ML19050A510: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot change)
(StriderTol Bot change)
 
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Clinton Power                   Division 1 Transformer Failure Leads to Instrument Air Isolation Station                          to Containment Requiring a Manual Reactor Scram LER:         461-2017-010-02 Event Date:    12/9/2017                                                CCDP =       8x10-6 IR:         05000461/2017012 General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Plant Type:
{{#Wiki_filter:1 Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Clinton Power Station Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram Event Date: 12/9/2017 LER:
Containment Plant Operating Mode Mode 1 (97% Reactor Power)
461-2017-010-02 CCDP =
(Reactor Power Level):
8x10-6 IR:
Analyst:                   Reviewer:                 Contributors:           Approval Date:
05000461/2017012 Plant Type:
Christopher Hunter         Dale Yeilding             N/A                     3/21/2019 EXECUTIVE  
General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Containment Plant Operating Mode (Reactor Power Level):
Mode 1 (97% Reactor Power)
Analyst:
Reviewer:
Contributors:
Approval Date:
Christopher Hunter Dale Yeilding N/A 3/21/2019 EXECUTIVE  


==SUMMARY==
==SUMMARY==
On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kilovolt (kV) alternating current (AC) bus 1 A1 breaker (1AP07EJ), which feeds the division 1 480-volt (V) AC buses. The loss of division 1 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. In addition, the loss of the division 1 480 V AC buses resulted in the unavailability of the low-pressure core spray (LPCS) pump, residual heat removal (RHR) pump A, the division 1 emergency diesel generator (EDG)
On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kilovolt (kV) alternating current (AC) bus 1 A1 breaker (1AP07EJ), which feeds the division 1 480-volt (V) AC buses. The loss of division 1 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. In addition, the loss of the division 1 480 V AC buses resulted in the unavailability of the low-pressure core spray (LPCS) pump, residual heat removal (RHR) pump A, the division 1 emergency diesel generator (EDG)
A, normal battery charging to the division 1 batteries. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room operators inserted a manual scram in accordance with procedures for low scram pilot air header pressure and control rod drift annunciator alarms.
A, normal battery charging to the division 1 batteries. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room operators inserted a manual scram in accordance with procedures for low scram pilot air header pressure and control rod drift annunciator alarms.
Operators performed a reactor cooldown of the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to the loss of containment instrument air, the main steam isolation valves (MSIVs) began to close. In response to the expected closure of the MSIVs, operators aligned the main steam line (MSL) drains to maintain pressure control. These drains were used in conjunction with the reactor core isolation cooling (RCIC) turbine to continue to cooldown to Mode 4.
Operators performed a reactor cooldown of the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to the loss of containment instrument air, the main steam isolation valves (MSIVs) began to close. In response to the expected closure of the MSIVs, operators aligned the main steam line (MSL) drains to maintain pressure control. These drains were used in conjunction with the reactor core isolation cooling (RCIC) turbine to continue to cooldown to Mode 4.
According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is reactor transient with a consequential loss of offsite power (LOOP) and postulated failures of the division 2 EDG B result in a subsequent station blackout (SBO). Although high-pressure core spray (HPCS) is initially successful, operators fail to recover offsite power within 12 hours resulting in the inability to vent containment, which results in the loss of all injection. This accident sequence accounts for approximately 17 percent of the conditional core damage probability (CCDP) for the event.
According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is reactor transient with a consequential loss of offsite power (LOOP) and postulated failures of the division 2 EDG B result in a subsequent station blackout (SBO). Although high-pressure core spray (HPCS) is initially successful, operators fail to recover offsite power within 12 hours resulting in the inability to vent containment, which results in the loss of all injection. This accident sequence accounts for approximately 17 percent of the conditional core damage probability (CCDP) for the event.
Two Green (i.e., very low safety significance) findings were identified for this event. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding 1
Two Green (i.e., very low safety significance) findings were identified for this event. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding  


LER 461-2017-010-02 was associated with the licensee failure to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components.
LER 461-2017-010-02 2
was associated with the licensee failure to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components.
EVENT DETAILS Event Description. On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kV AC bus 1 A1 breaker (1AP07EJ), which feeds 480-volt (V) AC unit substation 1A and 480 V AC unit substation 1A.
EVENT DETAILS Event Description. On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kV AC bus 1 A1 breaker (1AP07EJ), which feeds 480-volt (V) AC unit substation 1A and 480 V AC unit substation 1A.
The loss of 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room received a low scram pilot air header pressure alarm. Soon after, the control rod drift annunciator alarmed as expected and the control room operators inserted a manual scram in accordance with procedures.
The loss of 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room received a low scram pilot air header pressure alarm. Soon after, the control rod drift annunciator alarmed as expected and the control room operators inserted a manual scram in accordance with procedures.
Line 38: Line 44:
Cause. The unexpected opening of breaker 1AP07EJ was due to a phase-to-ground fault on 480 V transformer 1A. Subsequent vendor testing determined that the ground fault was caused by excessive layer-to-layer design stress within the 4.16 kV transformer winding. This preexisting design defect resulted in the issuance of a 10 CFR Part 21 notification to the NRC.
Cause. The unexpected opening of breaker 1AP07EJ was due to a phase-to-ground fault on 480 V transformer 1A. Subsequent vendor testing determined that the ground fault was caused by excessive layer-to-layer design stress within the 4.16 kV transformer winding. This preexisting design defect resulted in the issuance of a 10 CFR Part 21 notification to the NRC.
Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact.
Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact.
* The RCIC system was declared inoperable because the 480 V AC power was lost to water leg pump and, therefore, operators could not ensure the system was free of voids.
The RCIC system was declared inoperable because the 480 V AC power was lost to water leg pump and, therefore, operators could not ensure the system was free of voids.
NRC inspectors determined that although the RCIC system was appropriately declared inoperable, the system was available (if necessary) for pressure/inventory control and decay heat removal.
NRC inspectors determined that although the RCIC system was appropriately declared inoperable, the system was available (if necessary) for pressure/inventory control and decay heat removal.
* The isolation of instrument air to containment affected some components in the reactor water cleanup (RWCU) and control rod drive (CRD) systems. The safety-related 1   The division 1 EDG was rendered unable to fulfil its safety function for the complete mission time of 24 hours due to loss 480V AC power to its associated fuel oil transfer pump. The fuel oil transfer pump starts as soon as the level in its associated day tank starts decreasing. Without the fuel oil transfer pump, the day tank only has enough fuel to run the EDG for approximately 2 hours. In addition, the circulating oil and turbo soakback pumps were also unavailable due to the loss of division 1 480 V AC power. However, the loss of these two pumps is not expected to result in a loss of safety function of the EDG.
The isolation of instrument air to containment affected some components in the reactor water cleanup (RWCU) and control rod drive (CRD) systems. The safety-related 1
2
The division 1 EDG was rendered unable to fulfil its safety function for the complete mission time of 24 hours due to loss 480V AC power to its associated fuel oil transfer pump. The fuel oil transfer pump starts as soon as the level in its associated day tank starts decreasing. Without the fuel oil transfer pump, the day tank only has enough fuel to run the EDG for approximately 2 hours. In addition, the circulating oil and turbo soakback pumps were also unavailable due to the loss of division 1 480 V AC power. However, the loss of these two pumps is not expected to result in a loss of safety function of the EDG.  


LER 461-2017-010-02 aspects of the RWCU system are typically limited to the containment isolation requirements. The standardized plant analysis risk (SPAR) models typically have limited modeling of the RWCU system and containment isolation; however, their inclusion would not affect the analysis for this initiating event. Therefore, no modeling of RWCU system and its components was needed for this analysis. The CRD system component unavailabilities were limited to the scram pilot air header and did not affect the CRD pumps as a potential source of RCS inventory makeup. The SPAR model only credits CRD makeup from 1 of 2 pumps if RCIC is initially successful. The model does not credit enhanced two-pump flow, which may require instrument air inside containment.
LER 461-2017-010-02 3
aspects of the RWCU system are typically limited to the containment isolation requirements. The standardized plant analysis risk (SPAR) models typically have limited modeling of the RWCU system and containment isolation; however, their inclusion would not affect the analysis for this initiating event. Therefore, no modeling of RWCU system and its components was needed for this analysis. The CRD system component unavailabilities were limited to the scram pilot air header and did not affect the CRD pumps as a potential source of RCS inventory makeup. The SPAR model only credits CRD makeup from 1 of 2 pumps if RCIC is initially successful. The model does not credit enhanced two-pump flow, which may require instrument air inside containment.
Therefore, no model changes for the CRD system were needed for this analysis.
Therefore, no model changes for the CRD system were needed for this analysis.
MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.2 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 9th event. No windowed events or concurrent degraded operating conditions were identified.
MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.2 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 9th event. No windowed events or concurrent degraded operating conditions were identified.
Line 49: Line 56:
Analysis Type. An initiating event analysis was performed using the Clinton Power Station SPAR model, Revision 8.54, modified on December 20, 2017. This event was modeled as a general plant transient with a loss of instrument air to the containment and loss of division 1 480 V AC power.
Analysis Type. An initiating event analysis was performed using the Clinton Power Station SPAR model, Revision 8.54, modified on December 20, 2017. This event was modeled as a general plant transient with a loss of instrument air to the containment and loss of division 1 480 V AC power.
SPAR Model Modifications. The following modifications were required for this initiating event assessment:
SPAR Model Modifications. The following modifications were required for this initiating event assessment:
* The base SPAR models provide credit for EDG repair for SBO scenarios; however, the analyst must determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. The probabilities of successful repair of an EDG in the base SPAR models are calculated using the data from the unplanned unavailability mitigating system performance index (MSPI). There are questions on the applicability of this data. First, this repair data is not collected under SBO conditions (e.g., reduced lighting). Second, during postulated SBO scenarios, multiple EDG failures have occurred, thus further complicating troubleshooting activities, 2   ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.
The base SPAR models provide credit for EDG repair for SBO scenarios; however, the analyst must determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. The probabilities of successful repair of an EDG in the base SPAR models are calculated using the data from the unplanned unavailability mitigating system performance index (MSPI). There are questions on the applicability of this data. First, this repair data is not collected under SBO conditions (e.g., reduced lighting). Second, during postulated SBO scenarios, multiple EDG failures have occurred, thus further complicating troubleshooting activities, 2
3
ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.  


LER 461-2017-010-02 which would likely increase the time to repair. Given these uncertainties, repair credit for EDG failures is limited to cases where event information supports this credit. Repair credit for postulated failures of the EDGs is not provided in this analysis.3 The issue of crediting EDG repair is noted as a key modeling uncertainty for this analysis and will be discussed with internal stakeholders to determine if consensus approach can be developed.
LER 461-2017-010-02 4
* The CVS (containment venting) fault tree was modified to eliminate duplicative operator actions to initiate containment venting. Specifically, basic events CVS-XHE-XM-VENT1 (operator fails to vent containment through CCP), CVS-XHE-XM-VENT2 (operator fails to vent containment through FC to SFP), and CVS-XHE-XM-VENT3 (operator fails to vent containment through RHR A to FP) were deleted. The operator action to vent containment is already accounted for in the model via basic event CVS-XHE-XM-VENT (operator fails to vent containment). The modified CVS fault tree is shown in Figure B-1 of Appendix B.
which would likely increase the time to repair. Given these uncertainties, repair credit for EDG failures is limited to cases where event information supports this credit. Repair credit for postulated failures of the EDGs is not provided in this analysis.3 The issue of crediting EDG repair is noted as a key modeling uncertainty for this analysis and will be discussed with internal stakeholders to determine if consensus approach can be developed.
* The base model does not explicitly include modeling of the 480 V AC portion of the electrical distribution system. During the event, the 4.16 kV bus 1A1 breaker 1AP07EJ, which feeds both division 1 480 V buses (1AP11E and 0AP05E), opened due to a fault on 480 V transformer 1A. This caused the unavailability of the LPCS pump, RHR pump A, and the division 1 EDG. To account for the dependency of these pumps on 480 V AC power, a new basic event ACP-BAC-LP-480V-DIV1 (480V division 1 buses are unavailable) was inserted in the LPCS fault tree (under the LCS-MDP-SS subtree),
The CVS (containment venting) fault tree was modified to eliminate duplicative operator actions to initiate containment venting. Specifically, basic events CVS-XHE-XM-VENT1 (operator fails to vent containment through CCP), CVS-XHE-XM-VENT2 (operator fails to vent containment through FC to SFP), and CVS-XHE-XM-VENT3 (operator fails to vent containment through RHR A to FP) were deleted. The operator action to vent containment is already accounted for in the model via basic event CVS-XHE-XM-VENT (operator fails to vent containment). The modified CVS fault tree is shown in Figure B-1 of Appendix B.
The base model does not explicitly include modeling of the 480 V AC portion of the electrical distribution system. During the event, the 4.16 kV bus 1A1 breaker 1AP07EJ, which feeds both division 1 480 V buses (1AP11E and 0AP05E), opened due to a fault on 480 V transformer 1A. This caused the unavailability of the LPCS pump, RHR pump A, and the division 1 EDG. To account for the dependency of these pumps on 480 V AC power, a new basic event ACP-BAC-LP-480V-DIV1 (480V division 1 buses are unavailable) was inserted in the LPCS fault tree (under the LCS-MDP-SS subtree),
RHR pump A fault tree (under the RHR-MDPA-SS subtree), and DGA-SS fault tree (under gate DGA-SS8).4 These modified faults trees are shown in Figure B-2, Figure B-3, and Figure B-4 of Appendix B.
RHR pump A fault tree (under the RHR-MDPA-SS subtree), and DGA-SS fault tree (under gate DGA-SS8).4 These modified faults trees are shown in Figure B-2, Figure B-3, and Figure B-4 of Appendix B.
* The loss of division 1 480 V buses also resulted in the loss of normal battery charging for the division 1 batteries. During the event, operators successfully aligned the class 1E swing charger to supply the division 1 batteries. To account for the loss of normal battery charging on the division 1 batteries and the potential for aligning the swing charger, fault tree DCP-125V-1A-LT (Clinton division I 125 VDC power is unavailable) was modified. Specifically, a new AND gate was added under the top gate with the new basic events ACP-BAC-LP-480V-DIV1 and a DCP-XHE-SWINGCHARGER (operators fail to align the swing charger) inserted under this new gate. Basic event DCP-XHE-SWINGCHARGER was set to IGNORE in the base model. This modified fault tree is shown in Figure B-5 of Appendix B.
The loss of division 1 480 V buses also resulted in the loss of normal battery charging for the division 1 batteries. During the event, operators successfully aligned the class 1E swing charger to supply the division 1 batteries. To account for the loss of normal battery charging on the division 1 batteries and the potential for aligning the swing charger, fault tree DCP-125V-1A-LT (Clinton division I 125 VDC power is unavailable) was modified. Specifically, a new AND gate was added under the top gate with the new basic events ACP-BAC-LP-480V-DIV1 and a DCP-XHE-SWINGCHARGER (operators fail to align the swing charger) inserted under this new gate. Basic event DCP-XHE-SWINGCHARGER was set to IGNORE in the base model. This modified fault tree is shown in Figure B-5 of Appendix B.
* The only modeling of instrument air system in the current SPAR model is via house event HE-LOIAS (loss of instrument air system initiating event has occurred), which is used alone or within the IAS (Clinton instrument air) fault tree. Dependency on the instrument air system is limited in the current SPAR model (e.g., power conversion 3 The applicable EDG recovery basic events: EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR02H (operator fails to recover emergency diesel in 2 hours), EPS-XHE-XL-NR04H (operator fails to recover emergency diesel in 4 hours), and EPS-XHE-XL-NR12H (operator fails to recover emergency diesel in 12 hours) were set to TRUE in the base SPAR model.
The only modeling of instrument air system in the current SPAR model is via house event HE-LOIAS (loss of instrument air system initiating event has occurred), which is used alone or within the IAS (Clinton instrument air) fault tree. Dependency on the instrument air system is limited in the current SPAR model (e.g., power conversion 3
4 The ZT-BAC-LP (AC bus fails to operate) default template was used for this basic event.
The applicable EDG recovery basic events: EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR02H (operator fails to recover emergency diesel in 2 hours), EPS-XHE-XL-NR04H (operator fails to recover emergency diesel in 4 hours), and EPS-XHE-XL-NR12H (operator fails to recover emergency diesel in 12 hours) were set to TRUE in the base SPAR model.
4
4 The ZT-BAC-LP (AC bus fails to operate) default template was used for this basic event.  


LER 461-2017-010-02 system, condenser, containment venting, RCIC).5, 6 During the event, the loss instrument air was limited to components/systems inside containment and, therefore, only containment venting and power conversion system were affected.7 The PCS fault tree assumes that PCS is rendered unavailable given a complete loss of instrument air, which would fail MFW because of lack of makeup to condenser hotwell and render the condenser heat sink unavailable due to the closure of MSIVs. Since instrument air was only lost in containment, feedwater and the condenser heat sink remained available throughout the event and operators were able to align the MSL drains to the condenser, two changes were made to the PCS fault tree. First, the IAS transfer tree and a new basic event PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser) were added under a new AND gate. Basic event PCS-XHE-XM-MSLDRAINS was set to IGNORE in the base model. The modified PCS fault tree is shown in Figure B-6 of Appendix B. Second, the IAS transfer tree was deleted from the CDS-HW (Clinton condensate hotwell makeup is unavailable) fault tree.
LER 461-2017-010-02 5
system, condenser, containment venting, RCIC).5, 6 During the event, the loss instrument air was limited to components/systems inside containment and, therefore, only containment venting and power conversion system were affected.7 The PCS fault tree assumes that PCS is rendered unavailable given a complete loss of instrument air, which would fail MFW because of lack of makeup to condenser hotwell and render the condenser heat sink unavailable due to the closure of MSIVs. Since instrument air was only lost in containment, feedwater and the condenser heat sink remained available throughout the event and operators were able to align the MSL drains to the condenser, two changes were made to the PCS fault tree. First, the IAS transfer tree and a new basic event PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser) were added under a new AND gate. Basic event PCS-XHE-XM-MSLDRAINS was set to IGNORE in the base model. The modified PCS fault tree is shown in Figure B-6 of Appendix B. Second, the IAS transfer tree was deleted from the CDS-HW (Clinton condensate hotwell makeup is unavailable) fault tree.
The modified CD-HW fault trees are shown in Figure B-7 of Appendix B.
The modified CD-HW fault trees are shown in Figure B-7 of Appendix B.
* Errors associated with late injection modeling were identified in two event trees, 1SORV (Clinton transfer - one stuck open SRV) and LOOP-1 (Clinton transfer - one stuck open SRV). Specifically, transient (TRANS) sequences 65-33 and 67-38-19 incorrectly assumed a failure of late injection. The transfers for these two sequences were changed from LI02 (Clinton late injection fault tree) to LI00 (Clinton late injection fault tree).
Errors associated with late injection modeling were identified in two event trees, 1SORV (Clinton transfer - one stuck open SRV) and LOOP-1 (Clinton transfer - one stuck open SRV). Specifically, transient (TRANS) sequences 65-33 and 67-38-19 incorrectly assumed a failure of late injection. The transfers for these two sequences were changed from LI02 (Clinton late injection fault tree) to LI00 (Clinton late injection fault tree).
Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment:
Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment:
* The operators manually scrammed the reactor due to low scram header air pressure; therefore, the probability of IE-TRANS (general plant transient initiating event) was set to 1.0. All other initiating event probabilities were set to zero.
The operators manually scrammed the reactor due to low scram header air pressure; therefore, the probability of IE-TRANS (general plant transient initiating event) was set to 1.0. All other initiating event probabilities were set to zero.
* Basic event ACP-BAC-LP-480V-DIV1 was set to TRUE due to the loss of the division 1 480 V AC buses caused by the opening of the 4.16 kV bus 1A1 breaker 1AP07EJ as result of the transformer fault.
Basic event ACP-BAC-LP-480V-DIV1 was set to TRUE due to the loss of the division 1 480 V AC buses caused by the opening of the 4.16 kV bus 1A1 breaker 1AP07EJ as result of the transformer fault.
* Basic event HE-LOIAS was set to TRUE to account for the loss of instrument air inside containment. Recovery potential for instrument air to the containment was not credited in this analysis since that portion of the air system was not recovered for over 16 hours after initiation of the event.
Basic event HE-LOIAS was set to TRUE to account for the loss of instrument air inside containment. Recovery potential for instrument air to the containment was not credited in this analysis since that portion of the air system was not recovered for over 16 hours after initiation of the event.
* The human failure event (HFE) DCP-XHE-SWINGCHARGER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The human error probability (HEP) for DCP-XHE-SWINGCHARGER was calculated to be 1x10-2.
The human failure event (HFE) DCP-XHE-SWINGCHARGER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The human error probability (HEP) for DCP-XHE-SWINGCHARGER was calculated to be 1x10-2.
5   The CND (main condenser heat sink) fault tree also has an instrument air system dependency; however, this fault tree is only used in the loss of feedwater event tree. Modeling associated with the condenser is included in the PCS (power conversion system) fault tree for the TRANS (general transient) event tree.
5 The CND (main condenser heat sink) fault tree also has an instrument air system dependency; however, this fault tree is only used in the loss of feedwater event tree. Modeling associated with the condenser is included in the PCS (power conversion system) fault tree for the TRANS (general transient) event tree.
6   The use of house event HE-LOIAS in the RCIC pump modeling in the RCI-SS-LT (RCIC support systems) subtree corresponds to different support system requirements needed for different initiating events and was not intended to model a RCIC system dependency for instrument air. Therefore, this modeling does not need to be modified for this event analysis.
6 The use of house event HE-LOIAS in the RCIC pump modeling in the RCI-SS-LT (RCIC support systems) subtree corresponds to different support system requirements needed for different initiating events and was not intended to model a RCIC system dependency for instrument air. Therefore, this modeling does not need to be modified for this event analysis.
7   In addition to the condensate and feedwater systems, the power conversion system includes modeling of the MSIVs.
7 In addition to the condensate and feedwater systems, the power conversion system includes modeling of the MSIVs.  
5


LER 461-2017-010-02
LER 461-2017-010-02 6
* The HFE PCS-XHE-XM-MSLDRAINS was evaluated using SPAR-H; see Appendix C for additional information. The HEP for PCS-XHE-XM-MSLDRAINS was calculated to be 1x10-3.
The HFE PCS-XHE-XM-MSLDRAINS was evaluated using SPAR-H; see Appendix C for additional information. The HEP for PCS-XHE-XM-MSLDRAINS was calculated to be 1x10-3.
ANALYSIS RESULTS CCDP. The conditional CCDP for this analysis is calculated to be 8.3x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink), whichever is greater.
ANALYSIS RESULTS CCDP. The conditional CCDP for this analysis is calculated to be 8.3x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink), whichever is greater.
This CCDP equivalent for Clinton Power Station is 2.3x10-6.8 Therefore, this event is a precursor.
This CCDP equivalent for Clinton Power Station is 2.3x10-6.8 Therefore, this event is a precursor.
Dominant Sequence. The dominant accident sequence is transient sequence 67-40-06 (CCDP = 1.4x10-6), which contributes approximately 17 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1, Figure A-2, and Figure A-3 and Appendix A.
Dominant Sequence. The dominant accident sequence is transient sequence 67-40-06 (CCDP = 1.4x10-6), which contributes approximately 17 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1, Figure A-2, and Figure A-3 and Appendix A.
Sequence               CCDP       Percentage                             Description
Sequence CCDP Percentage Description TRANS 67-40-06 1.44x10-6 17.40%
                                      -6 TRANS 67-40-06           1.44x10       17.40%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-24           1.39x10-6     16.80%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS fails, but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-30           7.83x10-7       9.50%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators fail to recovery offsite power in 30 minutes TRANS 67-35           5.15x10-7       6.20%         Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-40-31-13 5.06x10-7               6.10%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a small loss-of-coolant accident (SLOCA); RCIC and HPCS fail TRANS 67-40-32-13 4.85x10-7               5.90%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; RCIC and HPCS fail 8   For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-24 1.39x10-6 16.80%
6
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS fails, but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-30 7.83x10-7 9.50%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators fail to recovery offsite power in 30 minutes TRANS 67-35 5.15x10-7 6.20%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-40-31-13 5.06x10-7 6.10%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a small loss-of-coolant accident (SLOCA); RCIC and HPCS fail TRANS 67-40-32-13 4.85x10-7 5.90%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; RCIC and HPCS fail 8
For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.  


LER 461-2017-010-02 Sequence         CCDP     Percentage                         Description
LER 461-2017-010-02 7
                          -7 TRANS 65-07     4.80x10     5.80%   Successful reactor trip; a stuck-open relief valve results in a SLOCA; feedwater succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-13     3.15x10-7   3.80%   Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; HPCS fails, but RCIC succeeds; suppression pool cooling fails; reactor depressurization succeeds; low-pressure injection succeeds; containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-07     2.87x10-7   3.50%   Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS succeed; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 63       2.52x10-7   3.10%   Successful reactor trip; power conversion system fails; feedwater fails; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection fails TRANS 67-40-31-06 1.60x10-7   1.90%   Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-31-09 1.54x10-7   1.90%   Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-32-06 1.53x10-7   1.90%   Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-32-09 1.48x10-7   1.80%   Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-28     1.45x10-7   1.80%   Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC fails, but HPCS succeeds; suppression pool cooling and containment spray fails; operators fail to recover the power conversion system; containment venting fails resulting in a loss of all injection TRANS 67-37     1.03x10-7   1.30%   Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; operators fail to depressurize the reactors 7
Sequence CCDP Percentage Description TRANS 65-07 4.80x10-7 5.80%
Successful reactor trip; a stuck-open relief valve results in a SLOCA; feedwater succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-13 3.15x10-7 3.80%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; HPCS fails, but RCIC succeeds; suppression pool cooling fails; reactor depressurization succeeds; low-pressure injection succeeds; containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-07 2.87x10-7 3.50%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS succeed; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 63 2.52x10-7 3.10%
Successful reactor trip; power conversion system fails; feedwater fails; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection fails TRANS 67-40-31-06 1.60x10-7 1.90%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-31-09 1.54x10-7 1.90%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-32-06 1.53x10-7 1.90%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-32-09 1.48x10-7 1.80%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-28 1.45x10-7 1.80%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC fails, but HPCS succeeds; suppression pool cooling and containment spray fails; operators fail to recover the power conversion system; containment venting fails resulting in a loss of all injection TRANS 67-37 1.03x10-7 1.30%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; operators fail to depressurize the reactors  


LER 461-2017-010-02 Sequence             CCDP       Percentage                             Description
LER 461-2017-010-02 8
                                  -8 TRANS 67-40-28-31 9.81x10                 1.20%         Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators successfully recovery offsite power in 30 minutes; reactor depressurization succeeds; low-pressure injection fails TRANS 67-38-14         9.42x10-8       1.10%         Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; a stuck-open relief valve results in a SLOCA; HPCS fails, but RCIC succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; operators fail to align the MSL drains; containment venting fails resulting in a loss of all injection Key Modeling Uncertainties. The base SPAR models provide credit for EDG repair and recovery; however, it is up to the analyst to determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. This ASP analysis does not credit repair of postulated EDG failures. A sensitivity analysis was performed crediting EDG repair of postulated failures of the division 1 EDG using the unplanned unavailability MSPI data.
Sequence CCDP Percentage Description TRANS 67-40-28-31 9.81x10-8 1.20%
Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators successfully recovery offsite power in 30 minutes; reactor depressurization succeeds; low-pressure injection fails TRANS 67-38-14 9.42x10-8 1.10%
Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; a stuck-open relief valve results in a SLOCA; HPCS fails, but RCIC succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; operators fail to align the MSL drains; containment venting fails resulting in a loss of all injection Key Modeling Uncertainties. The base SPAR models provide credit for EDG repair and recovery; however, it is up to the analyst to determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. This ASP analysis does not credit repair of postulated EDG failures. A sensitivity analysis was performed crediting EDG repair of postulated failures of the division 1 EDG using the unplanned unavailability MSPI data.
With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.9x10-6 (a decrease of approximately 17 percent).
With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.9x10-6 (a decrease of approximately 17 percent).
Successful equipment operation is treated probabilistically in ASP analyses (i.e., success is not assumed), while observed failures are modeled as such.9 However, barring any postulated failures, the division 1 EDG would run until the fuel supply in its associated day tank was depleted (approximately 2 hours). To show the effects of this modeling uncertainty, a sensitivity analysis was performed allowing an additional 2 hours for operators to recover offsite power during postulated LOOP scenarios. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.2x10-6 (a decrease of approximately 25 percent).
Successful equipment operation is treated probabilistically in ASP analyses (i.e., success is not assumed), while observed failures are modeled as such.9 However, barring any postulated failures, the division 1 EDG would run until the fuel supply in its associated day tank was depleted (approximately 2 hours). To show the effects of this modeling uncertainty, a sensitivity analysis was performed allowing an additional 2 hours for operators to recover offsite power during postulated LOOP scenarios. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.2x10-6 (a decrease of approximately 25 percent).
REFERENCES
REFERENCES
: 1. Clinton Power Station, "LER 461/17-010 Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram, dated January 17, 2019 (ADAMS Accession No. ML19022A264).
: 1. Clinton Power Station, "LER 461/17-010 Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram, dated January 17, 2019 (ADAMS Accession No. ML19022A264).
: 2. U.S. Nuclear Regulatory Commission, ERRATA Clinton Power Station NRC Special Inspection Report 05000461/2017012, dated January 29, 2018 (ADAMS Accession No. ML18029A863).
: 2. U.S. Nuclear Regulatory Commission, ERRATA Clinton Power Station NRC Special Inspection Report 05000461/2017012, dated January 29, 2018 (ADAMS Accession No. ML18029A863).
: 3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
: 3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
: 4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).
: 4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).
9   This general modeling technique is called the failure memory approach.
9 This general modeling technique is called the failure memory approach.  
8


LER 461-2017-010-02 Appendix A: Key Event Tree GENERAL PLANT TRANSIENT   REACTOR PROTECTION CONSEQUENTIAL LOSS OF     SRV'S CLOSE   POWER CONVERSION     FEEDWATER     RCIC     SUPPRESSION POOL     CRD INJECTION     HPCS     MANUAL REACTOR       CONDENSATE LOW PRESSURE INJECTION   ALTERNATE LOW PRESS     SUPPRESSION POOL     CONTAINMENT SPRAY   POWER CONVERSION   CONTAINMENT VENTING   LATE INJECTION End State SYSTEM          OFFSITE POWER                              SYSTEM                                      COOLING                                      DEPRESSURIZATION                                                INJECTION              COOLING                                SYSTEM RECOVERY                                            (Phase - CD)
LER 461-2017-010-02 A-1 Appendix A: Key Event Tree Figure A-1. Clinton General Transient Event Tree IE-TRANS GENERAL PLANT TRANSIENT RPS REACTOR PROTECTION SYSTEM OEP CONSEQUENTIAL LOSS OF OFFSITE POWER SRV SRV'S CLOSE PCS POWER CONVERSION SYSTEM MFW FEEDWATER RCI RCIC SPC SUPPRESSION POOL COOLING CRD CRD INJECTION HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION CDS CONDENSATE LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2
IE-TRANS                RPS                  OEP                    SRV            PCS                MFW          RCI      SPC                  CRD              HCS      DEP                  CDS            LPI                    VA                    SPC                  CSS                  PCSR                CVS                  LI 1     OK 2     OK 3     OK 4     OK 5     OK 6     CD LI00 7     OK 8     CD LI01 9     OK 10     OK 11     OK 12     OK 13     CD LI00 14     OK 15     CD LI01 16     OK 17     OK 18     OK 19     CD LI00 20     OK 21     CD LI01 22     OK 23     OK 24     OK 25     CD LI00 26     OK 27     CD LI03 28     OK 29     OK 30     OK 31     CD LI00 32     OK 33     CD LI03 34     OK 35     OK 36     OK 37     CD LI00 38     OK 39     CD LI03 40     CD 41     CD 42     OK 43     OK 44     OK 45     OK 46     CD LI00 47     OK 48     CD LI01 49     OK 50     OK 51     OK 52     OK 53     CD LI00 54     OK 55     CD LI03 56     OK 57     OK 58     OK 59     OK 60     CD LI00 61     OK 62     CD LI03 63     CD 64     CD 65   1SORV P1 66   2SORVS P2 67   LOOPPC 68   ATWS Figure A-1. Clinton General Transient Event Tree A-1
OK 3
OK 4
OK 5
OK LI00 6
CD 7
OK LI01 8
CD 9
OK 10 OK 11 OK 12 OK LI00 13 CD 14 OK LI01 15 CD 16 OK 17 OK 18 OK LI00 19 CD 20 OK LI01 21 CD 22 OK 23 OK 24 OK LI00 25 CD 26 OK LI03 27 CD 28 OK 29 OK 30 OK LI00 31 CD 32 OK LI03 33 CD 34 OK 35 OK 36 OK LI00 37 CD 38 OK LI03 39 CD 40 CD 41 CD 42 OK 43 OK 44 OK 45 OK LI00 46 CD 47 OK LI01 48 CD 49 OK 50 OK 51 OK 52 OK LI00 53 CD 54 OK LI03 55 CD 56 OK 57 OK 58 OK 59 OK LI00 60 CD 61 OK LI03 62 CD 63 CD 64 CD P1 65 1SORV P2 66 2SORVS 67 LOOPPC 68 ATWS


LER 461-2017-010-02 LOSS OF OFFSITE     REACTOR       EMERGENCY POWER     SRV'S CLOSE     RCIC   SUPPRESSION POOL     HPCS   MANUAL REACTOR     LOW PRESSURE   ALTERNATE LOW   SUPPRESSION POOL CONTAINMENT SPRAY POWER CONVERSION     CONTAINMENT   LATE INJECTION #    End State POWER INITIATOR PROTECTION SYSTEM                                                COOLING                DEPRESSURIZATION      INJECTION    PRESS INJECTION      COOLING                        SYSTEM RECOVERY        VENTING                        (Phase - CD)
LER 461-2017-010-02 A-2 Figure A-2. Clinton (Plant-Centered) LOOP Event Tree IE-LOOPPC LOSS OF OFFSITE POWER INITIATOR (PLANT-CENTERED)
(PLANT-CENTERED)                  FS = FTF-SBO IE-LOOPPC          RPS              EPS              SRV            RCI      SPC              HCS      DEP              LPI              VA                SPC              CSS              PCSR              CVS            LI 1       OK 2       OK 3       OK 4       OK 5       CD LI04 6       OK 7       CD LI01 8       OK 9       OK 10       OK 11       CD LI04 12       OK 13       CD LI03 14       OK 15       OK 16       OK 17       CD LI04 18       OK 19       CD LI03 20       CD 21       CD 22       OK 23       OK 24       OK 25       OK 26       CD LI04 27       OK 28       CD LI01 29       OK 30       OK 31       OK 32       OK 33       CD LI04 34       OK 35       CD LI03 36       CD 37       CD 38   LOOP-1 P1 39   LOOP-2 P2 40     SBO 41     ATWS 42       CD Figure A-2. Clinton (Plant-Centered) LOOP Event Tree A-2
RPS REACTOR PROTECTION SYSTEM EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RCI RCIC SPC SUPPRESSION POOL COOLING HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2
OK 3
OK 4
OK LI04 5
CD 6
OK LI01 7
CD 8
OK 9
OK 10 OK LI04 11 CD 12 OK LI03 13 CD 14 OK 15 OK 16 OK LI04 17 CD 18 OK LI03 19 CD 20 CD 21 CD 22 OK 23 OK 24 OK 25 OK LI04 26 CD 27 OK LI01 28 CD 29 OK 30 OK 31 OK 32 OK LI04 33 CD 34 OK LI03 35 CD 36 CD 37 CD P1 38 LOOP-1 P2 39 LOOP-2 40 SBO 41 ATWS 42 CD


LER 461-2017-010-02 EMERGENCY POWER     SRV'S CLOSE RECIRC PUMP SEAL         HPCS           RCIC   DC LOAD SHEDDING ACTIONS TO EXTEND   MANUAL REACTOR FIRE WATER INJECTION   OFFSITE POWER DIESEL GENERATOR     CONTAINMENT     LATE INJECTION #    End State INTEGRITY                                                      ECCS OPERATION          DEPRESS                            RECOVERY        RECOVERY          VENTING                        (Phase - CD)
LER 461-2017-010-02 A-3 Figure A-3. Modified Clinton SBO Event Tree EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RPSL RECIRC PUMP SEAL INTEGRITY HCS01 FS = FTF-SBO HPCS RCI01 FS = FTF-SBO RCIC DCL DC LOAD SHEDDING EXT ACTIONS TO EXTEND ECCS OPERATION DEP02 FS = FTF-SBO MANUAL REACTOR DEPRESS FWS FIRE WATER INJECTION OPR OFFSITE POWER RECOVERY DGR DIESEL GENERATOR RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD)
FS = FTF-SBO                                      FS = FTF-SBO  FS = FTF-SBO                                          FS = FTF-SBO EPS              SRV            RPSL              HCS01        RCI01            DCL              EXT                DEP02            FWS                  OPR            DGR              CVS              LI 1   SBO-OP OPR-12H 2     OK 3     OK CVS01 4     CD OPR-12H                                                  LI00 DGR-12H 5     OK CVS01 6     CD LI05 7   SBO-OP OPR-12H 8     OK 9     OK CVS01 10    CD OPR-12H                                              LI-EXT DGR-12H 11     OK CVS01 12     CD LI01 13   SBO-OP OPR-12H 14     OK 15     OK CVS01 16     CD OPR-12H                                                  LI00 DGR-12H 17     OK CVS01 18     CD LI01 19   SBO-OP OPR-04H 20     OK 21     CD OPR-04H DGR-04H 22   SBO-OP OPR-04H 23     OK OPR-04H 24     CD DGR-04H 25   SBO-OP OPR-02H 26     OK OPR-02H 27     CD DGR-02H 28   SBO-OP OPR-30M 29     OK OPR-30M 30     CD DGR-30M 31   SBO-1 32   SBO-1 P1B 33   SBO-2 P2 Figure A-3. Modified Clinton SBO Event Tree A-3
OPR-12H 1
SBO-OP OPR-12H 2
OK DGR-12H CVS01 3
OK LI00 4
CD CVS01 5
OK LI05 6
CD OPR-12H 7
SBO-OP OPR-12H 8
OK DGR-12H CVS01 9
OK LI-EXT 10 CD CVS01 11 OK LI01 12 CD OPR-12H 13 SBO-OP OPR-12H 14 OK DGR-12H CVS01 15 OK LI00 16 CD CVS01 17 OK LI01 18 CD OPR-04H 19 SBO-OP OPR-04H 20 OK DGR-04H 21 CD OPR-04H 22 SBO-OP OPR-04H 23 OK DGR-04H 24 CD OPR-02H 25 SBO-OP OPR-02H 26 OK DGR-02H 27 CD OPR-30M 28 SBO-OP OPR-30M 29 OK DGR-30M 30 CD 31 SBO-1 P1B 32 SBO-1 P2 33 SBO-2


LER 461-2017-010-02 Appendix B: Modified Fault Trees CONTAINMENT VENTING CVS VENT PATHS ARE UNAVAILABLE                                                                                                               OPERATOR FAILS TO VENT          OPERATOR FAILS TO VENT CONTAINMENT GIVEN SEISMIC              CONTAINMENT EVENT CVS-1                                                                                                                                  CVS-XHE-EQK                  Ext CVS-XHE-XM-VENT        1.00E-03 CONTAINMENT SPRAY HEADER                                                           CONTAINMENT VENTING THROUGH                                                        CONTAINMENT UPPER POOL VENT VENT PATH IS UNAVAILABLE                                                           CTM CONTINUOUS PURGE (CCP)                                                          PATH (VIA FC) IS UNAVAILABLE CVS-2                                                                                CVS-4                                                                              CVS-3 CLINTON DIVISION I AC POWER         RHR A CONTAINMENT VENT MOV       CLINTON INSTRUMENT AIR SYSTEM    HOUSE EVENT - LOSS OF OFFSITE    CONTINUOUS PURGE VENT VALVE      CLINTON DIVISION I AC POWER        MANUAL VENT VALVE FC012B FAILS SYSTEM FAULT TREE                    27A FAILS TO OPEN                   FAULT TREE                POWER IE HAS OCCURRED            1VR006B FAILS TO OPEN              SYSTEM FAULT TREE                        TO OPEN ACP-4KVBUS-1A1              Ext    RHR-MOV-CC-F027A        8.16E-04 IAS                          Ext HE-LOOP                    False CVS-AOV-CC-VR06B        7.55E-04 ACP-4KVBUS-1A1                Ext  CVS-XVM-CC-FC012B      4.59E-04 RHR A CONTAINMENT VENT MOV        CLINTON DIVISION I AC POWER                                      CONTINUOUS PURGE VENT VALVE       CLINTON DIVISION II AC POWER        CONT VENT MOV FC007 FAILS TO 28A FAILS TO OPEN               SYSTEM FAULT TREE                                               1VR006A FAILS TO OPEN              SYSTEM FAULT TREE                         OPEN RHR-MOV-CC-F028A        8.16E-04 ACP-4KVBUS-1A1              Ext                                  CVS-AOV-CC-VR06A        7.55E-04 ACP-4KVBUS-1B1                Ext  CVS-MOV-CC-FC007        8.16E-04 MANUAL VENT VALVE F099 FAILS TO                                                                                                                                             CONT VENT MOV FC008 FAILS TO OPEN                                                                                                                                                                    OPEN CVS-XVM-CC-F099          4.59E-04                                                                                                                                         CVS-MOV-CC-FC008        8.16E-04 MANUAL VENT VALVE FC090 FAILS TO OPEN CVS-XVM-CC-FC090        4.59E-04 MANUAL VENT VALVE FC177 FAILS TO OPEN CVS-XVM-CC-FC177        4.59E-04 Figure B-1. Modified Containment Venting Fault Tree B-1
LER 461-2017-010-02 B-1 Appendix B: Modified Fault Trees Figure B-1. Modified Containment Venting Fault Tree CVS CONTAINMENT VENTING CVS-1 VENT PATHS ARE UNAVAILABLE CVS-2 CONTAINMENT SPRAY HEADER VENT PATH IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE 8.16E-04 RHR-MOV-CC-F027A RHR A CONTAINMENT VENT MOV 27A FAILS TO OPEN 8.16E-04 RHR-MOV-CC-F028A RHR A CONTAINMENT VENT MOV 28A FAILS TO OPEN 4.59E-04 CVS-XVM-CC-F099 MANUAL VENT VALVE F099 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC090 MANUAL VENT VALVE FC090 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC177 MANUAL VENT VALVE FC177 FAILS TO OPEN CVS-4 CONTAINMENT VENTING THROUGH CTM CONTINUOUS PURGE (CCP)
Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE False HE-LOOP HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED 7.55E-04 CVS-AOV-CC-VR06B CONTINUOUS PURGE VENT VALVE 1VR006B FAILS TO OPEN 7.55E-04 CVS-AOV-CC-VR06A CONTINUOUS PURGE VENT VALVE 1VR006A FAILS TO OPEN CVS-3 CONTAINMENT UPPER POOL VENT PATH (VIA FC) IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext ACP-4KVBUS-1B1 CLINTON DIVISION II AC POWER SYSTEM FAULT TREE 4.59E-04 CVS-XVM-CC-FC012B MANUAL VENT VALVE FC012B FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC007 CONT VENT MOV FC007 FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC008 CONT VENT MOV FC008 FAILS TO OPEN Ext CVS-XHE-EQK OPERATOR FAILS TO VENT CONTAINMENT GIVEN SEISMIC EVENT 1.00E-03 CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT


LER 461-2017-010-02 LPCS LCS-MDP-SS LPCS PUMP ROOM COOLING IS     CLINTON DIVISION I AC POWER               480V DIVISION 1 BUSES ARE UNAVAILABLE                    SYSTEM FAULT TREE                         UNAVAILABLE LCS-MDP-SS-1                  ACP-4KVBUS-1A1                      Ext ACP-BAC-LP-480V-DIV1      2.29E-05 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT                      Ext Figure B-2. Modified LCS-MDP-SS Fault Tree B-2
LER 461-2017-010-02 B-2 Figure B-2. Modified LCS-MDP-SS Fault Tree LCS-MDP-SS LPCS LCS-MDP-SS-1 LPCS PUMP ROOM COOLING IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE


LER 461-2017-010-02 CLINTON FAILURE OF RHR MDP 1A RHR-MDPA-SS FAILURE OF ROOM COOLING FOR     CLINTON DIVISION I AC POWER               480V DIVISION 1 BUSES ARE RHR PUMP A                    SYSTEM FAULT TREE                         UNAVAILABLE RHR-MDPA-SS-1                  ACP-4KVBUS-1A1                    Ext   ACP-BAC-LP-480V-DIV1      2.29E-05 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT                    Ext Figure B-3. Modified RHR-MDPA-SS Fault Tree B-3
LER 461-2017-010-02 B-3 Figure B-3. Modified RHR-MDPA-SS Fault Tree RHR-MDPA-SS CLINTON FAILURE OF RHR MDP 1A RHR-MDPA-SS-1 FAILURE OF ROOM COOLING FOR RHR PUMP A Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE


LER 461-2017-010-02 DIESEL GENERATOR 1A SUPPORT SYSTEM FAILURES DGA-SS DIESEL GENERATOR 1A SSW SYSTEM FAILS TO DG1A     FAILURE OF DG1A HVAC   DG1A FUEL OIL FAILURES ELECTRICAL FAULTS DGN-SSWA DGA-SS-1              External                  DGA-SS3                DGA-SS8 FUEL OIL PUMP 1A FAILS TO START FHS-MDP-FS-DO1A 7.84E-04 FUEL OIL PUMP 1A FAILS TO RUN FHS-MDP-FR-DO1A 3.87E-04 FO PUMPS A,B,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FS 6.23E-06 FO PUMP A,B,C FAIL FROM COMMON CAUSE TO RUN FHS-MDP-CF-FR 2.90E-06 FO PUMPS A,B FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAB 1.99E-05 FO PUMPS A,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAC 1.99E-05 480V DIVISION 1 BUSES ARE UNAVAILABLE ACP-BAC-LP-480V-DIV1 2.29E-05 Figure B-4. Modified DGA-SS Fault Tree B-4
LER 461-2017-010-02 B-4 Figure B-4. Modified DGA-SS Fault Tree DGA-SS DIESEL GENERATOR 1A SUPPORT SYSTEM FAILURES DGA-SS-1 DIESEL GENERATOR 1A ELECTRICAL FAULTS DGN-SSWA External SSW SYSTEM FAILS TO DG1A DGA-SS3 FAILURE OF DG1A HVAC DGA-SS8 DG1A FUEL OIL FAILURES FHS-MDP-FS-DO1A 7.84E-04 FUEL OIL PUMP 1A FAILS TO START FHS-MDP-FR-DO1A 3.87E-04 FUEL OIL PUMP 1A FAILS TO RUN FHS-MDP-CF-FS 6.23E-06 FO PUMPS A,B,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FR 2.90E-06 FO PUMP A,B,C FAIL FROM COMMON CAUSE TO RUN FHS-MDP-CF-FSAB 1.99E-05 FO PUMPS A,B FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAC 1.99E-05 FO PUMPS A,C FAIL FROM COMMON CAUSE TO START ACP-BAC-LP-480V-DIV1 2.29E-05 480V DIVISION 1 BUSES ARE UNAVAILABLE


LER 461-2017-010-02 CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT LOSS OF DIVISION 1 POWER             CLINTON DIVISION I AC POWER            FAILURE OF DIVISION I 125VDC BUS RESULTS IN LOSS OF BATTERY                 SYSTEM FAULT TREE                              1A CHARGING CAPBILITY DCP-125V-1A-LT-2                      ACP-4KVBUS-1A1                   Ext     DCP-BDC-LP-1A            5.21E-06 DC BATT CHARGERS FAILURE FROM             FAILURE OF DIVISION I 125VDC SEISMIC EVENT                         BATTERY CHARGER 480V DIVISION 1 BUSES ARE        DCP-BCH-EQ                        Ext    DCP-BCH-LP-1A           6.17E-05 UNAVAILABLE                                                            BATTERY CHARGERS FAIL FROM COMMON CAUSE ACP-BAC-LP-480V-DIV1      2.29E-05 OPERATORS FAIL TO ALIGN SWING                                                  DCP-BCH-CF-CHRS         2.10E-07 CHARGER DCP-XHE-XM-SWINGCHARGER Ignore Figure B-5. Modified DCP-125V-1A-LT Fault Tree B-5
LER 461-2017-010-02 B-5 Figure B-5. Modified DCP-125V-1A-LT Fault Tree DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT-2 LOSS OF DIVISION 1 POWER RESULTS IN LOSS OF BATTERY CHARGING CAPBILITY 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE Ignore DCP-XHE-XM-SWINGCHARGER OPERATORS FAIL TO ALIGN SWING CHARGER Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-BCH-EQ DC BATT CHARGERS FAILURE FROM SEISMIC EVENT 5.21E-06 DCP-BDC-LP-1A FAILURE OF DIVISION I 125VDC BUS 1A 6.17E-05 DCP-BCH-LP-1A FAILURE OF DIVISION I 125VDC BATTERY CHARGER 2.10E-07 DCP-BCH-CF-CHRS BATTERY CHARGERS FAIL FROM COMMON CAUSE


LER 461-2017-010-02 POWER CONVERSION SYSTEM PCS FEEDWATER                                                                          FAILURE OF STEAM CONDENSING FUNCTION OF PCS MFW          Ext                                                                    PCS-1 STEAM SYSTEM FAILS                             MSIVS AND MSL DRAINS ARE                          CLINTON MAIN CIRCULATING        HOUSE EVENT - TOTAL LOSS OF ISOLATED                                    WATER IS UNAVAILABLE        CONDENSER HEAT SINK INITIATOR PCS-2                                              PCS-3                                              MCW                        Ext  HE-LOCHS                    False STEAM LOOP VALVES FAIL TO     CLINTON INSTRUMENT AIR SYSTEM      OPERATORS FAIL TO ALIGN MSL OPEN/REMAIN OPEN                     FAULT TREE                          DRAINS MSS-MSV-OC-STEAM        7.44E-06 IAS                         Ext  PCS-XHE-XM-MSLDRAINS       Ignore TURBINE BYPASS VALVES FAIL TO OPEN MSS-TBV-CC-BYPAS        3.12E-03 Figure B-6. Modified PCS Fault Tree B-6
LER 461-2017-010-02 B-6 Figure B-6. Modified PCS Fault Tree PCS POWER CONVERSION SYSTEM Ext MFW FEEDWATER PCS-1 FAILURE OF STEAM CONDENSING FUNCTION OF PCS PCS-2 STEAM SYSTEM FAILS 7.44E-06 MSS-MSV-OC-STEAM STEAM LOOP VALVES FAIL TO OPEN/REMAIN OPEN 3.12E-03 MSS-TBV-CC-BYPAS TURBINE BYPASS VALVES FAIL TO OPEN PCS-3 MSIVS AND MSL DRAINS ARE ISOLATED Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ignore PCS-XHE-XM-MSLDRAINS OPERATORS FAIL TO ALIGN MSL DRAINS Ext MCW CLINTON MAIN CIRCULATING WATER IS UNAVAILABLE False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR


LER 461-2017-010-02 CLINTON CONDENSATE HOTWELL MAKEUP IS UNAVAILABLE CDS-HW FAILURE OF HOTWELL INVENTORY                                         CONDENSATE STORAGE TANK        CONDENSATE STORAGE TANK IS FAILURE FROM SEISMIC EVENT              UNAVAILABLE CDS-HW-1                                                           CDS-TNK-EQ                  Ext CDS-TNK-FC-CST        6.26E-06 HOTWELL LEVEL CONTROL VALVE 2 FAILS FAILURE TO MAINTAIN HOTWELL                            INITIATORS WITHOUT STEAM                                                        CDS-AOV-CC-MKUP2      7.55E-04 INVENTORY                                      RETURN TO HOTWELL                                                            HOTWELL LEVEL CONTROL VALVE 1 FAILS CDS-HW-3                                              CDS-HW-2 CDS-AOV-CC-MKUP1      7.55E-04 FAILURE TO CONTROL CD/CB FLOW        TWO OR MORE BWR SRVS FAIL TO        HOUSE EVENT - SMALL LOSS-OF-TO PREVENT EMPTYING HOTWELL                    CLOSE                   COOLANT ACCIDENT INITIATOR CDS-XHE-XM-HOTWELL         1.00E-03 PPR-SRV-OO-2VLVS       2.00E-03  HE-SLOCA                    False set to PSA value of 0.067        ONE BWR SRV FAILS TO CLOSE     INADVERTENT OPEN RELIEF VALVE (IORV) HAS OCCURRED CDS-TNK-FC-CYMC            6.26E-06 PPR-SRV-OO-1VLV        9.60E-02  HE-IORV                    False FAILURE OF CIRCUIT BREAKER                                            HOUSE EVENT - TOTAL LOSS OF 501A TO OPEN (UAT)                                              CONDENSER HEAT SINK INITIATOR ACP-CRB-CC-501A            2.49E-03                                  HE-LOCHS                    False FAILURE OF CIRCUIT BREAKER 501B TO OPEN (UAT)
LER 461-2017-010-02 B-7 Figure B-7. Modified CDS-HW Fault Tree CDS-HW CLINTON CONDENSATE HOTWELL MAKEUP IS UNAVAILABLE CDS-HW-1 FAILURE OF HOTWELL INVENTORY CDS-HW-3 FAILURE TO MAINTAIN HOTWELL INVENTORY 1.00E-03 CDS-XHE-XM-HOTWELL FAILURE TO CONTROL CD/CB FLOW TO PREVENT EMPTYING HOTWELL 6.26E-06 CDS-TNK-FC-CYMC set to PSA value of 0.067 2.49E-03 ACP-CRB-CC-501A FAILURE OF CIRCUIT BREAKER 501A TO OPEN (UAT) 2.49E-03 ACP-CRB-CC-501B FAILURE OF CIRCUIT BREAKER 501B TO OPEN (UAT) 7.55E-04 CDS-AOV-CC-039 SJAE MIN FLOW TO COND VALVE 1CD039 FAILS TO CLOSE CDS-HW-2 INITIATORS WITHOUT STEAM RETURN TO HOTWELL 2.00E-03 PPR-SRV-OO-2VLVS TWO OR MORE BWR SRVS FAIL TO CLOSE 9.60E-02 PPR-SRV-OO-1VLV ONE BWR SRV FAILS TO CLOSE False HE-SLOCA HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR False HE-IORV INADVERTENT OPEN RELIEF VALVE (IORV) HAS OCCURRED False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR Ext CDS-TNK-EQ CONDENSATE STORAGE TANK FAILURE FROM SEISMIC EVENT 6.26E-06 CDS-TNK-FC-CST CONDENSATE STORAGE TANK IS UNAVAILABLE 7.55E-04 CDS-AOV-CC-MKUP2 HOTWELL LEVEL CONTROL VALVE 2 FAILS 7.55E-04 CDS-AOV-CC-MKUP1 HOTWELL LEVEL CONTROL VALVE 1 FAILS
ACP-CRB-CC-501B            2.49E-03 SJAE MIN FLOW TO COND VALVE 1CD039 FAILS TO CLOSE CDS-AOV-CC-039              7.55E-04 Figure B-7. Modified CDS-HW Fault Tree B-7


LER 461-2017-010-02 Appendix C: Evaluation of Key HFEs Evaluation of DCP-XHE-SWINGCHARGER (operators fail to align the swing charger).
LER 461-2017-010-02 C-1 Appendix C: Evaluation of Key HFEs Evaluation of DCP-XHE-SWINGCHARGER (operators fail to align the swing charger).
Definition     Operators swing charger to supply the division 1 batteries.
Definition Operators swing charger to supply the division 1 batteries.
If normal battery charging capability is lost via the 480 V division 1 AC buses, Description and operators can align the swing charger to prevent a loss of division 1 direct Event Context current (DC) power.
Description and Event Context If normal battery charging capability is lost via the 480 V division 1 AC buses, operators can align the swing charger to prevent a loss of division 1 direct current (DC) power.
Operator Action     Operators successfully align the swing charger to supply the division 1 batteries Success Criteria    prior to batter depletion (2 hours).
Operator Action Success Criteria Operators successfully align the swing charger to supply the division 1 batteries prior to batter depletion (2 hours).
Key Cue(s)     Low DC bus voltage Procedural     CPS 3503.01C006, Class 1E Swing Battery Charger 1DC11E Feed to Guidance      Safety-Related DC Bus Checklist Diagnosis/Action   This HFE only contains both diagnosis and action activities.
Key Cue(s)
Multiplier PSF                                                              Notes Diagnosis/Action The nominal battery depletion time of the safety-related batteries is 2 hours without shedding of DC loads. With successful load shedding, the battery life can be extended to 4 hours. In addition, During the event, a loss of division 1 AC loads (as occurred during the event) reduces the depletion rate. The time estimated to align the swing charger is approximately 1 hour. This would leave a maximum of 1 hour available for diagnosis under the most restrictive scenario (i.e. nominal depletion rate and, low Time Available            1/1 bus voltage threshold quickly reached). However, there could be less time. Given this uncertainty, the diagnosis PSF for available time is set to Nominal.
Low DC bus voltage Procedural Guidance CPS 3503.01C006, Class 1E Swing Battery Charger 1DC11E Feed to Safety-Related DC Bus Checklist Diagnosis/Action This HFE only contains both diagnosis and action activities.
PSF Multiplier Diagnosis/Action Notes Time Available 1 / 1 The nominal battery depletion time of the safety-related batteries is 2 hours without shedding of DC loads. With successful load shedding, the battery life can be extended to 4 hours. In addition, During the event, a loss of division 1 AC loads (as occurred during the event) reduces the depletion rate. The time estimated to align the swing charger is approximately 1 hour. This would leave a maximum of 1 hour available for diagnosis under the most restrictive scenario (i.e. nominal depletion rate and, low bus voltage threshold quickly reached). However, there could be less time. Given this uncertainty, the diagnosis PSF for available time is set to Nominal.
Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
Stress, Complexity, Procedures                             No event information is available to warrant a change in Experience/Training,          1/1            these PSFs (diagnosis or action) from Nominal for this Ergonomics/HMI,                            HFE.
: Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.
Fitness for Duty, Work Processes The HEP is calculated using the following SPAR-H formula:
The HEP is calculated using the following SPAR-H formula:
HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)
HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)  
  = (1 x 0.01) + (1 x 0.001) = 1x10-2 Therefore, the human error probability for DCP-XHE-SWINGCHARGER was set to 1x10-2.
= (1 x 0.01) + (1 x 0.001) = 1x10-2 Therefore, the human error probability for DCP-XHE-SWINGCHARGER was set to 1x10-2.  
C-1


LER 461-2017-010-02 Evaluation of PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser).
LER 461-2017-010-02 C-2 Evaluation of PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser).
Definition     Operators use MSL drains for reactor pressure control.
Definition Operators use MSL drains for reactor pressure control.
Description and     If the condenser is available, but the MSIVs are closed (or expected to close)
Description and Event Context If the condenser is available, but the MSIVs are closed (or expected to close) operators can align the MSL drains to for reactor pressure control.
Event Context    operators can align the MSL drains to for reactor pressure control.
Operator Action Success Criteria Operators align MSL drains to the main condenser to maintain steam path prior to closure of all MSIVs.
Operator Action     Operators align MSL drains to the main condenser to maintain steam path prior Success Criteria    to closure of all MSIVs.
Key Cue(s)
Key Cue(s)     MSIV(s) closing or expected closure of MSIVs Procedural EOP-1, RPV Control and CPS 4411.09, RPV Pressure Control Sources Guidance Diagnosis/Action   This HFE only contains both diagnosis and action activities.
MSIV(s) closing or expected closure of MSIVs Procedural Guidance EOP-1, RPV Control and CPS 4411.09, RPV Pressure Control Sources Diagnosis/Action This HFE only contains both diagnosis and action activities.
Multiplier PSF                                                            Notes Diagnosis/Action During the event, the last inboard MSIV did not close until approximately 4 hours after instrument air to containment was isolated. The time estimated to align the MSL drain is conservatively estimated to be 30 minutes. This would leave at least 3.5 hours available for diagnosis. The nominal time for diagnosis is estimated to take 5 minutes.
PSF Multiplier Diagnosis/Action Notes Time Available 0.01 / 1 During the event, the last inboard MSIV did not close until approximately 4 hours after instrument air to containment was isolated. The time estimated to align the MSL drain is conservatively estimated to be 30 minutes. This would leave at least 3.5 hours available for diagnosis. The nominal time for diagnosis is estimated to take 5 minutes.
Since the 3.5 hours available for diagnosis is greater than Time Available          0.01 / 1      2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.
Since the 3.5 hours available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.
Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.
Stress, Complexity, Procedures                           No event information is available to warrant a change in Experience/Training,          1/1          these PSFs (diagnosis or action) from Nominal for this Ergonomics/HMI,                          HFE.
: Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.
Fitness for Duty, Work Processes The HEP is calculated using the following SPAR-H formula:
The HEP is calculated using the following SPAR-H formula:
HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)
HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP)  
  = (.01 x 0.01) + (1 x 0.001) = 1x10-3 Therefore, the human error probability for PCS-XHE-XM-MSLDRAINS was set to 1x10-3.
= (.01 x 0.01) + (1 x 0.001) = 1x10-3 Therefore, the human error probability for PCS-XHE-XM-MSLDRAINS was set to 1x10-3.}}
C-2}}

Latest revision as of 04:48, 5 January 2025

Final Accident Sequence Precursor Analysis - Clinton Power Station, Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram (LER 461-2017-010) - Precursor
ML19050A510
Person / Time
Site: Clinton Constellation icon.png
Issue date: 03/21/2019
From:
NRC/RES/DRA
To:
Chris Hunter 415-1394
References
LER 2017-010-002 IR 2017012
Download: ML19050A510 (20)
v  d  e


Text

{{#Wiki_filter:1 Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Clinton Power Station Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram Event Date: 12/9/2017 LER: 461-2017-010-02 CCDP = 8x10-6 IR: 05000461/2017012 Plant Type: General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Containment Plant Operating Mode (Reactor Power Level): Mode 1 (97% Reactor Power) Analyst: Reviewer: Contributors: Approval Date: Christopher Hunter Dale Yeilding N/A 3/21/2019 EXECUTIVE

SUMMARY

On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kilovolt (kV) alternating current (AC) bus 1 A1 breaker (1AP07EJ), which feeds the division 1 480-volt (V) AC buses. The loss of division 1 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. In addition, the loss of the division 1 480 V AC buses resulted in the unavailability of the low-pressure core spray (LPCS) pump, residual heat removal (RHR) pump A, the division 1 emergency diesel generator (EDG) A, normal battery charging to the division 1 batteries. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room operators inserted a manual scram in accordance with procedures for low scram pilot air header pressure and control rod drift annunciator alarms. Operators performed a reactor cooldown of the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to the loss of containment instrument air, the main steam isolation valves (MSIVs) began to close. In response to the expected closure of the MSIVs, operators aligned the main steam line (MSL) drains to maintain pressure control. These drains were used in conjunction with the reactor core isolation cooling (RCIC) turbine to continue to cooldown to Mode 4. According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is reactor transient with a consequential loss of offsite power (LOOP) and postulated failures of the division 2 EDG B result in a subsequent station blackout (SBO). Although high-pressure core spray (HPCS) is initially successful, operators fail to recover offsite power within 12 hours resulting in the inability to vent containment, which results in the loss of all injection. This accident sequence accounts for approximately 17 percent of the conditional core damage probability (CCDP) for the event. Two Green (i.e., very low safety significance) findings were identified for this event. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding

LER 461-2017-010-02 2 was associated with the licensee failure to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components. EVENT DETAILS Event Description. On December 9, 2017, multiple alarms were received in the Clinton Power Station control room due to the unexpected opening of the 4.16 kV AC bus 1 A1 breaker (1AP07EJ), which feeds 480-volt (V) AC unit substation 1A and 480 V AC unit substation 1A. The loss of 480 V AC power caused the outboard instrument air containment isolation valve to close and resulted in a subsequent loss of containment instrument air. Approximately 4 minutes after the breaker 1AP07EJ opened, the control room received a low scram pilot air header pressure alarm. Soon after, the control rod drift annunciator alarmed as expected and the control room operators inserted a manual scram in accordance with procedures. Operators began cooling down the reactor by directing steam to the main condenser using the main steam bypass valves and auxiliary steam equipment. Due to loss of containment instrument air, the inboard MSIVs began to close slowly. Operators lined up the MSL drains to maintain pressure control and continue the cooldown in anticipation of MSIV closure as containment air pressure lowered. The last inboard MSIV indicated full closed about 4 hours after the instrument air containment isolation valve closed; however, the MSL drain valves remained available to the operators throughout the event. These drains were used in conjunction with the RCIC turbine to continue to cooldown to Mode 4. This loss of division 1 480 V AC buses resulted in the unavailability of LPCS, RHR pump A, and the division 1 EDG to fulfil their safety function for the complete mission time (i.e., 24 hours).1 Normal charging capability to the division 1 batteries was also lost. Additional information is provided in licensee event report (LER) 461-2017-010-02 (Ref. 1) and inspection report (IR) 05000461/2017012 (Ref. 2). Cause. The unexpected opening of breaker 1AP07EJ was due to a phase-to-ground fault on 480 V transformer 1A. Subsequent vendor testing determined that the ground fault was caused by excessive layer-to-layer design stress within the 4.16 kV transformer winding. This preexisting design defect resulted in the issuance of a 10 CFR Part 21 notification to the NRC. Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact. The RCIC system was declared inoperable because the 480 V AC power was lost to water leg pump and, therefore, operators could not ensure the system was free of voids. NRC inspectors determined that although the RCIC system was appropriately declared inoperable, the system was available (if necessary) for pressure/inventory control and decay heat removal. The isolation of instrument air to containment affected some components in the reactor water cleanup (RWCU) and control rod drive (CRD) systems. The safety-related 1 The division 1 EDG was rendered unable to fulfil its safety function for the complete mission time of 24 hours due to loss 480V AC power to its associated fuel oil transfer pump. The fuel oil transfer pump starts as soon as the level in its associated day tank starts decreasing. Without the fuel oil transfer pump, the day tank only has enough fuel to run the EDG for approximately 2 hours. In addition, the circulating oil and turbo soakback pumps were also unavailable due to the loss of division 1 480 V AC power. However, the loss of these two pumps is not expected to result in a loss of safety function of the EDG.

LER 461-2017-010-02 3 aspects of the RWCU system are typically limited to the containment isolation requirements. The standardized plant analysis risk (SPAR) models typically have limited modeling of the RWCU system and containment isolation; however, their inclusion would not affect the analysis for this initiating event. Therefore, no modeling of RWCU system and its components was needed for this analysis. The CRD system component unavailabilities were limited to the scram pilot air header and did not affect the CRD pumps as a potential source of RCS inventory makeup. The SPAR model only credits CRD makeup from 1 of 2 pumps if RCIC is initially successful. The model does not credit enhanced two-pump flow, which may require instrument air inside containment. Therefore, no model changes for the CRD system were needed for this analysis. MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.2 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 9th event. No windowed events or concurrent degraded operating conditions were identified. In response to this event, the NRC performed a special inspection per Management Directive 8.3, NRC Incident Investigation Program. The special inspection (as documented in IR 05000461/2017012) revealed two Green (i.e., very low safety significance) findings. The first finding was associated with the licensee failure to perform corrective action to preclude repetition for a similar transformer failure that occurred in December 2013. The second finding was associated with the licensee failing to follow procedure that would classify three nonsafety-related 4.16 kV and 480 V transformers as operationally critical components. Both findings were screened out (i.e., no detailed risk evaluation was performed) using Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings at Power, and Appendix A, The Significance Determination Process for Findings at Power. The LER remains open. Analysis Type. An initiating event analysis was performed using the Clinton Power Station SPAR model, Revision 8.54, modified on December 20, 2017. This event was modeled as a general plant transient with a loss of instrument air to the containment and loss of division 1 480 V AC power. SPAR Model Modifications. The following modifications were required for this initiating event assessment: The base SPAR models provide credit for EDG repair for SBO scenarios; however, the analyst must determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. The probabilities of successful repair of an EDG in the base SPAR models are calculated using the data from the unplanned unavailability mitigating system performance index (MSPI). There are questions on the applicability of this data. First, this repair data is not collected under SBO conditions (e.g., reduced lighting). Second, during postulated SBO scenarios, multiple EDG failures have occurred, thus further complicating troubleshooting activities, 2 ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.

LER 461-2017-010-02 4 which would likely increase the time to repair. Given these uncertainties, repair credit for EDG failures is limited to cases where event information supports this credit. Repair credit for postulated failures of the EDGs is not provided in this analysis.3 The issue of crediting EDG repair is noted as a key modeling uncertainty for this analysis and will be discussed with internal stakeholders to determine if consensus approach can be developed. The CVS (containment venting) fault tree was modified to eliminate duplicative operator actions to initiate containment venting. Specifically, basic events CVS-XHE-XM-VENT1 (operator fails to vent containment through CCP), CVS-XHE-XM-VENT2 (operator fails to vent containment through FC to SFP), and CVS-XHE-XM-VENT3 (operator fails to vent containment through RHR A to FP) were deleted. The operator action to vent containment is already accounted for in the model via basic event CVS-XHE-XM-VENT (operator fails to vent containment). The modified CVS fault tree is shown in Figure B-1 of Appendix B. The base model does not explicitly include modeling of the 480 V AC portion of the electrical distribution system. During the event, the 4.16 kV bus 1A1 breaker 1AP07EJ, which feeds both division 1 480 V buses (1AP11E and 0AP05E), opened due to a fault on 480 V transformer 1A. This caused the unavailability of the LPCS pump, RHR pump A, and the division 1 EDG. To account for the dependency of these pumps on 480 V AC power, a new basic event ACP-BAC-LP-480V-DIV1 (480V division 1 buses are unavailable) was inserted in the LPCS fault tree (under the LCS-MDP-SS subtree), RHR pump A fault tree (under the RHR-MDPA-SS subtree), and DGA-SS fault tree (under gate DGA-SS8).4 These modified faults trees are shown in Figure B-2, Figure B-3, and Figure B-4 of Appendix B. The loss of division 1 480 V buses also resulted in the loss of normal battery charging for the division 1 batteries. During the event, operators successfully aligned the class 1E swing charger to supply the division 1 batteries. To account for the loss of normal battery charging on the division 1 batteries and the potential for aligning the swing charger, fault tree DCP-125V-1A-LT (Clinton division I 125 VDC power is unavailable) was modified. Specifically, a new AND gate was added under the top gate with the new basic events ACP-BAC-LP-480V-DIV1 and a DCP-XHE-SWINGCHARGER (operators fail to align the swing charger) inserted under this new gate. Basic event DCP-XHE-SWINGCHARGER was set to IGNORE in the base model. This modified fault tree is shown in Figure B-5 of Appendix B. The only modeling of instrument air system in the current SPAR model is via house event HE-LOIAS (loss of instrument air system initiating event has occurred), which is used alone or within the IAS (Clinton instrument air) fault tree. Dependency on the instrument air system is limited in the current SPAR model (e.g., power conversion 3 The applicable EDG recovery basic events: EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR02H (operator fails to recover emergency diesel in 2 hours), EPS-XHE-XL-NR04H (operator fails to recover emergency diesel in 4 hours), and EPS-XHE-XL-NR12H (operator fails to recover emergency diesel in 12 hours) were set to TRUE in the base SPAR model. 4 The ZT-BAC-LP (AC bus fails to operate) default template was used for this basic event.

LER 461-2017-010-02 5 system, condenser, containment venting, RCIC).5, 6 During the event, the loss instrument air was limited to components/systems inside containment and, therefore, only containment venting and power conversion system were affected.7 The PCS fault tree assumes that PCS is rendered unavailable given a complete loss of instrument air, which would fail MFW because of lack of makeup to condenser hotwell and render the condenser heat sink unavailable due to the closure of MSIVs. Since instrument air was only lost in containment, feedwater and the condenser heat sink remained available throughout the event and operators were able to align the MSL drains to the condenser, two changes were made to the PCS fault tree. First, the IAS transfer tree and a new basic event PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser) were added under a new AND gate. Basic event PCS-XHE-XM-MSLDRAINS was set to IGNORE in the base model. The modified PCS fault tree is shown in Figure B-6 of Appendix B. Second, the IAS transfer tree was deleted from the CDS-HW (Clinton condensate hotwell makeup is unavailable) fault tree. The modified CD-HW fault trees are shown in Figure B-7 of Appendix B. Errors associated with late injection modeling were identified in two event trees, 1SORV (Clinton transfer - one stuck open SRV) and LOOP-1 (Clinton transfer - one stuck open SRV). Specifically, transient (TRANS) sequences 65-33 and 67-38-19 incorrectly assumed a failure of late injection. The transfers for these two sequences were changed from LI02 (Clinton late injection fault tree) to LI00 (Clinton late injection fault tree). Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment: The operators manually scrammed the reactor due to low scram header air pressure; therefore, the probability of IE-TRANS (general plant transient initiating event) was set to 1.0. All other initiating event probabilities were set to zero. Basic event ACP-BAC-LP-480V-DIV1 was set to TRUE due to the loss of the division 1 480 V AC buses caused by the opening of the 4.16 kV bus 1A1 breaker 1AP07EJ as result of the transformer fault. Basic event HE-LOIAS was set to TRUE to account for the loss of instrument air inside containment. Recovery potential for instrument air to the containment was not credited in this analysis since that portion of the air system was not recovered for over 16 hours after initiation of the event. The human failure event (HFE) DCP-XHE-SWINGCHARGER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The human error probability (HEP) for DCP-XHE-SWINGCHARGER was calculated to be 1x10-2. 5 The CND (main condenser heat sink) fault tree also has an instrument air system dependency; however, this fault tree is only used in the loss of feedwater event tree. Modeling associated with the condenser is included in the PCS (power conversion system) fault tree for the TRANS (general transient) event tree. 6 The use of house event HE-LOIAS in the RCIC pump modeling in the RCI-SS-LT (RCIC support systems) subtree corresponds to different support system requirements needed for different initiating events and was not intended to model a RCIC system dependency for instrument air. Therefore, this modeling does not need to be modified for this event analysis. 7 In addition to the condensate and feedwater systems, the power conversion system includes modeling of the MSIVs.

LER 461-2017-010-02 6 The HFE PCS-XHE-XM-MSLDRAINS was evaluated using SPAR-H; see Appendix C for additional information. The HEP for PCS-XHE-XM-MSLDRAINS was calculated to be 1x10-3. ANALYSIS RESULTS CCDP. The conditional CCDP for this analysis is calculated to be 8.3x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink), whichever is greater. This CCDP equivalent for Clinton Power Station is 2.3x10-6.8 Therefore, this event is a precursor. Dominant Sequence. The dominant accident sequence is transient sequence 67-40-06 (CCDP = 1.4x10-6), which contributes approximately 17 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1, Figure A-2, and Figure A-3 and Appendix A. Sequence CCDP Percentage Description TRANS 67-40-06 1.44x10-6 17.40% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-24 1.39x10-6 16.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; HPCS fails, but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-30 7.83x10-7 9.50% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators fail to recovery offsite power in 30 minutes TRANS 67-35 5.15x10-7 6.20% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-40-31-13 5.06x10-7 6.10% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a small loss-of-coolant accident (SLOCA); RCIC and HPCS fail TRANS 67-40-32-13 4.85x10-7 5.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; RCIC and HPCS fail 8 For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.

LER 461-2017-010-02 7 Sequence CCDP Percentage Description TRANS 65-07 4.80x10-7 5.80% Successful reactor trip; a stuck-open relief valve results in a SLOCA; feedwater succeeds; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-13 3.15x10-7 3.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; HPCS fails, but RCIC succeeds; suppression pool cooling fails; reactor depressurization succeeds; low-pressure injection succeeds; containment spray fails; containment venting fails resulting in a loss of all injection TRANS 67-07 2.87x10-7 3.50% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS succeed; suppression pool cooling and containment spray fails; containment venting fails resulting in a loss of all injection TRANS 63 2.52x10-7 3.10% Successful reactor trip; power conversion system fails; feedwater fails; RCIC and HPCS fail; reactor depressurization succeeds; low-pressure injection fails TRANS 67-40-31-06 1.60x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-31-09 1.54x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; recirculation pump seals fail resulting in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-40-32-06 1.53x10-7 1.90% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS succeeds; operators fail to recover offsite power in 12 hours; containment venting fails resulting in a loss of all injection TRANS 67-40-32-09 1.48x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; a stuck-open relief valve results in a SLOCA; HPCS fails but RCIC succeeds; operators successfully shed DC loads; operators fail to recovery offsite power in 4 hours TRANS 67-28 1.45x10-7 1.80% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC fails, but HPCS succeeds; suppression pool cooling and containment spray fails; operators fail to recover the power conversion system; containment venting fails resulting in a loss of all injection TRANS 67-37 1.03x10-7 1.30% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; operators fail to depressurize the reactors

LER 461-2017-010-02 8 Sequence CCDP Percentage Description TRANS 67-40-28-31 9.81x10-8 1.20% Successful reactor trip; consequential LOOP occurs; EDGs fail resulting in a SBO; RCIC and HPCS fail; operators successfully recovery offsite power in 30 minutes; reactor depressurization succeeds; low-pressure injection fails TRANS 67-38-14 9.42x10-8 1.10% Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; a stuck-open relief valve results in a SLOCA; HPCS fails, but RCIC succeeds; low-pressure injection succeeds; suppression pool cooling and containment spray fails; operators fail to align the MSL drains; containment venting fails resulting in a loss of all injection Key Modeling Uncertainties. The base SPAR models provide credit for EDG repair and recovery; however, it is up to the analyst to determine whether credit should be applied given the specific circumstances surrounding the event being analyzed. This ASP analysis does not credit repair of postulated EDG failures. A sensitivity analysis was performed crediting EDG repair of postulated failures of the division 1 EDG using the unplanned unavailability MSPI data. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.9x10-6 (a decrease of approximately 17 percent). Successful equipment operation is treated probabilistically in ASP analyses (i.e., success is not assumed), while observed failures are modeled as such.9 However, barring any postulated failures, the division 1 EDG would run until the fuel supply in its associated day tank was depleted (approximately 2 hours). To show the effects of this modeling uncertainty, a sensitivity analysis was performed allowing an additional 2 hours for operators to recover offsite power during postulated LOOP scenarios. With this credit applied, the CDP for the second exposure period decreases from 8.3x10-6 to 6.2x10-6 (a decrease of approximately 25 percent). REFERENCES

1. Clinton Power Station, "LER 461/17-010 Division 1 Transformer Failure Leads to Instrument Air Isolation to Containment Requiring a Manual Reactor Scram, dated January 17, 2019 (ADAMS Accession No. ML19022A264).
2. U.S. Nuclear Regulatory Commission, ERRATA Clinton Power Station NRC Special Inspection Report 05000461/2017012, dated January 29, 2018 (ADAMS Accession No. ML18029A863).
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

9 This general modeling technique is called the failure memory approach.

LER 461-2017-010-02 A-1 Appendix A: Key Event Tree Figure A-1. Clinton General Transient Event Tree IE-TRANS GENERAL PLANT TRANSIENT RPS REACTOR PROTECTION SYSTEM OEP CONSEQUENTIAL LOSS OF OFFSITE POWER SRV SRV'S CLOSE PCS POWER CONVERSION SYSTEM MFW FEEDWATER RCI RCIC SPC SUPPRESSION POOL COOLING CRD CRD INJECTION HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION CDS CONDENSATE LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2 OK 3 OK 4 OK 5 OK LI00 6 CD 7 OK LI01 8 CD 9 OK 10 OK 11 OK 12 OK LI00 13 CD 14 OK LI01 15 CD 16 OK 17 OK 18 OK LI00 19 CD 20 OK LI01 21 CD 22 OK 23 OK 24 OK LI00 25 CD 26 OK LI03 27 CD 28 OK 29 OK 30 OK LI00 31 CD 32 OK LI03 33 CD 34 OK 35 OK 36 OK LI00 37 CD 38 OK LI03 39 CD 40 CD 41 CD 42 OK 43 OK 44 OK 45 OK LI00 46 CD 47 OK LI01 48 CD 49 OK 50 OK 51 OK 52 OK LI00 53 CD 54 OK LI03 55 CD 56 OK 57 OK 58 OK 59 OK LI00 60 CD 61 OK LI03 62 CD 63 CD 64 CD P1 65 1SORV P2 66 2SORVS 67 LOOPPC 68 ATWS

LER 461-2017-010-02 A-2 Figure A-2. Clinton (Plant-Centered) LOOP Event Tree IE-LOOPPC LOSS OF OFFSITE POWER INITIATOR (PLANT-CENTERED) RPS REACTOR PROTECTION SYSTEM EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RCI RCIC SPC SUPPRESSION POOL COOLING HCS HPCS DEP MANUAL REACTOR DEPRESSURIZATION LPI LOW PRESSURE INJECTION VA ALTERNATE LOW PRESS INJECTION SPC SUPPRESSION POOL COOLING CSS CONTAINMENT SPRAY PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) 1 OK 2 OK 3 OK 4 OK LI04 5 CD 6 OK LI01 7 CD 8 OK 9 OK 10 OK LI04 11 CD 12 OK LI03 13 CD 14 OK 15 OK 16 OK LI04 17 CD 18 OK LI03 19 CD 20 CD 21 CD 22 OK 23 OK 24 OK 25 OK LI04 26 CD 27 OK LI01 28 CD 29 OK 30 OK 31 OK 32 OK LI04 33 CD 34 OK LI03 35 CD 36 CD 37 CD P1 38 LOOP-1 P2 39 LOOP-2 40 SBO 41 ATWS 42 CD

LER 461-2017-010-02 A-3 Figure A-3. Modified Clinton SBO Event Tree EPS FS = FTF-SBO EMERGENCY POWER SRV SRV'S CLOSE RPSL RECIRC PUMP SEAL INTEGRITY HCS01 FS = FTF-SBO HPCS RCI01 FS = FTF-SBO RCIC DCL DC LOAD SHEDDING EXT ACTIONS TO EXTEND ECCS OPERATION DEP02 FS = FTF-SBO MANUAL REACTOR DEPRESS FWS FIRE WATER INJECTION OPR OFFSITE POWER RECOVERY DGR DIESEL GENERATOR RECOVERY CVS CONTAINMENT VENTING LI LATE INJECTION End State (Phase - CD) OPR-12H 1 SBO-OP OPR-12H 2 OK DGR-12H CVS01 3 OK LI00 4 CD CVS01 5 OK LI05 6 CD OPR-12H 7 SBO-OP OPR-12H 8 OK DGR-12H CVS01 9 OK LI-EXT 10 CD CVS01 11 OK LI01 12 CD OPR-12H 13 SBO-OP OPR-12H 14 OK DGR-12H CVS01 15 OK LI00 16 CD CVS01 17 OK LI01 18 CD OPR-04H 19 SBO-OP OPR-04H 20 OK DGR-04H 21 CD OPR-04H 22 SBO-OP OPR-04H 23 OK DGR-04H 24 CD OPR-02H 25 SBO-OP OPR-02H 26 OK DGR-02H 27 CD OPR-30M 28 SBO-OP OPR-30M 29 OK DGR-30M 30 CD 31 SBO-1 P1B 32 SBO-1 P2 33 SBO-2

LER 461-2017-010-02 B-1 Appendix B: Modified Fault Trees Figure B-1. Modified Containment Venting Fault Tree CVS CONTAINMENT VENTING CVS-1 VENT PATHS ARE UNAVAILABLE CVS-2 CONTAINMENT SPRAY HEADER VENT PATH IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE 8.16E-04 RHR-MOV-CC-F027A RHR A CONTAINMENT VENT MOV 27A FAILS TO OPEN 8.16E-04 RHR-MOV-CC-F028A RHR A CONTAINMENT VENT MOV 28A FAILS TO OPEN 4.59E-04 CVS-XVM-CC-F099 MANUAL VENT VALVE F099 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC090 MANUAL VENT VALVE FC090 FAILS TO OPEN 4.59E-04 CVS-XVM-CC-FC177 MANUAL VENT VALVE FC177 FAILS TO OPEN CVS-4 CONTAINMENT VENTING THROUGH CTM CONTINUOUS PURGE (CCP) Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE False HE-LOOP HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED 7.55E-04 CVS-AOV-CC-VR06B CONTINUOUS PURGE VENT VALVE 1VR006B FAILS TO OPEN 7.55E-04 CVS-AOV-CC-VR06A CONTINUOUS PURGE VENT VALVE 1VR006A FAILS TO OPEN CVS-3 CONTAINMENT UPPER POOL VENT PATH (VIA FC) IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext ACP-4KVBUS-1B1 CLINTON DIVISION II AC POWER SYSTEM FAULT TREE 4.59E-04 CVS-XVM-CC-FC012B MANUAL VENT VALVE FC012B FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC007 CONT VENT MOV FC007 FAILS TO OPEN 8.16E-04 CVS-MOV-CC-FC008 CONT VENT MOV FC008 FAILS TO OPEN Ext CVS-XHE-EQK OPERATOR FAILS TO VENT CONTAINMENT GIVEN SEISMIC EVENT 1.00E-03 CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT

LER 461-2017-010-02 B-2 Figure B-2. Modified LCS-MDP-SS Fault Tree LCS-MDP-SS LPCS LCS-MDP-SS-1 LPCS PUMP ROOM COOLING IS UNAVAILABLE Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE

LER 461-2017-010-02 B-3 Figure B-3. Modified RHR-MDPA-SS Fault Tree RHR-MDPA-SS CLINTON FAILURE OF RHR MDP 1A RHR-MDPA-SS-1 FAILURE OF ROOM COOLING FOR RHR PUMP A Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE

LER 461-2017-010-02 B-4 Figure B-4. Modified DGA-SS Fault Tree DGA-SS DIESEL GENERATOR 1A SUPPORT SYSTEM FAILURES DGA-SS-1 DIESEL GENERATOR 1A ELECTRICAL FAULTS DGN-SSWA External SSW SYSTEM FAILS TO DG1A DGA-SS3 FAILURE OF DG1A HVAC DGA-SS8 DG1A FUEL OIL FAILURES FHS-MDP-FS-DO1A 7.84E-04 FUEL OIL PUMP 1A FAILS TO START FHS-MDP-FR-DO1A 3.87E-04 FUEL OIL PUMP 1A FAILS TO RUN FHS-MDP-CF-FS 6.23E-06 FO PUMPS A,B,C FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FR 2.90E-06 FO PUMP A,B,C FAIL FROM COMMON CAUSE TO RUN FHS-MDP-CF-FSAB 1.99E-05 FO PUMPS A,B FAIL FROM COMMON CAUSE TO START FHS-MDP-CF-FSAC 1.99E-05 FO PUMPS A,C FAIL FROM COMMON CAUSE TO START ACP-BAC-LP-480V-DIV1 2.29E-05 480V DIVISION 1 BUSES ARE UNAVAILABLE

LER 461-2017-010-02 B-5 Figure B-5. Modified DCP-125V-1A-LT Fault Tree DCP-125V-1A-LT CLINTON DIVISION I 125 VDC POWER IS UNAVAILABLE DCP-125V-1A-LT-2 LOSS OF DIVISION 1 POWER RESULTS IN LOSS OF BATTERY CHARGING CAPBILITY 2.29E-05 ACP-BAC-LP-480V-DIV1 480V DIVISION 1 BUSES ARE UNAVAILABLE Ignore DCP-XHE-XM-SWINGCHARGER OPERATORS FAIL TO ALIGN SWING CHARGER Ext ACP-4KVBUS-1A1 CLINTON DIVISION I AC POWER SYSTEM FAULT TREE Ext DCP-BCH-EQ DC BATT CHARGERS FAILURE FROM SEISMIC EVENT 5.21E-06 DCP-BDC-LP-1A FAILURE OF DIVISION I 125VDC BUS 1A 6.17E-05 DCP-BCH-LP-1A FAILURE OF DIVISION I 125VDC BATTERY CHARGER 2.10E-07 DCP-BCH-CF-CHRS BATTERY CHARGERS FAIL FROM COMMON CAUSE

LER 461-2017-010-02 B-6 Figure B-6. Modified PCS Fault Tree PCS POWER CONVERSION SYSTEM Ext MFW FEEDWATER PCS-1 FAILURE OF STEAM CONDENSING FUNCTION OF PCS PCS-2 STEAM SYSTEM FAILS 7.44E-06 MSS-MSV-OC-STEAM STEAM LOOP VALVES FAIL TO OPEN/REMAIN OPEN 3.12E-03 MSS-TBV-CC-BYPAS TURBINE BYPASS VALVES FAIL TO OPEN PCS-3 MSIVS AND MSL DRAINS ARE ISOLATED Ext IAS CLINTON INSTRUMENT AIR SYSTEM FAULT TREE Ignore PCS-XHE-XM-MSLDRAINS OPERATORS FAIL TO ALIGN MSL DRAINS Ext MCW CLINTON MAIN CIRCULATING WATER IS UNAVAILABLE False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR

LER 461-2017-010-02 B-7 Figure B-7. Modified CDS-HW Fault Tree CDS-HW CLINTON CONDENSATE HOTWELL MAKEUP IS UNAVAILABLE CDS-HW-1 FAILURE OF HOTWELL INVENTORY CDS-HW-3 FAILURE TO MAINTAIN HOTWELL INVENTORY 1.00E-03 CDS-XHE-XM-HOTWELL FAILURE TO CONTROL CD/CB FLOW TO PREVENT EMPTYING HOTWELL 6.26E-06 CDS-TNK-FC-CYMC set to PSA value of 0.067 2.49E-03 ACP-CRB-CC-501A FAILURE OF CIRCUIT BREAKER 501A TO OPEN (UAT) 2.49E-03 ACP-CRB-CC-501B FAILURE OF CIRCUIT BREAKER 501B TO OPEN (UAT) 7.55E-04 CDS-AOV-CC-039 SJAE MIN FLOW TO COND VALVE 1CD039 FAILS TO CLOSE CDS-HW-2 INITIATORS WITHOUT STEAM RETURN TO HOTWELL 2.00E-03 PPR-SRV-OO-2VLVS TWO OR MORE BWR SRVS FAIL TO CLOSE 9.60E-02 PPR-SRV-OO-1VLV ONE BWR SRV FAILS TO CLOSE False HE-SLOCA HOUSE EVENT - SMALL LOSS-OF-COOLANT ACCIDENT INITIATOR False HE-IORV INADVERTENT OPEN RELIEF VALVE (IORV) HAS OCCURRED False HE-LOCHS HOUSE EVENT - TOTAL LOSS OF CONDENSER HEAT SINK INITIATOR Ext CDS-TNK-EQ CONDENSATE STORAGE TANK FAILURE FROM SEISMIC EVENT 6.26E-06 CDS-TNK-FC-CST CONDENSATE STORAGE TANK IS UNAVAILABLE 7.55E-04 CDS-AOV-CC-MKUP2 HOTWELL LEVEL CONTROL VALVE 2 FAILS 7.55E-04 CDS-AOV-CC-MKUP1 HOTWELL LEVEL CONTROL VALVE 1 FAILS

LER 461-2017-010-02 C-1 Appendix C: Evaluation of Key HFEs Evaluation of DCP-XHE-SWINGCHARGER (operators fail to align the swing charger). Definition Operators swing charger to supply the division 1 batteries. Description and Event Context If normal battery charging capability is lost via the 480 V division 1 AC buses, operators can align the swing charger to prevent a loss of division 1 direct current (DC) power. Operator Action Success Criteria Operators successfully align the swing charger to supply the division 1 batteries prior to batter depletion (2 hours). Key Cue(s) Low DC bus voltage Procedural Guidance CPS 3503.01C006, Class 1E Swing Battery Charger 1DC11E Feed to Safety-Related DC Bus Checklist Diagnosis/Action This HFE only contains both diagnosis and action activities. PSF Multiplier Diagnosis/Action Notes Time Available 1 / 1 The nominal battery depletion time of the safety-related batteries is 2 hours without shedding of DC loads. With successful load shedding, the battery life can be extended to 4 hours. In addition, During the event, a loss of division 1 AC loads (as occurred during the event) reduces the depletion rate. The time estimated to align the swing charger is approximately 1 hour. This would leave a maximum of 1 hour available for diagnosis under the most restrictive scenario (i.e. nominal depletion rate and, low bus voltage threshold quickly reached). However, there could be less time. Given this uncertainty, the diagnosis PSF for available time is set to Nominal. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula: HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP) = (1 x 0.01) + (1 x 0.001) = 1x10-2 Therefore, the human error probability for DCP-XHE-SWINGCHARGER was set to 1x10-2.

LER 461-2017-010-02 C-2 Evaluation of PCS-XHE-XM-MSLDRAINS (operators fail to align the MSL drains to the condenser). Definition Operators use MSL drains for reactor pressure control. Description and Event Context If the condenser is available, but the MSIVs are closed (or expected to close) operators can align the MSL drains to for reactor pressure control. Operator Action Success Criteria Operators align MSL drains to the main condenser to maintain steam path prior to closure of all MSIVs. Key Cue(s) MSIV(s) closing or expected closure of MSIVs Procedural Guidance EOP-1, RPV Control and CPS 4411.09, RPV Pressure Control Sources Diagnosis/Action This HFE only contains both diagnosis and action activities. PSF Multiplier Diagnosis/Action Notes Time Available 0.01 / 1 During the event, the last inboard MSIV did not close until approximately 4 hours after instrument air to containment was isolated. The time estimated to align the MSL drain is conservatively estimated to be 30 minutes. This would leave at least 3.5 hours available for diagnosis. The nominal time for diagnosis is estimated to take 5 minutes. Since the 3.5 hours available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress, Complexity, Procedures Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula: HEP = (Product of Diagnosis PSFs x Nominal Diagnosis HEP) + (Product of Action PSFs x Nominal Action HEP) = (.01 x 0.01) + (1 x 0.001) = 1x10-3 Therefore, the human error probability for PCS-XHE-XM-MSLDRAINS was set to 1x10-3.}}

Retrieved from "https://kanterella.com/w/index.php?title=ML19050A510&oldid=4937186"