATE 1.00E-01 DEP-858 85b Fnuinment for Ooenin<J SRVs 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAD..$ TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical Comection Fais due lo ....ann or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE ,.,.,,,.,or Fails to Establish Div. 310 Div. 2 Eledlical Cross Tie 1.00E+OO TTCU-10 Tlme to Core Uncovery 10 hours or greater OFFICIAL USE ONLY SECURITY RELATED INFORMATION 3
OFFICIAL USE ONLY SECaRITY RELA I EC INFORMATION 16 C 4.BOE-06 0.99 O-SD-M4L-t.OOP: 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 1 .50E-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Run 5.00E-02 EPS-OGN-XR-FOG FLEX Diesel 2 1oonable} Fails due to lmnrn,.,.... Transoon or,..,,.,,., 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start A,; Issue 1 .37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SO-XHE-XM-CROSSTIE Operator FailS to Establ.iStl Div. 3 to Div. 2 Electrical Cross Tie 5 .11E-01 SD-XHE-XM-OEPB5B ,.,.,..,.,or FailS to setup B5b 1-rNJioment for Deoress~ 1.00E+OO TTCU-10 nme to Core Uncovery 10 hours or greater 17 C 4.02E-06 0.83 O-SD-M4L-t.OOP: 3-24 1 .68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3 .39E-02 EPS-OGN-FR-DG1C DIESEL GENERATOR 1C FAILS TO RUN 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start A,; Issue 5 .00E-02 FLEX-ELEC-CONNECT FLEX Electrical Connection Fails due to ""<tlnn or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1FTR-OPR (24H-l 5.11E-01 SD-XHE-XM-OEPB5B Operator FailS to setup B5b Equipment for Depressunzation (dependent) 1.00E+OO TTCU-10 nme to Core Uncoverv 10 hours or areater 18 C 3 .93E-06 0 .81 O-SD-M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 1.00E-01 DEP-B5B B5b Equipment for Opening SRVs 3.39E-02 EPS-OGN-FR-DG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 1 .37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1FTR-OPR (24H-) 2 .50E-01 SD-XHE-XM-FELEC """""lor FailS to Sell.ID and Ru! FLEX 0G and Electrical Distribution 1.00E+OO TTCU-10 nme to Core uncovery 10 hours or greater 19 C 3 .84E-06 0 .79 O-SD-M4L-t.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 1.SOE--01 EPS-OGN-FR-F002 FLEX Diesel Generator 2 Fails to Run 7.20E-02 EPS-OGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to Start 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 7.60E-02 SD-XHE-XL-ELAP Operator falls to recovery electrical distribution system after offsite J)OINer recovery 2.70E-01 SD-XHE-XM-CROSSTIE ooe-a.tor Fails to EstabliStl Div. 3 to Div. 2 Electncal Cross Tre 5.11E-01 SD-XHE-XM-OEPB5B Operator FailS to setup B5b EQUipment for Depress~ (dependent) 20 C 3.84E-06 0 .79 O-SD-M4L-t.OOP : 3-24 1.68E-01 SO-M4l-LOOP Loss of Offsite Power - M4 LATE 1.50E-01 EPS-OGN-FR-FDG1 FLEX Diesel Generator 1 Fails to Ru! 7.20E-02 EPS-OGN-FS-FDG2 FLEX Diesel Generator 2 Fails to Start 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 7 .60E-02 SD-XHE-XL-ELAP Operator tails to recovery electrical distribution system after offsite power recovery
OFFICIAL USE ONE, Sl:CtjRITY RELATED INEQRMATION 2.70E-01 SD-XHE-~ROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-O EPB5B """"'tor Fails to setuo 85b ,= t for """'es516ization 1oeoendent) 21 C 3.48E-06 0.72 0-SD-M4L-LOOP: 3-24 1 .68E-01 SIHML-LOOP Loss ot Oflsite Power - M4 LATE 1.00E-01 DEP-B5B 85b Equipment for Opening SRVs 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start "'6 Issue 5 .00E-02 FLEX-El.EC-CONNECT FLEX Electrical Connection Fails due to Design or Construction 7.60E-02 SD-XHE-XL-El.AP on..rator fails to recovetV electrical distnbution svstem after offsrte "°"""'r recov<><V 2 .70E-01 SD-XHE-~ROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical Cross T ie 22 C 3 .32E-06 0 .68 O-SD-M4l-LOOP : 3-24 1.68E-01 SIHML-LOOP Loss ot Offsite Power - M4 LATE 7.20E-02 EPS-OGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to start 7 .20E-02 EPS-OGN- Fs-FDG2 FLEX Diesel Generator 2 Fails to Start 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start /vT Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-~ROSSTIE """"'or Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Depress~ (dependent) 1.00E+OO TTCL>-10 Time to Core Uncoverv 10 hours or oreater 23 C 2 .82E-06 0.58 O-SD-M4l-LOOP : 3-24 1.68E-01 SD-M4l-LOOP Loss ot Olfsite Power - M4 LATE 1.00E-01 DEP-B5B 85b Equipment for Opening SRVs 1.50E-01 EPS-DGN-FR-FDG1 FLEX Diesel Generator 1 Fails to Run 1 .50E-01 EPS-OGN-FR-FDG2 FLEX Diesel Generator 2 Fails lo Run 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start "'6 Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAflS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-~ROSSTIE """"'tor Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 1.00800 TTCL>-10 Time to Core Uncovery 1O hours or greater 24 C 2.67E-06 0.55 O-SD-M4l-LOOP: 3-24 1.68E-01 SD-M4L-LOOP Loss ot Oflsite Power - M4 LATE 1.50E-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Rm 5.00E-02 EPS-OGN-XR-FOG FLEX Diesel 2 (portable) Fails due to Improper Transport or Se1t4> 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start /vT Issue 7 .60E-02 SD-XHE-XL-ELAP Operator fails to recovery eledri cal distribution =tern after offsite poy,,er recovery 2.70E-01 SD-XHE-~ROSSTIE """"'Of Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Oepressl6ization (dependent) 25 C 2.37E-06 0.49 0-SD-M4L-LOOP : 3-24 1 .68E-01 SD-M4L-LOOP Loss ot Oflsite Power - M4 LATE 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start "'6 Issue 5.00E-02 FLEX-El.EC-CONNECT FLEX Electrical Connec1iOn Fails due to Design or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAflS TO RECOVER OFFSITE POWER IN 10 HOURS 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Oepresst.nZation (dependent) OFFICIAL USE ONL i' SECURITY RELA I ED INFORMATION 5
OFFICIAL USE ONLY SE~RIT'f RELALED INFORMATION 1.00E+OO ITCU-10 r une to Corn Uncovery 10 hours or greater 2.QQE-02 XTIE-El..EC-CONNECT Orv. 3 to Div. 2 Cross Tie Fais due to Desion 26 C 2.32E-06 0 .48 0-SCHML-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offslle Power - M4 LATE 1.00E-01 DEP-B5B B5b ~ipment f<X" Opening SRVs 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.50E-01 S~XHE-XM-FELEC JDeralOf FailS to '"""" " and Run FLEX DG and 8ectncal DistribUtlon 1.00E-+00 ITCU-10 r une to Corn Uncovery 10 hours or or-eater 2.00E-02 XTIE-ELEC-CONNECT Div. 3 to Div. 2 Cross Tie Fais due to Desion 27 C 2.31E-06 0 .47 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 7.20E-02 EPS-DGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to Start 5.00E-02 EPS-OGN-XR-FDG FLEX Diesel 2 Fails due to lmnrnnPr Transoon or Seh.-. 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 1 .37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 S~XHE-XM-CROSSTIE Operator FailS to Estabhsh Div. 3 to Div. 2 Elecmcal Cross rie 5.11E-01 S~XHE-XM-OEPSSB .,per.nor Fails to setup B5b ~ipment for Deaoessunzation 1.00E-+00 ITCU-10 r une to Corn Uncovery 1o hours oc greater "" 28 C 223E-06 0.46 O-S~M4L-LOOP : 3-24 1 .68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 3.39E-02 EPS-OG~FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start Afr Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical Comectioo Fals due to Oesian Of Construdion 7.60E-02 S~XHE-XL-8..AP Operator fais to recovery electrical distnbubon svstem a1ter offsite power recovery 5.11E-01 S~XHE-XM-OEPSSB JDeratOf Fails to setup B5b ~ *iPment for Delll"essunzation Cdeoenoenu 29 C 2.20E-06 0 .45 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 3.70E-03 EPS-OGN-LR-OG1C DIESEL GENERATOR 1C FAILS TO LOAD RU N 2.02E-01 EP&XHE-XM-NROlH OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start AJr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 5.11E-01 S~XHE-XM-OEPBSB JDerator FailS to setup B5b ~,ipment for J<>(}l"essunzation (de[lf>fl{]ent) 2.SOE-01 S~XHE-XM-FELEC Operator FailS to Setup and Run FLEX DG and 8ectncal Distribution 1.00E+OO ITCU-10 Time to Core Uncoverv 10 hours or oreater 30 C 2.19E-06 0 .45 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 1.00E-01 OEP-858 B5b ~pment for Opening SRVs 3.39E-02 EPS-OGN-FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 7.60E-02 S~XHE-XL-B.AP JDeraior fais to recoverv electrical distnbution """tern after offsite rvlWPr recov""'
- 2. 50E-01 S~XHE-XM-FELEC Operator Fails to Setup and Run FLEX DG and 8ectncal DistribUtlon
From: Kozak Laura To: Hunter Christopher Subject : RE: Clinton and Perry Issues Date: Wednesday, October 17, 2018 7:37:00 AM Attachments: CLI 2018 051.docx Chris We sent out a preliminary Wh ite finding for Clinton (attached), on Monday. We are not working anything on Perry - I will need to check into it. Laura From: Hunter, Christopher Sent: Wednesday, Octobe r 17, 2018 6:17 AM To: Kozak, La ura <Laura.Kozak@nrc.gov>
Subject:
Clinton and Perry Issues Laura, I hope you are well. Have you fina lized the Clinton EDG issue yet? I am also looking at an iss ue at Perry where a fai led fuse took out t rain A of ECCS (alt hough it may have just been the automatic funct ion on the LOCA signal) ... LER 440-2018-002 isn't completely clear. Are you working this? Thanks, Chris Sr. Reliability and Risk Engineer RES/DRA/PRB T-lOASO Phone: (301) 415-1394 (Wednesday} (b )(6) J:!pme.Phone:! -... * .. ***.. ... I (b )(6) IY'!9.~i11;:.Phone:..(. ................ I Email: Chrjstopher,Hunter@nrc.gov
OFFICIAL USE ONLY SECURITY-RELATED INFORMATION UNITED STATES NUCLEAR REGULATORY COMMISSION REGION Ill 2443 WARRENVILLE ROAD, SUITE 210 LISLE, ILLINOIS 60532-4352 October 15, 2018 EA-18-104 Mr. Bryan C. Hanson Senior VP, Exelon Generation Company, LLC President and CNO, Exelon Nuclear 4300 Winfield Road Warrenville, IL 60555
SUBJECT:
CLINTON POWER STATION-NRC INSPECTION REPORT 05000461/2018051 AND PRELIMINARY WHITE FINDING
Dear Mr. Hanson:
On September 24, 2018, the U.S. Nuclear Regulatory Commission (NRC) presented the preliminary significance assessment results to your staff at Clinton Power Station, Unit 1. This letter transmits a finding that has preliminarily been determined to be White. A White finding low to moderate safety significance that may require additional NRC inspections. As described in this letter, on May 17, 2018, an apparent violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition 8 .3, were self-revealed for the licensee's failure to follow multiple procedures that affected quality. This resulted in the unavailability and inoperability of the Division 2 Emergency Diesel Generator (EOG) when it was relied upon for plant safety. During part of the time that the Division 2 EOG was unavailable the Division 1 EOG was already out of service for planned maintenance. During the period when neither EOG was available a loss of offsite power would have resulted in a station blackout condition that could have resulted in a long term loss of the ability to cool the reactor core. This finding was assessed based on the best available information, using the applicable Significance Determination Process (SOP). Included in the body of the enclosed inspection report is the basis for the staff's preliminary determination of significance. Your corrective actions included (1) returning the Division 2 EOG to an operable status; (2) communicating accountability and emphasis on procedure use and adherence; (3) just in time training to all operations department staff on the procedure use requirements; (4) conducting a three-day stand down to discuss case studies and lessons learned; and (5) revising the equipment operator round points to include the EOG starting air manifold pressures. The finding is also an apparent violation of NRC requirements and is being considered for escalated enforcement action in accordance with the Enforcement Policy, which can be found on the NRC's Web site at http://www.nrc.gov/about-nrc/regulatory/enforcemenUenforce-pol.html. Enclosure contains Sensitive Uncl assified Non-Safeguards Information. When separated from attachment 2, this transmittal document is decontrolled. In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation OFFICIAL USE ONL, SECURITY RELATED INFORM A I ION :
OFFICIAL USE ONLi - SECURI I T-RELATED INFORMATION B. Hanson using the best available information and issue our final determination of safety significance within 90 days of the date of this letter. The significance determination process encourages an open dialogue between the NRC staff and the licensee; however, the dialogue should not impact the timeliness of the staffs final determination. Before we make a final decision on this matter, we are providing you with an opportunity to (1) attend a Regulatory Conference where you can present to the NRC your perspective on the facts and assumptions the N RC used to arrive at the finding and assess its significance; or (2) submit your position on the finding to the NRC in writing. If you request a Regulatory Conference, it should be held within 40 days of the receipt of this letter and we encourage you to submit supporting documentation at least one week prior to the conference in an effort to make the conference more efficient and effective. The focus of the Regulatory Conference is to discuss the significance of the finding and not necessarily the root cause(s) or corrective action(s) associated with the finding. If a Regulatory Conference is held, it will be open for public observation. If you decide to submit only a written response, such submittal should be sent to the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory Conference or to submit a written response, you relinquish your right to appeal the final SOP determination, in that by not doing either, you fail to meet the appeal requirements stated in the Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609. If you choose to send a response, it should be clearly marked as a "Response to An Apparent Violation; (EA-18-104)" and should include for the apparent violation: (1) the reason for the apparent violation or, if contested, the basis for disputing the apparent violation; (2) the corrective steps that have been taken and the results achieved; (3) the corrective steps that will be taken; and (4) the date when full compliance will be achieved. Your response should be submitted under oath or affirmation and may reference or include previously docketed correspondence, if the correspondence adequately addresses the required response. Additionally, your response should be sent to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Center, Washington , DC 20555-0001 with a copy to K. Stoedter, Chief, Branch 1, Division of Reactor Projects, U.S. Nuclear Regulatory Commission, Region Ill, 2443 Warrenville Road , Suite 210, Lisle, IL 60532-4352, within 40 days of the date of this letter. If an adequate response is not received within the time specified or an extension of time has not been granted by the NRC, the NRC will proceed with its enforcement decision or schedule a Regulatory Conference. Please contact Ms. Karla Stoedter at 630-829-9731 , and in writing within 10 days from the issue date of this letter to notify the NRC of your intentions. If we have not heard from you within 10 days, we will continue with our significance determination and enforcement decision. The final resolution of this matter will be conveyed in separate correspondence. Because the NRC has not made a final determination in this matter, no Notice of Violation is being issued for these inspection findings at this time. In addition, please be advised that the characterization of the apparent violation described above may change as a result of further NRC review.
OFFICIAL USE ONLY - SECURITY- RELATED INFORMATION B. Hanson This letter will be made available for public inspection and copying at http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in accordance with 10 CFR 2.390, "Public Inspections, Exemptions, Requests for Withholding." However, the enclosed report contains Security-Related Information, so the enclosed report will not be made publically available in accordance with 10 CFR 2.390(d)(1 ). If you choose to provide a response that contains Security-Related Information, please mark your entire response "Security-Related Information-Withhold from public disclosure under 10 CFR 2.390" in accordance with 10 CFR 2 .390(d)(1) and follow the instructions for withholding in 10 CFR 2.390(b)(1). The NRC is waiving the affidavit requirements for your response in accordance with 10 CFR 2.390(b)(1)(ii). Sincerely, IRA/ Patrick L. Louden, Director Division of Reactor Projects Docket No. 50-461 License No. NPF- 62
Enclosures:
Inspection Report 05000461/2018051 (public) (non-public) cc: W. Marsh, Clinton Station Security Manager A. Khayyat, State Liaison Officer Illinois Emergency Management Agency cc w/o attach 2: Distribution via LISTSERV OFFICIAL USE ONLY SECURITY RELATED INFORMATION
OFFICIAL USE ONLY - SECURITY RELATED INFORMATION B. Hanson Letter to Bryan Hanson from Patrick Louden dated October 15, 2018
SUBJECT:
CLINTON POWER STATION-NRG INSPECTION REPORT 05000461/2018051 AND PRELIMINARY WHITE FINDING DISTRIBUTION w/attachments: Daryl Johnson Niry Simonian Eric Wharton Alonzo Richardson Raymond McKinley Binoy Desai Steven West Darrell Roberts Jeremy Groom DISTRIBUTION: Christopher Cook RidsNrrDorllpl3 RidsNrrPMClinton Resource RidsNrrDirslrib Resource Steven West Darrell Roberts Richard Skokowski Allan Barker DRSIII DRPIII ROPreports.Re sou rce@nrc.gov ADAMS Accession Number: ML18289A436 OFFICE RIii I RIii I RIii I OE I NAME CPhillips:bw LKozak JHeller for MMarshfield via Klambert email for JPeralta DATE 10/11/2018 10/11 /2018 10/12/2018 10/12/2018 OFFICE NRR I RIii I RIi i I I NAME MFranovich via KStoedter Plouden email DATE 10/12/2018 10/15/2018 10/15/2018 OFFICIAL RECORD COPY OFFICIAL USE ONLY SECUftlTY RELATED INFORMATION
OFFICIAL USE ONLY SECURITY RELA I ED INFORMATION U.S. NUCLEAR REGULATORY COMMISSION REGION Ill Docket Numbers: 50-461 License Numbers: NPF-62 Report Number: 05000461/2018051 Enterprise Identifier: 1-2018-051-0000 Licensee: Exelon Generation Company, LLC Facility: Clinton Power Station Location: Clinton, IL Dates: August 3 through September 4, 2018 Inspectors: C. Phillips, Project Engineer L. Kozak, Senior Re.actor Analyst J . Mitman, Senior Reliability and Risk Analyst Approved by: K. Stoedter, Chief Branch 1 Division of Reactor Projects OFFICIAL USE ONLY SECURITY RELATED INFORMATION Enclosure
OFFICIAi I !SE ONLY SECOR! IV- RELATED INFORMATION~
SUMMARY
The U.S. Nuclear Regulatory Commission (NRG) completed the preliminary significance determination associated with an apparent violation in accordance with the Reactor Oversight Process. The Reactor Oversight Process is the NRC's program for overseeing the safe operation of commercial nuclear power reactors. Refer to https://www.nrc.gov/reactors/operatinq/oversiqht.html for more information. Findings and violations being considered in the NRC's assessment are summarized in the table below. List of Findings and Violations Failure to Follow Multiple Procedures Cornerstone Significance Cross-Cutting Report Section Aspect Mitigating Preliminary White [H.2] - Human 93812- Special Systems AV 05000461/2018050-01 Performance, Inspection Open Field Presence EA 104 On August 23, 2018, the NRG issued Inspection Report 05000461/2018050 which discussed a self-revealed finding with a To-Be-Determined (T BD) significance and an associated Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition B.3. The issue involved the licensee's failure to follow multiple procedures that affected quality which resulted in the unavailability and inoperability of the Division 2 Emerqencv Diesel Generator when it was relied upon for plant safety. Additional Tracking Items None. OFFICIAL t.lSE 6 Nt l SEGORITY-RELAI EO INFORMATION 2
OFFICIAL USE ONLY - SECtJRITY- RELA I ED INFORMAIIQN INSPECTION SCOPE Inspections were conducted using the appropriate portions of the inspection procedure (IP) in effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with their attached revision histories are located on the public website at http://www.nrc.gov/reading-rm/doc-collections/insp-manual/i nspection-proced ure/index.html. Samples were declared complete when the IP requirements most appropriate to the inspection activity were met consistent with Inspection Manual Chapter (IMC) 2515, "Light-Water Reactor Inspection Program - Operations Phase." The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel to assess !l icensee performance and compliance with Commission ru les and regulations, license conditions, site procedures, and standards. OTHER ACTIVITIES-TEMPORARY INSTRUCTIONS, INFREQUENT AND ABNORMAL 93812-Special Inspection The purpose of this inspection was to complete the preliminary significance determination for an apparent violation 10 CFR Part 50, Appendix 8 , Criterion V and Technical Specification 3.8.2, Condition 8.3. documented in NRC Special Inspection Report 05000461/2018050. INSPECTION RESULTS 93812- Special Inspection ~ Failure to Follow Multiple Procedures Cornerstone Significance Cross-Cutting Report Section Aspect Mitigating Preliminary White [H.2] - Human 93812-Special Systems AV 05000461/2018050-01 Performance, Field Inspection Open Presence EA-18-104 On August 23, 2018, the NRC issued Inspection Report 05000461/2018050 which discussed a self-revealed finding with a To-Be-Determined (TBD) significance and an associated Apparent Violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix 8, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition 8.3. The issue involved the licensee's failure to follow multiple procedures that affected quality which resulted in the unavailability and inoperability of the Division 2 Emergency Diesel Generator when it was relied upon for plant safety.
Description:
On April 30, 2018, the licensee shut down the reactor as part of a scheduled refueling outage. During the outage, the licensee performed maintenance on the Division 2 electrical system which required the Division 2 emergency diesel generator (EDG) to be removed from service. From May 9-11 , 2018, the licensee completed activities to restore the Division 2 EDG to service. Due to the failure to follow multiple procedures (as discussed in NRC Inspection Report 05000461/2018050), the Division 2 EDG was not restored to an operable status because operations personnel had not repositioned starting air valves 1DG160 and 1 DG161 ni:i:1r1 A 1 * ** " ' -
----'" '"i=Lh*-- ... -* ~~"" u JN 3
OFFICIAL USE ONLY SE6URITY RELATED INFORMATION from the closed position to the open position. With the starting air valves in the closed position, the Division 2 EOG was unable to start if needed. On May 14, 2018, at 12:30 a.m., since the licensee was unaware that the Division 2 EOG was inoperable and unavailable due to its inability to start caused by the 1DG 160 and 1DG 161 valves being closed, the licensee began a Division 1 scheduled maintenance window. As a result of taking the Division 1 480 VAC bus out of service, the Division 1 EOG was declared inoperable. On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified that the 1DG 160 and 1DG 161 valves were closed and reported this condition to the control room. The licensee declared the Division 2 EOG inoperable, investigated the condition, and subsequently returned the Division 2 EOG to an operabl,e status. Corrective Actions: The licensee initiated several corrective actions including (1) communicating accountability and emphasis on procedure use and adherence; (2) just in time training to all operations department staff on the procedure use requirements; (3) conducting a three-day stand down to discuss case studies and lessons learned; and (4) revising the equ ipment operator round points to include the EOG starting air manifold pressures. Corrective Action
Reference:
Action Request (AR) 4138790, "Division 2 DG Air Receiver Found Isolated Rounds," dated May 17, 2018. Performance Assessment: Performance Deficiency: The licensee failed to perform activities affecting quality in accordance with prescribed procedures and work instructions as required by 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures and Drawings," that resulted in the unavailability of the Division 2 EOG when it was relied upon for plant safety. Screening: The inspectors determined the performance deficiency was more than minor because it adversely affected the configuration control attribute of the Mitigating Systems Cornerstone and its objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to follow station procedures/work instructions resulted in the unavailability of the Division 2 EOG when it was relied upon for plant safety. Significance: The inspectors evaluated the finding against the guidance of IMC 0609 Appendix G, Attachment 1, "Shutdown Operations Significance Determination Process Phase 1 Initial Screening and Characterization of Findings." The finding impacted the Mitigating Systems Cornerstone, specifically the Electric Power Availability Safety Function. The finding represented a loss of system safety function for the EDGs for greater than its TS 3.8.2, Condition B.3, allowed outage time of "Immediately" (one of the two EDGs was required to be returned to an operable status immediately) which required a Phase 2 Appendix G evaluation. The Phase 2 evaluation was conducted using IMC 0609 Appendix G, Attachment 3, and "Phase 2 Significance Determination Process Template for BWR during Shutdown." A Region Ill senior reactor analyst (SRA) completed the Phase 2 evaluation and concluded that a Phase 3, or detailed risk evaluation, would be needed to refine the Phase 2 evaluation. OFFICIAL USE ONLY SECtJRITY RELATED INFORMATION 4
OFFICIAi IISE ONLY SECURITY RELATED INFORMATION Summary from Special Inspection Report The detailed risk evaluation (DRE) covered a 6.5 day period when the Division 2 EDG was inadvertently unavailable during a refueling outage. The Division 2 EDG had been inoperable and unavailable as part of planned Division 2 480 VAC electrical distribution and Emergency Service Water (SX) systems maintenance activities. When the Division 2 systems work was completed and the systems restored on May 11, 2018 (at 2:30 a.m.), operators incorrectly declared the Division 2 EDG available. At this time, the Division 2 EDG starting air isolation valves (1DG160 and 1DG16 1) rema ined closed, which would prevent starting air from reaching the EDG air start motors, making the EDG inoperable, unavailable, and non-functional because it would not and could not be started on any demand signal. On May 14, 2018, at 12:30 a.m., as the licensee was unaware that the Division 2 EDG was unavailable, the licensee began a scheduled maintenance window on the Division 1 480 VAC bus 1A 1. As a result of taking the bus out of service, the Division 1 EDG was declared inoperable. At this time neither Division 1 nor 2 EDG was functional. On May 17, 2018, at 3:03 p.m., a non-licensed operator performing shift rounds identified the 1DG 160 and 1 DG 161 valves were inappropriately closed and reported this condition to the control room. The licensee declared the Division 2 EDG inoperable and investigated the condition. The licensee restored the valves to the open position and declared the Division 2 EDG available at 3:45 p.m. After the licensee performed OP-AA-108-106, the licensee declared the Division 2 EDG operable at 9:04 p.m. During the 6.5 day period the Division 2 EDG was not operable, available, or functional as the licensee expected. During the 3.5 day period from May 14th to May 17th, neither the Division 1 nor 2 EDG was available to deal with a Loss of Offsite Power (LOOP) if one occurred. As described in Inspection Report 2018050, a Phase 1 S ignificance Determination Process (SDP) screening and a phase 2 SDP evaluation were completed for the finding using the guidance of IMC 0609 Appendix G, "Shutdown Operations Significance Determination Process". As a result, the NRC determined that a detailed risk evaluation was needed to further evaluate recovery strategies. These strategies included 1) restoration of the D ivision 2 EDG; 2) plant-specific mitigating system strategies such as the Division 3 cross-tie to Division 2; 3) use of Diverse and Flexible Coping Strategies (FLEX), and 4) the recovery of offsite power. As a result the inspection report initially characterized the significance of this finding as "to be determined." Summary of Preliminary (Phase 3) Significance Determination The Clinton SPAR model, revision 8.54 was modified to add a shutdown Mode 4 cold shutdown Loss of Offsite Power (LOOP) event tree based on the existing Grand Gulf shutdown SPAR model. The model was further modified to use Clinton specific system fault trees and to refine diesel generator recovery, incorporate FLEX electrical, FLEX suppression pool cooling, FLEX injection , potential recovery of high pressure core spray (HPCS) pump, recovery of reactor core isolation cooling (RCIC), use of alternate injection systems such as installed fire pumps, B.5.b fire pumps, B.5.b reactor depressurization methods, manual containment ventin ca abilit , and the cross-tie of the Division 3 EOG to Division 2 electrical OFFICIAL I !*SE ONLY SECURI I , - RELATED INFORMATION 5
OFFICIAL USE ONLY - SECURITY- RELATED INF<>RMAI IQN distribution system. Human error probabilities in addition to equipment failure probabilities were added for all actions requiring manual alignment and operation. The detailed risk evaluation considers the many different core cooling methods potentially available. However, the results indicate that successful mitigation of the event relies on operator action to restore AC power by one of several methods - recovery of the Division 2 EOG, FLEX electrical, Division 3 to Division 2 cross-tie, or offsite power recovery. The analysis is complex since mitigation of a LOOP event in the degraded condition significantly relies on operator actions and the decision making involving the interaction of these four recovery strategies. The risk results are driven by human error. None of the many operator actions modeled to mitigate the postulated LOOP/SBO event were assumed to be resource limited. This is in recognition that the plant was in a refueling outage with extra operations, maintenance and engineering staff available. Few of the many actions modeled to mitigate the postulated LOOP/SBO were assumed to be limited by time available. However, the overall sequence was modeled assuming operators have one hour to recover the Division 2 EOG before an extended loss of AC power (ELAP) is declared. Once ELAP is declared, plant procedures direct the operators to pursue the FLEX method to re-power Division 2. If FLEX fails, procedures supply guidance on using the Division 3 cross-tie . For the dominant core damage sequence, the time to core damage is approximately 13 hours, this was considered to be adequate time with some margin, but not extra or expansive time, given the level of manual effort required and the number of concurrent methods of mitigation that were modeled. The finding exposure time t hat was quantitatively assessed was the 3.5 day period that both emergency diesel generators were unavailable. The full exposure time was approximately 6.5 days. However, the risk results are dominated by the 3.5 days when neither diesel was available. The result of the detailed risk evaluation is a finding of low to moderate safety significance (White). The best estimate change (i.e., delta) in core damage frequency for the 3.5 day period, using reasonable and realistic assumptions, was estimated to be 3.8E-6 per year. The dominant sequence was a loss of offsite power, failure to recover the Division 2 EOG leading to an Extended Loss of AC Power (ELAP) declaration, failure to maintain the reactor depressurized, failure to inject at high pressure, and the failure to cross-tie the Division 4KV bus to the Division 2 4kV bus. Sensitivity evaluations were performed to understand the influence of important assumptions. The results of the sensitivity evaluations showed a range of outcomes from very low safety significance (Green) to substantial safety significance (Yellow). The sensitivity evaluations were used to confirm the best estimate outcome - low to moderate (White) safety significance. See Table 1. The specific important assumptions of the detailed risk evaluation, the event tree, fault trees, and dominant core damage cut-sets are included in the Enclosure. OFFICIAL USE 014L , SECtJRI IV i<ELATED INFORMATION 6
OFFICIAi I !SE ONLY SECURITY-RELA I ED INFQRMAJIQN Table 1: Risk Results Including Sensitivity Cases Delta Old BE New BE Notes BE Adjusted CDF Value Value Results Best Case Analvsis n/a n/a n/a 3.SE-06 Sensitivity Cases: No change set Div. 2 EOG available required, simply use TRUE 1 EPS-XHE-XR-DG1 B 1.00E-03 5.4E..07l (i.e., no PD) value for base case (1 .0) no PD Div. 2 EOG non-2 recovery based on EPS-XHE-LR-NR10H 2.0E-02 8.80E-01 1.?E-05 data 88% Note that using Exelon's values reduces the CDF to Div. 2 EOG non-less than the no PD 3 recovery based EPS-XHE-LR-NR10H 2.0E-02 5.0E-03 l1.0E-07i case because the Exelon estimate NRP is lower than the base EOG failure probability HPCS pump available TRUE False 4 during entire 3.5 day HCS-XHE-XR-MDP a-.2E-07l (1 .0) (0.0) exposure time Single Human Error 5 Probability (HEP) for Multiple BE 5.3E-05 1.0E-03 3.5E-06 all injection methods Decrease RCIC HEP 6 SD-XHE-XM-FRCIC 7.5E-01 1.0E-01 3.?E-06 to 0.1 Decrease FLEX 7 Electrical HEP to SD-XHE-XM-FELEC 2.5E-01 1.0E-01 2.4E-06 Exelon value to 0.1 Reduce all FLEX Decrease R 8 Multiple BE Various Tl-..flH HEPS bv factor of 10 bv 10X Set all FLEX HEPs to False 9 Multiple BE Various ~.!'l~..flH ,___ False (0.0) . - (0.0) Increase all FLEX Increase RCIC value Increase 10 Multiple BE Various 2.9E-05 HEPs by Factor of 2 from 0.75 to 1.0 by 2X Exelon modified the IEF because the Using Exelon switchyard was Initiating Event 11 protected Note: SD-MFL-LOOP 1.7E-1 1.2E-1 2.8E-06 Frequency (IEF) of EDG2 was protected 0.12 per year during 6.5 days of unavailability OFFICIAL USE QNL't' = SECURITY RELATED INFORMATION 7
OFFICIAL USE ONE, Sl:CURln.._RELATED lblFOBMATION Cross-cutting Aspect: As discussed in Inspection Report 05000461/2018050, the finding had a cross-cutting aspect in the Field Presence component of the Human Performance cross-cutting area. (H.2) Enforcement: Apparent Violation: Title 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," requires, in part, that activities affecting quality be prescribed by documented procedures of a type appropriate to the circumstances and be accomplished in accordance with these procedures. Clearance Order 139455 instructions required the performance of CPS 3506.01P002, "Division 2 Diesel Generator Operations," Revision 3a, in conjunction with the removal of out-of-service tags on May 9, 2018. Procedure OP-AA-108-103, "Locked Equipment Program," Revision 2, Step 4. 1.5, stated, "If plant conditions require a locked component to be positioned in a manner other than that indicated on the locked equipment checklist or approved procedure, then UNLOCK and REPOSITION equipment in accordance with OP-AA-108-101 , "Control of Equipment and System Status." Procedure OP- AA- 108-101, "Control of Equipment and System Status," Revision 14, Step 4.1.1. 1, stated, "Utilize an ACPS for aligning equipment outside of routine operations." Procedure OP-AA-108-106, "Equipment Return to SeNice," Revision 5, Step 4.3, required that "if equipment will not be restored to the Equipment Line-up/Restoration position or the original condition, then another approved equipment status control mechanism shall be used to document equipment status (i.e. Equipment Status Tag, administrative clearance/tagout). Procedure OP-AA-108-101 , 'Control of Equipment and System Status,' shall be used to document abnormal equipment configuration and shall be immediately applied following equ ipment restoration." Procedure OP-AA-108-106, "Equipment Return to SeNice," Revision 5, Step 4.4.9, which stated, "Applicable Operating procedures are complete and any equipment line-ups directed to be completed by the Operating Procedures are completed." Procedure OP- AA-108-1 06, "Equipment Return to SeNice," Revision 5, Step 4.4. 14, stated, "The system/equipment has been walked down as appropriate to verify that it can be safely operated to fulfill its design function." Procedure OP-AA-109-101, "Clearance and Tagging," Revision 12, Step 10.2.1 stated, "If a lift position is determined to be different from the normal lineup position for the present plant condition and not tracked by another C/0 or procedure, then the Shift Management shall be notified and equipment tracking initiated." Technical Specification 3.8.2, "AC Sources-Shutdown," Condition B.3, states, in part, that an inoperable EOG be restored to an operable status immediately. Between May 9 and May 17, 2018, the licensee apparently failed to: Perform CPS 3506.01 P002 , "Division 2 Diesel Generator Operations," Revision 3a, in OFFICIAi IISE ONLY SECURIT'r' RELATED INFORMATION 8
OFFICIAL USE ONLY SECljRIT't' RELATED INFORMATION conjunction with the removal of C/0 139455 as required by the C/0 restoration instructions. Perform OP- AA- 108- 103, "Locked Equipment Program," Revision 2, Step 4.3, valves 1DG160 and 1DG161 were normally locked open valves and an ACPS was not utilized to track valve status. Perform OP-AA-108-106, "Equipment Return to Service ," Revision 5, Step 4.3, when valves 1DG160 and 1DG161 were left in an abnormal position an approved equipment status control mechanism was not used to track equipment status. Perform OP- AA- 108- 106, "Equipment Return to Service," Revision 5, Step 4.4.9, when the equipment was declared operable the applicable operating procedure CPS 3506.01P002 had not been completed and equipment line-ups directed to be completed by the operating procedures were not completed. Perform OP- AA- 108- 106, "Equipment Return to Service," Revision 5, Step 4.4.14, when the system was declared operable without being walked down. Perform OP-AA-109-101, "Clearance and Tagging," Revision 12, Step 10.2.1, when the lift position was different from the normal lineup for the present plant condition and equipment tracking was not initiated. Additionally, because the licensee was not aware of the EDG's inoperability the required action in Technical Specification 3.8.2, Condition 8.3 was not followed. EXIT MEETINGS AND DEBRIEFS The inspectors confirmed that proprietary information was controlled to protect from public disclosure. No proprietary information was documented in this report.
- On September 24, 2018, Mr. P. Louden presented the preliminary significance assessment results to Mr. T. Stoner, Clinton Power Station, Site Vice President.
DOCUMENTS REVIEWED 93812- Special Inspection OFFICIAL USE ONLY SECtJfitlTY RELATED INFORMATION 9
OFFICIAL USE ONLY SECURITY RELATED IUFORMATION Detailed Risk Evaluation Assumptions Plant Conditions during the Conditions Assessed Clinton is a General Electric Boiling Water Reactor 6 with a Mark Ill containment. It has three divisions of Emergency Core Cooling (ECCS). Divisions 1 and 2 have residual heat removal (RHR) capabil ity, each with an RHR train that contains a heat exchanger. Each division has its own emergency diesel generator (EOG) and 4kV safety bus. In addition, Division 3 contains a High Pressure Core Spray (HPCS) pump dedicated safety bus, and EOG, but does not contain an RHR train. The Division 2 EOG unplanned unavailability started after the reactor had been refueled and the associated reactor cavity was full. That is, there was over 23 feet of water above the reactor core. Early in the unavailability, the licensee installed the reactor pressure vessel (RPV) internals, lowered water level to about six inches below the RPV flange, installed and tensioned the reactor vessel head. The unit entered cold shutdown or Mode 4 when the last reactor head bolt was tensioned. See Figure 1 for a time line of these events. OFF ICIAL USE ONL'f SECU RITY RELATED INFORMATION Attachment 1
OFFICIAL USE ONLY SECtlRITt RELATED INI ORMATION Cavity full End lowering cavity l evel 13:54 "'6 inches below flange RCS water level 09:43 begin lowering cavit_r Ievel RPV Last bolt tensioned 01:51 c Modes Mode4 ~~~~~~~~~~~~~~~~~_.,. Starting Conditions Start hydro
- RHR/SDC A 1/5
- LPCS / SRV Alt. soc:1 r - - - - - - - - - - - , Di v. 2 EOG operable
- RAT 1/S
- Div. 2 EOG op
- RHR/ SDC A 005
- Div. 1 4Kv bus 1/S but inop.
- Div . 2 EOG *available>> 21:04
- Div. 2 EOG unavail.
- NSPS op 02: 24
- Div. 1 EOG unavailable
- Div. 2 SX available
- Div. 2 AC bus OOS
- Div. 2 ACI/S & op *
- Div. 1 DC unavailable 01:30
- ROC restorabl e
- Div. 2 DCOOS
- Div. 2 DCI/S & op
- LPCS (Div. 1) unavailable HPCS recover able (using Div. 1 DC Power) End hydro
- Div. 2 SX unavailabl e 08:00
- RHR / SDCA unavailabl e (aft erfill & vent) HPCS 02:30
- RHR/SOC A 1/S
- ERAT 00$ 00:30 Avail able 12:53 5/16 11:18 5/18 5/ 9 5/12 00:00 C0:00 5/14 rooo 00:00 II C0:00 5/11 C0:00 5/13 00:00 23:28
- RHR/ SDC 8 1/S I 5/15 C0:00 5/17 C0:00 17:25 00:20
- RHR/ SDC A 005 Div. 2 AC Bus 1/S 05:13 15:04 ERAT 1/S 23:09 Div. 2 EOG availab le
- RHR/ SDC 8
- operable*
- LPCI C & SRVs available Actual relative risk level Planned risk level (not to sca le)
Version Date: 07-23* 2018 OEEICIA.l USE ONLY SECURI I t RELATED INFORMATION 2
QffU:IAL USE ONLY SECURITY RELATED INFORMATION The following assumptions were made in performing the detailed risk evaluation.
- 1. The time to boil in the reactor coolant system was assumed to be approximately 4 hours, based on Exelon document CL-SDP-010 Rev. 1. This calculation assumes the starting water level is approximately six inches below the RPV flange.
- 2. The time to top of active fuel, a surrogate for core damage, varies from approximately 10 to 24 hours depending on plant configuration assumptions. These values were based on Exelon document CL- SDP- 010 Rev. 1. If the reactor is maintained at low pressure, then the time to core uncovery is about 24 hours. If the reactor pressure increases then the time to uncovery is estimated between 10 and 13 hours. Both calculations assume the starting water level is approximately six inches below the RPV flange.
- 3. Core uncovery is the normal at-power surrogate for core damage. During shutdown, core damage is expected between 1/3 and 2/3 core height which is somewhat after core uncovery, therefore, using core uncovery as a surrogate for core damage is conservative.
- 4. The following equipment was out of service and was considered to be unavailable and non-recoverable:
- EDG 1A;
- 480v AC bus 1A;
- 480v AC bus A;
- NSPS 120v Power distribution panel bus A;
- Division 1 normal 125v DC battery charger 1A; and
- RHR pump A.
- 5. The following equipment was available:
- All FLEX equipment;
- RHR train B;
- RHR heat exchanger A;
- Both suppression pool cleanup (SF) pumps and the associated piping (Note:
there was a very short period at the beginning of the 3.5 days when one SF pump was not available. Because this availability was short and with the knowledge that the results are not driven by mitigating system availability, this unavailability was ignored.);
- All B5b equipment;
- 480v AC aux. building bus 1L;
- 480v AC aux. building bus 1M;
- 480v AC aux. building bus 1D;
- 480v AC aux. building bus 1E (feed to 125v DC battery charger 1F); and
- 125v DC battery (swing) charger 1F (feed from 480v AC aux. building bus 1E).
- 6. The NRC used the SPAR-H Human Reliability Method to evaluate the many operator actions in the model. For all of the human error probabilities evaluated, the performance shaping factor "stress" was considered to be "high" for both diagnosis and action because the plant would be in a station blackout condition. In many of the Human Error OFFICIAL USE ONLY SECURITf RELATED INFORMATION 3
OFFICIAL USE ONLi - SECURITY- RELATED INFORMATION Probability (HEP) evaluations, "complexity" was determined to be either "moderate" or "high" because the operators would be in multiple procedures in multiple plant locations. Many of the actions are local, infrequently or never performed, and some have very limited training. In many cases, "ergonomics" was also rated as "poor" because the local actions may be physically demanding and in difficult SBO conditions (on emergency lighting at best and without any ventilation). Table 2 below contains a summary of the dominant HEPs.
- 7. None of the many actions modeled to mitigate the postulated LOOP/SBO event were assumed to be resource limited. This is in recogn ition that the plant was in a refueling outage with extra operations, maintenance and engineering staff available. The detailed risk evaluation models operator action for four different methods to re-establish electrical power to Division 2 (EDG recovery, offsite power recovery, FLEX, Division 3 to Division 2 crosstie), two additional (beyond the normal use of SRVs after restoring emergency power) methods to maintain the reactor de-pressurized (FLEX and B.5.b), three additional methods (beyond using ECCS after restoring emergency power) to inject to the Reactor Coolant System (RCS) at low pressure (two FLEX methods and the diesel driven fire pumps), two methods to inject to the RCS at high pressure (HPCS and RCIC),
and two additional methods to remove decay heat (FLEX suppression pool cooling and containment venting). All of these require operator action. Many require significant operator effort. In addition to these actions there are other important, non-modeled actions that would also be in progress, such as actions to establish primary and secondary containment and actions for emergency response such as accountability and notifications.
- 8. Few of the many actions modeled to mitigate the postulated LOOP/Station Black Out (SBO) were assumed to be limited by time available. However, the overall sequence was modeled assuming operators have 1 hour to recover the Division 2 EDG before ELAP is declared. Once ELAP is declared, operators will pursue the FLEX method to re-power Division 2. If FLEX fails, the Division 3 cross-tie, is modeled. For the dominant sequence, the time to core damage is approximately 13 hours, this was considered to be adequate time with some margin, but not extra or expansive time, given the level of manual effort required and the number of concurrent methods of mitigation that were modeled.
- 9. The high pressure core spray system was unavailable during most of the 3.5 day exposure period due to planned maintenance. Initially, for a period of 49 hours, it was not recoverable. Later, for a duration of 34 hours, it was modeled as recoverable, and in the last 4.5 hours of the exposure period, the system was fully available. The impact of the status of HPCS over the exposure period was addressed by running three separate cases - HPCS unavailable, HPCS recoverable, and HPCS at nominal failure probabilities. The results were combined in a spreadsheet to obtain the final result. To estimate the HEP for the operator failure to recover HPCS during the 44 hours it was recoverable, the performance shaping factors that were determined to be performance drivers were stress for diagnosis, and stress and complexity for action. Stress was evaluated as "high" because the plant would be in a station blackout condition.
Complexity was rated as "moderate". Under normal conditions, this would not be a complex task, but in response to a station blackout with multiple procedures and mitigating strategies in progress, complexity is increased. OFFICIAL USE ONLY SECtlRITY fitELATED INFORMATION 4
OFFICIAi I !SE 8~JLY SECURITY RELATED INFORMATION
- 10. The RCIC system was unavailable due to plant conditions. During the 3.5 days of interest, the plant was in cold shutdown with reactor coolant system water level above the steam lines. However, the RCIC system was not undergoing any maintenance and cou ld have been put into service if an event had occurred, steam was available due to RCS heat-up and boiling, and water level had decreased below the steam line. While possible, extensive work would be required to prepare the RCS for operations at normal pressure and temperature. Licensee procedure CPS 3002.01 controlled this process.
This 40 page document is the normal startup procedure. It assumes normal electrical power is available to realign systems. While much of this procedure would not be required to prepare the RCS for RCIC operation and extensive amount of procedure triage would be required. The HEP for the operator failure to put RCIC into service under the postulated conditions is 7.5E-1. The HEP was dominated by failure to perform the action. The performance drivers were considered to be time (this is one of the few HEPs that was impacted by time available), stress, complexity, experience/training, and ergonomics. The time available was assumed to be about equal to the time required, stress was considered to be "high", complexity was "high", experience/training was "low", and ergonomics was "poor". 11 . Electrical power recovery to Division 2 could be successful via offsite power recovery, recovery of Division 2 diesel generator, use of FLEX, or crosstie of the Division 3 diesel generator to the Division 2 4kV bus. The detailed risk evaluation assumes that the operators will initially try to recover the diesel generator. If recovery is not successful , operators will transition to FLEX implementation, and if FLEX fails, the evaluation models the potential to implement the crosstie.
- 12. The Division 2 EOG was recoverable and the risk evaluation shows that the operators would be very likely to recover it. However, the potential for operators failing to recover the diesel generator was evaluated. The failure to recover the diesel generator was assigned a human error probability of 0.202 (20 percent failure, 80 percent success rate). This is a factor of 4 lower than the data/statistically derived failure to recover probability. The NRC assumed that 1 hour was available to recover AC power to Division 2 by recovering the EOG. At 1 hour, ELAP declaration and implementation of FLEX electrical power to Division 2 would commence. Diesel generator recovery is further complicated by station blackout load shedding that removes all DC control power from the diesel generator and the FLEX electrical alignment which also impacts Division 2 EOG components. Recovery of the Division 2 EOG after 1 hour into an SBO does not represent successful recovery of Division 2 AC power. Operator actions to back out of ELAP, FLEX implementation, and load shedding to restore the EOG is not governed by procedures, is not a simple, skill of the craft task, and has no training. It was not credited in the risk evaluation consistent with general PRA/HRA assumptions and the Risk Assessment Standardization Project (RASP) guidance.
- 13. The human error probability for the failure to recover Division 2 EOG was estimated at 0.202. The performance shaping factors that were determined to be performance drivers were Stress and Experience/Training for Diagnosis, and Stress for Action.
Stress was considered to be "high" because the pliant would be in a station blackout condition. Experience/Training for Diagnosis was considered to "low." Plant staff perform troubleshooting as a regular job task, however, operators have not trained on, experienced or been exposed to troubleshooting a failure of the "protected" diesel generator during a shutdown SBO. OFFICIAL USE ONLf SECURIT"f RELATED INFORMATION 5
Qf FICIAI I ISE ONLY SECURITY RELA I ED INFORMATION
- 14. The human error probability for the failure to implement the FLEX electrical line-up was estimated at 2.5E- 1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity and experience/training for action. Stress was considered to be "high" because the plant would be in a station blackout condition. The action to align the FLEX electrical system was considered to be both "highly" complex and was assigned "low" experience/training.
The procedure requires many in-plant actions under difficult conditions and the alignment has never been implemented.
- 15. The human error probability for the failure to implement the Division 3 to Division 2 crosstie was estimated at 2.7E-1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity, experience/training, and ergonomics for action. Stress was considered to be "high" because the plant would be in a station blackout condition. The action to implement the cross-tie was considered to be "highly" complex and was assigned "low" experience/training and "poor" ergonomics. The procedure has both in-plant and control room actions in multiple locations and has received very little training.
- 16. Offsite power recovery is also modeled but is complicated by electrical system re-alignment when FLEX or the Division 3 cross-tie are attempted but fail. These strateg ies significantly alter the electrical distribution system. The detailed risk evaluation models offsite power non-recovery at 13 hours or 24 hours, depending on the sequence. The offsite power recovery curve is used along with a human error probability for the failure to realign the electrical system once other sources of power have been attempted but failed. The performance shaping factors that were considered to be performance drivers for the failure to realign the electrical system were stress for diagnosis and action and procedures for action. Stress was considered to be "high" because the plant would be in a station blackout condition. Procedures were considered to be "incomplete" as there are procedures for aligning offsite power sources but they would not specifically address the electrical alignment that would exist after FLEX and the crosstie have been attempted but not successfully implemented. The HEP was estimated at 7.61 E-2.
- 17. Alignment of alternate suppression pool cooling using FLEX equipment was modeled.
The human error probability was estimated at 2.33E-1. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action, and complexity, experience/training, and ergonomics for action. Diagnosis was considered to be "obvious" as the need for suppression pool cooling during SBO events is well understood. Stress was considered to be "high" because the plant would be in a station blackout condition. The action was considered to be "moderately" complex, have "low" experience/training, and "poor" ergonomics. The steps to perform the action are performed outside the control room in poor lighting and there is infrequent training and no actual experience. The procedure describes some of the steps as physically demanding and some are in high radiation areas.
- 18. Two methods of RCS Injection using FLEX equipment were modeled. The easier method would be to re-align the FLEX SPC method for injection. The human error probability for this action was estimated at 4E- 3. The less preferred method, using the diesel-driven FLEX pumps, was estimated at 1.1 E-1. For the easier method, the OFFICIAL USE ONLY SECURiff RELATED INFORM.A.TION 6
OFFICl.<<\L USE ONLY SECURITY RELATED INE< >RMA I ION performance shaping factors that were determined to be performance drivers were stress for diagnosis and action. The diagnosis was also assumed to be obvious, given that the FLEX suppression pool cooling alignment would already be in place and working successfully. Minimal additional action would be required to re-align the system for injection. The actions to use the less preferred method of direct injection from the lake with the diesel driven pumps was not an important action driving the results of the analysis.
- 19. Alignment of the ultimate heat sink using FLEX equipment was modeled. The human error probability was estimated at 1.39E-2. The performance shaping factors that were determined to be performance drivers were stress for diagnosis and action and time, complexity, experience/training, and ergonomics for action. Diagnosis was considered to be "obvious" similar to the rating for aligning suppression pool cooling. Stress was considered to be "high" because the plant would be in station blackout condition. The time available for the action was considered to be greater than 5x the time required.
Complexity was considered to be "moderate", experience/training "low", and ergonomics "poor". The steps to perform the action are performed outside the control room in poor lighting and there is infrequent training and no actual experience. The procedure describes some of the steps as physically demanding and some are in high radiation areas.
- 20. Use of B.5.b equipment and strategies to maintain the reactor depressurized was modeled with an operator action that was highly dependent on the operator action to use FLEX strategies. The FLEX strategy to maintain the reactor depressurized was assumed to be the preferred method. The human error probability for the dependent operator action was 5 .2E-1 .
- 21. Primary containment was open during the exposure time. However, procedures would instruct operators to take action to establish primary containment. The detailed risk evaluation assumes that operators would take this action and would establish primary containment. If suppression pool cooling is not established, then containment venting would be required, consistent with at-power PRA model assumptions. Manual venting of containment was credited. These are long sequences containing success of core cooling via injection but failure to establish suppression pool cooling. These assumptions did not impact the dominant core damage sequences.
- 22. Alternate injection with fire water system was modeled with equipment failures and an operator action for the failure to align the system. This method was assumed to be the least preferred method of low pressure injection. The operator failure to align fire water injection was assigned an HEP of 1.2E- 1 and was not modeled as dependent on previous operator actions, a possible non-conservative assumption. These assumptions did not impact the dominant core damage sequences.
- 23. The FLEX diesel generators were assigned a failure to start of 7.2E-2 and a fa ilure to run for the mission time of 1.5E- 1. The failure to start was based on actual plant operating experience. The run time data for the driesel generators was very limited and could not be used to estimate the failure to run probability. The failure to run for emergency diesel generators was multiplied by a factor of 5 based on analyst judgement to obtain the failure to run rate of the FLEX diesel generator.
OFFICIAL USE ONLY SECURITY RELATED INFORMAIION 7
OFFICIAL USE ONI Y - SECURl"f¥.=RELATED INFORMATION
- 24. The FLEX diesel-driven pumps were assigned a failure to start of 1E-2 and a failure to run of 2.1 E-1. Based on analyst judgment these failure rates we set at five times the corresponding failure rates for permanently installed diesel driven fire pumps .
- 25. FLEX equipment was assigned a failure probability due to design or construction of SE-2 . The FLEX strategies, although carefully developed and reviewed for the Mitigating Strategies Order, have never been fully demonstrated. Latent design or construction errors could exist.
- 26. The Division 3 to the Division 2 cross-tie was assigned a failure probability due to design error of 2E-2. Both divisions are normally in-service but never cross-tied and the cross-tie has never been fully demonstrated.
OFFICIAL USE ONLY SEC ORI I , RELA I ED INFORMft.TION 8
0) 0
OFFICIAL USE ONLY SECURITY REU\TED INFORMAIIQN References
- 1. Clinton SPAR Model, Revision 8.54 with Modifications
- 2. NUREG-1842, "Good Practices for Implementing Human Reliability Analysis."
April 2005
- 3. NUREG/CR-6595 Revision 1, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events." October 2004
- 4. NUREG/CR- 6883, "The SPAR-H Human Reliability Analysis Method"
- 5. INL/EXT 18533, "SPAR-H Step-by-Step Guidance"
- 6. RASP Manual Volume 1 - Internal Events, Revision 2.02 date December 2017
- 7. NUREG/CR- 1278, "Handbook of HRA with Emphasis on Nuclear Power Plant Applications," August 1983
- 8. Analysis of Loss-of Offsite-Power Events 1987-2016, INL/EXT- 17-42376 August 2017 (https ://nrcoe .inl.gov/resultsdb/publicdocs/LOSP/loop-summary-update-2016.pdf)
- 9. IMC 0609 Appendix G, "Shutdown Operations SDP"
- 10. NUMARC 91- 06, "Guidelines for Industry Actions to Assess Shutdown Management."
December 1991 11 . CPS 3002.01 R32e Heatup and Pressurization
- 12. CPS 3312.03 R11d SDC and FPC Assist
- 13. CPS 3501 .01 High Voltage Auxiliary Power System
- 14. CPS 3506.01 EDG and Support Systems
- 15. CPS 3506.01 P002 Division 2 Diesel Generator Operations
- 16. CPS 4006.01 Loss of SDC
- 17. CPS 4200.01 Loss of AC Power
- 18. CPS 4200.01C002 DC Load Shedding during SBO
- 19. CPS 4303.01 P001 Containment Venting Without AC Power Available
- 20. CPS 4303.01 P004 SRV Operation With External DC Power
- 21. CPS 4303.01 P023 Cross-Connecting Div. 3 DG to Div. 1(2) ECCS Electrical Susses
- 22. CPS 4306.01 P001 FLEX Electrical Connection
- 23. CPS 4306.01 P002 FLEX UHS Water Supply
- 24. CPS 4306.01 P003 FLEX Suppression Pool Cooling
- 25. CPS 4306.01 P004 FLEX Low Pressure RPV Makeup
- 26. CPS 4306.01 P017 ELAP During Modes 4 and 5
- 27. CPS 5285_R27c Alarm Panel 5285 Annunciators at 1PL12JB
- 28. CPS 5061 .07 Alarm Panel 5061 Annunciators - Row 7
- 29. CPS 441 1.03 Injection Flooding Sources
- 30. CPS 441 1.06 Emergency Containment Venting, Purging and Vacuum Relief
- 31. CPS 9065.01 Secondary Containment Access Integrity
- 32. EOP- 1 RPV Control
- 33. EOP- 2 RPV Flooding
- 34. EOP- 3 Emergency RPV Depressurization (Slowdown)
- 35. EOP-6 Primary Containment Control
- 36. EOP-8 Secondary Containment Control
- 37. CC- AA- 118 Corporate FLEX Process Guidance
- 38. OU-AA-103 Shutdown Safety Management Program
- 39. OU-CL-104 Shutdown Safety Management Program (Clinton Power Station)
- 40. CL-SDP- 01 O Risk Assessment - May 2018 Outage: Division 2 DG 1B Unavailable with Division 1 Bus Unavailable, Rev. 0
- 41. DB430301 DBIG-Extensive Damage Mitigation Guide, Rev. 5 OFFICIAL USE ONLY SECtJR'.ITY RELATED INFORMATION 11
OFFICIAL USE ONLY-SECURI I ,-RELATED INFORMATION
- 42. N-CL-OPS-DB430601 , FLEX, Rev. 0
- 43. SE-LOP-162, Extensive Damage Mitigation, Rev. 0
- 44. SE-LOR-4306, FLEX Event, Rev. 0 OFFICIAL USE ONLY SECORI I f RELATED INF08MATION 12
OFFICIAi OSE ONbY SECURITY RELAI ED INFORMATION Event Tree and Fault Tree Figures 00 ' Loss of Offsite Power - M4 EMERGENCY POWER AC POWER RECOVERY - 24 # End State LATE SUPPLY - (DIV I AND II) / 1 Hours (Phase - CD) SD-M4L-Loa> SD-EPS SD-AC- REC-24H 0 0 I 1 I SD-M4L-LOOP-T 0 I 0 I 0 I 2 I SD-M4L-LOOP-T 0 I 3 I SD-M4L-LOOP-T OFFICIAL USE ONLY SECURITY RELATED INFORMATION 13
~;~~~;;~~==~=:==~~='.==-
~~~- :===;
- - : : :=---?. , ==~
I
- I
---,:===-;;___(====
0- 0---
~ ~~ ~~ ~~ ===;;_- -~ == o---1 o---1 I II OK I OK 2
OK 0--- I I *' I OK
-- lowpressuren~ion - -o- IL *~!:::
I ====:~=
, o---1' 1 _ I ,. ---0--- -,===- '-' !" '""""'""" 0---1 7 I OK I LoWOff!l$1.11"elnjeeti:in o--[ °===-, - ;_--'~ . =- o---.
0---I I I o--j
- I
- 8
' I OK OK *I *I ~ I I o--------f=*oo o-- " I -
o---1 I I
---o-- -===
oK 1 12 1 0--- I 13 I
- OK
*I - 0---I
- I GT20...... co o--- ** I 0---I "
a,~o OK II o---1 co-, o I 0--- I "I *I I"I OK
*II o=-L 0---
0--- I "I I '° I OK
*I o--{
OK
*-*-* C>----j__~ o---
0---
- Hlghpre~1n I ~ **-*oo 0---1l " u I a,~
OK I
---- IIIJecticn TTCU-1Q-t I o---1" 1 - I ~ ~ o - - -l--=.-"-1..I____
OFFICIAL USE ONLY-SECURIT't-RELATED INFORMATION 1gure 4 AC Power Recoverv Fau It Tree AC POWER RECOVERY
- 24 / 1 Hours SD*AC*REC*24H I
~ I OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 1 HOUR EPS*XHE*XL*NROlH SD-AC*REC*24H 3 8.88E*Ol 7
OPERATOR FAILS TO RECOVER EOG B I N 1 HOUR due to Start Air Issue EPS*XHE*XM-NROlH OPERATOR FAILS TO RECOVER 2.02E*Ol OFFSITE POWER IN 24 HOURS OEP*XHE*XL-NR24H u 5.91E-02 Operator fails to recovery electrical distribution system afteroffsite power recovery SD-XHE-XL-ELAP 7.60E-02 OFFICIAL USE ONLY SECURITY RELATED INFORMATION 15
OFFICl.<<\l U*SE ONLY = SECtJRITY- RELA I ED INFORMATION Figure 5: Manual De ressurization Fault Tree MANUAL REACTOR DEPRESS SD-DEP ADS SRV FAILURE DUE TO SEISMIC ADS VALVES FAIL FROM COM MON EVENT CAUSE ADS-SRV-EO ADS-SRV-CF-VALVS External 1.SSE-06 CLINTON ADS SUPPORT SYSTEMS OPERATOR FAILS TO Manually FAIL Depressurize Reactor DEP-SS ADS-XHE-XM-MDEPR External 5.00E-04 OPERATOR FAILS TO INITIATE REACTOR DEPRESSURIZATION GIVEN SEISMIC EVENT u ADS-XH E-DPR-EOK External D OFFICIAi I ISE ONLY SECtJRI IV RELATED INFORMATION 16
OFFICIAL USE ONLY w SECURITY RELA I ED INFORMATION Figure 6: Division 1125 Power Fault Tree shows FLEX linkage) CLINTON DIVISION I 125 VDC POWERIS UNAVAILABLE Normal DC Power FLEX DC Power DCP-125V-1A-LTS DCP-125V-1A-LTl CLINTON DIVISION I AC POWER FAILURE OF DIVISION I 125VDC BU FLEX AC Electrical System CCF OF 125VDC BATTERYS (3) SYSTEM FAULT TREE IA ACP*4KVBUS* IA1 DCP-BDC*LP-IA FLEX*ELEC DCP*BAT*CF*ALL External 5.21E*06 External 3.SSE-08 DC BATT CHARGERS FAILURE FROM FAILURE OF DIVISION I 125VDC FAILURE OF DIVISION I 125VDC SEISMIC EVENT BATTERY CHARG ER BATTERY DCP-BCH-EO DCP-BCH-LP-IA DCP-BAT*LP* IA External 6.17E-05 7.97E-06 u BATTERY CHARGERS FAIL FROM COMMONCAUSE FAILURE OF DIVISION I 125VDC BU IA DCP*BCH*CF-CHRS DCP*BDC-LP* IA 2.lOE-07 5.21E-06 DIVISION I 125VDC BATTERY FAILURE OF BOP 125VDC BATTERY CHARGER in Test and Maintenance CHARGER IE DCP*BCH*TM* IA DCP*BCH *LP* If 2.00E-03 6.17E*OS () BATTERY CHARGERS FAIL FROM COMMON CAUSE DCP*BCH*CF*CHRS 2.l OE-07 () OFFICIAL USE ONLY SECURl'Pr RELATED INFORMATION 17
OFFICIAL USE ONLY - SECURITY RELATED INFORM4 I ION Figure 7: FLEX Electrical Fault~T_re -'--e- - - - - - - - ~ FLEX AC Electrical System FLEX-ELEC FLEX Diesel Generators FLEXAC Bus Equipmernt Failures ACP-FLEX-BUS FLEX-ELEC4 2.29E-05 Operator Fails to Setup and Run FLEXDG and Electrical Distribution SD-XHE-XM-FELEC FLEX Diesel 1 (permanently installed FLEX Diesel 2 (portable) 2.SOE-01 FLEX Electrical Connection Fails due FLEX-ELEC41 FLEX-ELEC42 to DesignorConstruction FLEX-ELEC-CONNECT 5.00E-02 CCF of FLEX Diesel Generato rs 1 and 2 to Run FLEX Diesel Generator 1 Fails to Run FLEX Diesel Generate r 2 Fails to Run EPS-FDGN-CF-FR 2.37E-03 EPS-DGN-FR-FDGl EPS-DGN-FR-FDG2 CCF of FLEX Diesel Generato rs 1 and 1.SOE-01 1.SOE-01 2 to Start FLEX Diesel Generator 1 Fails to FLEX Diesel Generator 2 Fails to Start Start EPS-FDGN-CF-FS 6.90E-04 EPS-DG N-FS-FDGl EPS-DGN-FS-FDG2 FLEX Feed Breaker to 1FX07E (CB 7.20E-02 7.20E-02 762 el .. west stairway) FLEX Diesel Generator 1Unavailable FLEXDiesel Generate r2 Unavailable because ofTest or Maintenance becauseofTest or Maintenance ACP-FLEX-CRB-FX01E-CB02 1.03E-03 EPS-DGN-TM-FDGl 1.48E-02 EPS-DGN-TM-FDG2 1.48E-02 u u FLEX Diesel 2 (portable) Fails due to Improper Transport or Setup EPS-DGN-XR-FDG 5.00E-02 u OFFICIAi I ISE O~JLY SEOl;;JRITY RELA I ED INFORMATION 18
OFFICIAi IISE ONLY w SECURIT,-RELATED INFORMATION Figure 8: Alternate Injection Fault Tree (includes FLEX) ALTERNATE INJECTION - CDS SWS FWSand FLEX SD-ALT-INJ All FLEX Injection Fails due to Dependent Failure SD-XHE-XM-FLEXINJFAn. SD-ALT-INJS Ignore y CONDENSATE u CDS External CLINTON SSW INJECTION FAULT TREE 551 External CLINTON FIREWATER SYSTEM FAULTTREEduring Shutdown ELAP SD-FWS External FLEX RCS Injection using Diesel FLEX Pumps (CPS 4306.01P004 Section 4.4 and 4306.01P002) FLEX-RCS-INJ External FLEX Suppression Pool Clecn.p Inject into RCS (4306.01P004 Section 4.1) FLEX-SPC-INJ External 6 OFFICIAL USE ONLY SECURITY RELATED INFORMATION 19
OFFICIAL USE ONL ,. Sl:CURITYa:.RELA I ED INFORMAI IQN Figure 9: RCS Injection using FLEX Diesel Driven FLEX Pumps Fault Tree FLEXRCSlnjectlon uslng Diesel FLEX Pumps (CPS 4306.01P004 Section 4.4 and 4306.01P002) FLEX*RCS*INJ I I I I FLEX UHS System (4306.01P002) FLEX RCS Injection vis LPI FLEXRCS Injection Connection Fails due to Desig n or Construction SD-FUHS FLEX-RCS-CONNECT External FRCS-INJ13 5.00E-02 6 y Injection into RCSusing FLEX Diesel Driven Pumps (4306.01P002 Sectio ns 4.3 and 4.4) I SD*XHE*XM*FRCS FLEX Injection Via LPCS FLEX Injection Via RHR C 1.lOE-01 0 FRCS*INJ 130 FRCS*INJ131 H H LPCS INJECTION CKV F006 FAILS TC LPCI TRAIN C INJECTION MOV OPEN RHR42C FAILS TO OPEN LCS-CKV*CC*FOOi RHR*MOV-CC*F042C 9.24E*06 8.16E*04 LPCS INJECTION MOV FOOS FAILS LPCI INJECTION CKV F041C FAILS TO OPEN TO OPEN LCS-MOV*CC-F005 RHR*CKV*CC*41C 8.16E-04 9.24E-06 LPCI CKVS F041C, LCS F006 FAIL LPCI CKVS F041C, LCS F006 FAIL FROM COMMON CAUSE FROM COMMON CAUSE LCS*CKV*CF*FINJEC LCS*CKV*CF*FINJEC 1.94E*07 1.94E*07 LPCI Train C Vent Valve Fails to LPCS VentV<1lve Fails to Open (FLEX Open (FLEX connection point) connection point) LPCI* MV-CC*F088 LPSC*MV-CC-F374 4.59E-04 4.59E-04 0 0 OFFICIAL ! ISE ONLY SEC! IRIIY REI 4 I EO INEORMAJION 20
OFFICIAL USE 0NLY - SECURITY.:..RELATED INFORMATION Figure 10: FLEX Ultimate Heat Sink S~stem Fault Tree FLEX UHS System (4306.01P002) SD-FUHS FLEX Engine Driven Pumps SSW A TIE TO PSW MOV SSW 14A FAILS TO CLOSE SSW-MOV-OO-SSW14A SD-FUHSl 8.16E-04 Operator Fails to Setup and Run FLEX Ultimate Heat Sink System ( 4306.01P002) SD-XHE-XM -FUHS FLEX Pump 1 Fails FLEX Pump 2 Fails 1.40E-01 FLEX PUMPS FAIL FROM COMMON CAUSE TO RUN SD-FUHSlO SD-FUHSl l FLEX-EDP-CF-FR 6.12E-03 FLEX PUMPS FAIL FROM COMMON CAUSE TO START FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS TO RUN TO RUN FLEX-EDP-CF-FS 2.90E-04 FLEX-EDP-FR-1 FLEX-EDP-FR-2 FLEX Diesel Driven Pump Connection 2.00E-01 2.00E-01 Fails due to Design or Construction FLEX ENGINE DRIVEN PUMP 1 FAILS FLEX ENGINE DRIVEN PUMP 2 FAILS TO START TO START FLEX-EDP-CONNECT 5.00E-02 FLEX-EDP-FS-1 FLEX-EDP-FS-2 FLEX Manifo ld Isolation Valve Fails 1.00E-02 1.00E-02 Closed u u FLEX-MV-CC-1XF003 4.59E-04 FLEX Pipe Manifold Isolation Valve to SXDiv. lor 2Fails Closed FLEX-MV-CC-lXFOOlC 4.59E-04 FLEX Water I nj ection to SX Valve Div . 1 or 2 Fails Closed SSW-MV-CC-SXF354 4.59E-04 u OFFICIAL U SE ONLY SECUR:IT , RELATED INFORMATION 21
OFFICIAL USE ONLY SECURITY RELA I ED INFORMATION Figure 11 : RCS Injection using FLEX Su ~ression Pool Cleanup Fault Tree FLEX Sup pression Pool Clear1.4> Inject into RCS (4306.01P004 Section 4.1) FLEX*SPC*INJ I I I I FLEX Suppression Pool Cleanup ard FLEX Injection Paths Fail LPCI INJECTION MOVS RHR 42A,B,C Transfer FAIL FROM COM MON CAUSE FLEX*SPC RHR*MOV*CF*F042 External FLEX-SPC-INJ2 3.57E-06 6 y LPCI CKVS 41A,B,C FAIL FROM COMMON CAUSE I RHR*CKV*CF-F041 FLEX InJectin Path via Train A FLEX InJeetin Path via Train B 6.07E-08 Operator Fails RCS Injection using FLEX SPC (4306.01P004 Section 4.1) FLEX*SPC*INJ20 FLEX*SPC*INJ21 50-XHE*XM*FINJ H H 4.00E-03 RHR A MOV 27A FAILS TO OPEN LPCI TRA IN B INJECTION MOV u RHR42B FAILS TO OPEN RHR-MOV-CC-F027A RHR*MOV-CC*F042B 8.16E*04 8.16E*04 LPCI TRAIN A INJECTION MOV LPCI INJECTION CKV F0418 FAILS RHR42A FAILS TO OPEN TO OPEN RH R*MOV-CC-F042A RHR-CKV*CC-418 8.16E-04 9.24E-06 LPCI INJECTION CKV F041A FAILS RHR A MOV 276 FAILS TO OPEN TO OPEN RHR*CKV*CC*41A RHR-MOV*CC*F027B 9.24E*06 8.16E*04 0 0 OFFICIAL USE ONLY SECORITV 8E[ATED INFORMATION 22
OFFICIAL USE Ol~LY- SECURITY RELATED INFORMATION = Figure 12: FLEX Suppression Pool Cleanu and Transfer Fault Tree FLEX Suppress lo n Pool Cleanup lid Transfer FLEX*SPC I I I I I Suppression Pool Cleanup (FS) RHRH eat Exmangers NotAvailable FLEX AC Electrical System CCF OF SF MDPS TO RUN Pumps Not A"Yailable FLEX*ELEC SF*MDP-CF*FR FFC2 FFC8 External 9.BIE-07 I Suppression Pool Cleanup (FS) PUMP L.J I Suppression Pool Cleanup (FS) PUr-t' y CLINTON FLEX SPC LOOP B IS FLEX UHS System (4306.01P002) SD*FUHS CCFOF Sf MOP'S TO START SF*MDP*CF*STRT External 4.58E*06 A ISUNAVAILABLE B ISUNAVAILABLE UNAVAl lABLE FSPC*B 6 SF COOLJNG SUCTION MOV F004 FFC64 FFC73 External SF*MOV*CC*FOO'I CLINTON FLEX SPC LOOP A IS 1 Suppression Pool Cleaflll) ard Transfer MDP l A FAILS TO START 1 Suppression Pool Cleanl.4) an:l Transfer MOP 18 FAILS TO START FSPC*A External UNAVAllABLE 8.16E-04 Sf COOLING SUCTION Manual F003 SF*VLV-CC*FOO} Sf-MDP-FS-lA SF-MOP-FS-18 6 8.16E*04 SF COOLING D ischargeAOV F01 1 1.091:-03 l.09E*03 SuppressiolnPool Clean..p cn:I Suppressloln Pool Clea"-" an:! Transfer MOP I A FAILS TO RUN Transfer MOP 18 FAILS TO RUN Sf*AOV-CC*F011 7.SSE*04 Sf*MOP*FR* l A SF*MOP*FR* 1B SF COOLING Valve F041 9.00E-05 9.00E-05 SF MOP 6A DISCHARGE CHECK SF MOP 68 DISCHARGE CHECK VALVE FAILS TO OPEN VALVE FAILS TO OPEN SF*MOV*CC*F04l 8.16E*04 SF-CKV*CC*6A SF-CKV*CC*6B Operator Falls SUppresslon AJol 9.24E-06 9.24E-06 Cooling using FU:X SF MOP LA UNAVAILABLEOUETO SF MOP 18 UNAVAILABLE DUE TO TEST AND MAINTENANCE TEST AND MAINTENANCE SO*XHE*XM*FSPC 2.33E*Ol SF*MDP-TM*l A SF*MOP-1~1-18 FLEXSUppression Pool COOll'g 4.561:-03 4.56E-03 Conne<:tlon Falls ducto Design or SF COOLING Discharge MOV FOi 0A SF COOLING Discharge MOV FOJOB Constructi:>n FLEX*SPC*CON N ECT S.OOE*02 Sf*MOV*CC*FOl!i\
- 8. 16E-04 SF*MOV*CC*FOICB 8.16E-04 u u u OFFICIAL use ONLY SECURITY RELATED INFORMATION 23
OFFICIAL USE ONL't - SECUR'.I I ,-RELATED INFORMATION Figure 13: FLEX Sue ression Pool Coolin using RHR Heat Exchanger A Fault Tree CLINTON FLEX SPC LOOP A IS UNAVAILABLE FSPC-A RHR/SSW HEAT EXCHANGE FAILS LOOP A SPC INJECT MOV RHR 24A FAILS TO OPEN RHR-FLEX-HXA RHR-MOV-CC-F024A External 8.16E-04 SP INJECTION MOVS 24A,B COMMON CAUSE FAIL TO OPEN RH R-MOV-CF-F024 l.lSE-05 RHR PUMP MIN FLOW MOVSA,B,C FAIL FROM COMMON CAUSE RHR-MOV-CF-MINFL 3.57E-06 u OFFICIAL USE ONLY SECURITY RELATED INFORMAI ION 24
OFFICIAL USE ONLY' SEGUR.ITV RELATED INFORMATION Figure 14: RHR Heat Exchanger A for FLEX SPC Fault Tree RHR/SSW HEAT EXCHANGE FAILS RHR-FLEX-HXA RHR HTXS FAIL FROM COMMON CAUSE RHR-HlX-CF-RHRHX 2.41E-07 RHR HlX BYPASS VALVES FAIL FROM COMMON CAUSE RHR-MOV-CF-HXBPS 1.lSE-05 RHR LOOP A HlX BYPASS MOV RHR 48A FAILS TO CLOSE RHR-MOV-00-BYPS<\ 8.16E-04 RHR MOVS F003A,B FAIL FROM COMMON CAUSE RHR-MOV-CF-HXDIS 1.lSE-05 RHR HlXA DISCHARGE MOV 3A FAILS TO OPEN RHR-MOV-CC-F003A 8.16E-04 RHR HTX A FAILS RHR-HTX-PG-HTXA 8.88E-06 RHR HlX SSW SUPPLY VALVE F014A FAILS TO OPEN SSW-MOV-CC-F014A 8.16E-04 RHR HTX SSW OUTLET ISOLATION VLV F068A FAILS TO OPEN SSW-MOV-CC-F068A 8.16E-04 u OFFICIAL USE Ol~LY SECURI IV RELATED INFORMATION 25
OFFICIAL use ONLY SEGtJRIT¥-RELATED INFORMATION Figure 15: Containment Venting-' Fault Tree CONTAINMENT VENTING
- SD SD-CVS y
I I I CONTAINMENT (SUPPRESSION Venting of Containment with Manual Containment Failure Causes POOL) VENTING Valves (CPS 4303.0lPOOl) Injection Failure CVS CF-IF External SD*CVS4 2.00E-01 D H u IFC012B Containment Pools Drain Valveto Spent Fuel Pool Closed Fails Close:! FC* MV*CC* 126 4.59E-04 IFC012A Containment Pools Drain Valve to Surge Tank Closed Fails Close:! FC-MV-CC-12A 4.59E-04 Operator Fails to ManuallyVent Containment with 1FC012A & B (CPS 4303.0lPOOl) FC*XHE*XM*MCV 4.20E-03 u OFFICIAL USE ONLY SECl:JRIT'f RELATED INFORMATION 26
OFFICIAL USE ONLY SECORITr-RELATED INI ORMATION Figure 16: Electrical Cross-Tie Division 3 to Division 2 Fault Tree Electrical Connection Div. 3 to Div. 2 ELEC_XTIE CLINTON DIVISION III AC POWER Operator Fails to Establish Div. 3 to SYSTEM FAULT TREE Div. 2 Electrical Cross Tie ACP-4KVBUS-1Q SD-XH E-XM-CROSSTIE External 2.70E-01 CLINTON DIVISION II AC POWER Div. 3to Div. 2 Cross Tie Fails d ue to SYSTEM FAULT TREE Cross Tie (no Design FLEX Elect.) ACP-4KVBUS-1B1-XTIE2 XTIE-ELEC-CONNECT External 2.00E-02 D u OFFICIAL t1SE ONLY SE6UR:IT'f RElA I ED INFORMATION 27
OFFICIAL USE ONLY - SECURI I Y RELATED INFORMATION Figure 17: Division 2 AC Power Fault Tree
~--------~
CLINTON DIVISION II AC POWER SYSTEM FAULT TREE Cross Tie (no FLEX Beet.) ACP-4KVBUS* IBI*XTIE2 I I I I 4.1 KV BUS FAILURE FROM SEISMIC FAILURE TO RECOVER BREAKER 4160 V DIVISION II BUS (181) EVENT CCF DURING BATTERY LIFE HAROWAREFAILURES ACP-4KV*EO ACP*BAC*LP* 181 External ACP-4KVBUS-181 *XTIE215 2.29E-05
~ 0 FAILURE OF OIV2 SWITCHGEAR COOLING HVC*SWGR*OIV2*CCXll..
I I DC BATTEREIS FAILU RE FROM CCF OF 125VOC BATTERYS (3) External SEISMIC EVENT 6 OCP*BAT*E OCP-BAT*CF*ALL External 3.85E*08 FAILURE OF DIVISION II 125VOC BATTERY OCP-BAT*LP*IB 7.97E-06 FAILURE OF CIRCUITBREAKER 201Bl TO OPEN (RAT) ACP*CRB*CC*201Bl 2.49E-03 CCF OF CIRCUIT BREAKERS 201Al
& 2.01B1 TO OPEN ACP*CRB*CF*201 4.13E*OS FAILURE OF CIRCUIT BREAKER 221Bl TO CLOSE ACP*CRB*00*221Bl 2.0SE-03 OFFICIAL USE ONLY SECURITY RELATED INFORMATION 28
OFFICIAL USE ONLY SECURITY RELAIED INFORMATION Cut Set Ren xt SD- CLINTON SPAR MODEL "II Case ProblFrea Total '1, Cut Set Descriotion Total 4 .86E-04 Displaying 30 Cut Sets. 100 (27055 Orioinal) 1 C 1.60E-04 3298 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start tv; Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB 'lnPrntor Fails to setuo BSb Fn11ioment for Dern><:.<:.Lfization Cd<>n<>ndentl 2 .50E-01 SD-XHE-XM-FELEC Operator Fails to Setup and RISI FLEX 0G and Electrical Distribution 1.00E+OO ITCU-10 Time to Core Uncoverv 10 hours or areatE!f 2 C 8 .90E-05 18.32 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start /v; Issue 7.60E-02 SD-XHE-XL-ELAP '1n?r.>,lor fails to recovE!fV electrical cistribution """tern aflE!f offsrte rxM/PC recovE!fV 2 .70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Estabflstl Div. 3 to Div. 2 Electrical Cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB in,,r.uor Fails to setuo B5b 1-n11ioment for De (d""""dentl 2.50E-01 SD-XHE-XM-FELEC Operator Fails to Setup and RISI FLEX 0G and Electrical Distribution 3 C 3.20E-05 6.6 O-SD-M4L-l.OOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start tv; Issue 5.00E-02 FLEX-fl.EC-CONNECT FLEX Electrical COmection Fails due to Design or COnslrudion 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electncal Cross Tie 5 .11E-01 SD-XHE-XM-OEP85B Joerntor Fails to setuo B5b t-ouioment for De . tion (d"""'1dent) 1.00E+OO ncu-10 Time to Core Uncovery 10 hours or greatE!f 4 C 3.13E-05 6.45 O-SD-M4l-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsrte Power - M4 LAT E 1.00E-01 DEP-B5B B5b ..,,, ,inment for Ooenino SRVs 2 .02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start tv; Issue 1.37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical cross Tie 2.50E-01 SD-XHE-XM-FELEC -,,,,tor Fails to Setuo and RISI FLEX OG and Electrical Distribution 1.00E+OO ncu-10 Time to Core Uncovery 1O hours or greatE!f 5 C 2 .01E-05 4 .14 O-SD-M4l-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3.39E-02 EPS-OGN- FR-DG1 C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start Iv; Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1 FTR-OPR (24H-) OF'FICIAI IISE ONLY SECURIT, RELATED INEQRMATION Attachment 2
OFFICIAL USE ONLY SECURI I , RELATED INFORMATION 5 _11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for Oepressurization (dependent) 2.50E-01 SD-XHE-XM-FELEC luoerator Fails to Setuo and RU\ FLEX DG and Bectrical DistribUlion 1_00E+OC) TTCU-10 Time to Core UI\CO\lery 1o hOurs Of areater 6 C 1 .78E--05 3_66 Q.SD-M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 2.02E--01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start Ai Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical COnnection Fails due to Design or COOstrudion 7.60E-02 SD-XHE-XL-El.AP IUDefator fais to recoverv electrical distribution svstem after offslte oower recoverv 2.70E-01 SD-XHE-XM-cROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Eledncal Cross Tie 5.11E-01 SD-XHE-XM-OEPB5B JDeraior Fails to setuo B5b >-<111ioment for ..,..,,.essuriZation 7 C 1.74E-05 3.58 O-SD-M4L-LOOP : 3-24 1.68E-01 SD-M4l-LOOP Loss of Offsite Power - M4 LATE 1.00E-01 OEP-858 B5b Equpment for Opening SRVs 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EDG BIN 1 HOUR due to start Ai Issue 7.60E-02 SD-XHE-XL-ElAP Operator fails to recovery electrical distribution system after offslte power recovery 2.70E-01 SD-XHE-XM-cROSSTIE IOoerator Fails to Establish Div. 3 to Div. 2 ElectricaJ Cross Tie 2.50E-01 SD-XHE-XM-FELEC Operator Fails to Setup and RU\ FLEX DG and Bectrical Distribution 8 C 1_44E-05 297 O-SD-M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 1.50E-01 EPS-DGN- FR-FOG 1 FLEX Diesel GeneratOf 1 Fails to RIii 1_50E-01 EPS-DGN- FR-FOG2 FLEX Diesel GeneratOf 2 Fails to RIii 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start Ai Issue 1.37E--01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-cROSSTIE """""or Fails to Establish Div_ 3 to Div_ 2 Electrical Cross Tie 5_11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for OepressuriZation (dependent) 1.00E+OO TTCU-10 Time lo C<lfe Uncoverv 10 hOurs Of oreater 9 C 1.19E-05 244 O-SD-M4L-LOOP : 3--24 1_68E-01 SD-M4L-LOOP Loss Of Offsite Power - M4 LATE 2_02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG B IN 1 HOUR due to Start NT Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup B5b Equipment for OepressuiZation (dependent) 2.50E-01 SD-XHE-XM-FELEC .JDerator Fails to Setuo and Run FLEX DG and Bectrical Distribution 1.00E+OO TTCU-10 Time lo C<lfe Uncovery 10 hOurs Of greater 2.00E-02 XTIE-ELEC-CONNECT Div. 3 to Div. 2 Cross Tte Fais due to ><><tinn 10 C 1.12E--05 2.3 O-SD-M4L-LOOP : 3-24 1.68E--01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3.39E-02 EPS-DGN-FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to start NT Issue 7.60E-02 SD-XHE-XL-ElAP Operator fais to recovery electrical distribution system after offslte power recovery 5.11E-01 SD-XHE-XM-OEPB5B JDeraior Fails to setuo B5b ~ *inment for ......-essunzat,on /den,,nn,,m 2.SOE--01 SD-XHE-XM-FELEC Operator Fails to Setup and RIii FLEX DG and Bectrical Distribution OFFICIAi I fSE ONLY SECURITY RELhTED INFORMAIION 2
OFFICIAL USE ONLY SECURIT, RELATED INFORMATION 11 C 8 .01E-06 1.65 0-SD-M4L-l00P : 3-24 1 .68E-01 SD-M4L-LOOP Loss of Offsite Power
- M4 LATE 1.SOE-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Rlil 1.SOE-01 EPS-OGN--FR-FOG2 FLEX Diesel Generator 2 Fails to R!Il 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAJL.S TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 7.60E-02 SD-XHE-XL-ElAP """"'Of faJs to recoverv electrical <isbibulion cvctem after offsite ,,,..,,.,,. recoverv 2.70E-01 SD-XHE-XM-CROSST IE Operator Fails to Establish DiV. 3 to Div. 2 Ele<:trtcal Cross Tie 5.11E-01 SD-XHE-XM-OEPBSB mer.nor Fails to setuo 85b t-<11.1iomenl ror DeoressunzatiOn Cdeoenoenu 12 C 6 .92E-06 1.42 0-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-l00P Loss of Offsrte Power - M4 LATE 1.50E-01 EPS-OGN--FR-FOG1 FLEX Diesel Generator 1 Fails to Rlil 720E-02 EPS-OGN--FS-FOG2 FLEX Diesel Generator 2 Fails to Start 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAD..$ TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAD..$ TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSST IE Operator Fails to Establish DiV. 3 to Div. 2 Eledlical Cross Tie 5.11E-01 SD-XHE-XM-OEPBSB ,.,.,,,.,or Fails to setuo 85b t ror DeoressunzatiOn <deoenaern1 1.00E+OO TTCU-10 Tlme to Core Uncovery 10 hours or greater 13 C 6 .9.2 E-06 1.42 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-l00P Loss of Offsite PC7Her - M4 LATE 1.SOE-01 EPS-OGN*FR-FDG2 FLEX Diesel Generator 2 Fails to R!Il 720E-02 EPS-OGN-FS-FOG1 FLEX Diesel Generator 1 Fails to Start 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start Nr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAD..$ TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SD-XHE-XM-CROSST IE 1uoerai.or Fails to Establish DiV. 3 to Div. 2 Eledlical Cross Tie 5 .11E-01 SD-XHE-XM-OEPBSB Operator Fails to setup B5b Equipment ror DepressunzatiOn (dependent) 1.00E+OO TTCU-10 Tlme to Core Uncoverv 10 hours or oreater 14 C 6.59E-06 1.36 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to start /vr Issue 7.60E-02 SD-XHE-XL-B.AP JDeraior faJs to recoverv electrical disbibulion <<v<:tem after offsite n<N.'Pr recoverv 5.11E-01 SD-XHE-XM-OEPBSB Operator Fails to setup 85b Equipment for DepressurizatiOn (dependent) 2 .SOE-01 SD-XHE-XM-FELEC """"'Of Fails to Seh n and Rm FLEX 0G and 8ectrical Distribution 2 .00E-02 XTIE-a.EC-CONNECT Div. 3 to Div. 2 Cross Tie Fais due to Design 15 C 627E-06 1.29 O-SD-M4L-l00P : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsile Power - M4 LATE 1.00E-01 DEP-858 85b Fnuinment foc Ooenin<J SRVs 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAlLS TO RECOVER EOG BIN 1 HOUR due to Start Air Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical Comection Fais due lo ....ann or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-XM-CROSSTIE ,.,.,,,.,or Fails to Establish Div. 310 Div. 2 Eledlical Cross Tie 1.00E+OO TTCU-10 Tlme to Core Uncovery 10 hours or greater OFFICIAL USE ONLY 3
OFFICIAL USE ONLY SECURI I V RELATED INFORMATION 16 C 4.BOE-06 0.99 O-SD-M4L-t.OOP: 3-24 1.68E-01 SD-M4L-LOOP Loss of Offslte Power - M4 LATE 1 .50E-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Run 5.00E-02 EPS-OGN-XR-FOG FLEX Diesel 2 1oonable} Fails due to lmnrn,.,.... Transoon or,..,,.,,., 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start A,; Issue 1 .37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2 .70E-01 SO-XHE-XM-CROSSTIE Operator FailS to Establ.iStl Div. 3 to Div. 2 Electrical Cross Tie 5 .11E-01 SO-XHE-XM-OEPB5B ,.,.,..,.,or FailS to setup B5b 1-rNJioment for Deoress~ 1.00E+OO TTCU-10 nme to Core Uncovery 10 hours or greater 17 C 4.02E-06 0.83 O-SD-M4L-t.OOP: 3-24 1 .68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3 .39E-02 EPS-OGN-FR-DG1C DIESEL GENERATOR 1C FAILS TO RUN 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start A,; Issue 5 .00E-02 FLEX-ELEC-CONNECT FLEX Electrical Connection Fails due to ""<tlnn or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1FTR-OPR (24H-l 5.11E-01 SO-XHE-XM-OEPB5B Operator FailS to setup B5b Equipment for Depressunzation (dependent) 1.00E+OO TTCU-10 nme to Core Uncoverv 10 hours or areater 18 C 3 .93E-06 0 .81 O-SD-M4L-LOOP : 3-24 1.68E-01 SO-M4L-LOOP Loss of Offsite Power - M4 LATE 1.00E-01 DEP-B5B B5b Equipment for Opening SRVs 3.39E-02 EPS-OGN-FR-DG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 1 .37E-01 OEP-XHE-Xl-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 9 .99E-01 OEP-XHE-XX-NR24H1 Convolution Factor for 1FTR-OPR (24H-) 2 .50E-01 SO-XHE-XM-FELEC """""lor FailS to Sell.ID and Ru! FLEX 0G and Electrical Distribution 1.00E+OO TTCU-10 nme to Core uncovery 10 hours or greater 19 C 3 .84E-06 0 .79 O-SD-M4L-t.OOP : 3-24 1.68E-01 SO-M4L-LOOP Loss of Offsite Power - M4 LATE 1.SOE-01 EPS-OGN-FR-F002 FLEX Diesel Generator 2 Fails to Run 7.20E-02 EPS-OGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to Start 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 7.60E-02 SO-XHE-XL-ELAP Operator falls to recovery electrical distribution system after offsite J)OINer recovery 2.70E-01 SO-XHE-XM-CROSSTIE ooe-a.tor Fails to EstabliStl Div. 3 to Div. 2 Electncal Cross Tre 5.11E-01 SO-XHE-XM-OEPB5B Operator FailS to setup B5b EQUipment for Depress~ (dependent) 20 C 3.84E-06 0 .79 O-SD-M4L-t.OOP : 3-24 1.68E-01 SO-M4L-LOOP Loss of Offsite Power - M4 LATE 1.50E-01 EPS-OGN-FR-FDG1 FLEX Diesel Generator 1 Fails to Ru! 7.20E-02 EPS-OGN-FS-FDG2 FLEX Diesel Generator 2 Fails to Start 2 .02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to start A,; Issue 7 .60E-02 SO-XHE-XL-ELAP Operator tails to recovery electrical distribution system after offsite power recovery QFFICIAI IISE ONLY SECURITY RELATED INFORMATION 4
OFFICIAL USE ONLY SECURITY RELATED INI ORMATION 2.70E-01 SD-XHE-~ROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-O EPB5B """"'tor Fails to setuo 85b ,= t for """'es516ization 1oeoendent) 21 C 3.48E-06 0.72 0-SD-M4L-LOOP: 3-24 1 .68E-01 SIHML-LOOP Loss ot Offsite Power - M4 LATE 1.00E-01 DEP-858 85b Equipment for Opening SRVs 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start "'6 Issue 5 .00E-02 FLEX-El.EC-CONNECT FLEX Electrical Connection Fails due to Design or Construction 7.60E-02 SD-XHE-XL-El.AP on..rator fails to recovetV electrical distnbution svstem after offsrte "°"""'r recov<><V 2 .70E-01 SD-XHE-~ROSSTIE Operator Fails to Establish Div. 3 to Div. 2 Electrical Cross T ie 22 C 3 .32E-06 0 .68 O-SD-M4l-LOOP : 3-24 1.68E-01 SIHML-LOOP Loss ot Offsite Power - M4 LATE 7.20E-02 EPS-OGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to start 7 .20E-02 EPS-OGN- Fs-FDG2 FLEX Diesel Generator 2 Fails to Start 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start /vT Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-~ROSSTIE """"'or Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Depress~ (dependent) 1.00E+OO TTCL>-10 Time to Core Uncoverv 10 hours or oreater 23 C 2 .82E-06 0.58 O-SD-M4l-LOOP : 3-24 1.68E-01 SD-M4l-LOOP Loss ot Offsite Power - M4 LATE 1.00E-01 DEP-B5B 85b Equipment for Opening SRVs 1.50E-01 EPS-DGN-FR-FDG1 FLEX Diesel Generator 1 Fails to Run 1 .50E-01 EPS-OGN-FR-FDG2 FLEX Diesel Generator 2 Fails lo Run 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start "'6 Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 SD-XHE-~ROSSTIE """"'tor Fai'ls to Establish Div. 3 to Div. 2 Electrical Cross Tie 1.00800 TTCL>-10 Time to Core Uncovery 1O hours or greater 24 C 2.67E-06 0.55 O-SD-M4l-LOOP: 3-24 1.68E-01 SD-M4L-LOOP Loss ot Offsite Power - M4 LATE 1.50E-01 EPS-OGN-FR-FOG1 FLEX Diesel Generator 1 Fails to Rm 5.00E-02 EPS-OGN-XR-FOG FLEX Diesel 2 (portable) Fails due to Improper Transport or Se1t4> 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOV ER EOG BIN 1 HOUR due to Start /vT Issue 7 .60E-02 SD-XHE-XL-El.AP Operator fails to recovery electrical distribution =tern after offsite poy,,er recovery 2.70E-01 SD-XHE-~ROSSTIE """"'Of Fails to Establish Div. 3 to Div. 2 Electrical Cross Tie 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Oepressl6ization (dependent) 25 C 2.37E-06 0.49 0-SD-M4L-LOOP : 3-24 1 .68E-01 SD-M4L-LOOP Loss ot Offsite Power - M4 LATE 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start "'6 Issue 5.00E-02 FLEX-El.EC-CONNECT FLEX Electrical Connec1iOn Fails due to Design or Construction 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 5.11E-01 SD-XHE-XM-OEPB5B Operator Fails to setup 85b Equipment for Oepresst.nZation (dependent) OFFICIAL USE ONL"f SECORI I t RELATED INFORMATION 5
OFFICIAL USE ONLY w SECURITY RELATED INFORMATION 1.00E+OO ITCU-10 r une to Corn Uncovery 10 hours or greater 2.QQE-02 XTIE-El..EC-CONNECT Orv. 3 to Div. 2 Cross Tie Fais due to Desion 26 C 2.32E-06 0 .48 0-SCHML-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offslle Power - M4 LATE 1.00E-01 DEP-B5B B5b ~ipment f<X" Opening SRVs 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOV ER OFFSITE POWER IN 10 HOURS 2.50E-01 S~XHE-XM-FELEC JDeralOf FailS to '"""" " and Run FLEX DG and Bectncal DistribUtlon 1.00E-+00 ITCU-10 Tune to Corn Uncovery 10 hours or or-eater 2.00E-02 XTIE-ELEC-CONNECT Div. 3 to Div. 2 Cross Tie Fais due to Desion 27 C 2.31E-06 0 .47 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 7.20E-02 EPS-DGN-Fs-FDG1 FLEX Diesel Generator 1 Fails to Start 5.00E-02 EPS-OGN-XR-FDG FLEX Diesel 2 Fails due to lmnrnnPr Transoon or Seh.-. 2.02E-01 EPS-XHE-XM-NR01 H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 1 .37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 2.70E-01 S~XHE-XM-CROSSTIE Operator FailS to Estabhsh Div. 3 to Div. 2 Elecmcal Cross Tie 5.11E-01 S~XHE-XM-OEPSSB .,per.nor Fails to setup B5b ~ipment for Deaoessunzation 1.00E-+00 ITCU-10 r une to Corn Uncovery 1o hours oc greater "" 28 C 223E-06 0.46 O-S~M4L-LOOP : 3-24 1 .68E-01 SD-M4L-LOOP Loss ol Offsite Power - M4 LATE 3.39E-02 EPS-OG~FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start Afr Issue 5.00E-02 FLEX-ELEC-CONNECT FLEX Eledrical Comectioo Fals due to Desian Of Construdion 7.60E-02 S~XHE-XL-8..AP Operator fais to recovery electrical distnbubon svstem a1ter offsite power recovery 5.11E-01 S~XHE-XM-OEPSSB JDeratOf Fails to setup B5b ~ *iPment for Delll"essunzation C deoenoenu 29 C 2.20E-06 0 .45 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 3.70E-03 EPS-OGN-LR-OG1C DIESEL GENERATOR 1C FAILS TO LOAD RU N 2.02E-01 EP&XHE-XM-NROlH OPERATOR FAILS TO RECOVER EOG BIN 1 HOUR due to Start AJr Issue 1.37E-01 OEP-XHE-XL-NR10H OPERATOR FAILS TO RECOVER OFFSITE POWER IN 10 HOURS 5.11E-01 S~XHE-XM-OEPBSB JDerator FailS to setup B5b ~,ipment for J<>(}l"essunzation (de[lf>fl{]ent) 2.SOE-01 S~XHE-XM-FELEC Operator FailS to Setup and Run FLEX DG and Bectncal Distribution 1.00E+OO ITCU-10 Time to Core Uncoverv 10 hours or oreater 30 C 2.19E-06 0 .45 O-S~M4L-LOOP : 3-24 1.68E-01 SD-M4L-LOOP Loss of Offsite Power - M4 LATE 1.00E-01 OEP-858 B5b ~pment for Opening SRVs 3.39E-02 EPS-OGN-FR-OG1C DIESEL GENERATOR 1C FAILS TO RUN 2.02E-01 EPS-XHE-XM-NR01H OPERATOR FAILS TO RECOVER EOG B IN 1 HOUR due to Start AJr Issue 7.60E-02 S~XHE-XL-B.AP JDeraior fais to recoverv electrical distnbution """tern after offsite rvlWPr recov""'
- 2. 50E-01 S~XHE-XM-FELEC Operator Fails to Setup and Run FLEX DG and Bectncal DistribUtlon OFFICIAL USl: 0NLY SECURITY RELATED INFORMATION 6}}