Text

Attachment 1: Summary of Exelon Position
	ML18360A469
Person / Time
Site:	Clinton
Issue date:	12/14/2018
From:	; Exelon Generation Co
To:	; NRC/RGN-III, Office of Nuclear Reactor Regulation
Shared Package
ML18360A500	List: ML18360A469; ML18360A470; ML18360A471; ML18360A472; ML18360A473; ML18360A474; ML18360A475; ML18360A476; ML18360A477; ML18360A478; ML18360A479; ML18360A480; ML18360A481; ML18360A482; ML18360A483; ML18360A484; ML18360A485; RS-18-146, Evaluation of Preliminary White Finding;
References
	RS-18-146
	Download: ML18360A469 (22)
	v • d • e

ATTACHMENT 1 Summary of Exelon Position

Background

On May 17, 2018, an area operator identified the Division 2 Diesel Generator (DG) Air Receiver Outlet Valves isolated. Clinton Power Station (CPS) self-identified the unavailability and inoperability of the Division 2 DG at a time when it was relied upon for plant safety. During part of the time that the Division 2 DG was unavailable, the Division 1 DG was already out of service for planned maintenance. This resulted in an unplanned shutdown risk change as a result of having two onsite power sources unavailable with two, independent, offsite sources available.

During the period when neither the Division 1 nor Division 2 DGs were available, a loss*of offsite power (LOOP) would have resulted in a station blackout (S80) condition that could have resulted in a long-term loss of-the ability to cool the, reactor core.

Exelon Generation Company (Exelon or EGC) determined the root cause of the event to be CPS's use of logs as the sole means to track plant configuration, contrary to Exelon fleet governance for plant status control. In response to the everit, CPS took immediate corrective actions, including human performance oral boards for all operators, training on operator rounds, revisions to safety-related rounds points, and a three-day station-wide "carr:ipaign for change."

The U.S. Nuclear Regulatory Commission (NRC or Commission) issued an apparent violation of 10 CFR Part 50, Appendix 8, Criterion V, "Instructions, Procedures, and Drawings," and Technical Specification 3.8.2, Condition 8.3 (i.e., References 1 and 2). The NRC assigned a preliminary significance determination of White (low to moderate safety significance).

Introduction Exelon accepts the finding. However, Exelon disagrees with the NRC's characterization of the finding as White. As described further below, after appropriate consideration of realistic and best.available plant-related conditions while the DG was unavailable, the finding is of very low safety significance and should be characterized as Green.

From .an overall risk.

perspective, the risk of this event is very low for the following reasons:

Probability of a loss of offsite power is low;

Approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months would have been available prior to core uncovery;

Recovery of the Division 2 DG is a simple task;

Extensive operator training on S80;

Specific procedures governing the power recovery methods;.

Site was staffed with significant resources; and

Four power recovery methods were viable in a timeframe that would avoid a safety impact.

On a more granular level, specific assumptions in the NRC's risk analysis described below do not accurately reflect how CPS would respond to the postulated S80 event. These assumptions are not consistent with Commission policy and guidance that govern NRC significance determinations. The Commission's "Policy Statement on the Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities" directs that PRA evaluations should be as realistic as practicable (i.e., Reference 3). NRC Inspection Manual Chapter 0609, "Significance Determination Process," states that significance determinations should be made Page 1

ATTACHMENT 1 Summary of Exelon Position using the best available risk insights and information (i.e., Reference 4). In this case, however, the NRC's risk evaluation does not reflect the as-built and as-operated actual plant response.

As explained more fu!IY below, the NRC's risk evaluation assumptions do not accurately reflect how CPS would actually respond to the SBO and DG recovery. The NRC's risk evaluation also incorrectly interprets how (or if) the station would declare an extended loss of AC power (ELAP),

and the reliability of.the Division 3 to Division 2 cross-tie and FLEX strategy implementation.

The NRC's risk evaluation is inaccurate because it does not appropriately model or credit several.key factors. Specifically, the NRC's evaluation does not properly reflect: (1) extensive operator knowledge, training, and experience; (2) expansive time available to take recovery actions; (3) specific procedures that control the event and drive it to successful resolution; and (4) resources available (including staffed Emergency Response Organization (ERO) and

Technical Support Center (TSC)). * ,

Realistic and best available information demonstrates that the event would not meet the definition of an ELAP, and therefore, CPS would have pursued recovery of installed equipment (i.e., the DG) first. The Division 2 DG would have been restored and injection would have been available within one hour. Moreover, there was expansive time. (which was not recognized by the NRC) to recover AC power and prevent core uncovery. In addition, recovery of installed equipment (i.e., the DG), instead of declaring an ELAP, would have continued beyond one hour into the event, in the unlikely event that the DG was not restored by that time. Efforts to restore the DG would not be abandoned as claimed by the NRC, as that would be inconsistent with procedures and training, and would not be in the best interest of nuclear safety. Lastly, alternative power recovery actions would have been pursued in parallel, not in series, without complicating the ability to achieve success using any of the available pathways.,

Appropriately reflecting the station's actual response to the eventin the NRC's risk evaluation changes the significance determination from White.to Green. Certain key performance shaping factor (PSF) multipliers in the NRC's analysis are based on overly-conservative assumptions regarding CPS's responsive actions to recover power, such as the available time, level of operator experience and training, and the complexity of those actions. When comparing the NRC's risk evaluation results to EGC's results for the change in core d.amage frequency (CDF)

(i.e., delta CDF), EGC's result is nearly a factor of 400 lower. When the PSF multipliers mentioned above are adjusted in the NRC's risk analysis to reflect realistic and best available information, the delta CDF is expected to drop from 3.BE-6/year (i.e.: the value in Reference 2) to very low safety significance (i.e., below 1E-6/year).

I ,

Specifically, as shown in the following table, EGC disagrees with muitiple assumptions in the NRC's analysis set forth in Reference 2.

Page 2

ATTACHMENT 1 Summary of Exelon Position s ummary of PRAA ssumpr10n o*1sagreements NRC Position Exelon Position Assumption 12

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months available to recover AC power to

Air start valves found isolated within 29 Division 2 by recovering DG; ELAP minutes declared at 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and efforts to establish FLEX power to Division 2 would

ELAP not declared commence; efforts to recover the Division 2

Load shed recovery proceduralized and DG would halt does not complicate DG recovery

DG recovery complicated by SBO load

FLEX pre-staging only shedding that removes all DC control power from DG

FLEX electrical lineup impacts DG components Assumption* 13

Experience/training considered Low for DG

DG air start valve position easily identified in recovery diagnosis knowledge-based or procedure-based mode

Operators have not trained on, experienced,

Operators extensively trained on DG or been exposed to failed DG malfunctions Assumption 2

Time to top of active (TAF) does not appear

Operators will close one shutdown cooling to credit shutdown cooling (SOC) isola~ion valve per procedure to minimize potential RPV inventory loss. In the outage conditions, this would extend time to TAF from 10.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to about 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Assunif)tions.14, 23, 24

FLEX implementation success credited as

NRG inspections confirm that FLEX strategy Low meets regulatory requirements

FLEX lineup experience/training considered

FLEX trained in accordance with Systematic Low Approach to Training

FLEX ergonomics considered Poor

FLEX tasks similar to normal Equipment Operator (EO) tasks and performed in non-adverse conditions Assumption 1~ -

Div 3 to Div 2 AC cross-tie is Complex

Procedure is straightforward and not complex

Time required to complete cross-tie is 5-6 hours

Time-validated at 90 ,minutes Page 3

ATTACHMENT 1 Summary of Exelon Position The bases for EGC's disagreement are described in detail below. Examining the various recovery pathways using realistic and best available information demonstrates that the NRC's positions set forth in the above table are overly-conservative and do not appropriately credit (or in some cases did not even model) key factors. ,

Overall, CPS had the knowledge, time, and resources to restore AC power and injection. These are supplemented through extensive training and high quality procedures. Appropriately crediting these factors leads to a conclusion that this was an event of very low safety significance and should be characterized as Green.

Exelon Position The success criterion for the LOOP initiated SBO event is to establish water injection into the Reactor Pressure Vessel (RPV) prior tb water level reaching TAF. Meeting this single criterion eliminates the potential for core damage. An injection flow rate of approximately 30 gallons per minute is sufficient to make up for steam leaving through Safety/Relief Valves (SRVs); flow, rates in excess of that amount could refill the RPV and "reset the clock" for time to TAF. As delineated above, there are several aspects of the NRC's risk evaluation that either do not model or do not realistically credit aspects of CPS's SBO response regarding this success criterion. The SBO response aspects not modelled or properly credited are related to the time available to restore AC power and subsequent RPV injection, the experience and training of CPS Operations staff regarding the available AC power recovery paths, and the detailed procedural guidance that would drive the site to* achieve the success criterion.

Following a detailed and comprehensive review of the postulated SBO event at CPS, EGC concludes that RPV injection would have been restored through multiple, independent, and diverse means prior to reactor water level lowering below TAF, terminating the postulated event.

Completion of either of two simple, proceduralized operator actions, extends the time to TAF out" to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . These actions provide significantly more time than modeled in the NRC risk evaluation for restoration of AC power or injection into the RPV.

Restoring AC power through one of four methods enables the injection of water into the RPV using AC powered injection sources. In addition, AC independent injection sources (e.g., FLEX) would also be available and could be used if necessary. The actions to extend the time available and restore AC power are governed by CPS procedures and well within the training, experience, and knowledge of the operators to successfully execute. '

Ultimately, when the elements discussed above and detailed below are modeled and appropriately credited in the NRC's risk evaluation, the finding becomes one of very low safety significance.

CPS Design and Plant Conditions The CPS AC electrical power system is designed to and complies with 10 CFR Part 50, Appendix A, General Design Criterion 17. There are three independent 4.16 kV Emergency Safety Feature (ESF) electrical buses (Division 1, 2, and 3). Each bus has two offsite power feeds; one from the 345 kV switchyard through the Reserve Auxiliary Transformer (RAT) and one from the 138 kV switchyard through the Emergency Reserve Auxiliary Transformer (ERAT).

Page4

ATTACHMENT 1 Summary of Exelon Position Additionally, each ESF bus is capable of being supplied electrical power via its own independent DG ..

During the 3.5 days that the Division 2 DG air start valves were closed, CPS was in Mode 4 (Cold Shutdown) with the RPV water level maintained between 9011 to 100" on Shutdown Range (about 21 feet above the TAF), which is below the bottom of the main steam lines (104" on Shutdown Range). Core decay heat load was low due to being shutdown for 14 days and "'

having recently completed core refueling. Both the RAT and ERAT were powered by their respective switchyards and providing AC power to the Division 1, 2, and 3 ESF buses. Due to a planned system outage window, the Division 1 ESF bus at the 480V level and below, and the Division 1 DG were out of service. The Division 3 DG was operable during this time. The Division 2 DG was not capable of starting due to the closed air start valves.

SBO Event and CPS Response The risk evaluation assesses the potential for core damage in the event of a LOOP while CPS was in the ~onfiguration _described above. As described in Reference 2, the dominant sequence of the NRC's risk evaluation is a LOOP event, with failure to recover the Division 2 DG resulting in an ELAP declaration, and includes the failure to maintain the reactor depressurized, the failure to cross-tie the Division 3 DG to the Division 2 ESF bus, and the failure to inject at high pressure.

The LOOP initiating event, coupled with the Division' 1 DG out of service for maintenance and the Division 2 DG unable to start due to the closed air start valves, would have resulted in an SBO. An SBO is defined in CPS procedure 4200.01, "Loss of AC Power," as a total loss of offsite power (including main generator) and a failure of the Division 1 and Division 2 DG power sources. The plant is analyzed to cope with an SBO from full power conditions for at least four hours; therefore, an SBO during a shutdown/low decay heat condition provides much more time to respond.

The LOOP and resultant SBO event would be easily and quickly diagnosed by the Control Room operators due to. plant indications and alarms, as well as the loss of normal lighting, with only battery powered emergency lights operating. As described by a Senior Reactor Operator (SRO) during the November 30 Regulatory Conference, it would be immediately obvious that CPS is experiencing an SBO. Upon this recognition, the Control Room operators would enter Procedure 4200.01, Loss of AC Povver. The use and content of this procedure is very familiar to the operators due to their extensive training and simulator drills on SBO / loss of AC power events. The fact that CPS was in an outage does not present any novel or unique challenges to an SBO event. The 4200.01 Procedure provides the operators with a comprehensive set of response actions and directions to mitigate the SBO event. The procedure drives the operator's response under three primary paths:.

AC Power Recovery - Four distinct methods: restoration of offsite power, restoration of the Division 2 DG, Division 3 DG crosstie to Division 2 ESF bus, and utilization of FLEX equipment and strategies.

Time Extension - Simple manual actions extend the time to TAF (isolate shutdown cooling and/or control RPV pressure low) and extend battery life to maintain RPV depressurized through SRVs (DC battery load shed)

Page 5

ATTACHMENT 1 Summary of Exelon Position

Emergency Response - Declaration of an Emergency Action Level (EAL) of Alert activates the ERO to be in position (e.g., TSC) within one hour.

These response paths are performed in parallel, and coordinated and executed by the Control Room staff's use of Procedure 4200.01. However, the AC Power Recovery path and the Time Extension path are discussed individually for clarity and understanding as each path alone, when appropriately modeled in the NRC risk evaluation, results in a finding of very low safety significance.

Time Extension Assumption 2 in Reference 2, states that the time to TAF will vary from approximately 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months depending on plant conditions. This assumption recognizes that if the RPV is maintained at low pressure, the time to TAF is approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . However, the assumption states that if the RPV pressure increases, the time to TAF is limited to between 10 and 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . In its risk evaluation, the NRC uses a value of approximately 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months between event initiation and RPV water level reaching TAF (TAF is a surrogate for core damage). The 13 hour1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months limit assumes CPS operators fail to maintain the RPV depressurized and no credit is given (because it is not modeled) for SOC isolation.

The time available to mitigate the postulated LOOP/SBO is more realistically set at approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This conclusion is based on new battery analyses, as well as on existing procedurally directed instructions related to isolation of SOC, DC load shedding, and maintenance of RPV pressure low using SRVs. When this information is appropriately modeled in the risk evaluation, the time available is extended well beyond the current 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months , out to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In addition, with the RPV pressure controlled low with the SRVs, the NRC's dominant sequence would change from a high pressure sequence to a low pressure sequence, for which any one of numerous systems (including AC independent systems) could be utilized to restore and maintain RPV water level.

The SOC outboard isolation_ valve (1 E12-F008) is an AC power motor operated valve (MOV) located in the Auxiliary Building Steam Tunnel (ABST). The valve is located on the SOC suction piping connecting the Residual Heat Removal (RHR) system to the Reactor Recirculation loop.

The RHR system contains a relief valve that opens as RPV pressure increases, resulting in an accelerated loss of RPV water inventory. During an SBO, the loss of AC power prevents Control Room operators from remotely isolating the SOC line. Therefore, CPS procedure 4200.01C004, "Manual CNMT Isolation During a SBO," directs the Control Room operators to dispatch an EO to the ABST to manually declutch the MOV and use the hand wheel to cycle the 1E12-F008 valve closed. Operators are also cued by CPS off-normal procedure 4001.02, "Automatic Isolation," which requires operators to shut this valve manually prior to reaching an RPV pressure of 104 psig. In addition, Operators are also cued through following the loss of shutdown cooling off-normal procedure 4006.01, "Loss of Shutdown Cooling," which directs the operators to secure the SOC mode of operation. DC load shedding does not remove power to the annunciators that would also serve as cues to the operators. This one simple action of closing the 1E 12-FOOS valve isolates the RPV from the RHR relief valve, preserving RPV water inventory and extending the time to TAF to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months even if there is no injection.

Page 6

ATTACHMENT 1 Summary of Exelon Position Additionally, RPV inventory will remain above TAF for approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , Without any injection, through the use of SRVs to control RPV pressure low. SRVs would not be needed until approximately eight hours into the event based on the initial RPV water level and decay heat load. There are multiple station procedures that provide instructions and guidance to the Control Room operators to stabilize RPV pressure, including the emergency operating procedure EOP-1, "RPV Control." EOP-1 directs operators to hold RPV pressure below 104

-, psig until SOC is restored. In the SBO condition, SRVs are the only available method specified

- by EOP-1 for pressure control since the SRVs operate with DC power and are designed with air accumulators and backup air bottles. Exelon has analyzed the Division 1 and Division 2 DC battery systems (both of which were available duriQg the exposure time) and determined that both divisional batteries would have provided in excess of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of SRV operational capacity under outage loading conditions. The Exelon risk evaluation, which was performed prior to the completion of the detailed battery calculation, used 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months as the battery lifetime and showed that a few cycles of the SRVs within that timeframe would significantly extend the time to TAF.

This detailed battery calculation is new information that indicating that the ope~ators can operate the SRVs at any time throughout the first 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of the event, and in fact, beyond. Such action, by itself, extends the time to TAF to almost 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (i.e., almost a complete day).

Maintaining the RPV depressurized using installed plant equipment, operating procedures, and operator training and experience also prevents the SOC (RHR) relief valve from lifting, therefore preserving RPV inventory and extending the time available to mitigate the event. Either method

'of preventing loss of RPV inventory through the SOC relief valve (i.e., isolating the relief valve, or controlling RPV pressure low using SRVs) extends the time available to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Maintaining RPV pressure low also expands the number of paths and methods available to inject into the RPV, which increases the likelihood of satisfying the success criterion.

During the initial stages of the postulated event, operators may not have known the exact time to boil or how long the DC batteries might last. However, this knowledge is not essential to successfully responding to the event, and the lack of knowledge of exact times would not have modified the operators use of procedures or the initial responses taken to the SBO. In addition, when there is an important parameter degrading or that may degrade, in accordance with qperating procedures and reinforced through operator training, a critical value for that parameter is assigned along with a reporting rate. For example, because DC batteries would be depleting without chargers available, a critical parameter on DC bus voltage would be assigned and trended to determine the rate the batteries of depletion. Regardless of battery voltage, operators will attempt to open an SRV at any time required, as the SRVs open at lower voltages when the containment is not under LOCA conditions. RPV pressure and water level indications are available from the Nuclear System Protection System (NSPS) panels. Operators would establish reactor water level as a critical parameter and would trend this parameter using the NSPS. Three of the four NSPS divisions were operable during the exposure window. These are powered by safety related uninterruptible power supplies powered by the divisional batteries. The operators utilize the NSPS monitor mode every shift for surveillance checks.

The operators in the Control Room also utilize time to TAF curves for the refuel outage conditions. At the time of the postulated event (14 days into the outage (start of the exposure window)), the time to TAF curve indicated approximately 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months to TAF with the RPV water level elevated for SOC.

Page 7

ATTACHMENT 1 Summary of Exelon Position As stated earlier, the NRC risk evaluation did not model the SOC isolation and did not credit the operator action to maintain the RPV depressurized using SRVs with existing battery charge (i.e.,

the NRC's evaluation only credits the batteries if the FLEX DG or 8.5.b alternate power source are in service). Both of these actions (i.e., SOC isolation and RPV pressure control) are simple and driven by procedures, and thus must be considered to ensure that the risk evaluation is realistic. When either action is modeled and appropriately credited, the time available to recover AC power extends to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , as does the time to restore injection.

This single realistic change to the risk evaluation, of extending the time available to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , leads to a finding of very low safety significance (i.e., Green).

AC Power Recovery Several AC power recovery paths are delineated in the CPS 4200.01, "Loss of AC Power,"

procedure. The paths include restoring offsite power, restoring a shutdown DG, utilizing an electrical cross-tie from Division 3, and utilizing FLEX strategies and equipment. In its risk evaluation, the NRC recognizes and models each of these AC power recovery paths. However, the manner in which the NRC's risk evaluation calculates the human error probabilities (HEPs) associated with these recovery actions is overly conservative. The NRC HEP values (e.g., 20 percent failure rate for DG recovery), are not based ori the best available information and do not realistically model plant design and operation. Accurate modE;:Jling of the time available, the specific procedural guidance and direction, and the significant operator knowledge, experience, and training produces more realistic and lower HEP values and demonstrates that this postulated event was of very low safety significance.

AC Recovery :.... Division 2 DG The SBO occurs-following the LOOP due to the failure of the Division 2 DG to start. The SBO and Division 2 DG failure would be clear to the Operations staff due to loss of lighting and alarm indications. The training of the operators and proficiency in responding to alarms and events allows the operators to identify and prioritize alarms based on significance. In addition, the Main Control Room (MCR) staff, who *also have a copy of the alarm response procedure, will be communicating with the EO using the combined knowledge of the licensed operators to support the EO. Control Room staff and the EO will quickly identify why the Division 2 DG did not start, correct the problem, and start the DG to restore AC power. Due to the nature of the Division 2 DG's failure to start, Exelon has high confid~nce that the air start valves would be identified closed, reopened quickly, and the Division 2 DG would be restarted within an hour of the LOOP, thus allowing the restoration of RPV injection and terminating the event well before plant conditions degrade to the point of core damage.

The NRC agrees with Exelon that the Division 2 DG was recoverable and operator recovery was very likely. However, in its evaluation of the potential for operators to fail to recover the Division 2 DG, the NRC assigned a HEP value of 0.202 (20% chance operators fail to recover).

This HEP value is driven by two PSFs that do not realistically consider the straightforward, procedurally driven actions taken to restore the Division 2 DG, the extensive training, knowledge, and experience of the CPS EOs related to the DG, and the Shift Manager's assessment and decision-making, and the impact on the time available to restore the DG.

When either the Available Time PSF or the Experience/Training PSF are realistically modeled Page 8

ATTACHMENT 1 Sunim~ry of Exelon Position for the Division 2 DG recovery, the impact on the HEP value results in a very low safety significant p9tential event and a Green finding. ,

The Exelon HEP value of 0.5 percent was developed by reviewing the cµes and procedures, and by interviewing operators. Because of the expansive time, augmented staffing, and high level of knowledge on site at the time of the postulated event, the Exelon HEP also credits self~

correction and error correction (correcting misdiagnosis) by other crew members. The NRC's SPAR~H value is predominately diagnosis related, with the justification being that the operators will not find the closed valves. SPAR-H has no explicit or consistent apprpach to considering the positive impact of self-correction or of having other crew members (or crews) correct for any errors that may occur during diagnosis. SPAR-H suggests two ways to do this: (1) detailed HRA (which Exelon performed), or (2) consider those possibilities when assigning the PSF multipliers (Reference 2 makes no mention of taking any such creditf SPAR-H guidance also refers to .an "obvious" discovery, where a problem becomes so obvious that it would be difficult for an operator to misdiagnose. The most common and usual reason .is that validating, and/or convergent information becomes available to the operator, Which is the case for the Division 2 DG.

When such compelling cues are received, the complexity of the diagnosis for the operator is reduced. In Exelon's view, the NRC's PSF levels fail to recognize the positive influences (e.g., time, knowledge, resources) that improve the PSFs beyond "Nominal" or "Low," resulting in unfairly negative characterizations.

Available Time (NRC Setting: Nominal, EGC Position: Expansive)

The Available Time PSF is based on the time required to restore the Division 2 DG measured against the time a'vailable to restore the Division 2 DG. Exelon has evaluated and validated the time required to both identify the closed air start valves as the reason the Division 2 DG failed to start, and the time required to reconfigure and start the Division 2 DG.

0 At the initiation of the SBO, the Safe Shutdown EO is tasked with going to the Division 2 DG. Once in the Division 2 DG room, the EO can see the lockout relay tripped and see

.every trip cause between indications on the local alarm panel and the relay panel directly next to it. The 1::0 will observe the "Failure to Start" alarm annunciator lit indicating that

it caused the trip. In response to the "Failure to Start" annunciator, the EO will utilize the alarm response procedure located in the DG room. Based on the alarm procedure and the physical cues in the room, the EO would recognize that the DG did not start and there is no immediate indication of damage. The EO will request the DG Standby procedure from the* Control Room. While awaiting the pr_ocedure, the EO will follow the alarm response procedure and walk-down the DG based on system knowledge and experience. The only things that can prevent a DG from starting are air, fuel, or control circuits. As a result, based on training and experience, the EO would focus on diagnosing potential issues associated with those three areas. For example, the EO would not investigate the lube oil system as it does not prevent the DG from cranking/starting. Lube oil trips are not enabled until the engine is at speed for 50 seconds. In addition, no lube oil alarms would be in for the postulated event. The*

control circuits can be eliminated since the "Failure to Start" alarm is lit (it does not light unless a start signal is present).

Page 9

ATTACHMENT 1 Summary of Exelon Position There are several cues that direct the EO to walk-down the DG air start system (e.g., O psig indicated on the DG instrument panel for local air start pressure, no oil spray exhaust from the air start motors, starting air receiver pressure being in the normal band, and the Alarm Response Procedure possible causes list). The EO can quickly validate that air is the cause on the walkdown. Also, the "Low Starting Air Pressure" alarm not a

being lit cues an operator .that the DG did not get starting air. When DG starts on bus undervoltage, this alarm is normally received because the DG air_ compressors have no power until the DG energizes the bus. An EO would have experience with this from being involved with DG surveillance testing or prior actual plant conditions. For example, on a DG start for a undervoltage surveillance test, the low starting air alarm

comes in and the operator would have to reset it So, the starting air alarm not being lit would indicate that no air was discharged. Between the DG air start motors and the.

starting air receivers is a short run of pipe, air start valves, and the two ball style air receiver outlet isolation valves. Time validation for a CPS EO to follow the alarm procedure, walk-down the DG, and identify the out of position air start valves using only knowledge and experience was 1 t minutes.

In the event the EO did not identify the out of position air start valves during the initial knowledge-based walk-down, the arrival of the DG operating procedure 3506.01 P002 would dictate DG recovery actions. Using the procedure, the EO systematically walks down and restores the DG to a ready-to-start configuration. The prncedure includes a .

step to open each air start receiver outlet valve. The execution of this step provides the EO and Control Room operators a clear understanding of why the Division 2 DG did not start, and high confidence in the recovery of AC power. Time validation for a CPS EO to use the 3506.01P002 procedure to identify and correct the out of position air start valves was 29 minutes.

Once the air start valves are opened, the EO will follow the 3506.01 P002 procedure to make the Division 2 DG ready to start. (Note that per the 4200.01 procedure, Control Room operators will direct an EO to recover Division 2 DG DC control power (i.e., Circuit

14) if it was de-energized as part of the SBO load shedding sequencf?. Recovery of the DC control power involves manipulating one switch and does not prohibit or complicate the Division 2 DG recovery.) As directed, the EO resets the DG lockouts and the Division 2 DG will start and energize the Division 2 ESF bus. The CPS time validation demonstrated that the DG full lineup was complete within 40 minutes and the DG was in-service within 50 minutes.

As part of the DC load shedding process, Division 2 DG local alarms are stripped when Circuit 14 is opened. This is Understood bythe MCR staff. Based on experience and training, they would not load shed Circuit 14 until either initial troubleshooting of the DG failure to start issue is complete or at the one hour point dictated by the procedure for when load shedding must be completed. Once the decision is made to load shed , it will take five to' ten minutes for the MCR to dispatch the load shed procedure to the field, and then for an EO to walk to the Division 2 breakers located on the opposite (i.e., west) side of the plant (Divisions 1, 3, and 4 are all below the MCR on the east side of the plant).

Because of this timing, the load shedding of Circuit 14 would not occur prior to an EO entering the Division 2 DG room and observing the local annunciator panel.

Page 10

ATTACHMENT 1 Summary of Exelon Position To further validate and support the EGC position regarding the time required to identify the out of position air start valves and restore the Division 2 DG to a ready-to-start condition, EGC developed and performed a Job Performance Measure (JPM)-style activity for the Division 2 DG. This JPM was administered, using standard JPM controls and practices, to six EOs from EGC's Mid-Atlantic and Northeast sites. These six EOs were not familiar with the CPS DGs or the CPS procedures. Each EO was time validated as they used the CPS procedures to simulate the Safe Shutdown EO actions during an SBO. All six EOs identified the closed air start valves using the 3506.01 P002 procedure within 32 minutes anp were able to achieve full DG lineup within 37 minutes.

Time validation of DG recov~ry actions demonstrates that the time required for CPS operators to diagnose the closed air start valves is no more than approximately 30 minutes, and to lineup the DG in a ready-to-start configuration is approximately 40 minutes. -

The other aspect of the Available Time PSF is the time available or allowed to perform the .required action. In the NRC risk evaluation, the NRC caps the time available to the operators to restore the Division 2 DG at one hour. This one hour limit is based on NRC's interpretation of the CPS 4200.01 procedure guidance regarding an ELAP. The NRC assumes that if the Division 2 DG cannot be restored in one hour, all DG recovery actions will stop, and the site will execute ELAP actions. However, this is not an accurate interpretation of the procedure guidance and imposes an artificial and unrealistic limit on the time available.

The appropriate and correct interpretation of the 4200.01 procedure is that it does not require recovery of AC power within one hour; rather, it only requires the Shift Manager have high assurance that the Division 2 DG (or some other AC source) can be restored within fo*ur hours. High assurance is based on restoration of electrical power. Upon the determination that the Division 2 DG did not start due to the closed air start valves and actions are being taken to complete the restoration, the high assurance threshold is met, and an ELAP would not be declared. Following identification of the closed starting air valves, declaration of an ELAP and abandonment of Division 2 DG restoration would not have been in the best interest of nuclear safety. An ELAP is an event which is defined in procedure 4200.01, Section 1.5, in part as a sustainecl loss of AC power " ... which is expected to exceed the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months SBO coping period." The station would not have been in an ELAP in the circumstances of this event. The ELAP procedures are used to mitigate an extended station blackout. However; they are only activated per 4200.01, Section 4.4 (Station Blackout) if high assurance cannot be obtained that action has been initiated that will restore power in the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months SBO coping period. High assurance includes any of the following: the cause of the Division 2 DG failure to start being identified (such as the postulated status control issue) and recovery expecJed in under 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ; cross-tie of the Division 3 to Division 2 bus; or commitment from the power grid operator to restore offsite power. FLEX equipment is utilized: (1) When an ELAP is declared, or (2) When SBO recovery actions prove to be unsuccessful, or (3) When an SBO could exceed 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and no ~ction has been initiated to provide high assurance that the SBO can be mitigated prior to exceeding the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months coping period, or (4) During EOPs and SAMGs where directed to restore and maintain critical safety functions, or (5) As directed by Page 11

ATTACHMENT 1 Summary of Exelon Position TSC/ERO. The earliest an ELAP may have been declared in this circumstance would have been 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months following the SBO.

To validate Exelon's interpretation of the ELAP procedure; six CPS Shift Managers were surveyed on four potential ELAP scenarios. All six Shift Managers stated that they: (1) would not declare an ELAP when action was taken to recover AC power within the four-hour SBO coping period, and (2) would not enter the ELAP/FLEX procedures once the DG air start valves are identified out of position. Additionally, 28 SROs from other stations (including non-Exelon stations) were given the CPS procedures and scenarios related to the postulated event. All SROs stated that they would remain in the Loss of AC procedure and not declare an ELAP at the one hour time _assumed by the NRC.

When this information is considered, it is clear that the NRC risk evaluation has not assigned the appropriate value to the Available Time PSF. The SPAR-H guidance on this PSF compares the time available to the time required to complete the task. As demonstrated above, a realistic assessment of the time required to diagnose the ylosed air start valves is 30 minutes and the time required to restore AC power via the Division 2 DG is less than one hour. As shown in Attachment 7, this time estimate was validated by multiple EOs from other stations. Compared to the actual time available (i.e.,

anywhere from four to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ), when not limited by an incorrect interpretation of an ELAP, there is significant time margin to restore the Division 2 D~.

Relying on more complete and thorough information related to the Available Time PSF demonstrates that assigning a level of "Expansive," in lieu of the NRC's choice of "Nominal," is supported and appropriate. It should be noted that even if the time*

available was set to two hours instead of the actual four to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months as discussed above, the assignment of "Expansive" would still be supported, as defined in the SPAR-H guidelines.

The Exelon risk evaluation selected two hours as "Time Available"-as a representation of the time operators would have in order-to restore the DG to illustrate that even if this limiting time is used (instead of at least four and up t6 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ), the HEP for failure to restore the DG is low. Given the NRC's use of SPAR-H and the definitions of Time Available that are employed in that method, two hours were also used by Exelon to demonstrate that allowing just one more hour beyond the one hour used by the NRC in Reference 2 (i.e., without taking full advantage of the actual time available of nearly 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) is sufficient to achieve "Expansive" time (given SPAR-H definitions), and thus to result in a SPAR-H HEP value that is reduced sufficiently to produce a Green significance. This demonstrates that even if less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is available, two hours is sufficient by itself. Note that in addition to being defined as "Expansive" time, two hours (or more) also provides even more time for error discovery and correction by the original EO or by other responders, further reducing the diagnosis portion of the HEP.

Adjusting the Available Time PSF to "Expansive" per the SPAR-H guidance reduces the Division 2 DG recovery HEP to 0.004, as calculated by the SPAR-H methodology (while retaining all of the other PSF multipliers at the levels assigned in the NRC's risk evaluation). The CDF of the 30 cutsets included in Reference 2 then reduces by a factor of approximately 50. This change of a single PSF multiplier in the NRC's risk evaluation Page 12

ATTACHMENT 1 Summary of Exelon Position alone changes the result of the finding to one of very low safety significance (i.e.,

Green).

Experience/ Training (NRC Setting: Low, EGC Position: Nominal)

This PSF refers to the experience and training of the operators involved in the task. In this .case, the task is to diagnose why the Division 2 DG did not start and then recover the DG to power the Division 2 ESF bus. Based on a detailed review of the best available information regarding the EOs' experience, training, and kriowledge of the DGs and the actions specifically required to recover the Division 2 DG, the appropriate PSF level is "Nominal," as opposed to "Low" as assessed by the NRC. EGC's conclusion is further supported by the statements by the SRO at the Regulatory Conference.

Due to the high importance of the DGs, the CPS EOs receive significant training on the DG system design and operation. This includes initial classroom training prior to becoming a qualified EO. Following qualification, the EOs are periodically tested through JPMs to demonstrate continued understanding and proficiency in DG operation.

The most recent JPMs administered to the CPS EOs involved manually overriding the air start system to start the DG and resetting the DG lockouts to start the DG. Both JPMs had a 100% pass rate during the last testing cycle.

CPS has three redundant and independent DGs that are required to be started and run every month for surveillance testing. As a result, CPS EOs monitor the start and operation of a DG more than 30 times per year, including performing prestart checks and air start motor verificatiorys. The same CPS 3506.01 procedure, "Diesel Generator and '

Support Systems," used to make the DG ready to start and to start the DG during an SBO is used by the EOs following DG maintenance windows. Additionally, EOs perform air start system performance tests each quarter that include air drop tests on the air start system and checks of the air start motors.

The NRC risk evaluation assigns an Experience/Training PSF value of "Low" to the EO task of diagnosing and "Nominal" for the actions taken in recovering the Division 2 DG.

The SPAR-H guidance defines "Low" as less than six months relevant experience and/or tr~ining, where the level of experience and training does not provide the level of knowledge and deep understanding to adequately perform the required tasks, does not provide adequate practice of-the tasks, or does not expose individuals to various abnormal conditions. A "Low" PSF level is clearly not commensur~te with, and not a realistic assessment of, the amount of training and experience the CPS EOs have with the DG and its air start system.

Rather, the appropriate PSF assignment for the Division 2 DG diagnosis and recovery is at least "Nomjnal." "N,ominal" is defined as more than six months relevant experience and training, which provides an adequate amount of instruction to ensure individuals are proficient in day-b-day operations and have been exposed to abnormal conditions. At the time of the potential event, each CPS EO assigned as the safe shutdown operator

was qualified for the EO position and had held the position for more than six months. As discussed above, the EOs frequently use the 3506.01 procedure and are proficient in the operation of the three CPS DGs. Their training and JPMs expose and test the EOs on Page 13

ATTACHMENT 1 Summary of Exelon Position DG troubleshooting and identification of abnormal conditions. SPAR-H discusses training ori the task. The task here is to diagnose and open at least one of two closed air start isolation valves. Specific training on specific scenarios is not needed. All actions are skill of the craft. Exelon trains EOs to a level to allow simple troubleshooting such as this without training on this specific scenario. Additionally, recovery of the Division 2 DG involved identification of one of two out of position valves, the simple act of manually opening one of them, and following the procedure they frequently use to lineup the DG.

Further, all but two of the six non-Clinton EOs performing the JPM activity described above, identified the closed valves while waiting to receive the requested pro_cedure.

The remaining two EOs had not yet progressed to this point in their walkdown prior to receipt of the procedure. Therefore, the PSF level of "Nominal" is warranted given a realistic assessment of the best available information related to the EOs' DG experience and training.

Adjusting just the Experience/Training PSF to "Nominal" per the SPAR-H guidance (and leaving all other PSF multipliers at the levels indicated in Reference 2) reduces the Division 2 DG recovery HEP to 0.022 (calculated using the SPAR-H method), and the CDF of the 30 cutsets included in Reference 2 reduces by a factor of approximately 10.

This modification to the NRC risk evaluation alone changes the result to a finding of very low safety significance (i.e., Green).

In summary, an adjustment to either the Time Available multiplier level,* from "Nominal" to "Expansive," or the Experience/Training multiplier level, from "Low" to "Nominal," results in a significant reduction in the SPAR-H calculated value for the HEP for failing to diagnose the reason for the failure to start of the Division 2 DG. That reduction in HEP, in turn, results in a finding of very low safety significance. Although adjusting either PSF multiplier results in a finding of very low safety significance, it is appropriate, however, to adjust both PSF multipliers.

Using the SPAR-H methodology, those adjustments (with no other changes to the PSF multipliers used in the NRC's analysis) produce a HEP of 0.0022, which, is lower than the HEP used in Sensitivity Case #3 in Table 1 of Reference 2. From Table 1 of Reference 2, that Sensitivity Case produces a delta CDF that is in the very low safety significance range (i.e., .

Green), and therefore the NRC's analysis supports the conclusion that an HEP calculated by adjusting both PSF multipliers will also be in the very low safety significance range.

AC Recovery - Cross-tie Division 3 DG to Division 2 ESF Bus In the very unlikely event the CPS operators are unable to diagnose and recover the Division 2 DG, the CPS 4200.01 procedure directs the use of the Division 3 DG to power the Division 2

ESF bus. The execution of the cross-tie has been time validated to be completed within '

approximately 90 minutes once started and is executed per procedures designed for SBO events. The implementation of the. cross-tie is performed at the direction of the TSC by CPS electricians and operators assigned to the Operations Support Center as part of the ERO response. Once the cross-tie is complete, the Control Room operators can immediately start the "B" Standby Liquid Control (SBLC) pump and the Division 2 RHR water leg pump for a total of 93 gpm injection. Also, Low Pressure Coolant Injection (LPCl)-C can be placed in service expeditiously if required to ensure adequate core cooling, and RHR-B can be re-aligned to the LPCI mode. The Division 3 DG has sufficient margin to operate one ECCS pump and one

\

Pa~e 14

ATTACHMENT 1 Summary of Exelon Position shutdown service water pump, plus valve loads, the Division 2 baUery charger, and other controls.

Consistent with practice for EP drills and exercises, the electricians and operators implementing the Division 3 DG cross-tie would be dedicated to this task, and not burdened by competing tasks and priorities. Based on Exelon's review of the cross-tie procedure, it is clear that the tasks required to perform the cross-tie evolution are well within normal training and experience.

The eptire procedure is only four pages long and has been human-factored to include pictures, locations, and diagrams to inform and simplify execution. The specific steps and actions in the field involve:

Opening one in-plant electrical disconnect,

Removing control power fuses for three breakers,

Op~ning four relay test switches, and

Removing one relay control power fuse.

All of the electrical breaker alignments are controlled and executed from the Control Room,*

while all in-field manipulations are performed in general plant areas ~sing tools that are pre-staged in designated locked Operation's cages. The actions to successfully execute the Division 3 DG cross-tie are within the expected electrician and operator skill of the craft.

Switchgear breaker and disconnect training occurs every two years. The cross-tie procedure*

results in backfeeding electrical power across existing connections that are normally energized by defeating relays that would prevent a backfeed and protect divisional separation. Thus, no circuit continuity concerns exist.

The NRC risk evaluation assigns an HEP value of 0.27 to CPS's execution of the Division 3 DG cross-tie (i.e., the risk evaluation indicates that CPS fails to successfully execute this AC recovery path 27% of the time). The NRC risk evaluation is driven by several PSFs that do not

. realistically assess and consider key information associated with this recovery path.

Specifically, this failure rate is driven by the combined effect of the Available Time, Experience/Training, Ergonotnics, and Complexity PSF levels assigned by th~ NRG.to the Action portion of the HEP.

Available Time (NRC Setting: Nominal, EGC Position: Extra)

As previously discussed, there is substantial time available (24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) to recover AC power and. restore RPV injection. The time required to successfully execute the four-page Division 3 DG cross-tie procedure has been validated to be approximately 90 minutes. Even if actions to cross-tie Division 3 to Division 2 are not considered and started until after operators attempt recovery of the Division 2 DG for an hour, and the NRC's assumption of sequential (versus parallel) actions is maintained, and it is further assumed that the efforts to restore the Division 2 DG continue for four hours, the time margin for.completing the action to cross-tie Division 3 to Division 2 is.approximately 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months . With the time required to complete the action being 90 minutes, under the SPAR-H guidance, NRC should assign a PSF level of "greater than or equal to 5 times nominal," which has a multiplier value (0.1) similar to that of "Extra" Available Time in the Diagnosis .evaluation.

Page 15

ATTACHMENT 1 Summary of Exelon Position Experience/ Training (NRC Setting: Low, EGC Position: Nominal)

CPS operators have been trained on the actions required to implement the Division 3 ,

DG cross-tie. The basic manipulations required to execute the four-page procedure are tasks that are routinely performed and well within electrician and operator skill and training.

The goal of training is to prepare the operators to manipulate the plant using approved procedures in a safe manner. To this end, tasks chosen for training are done. so using a graded approach to the Systematic Approach to Training (SAT) process. Nuclear Industry Standard Procedure NISP-TR-01 defines a graded approach as an "approach to performing SAT activities in which the level of analysis, documentation, and actions taken are tempered by factors such as the relative importance to nuclear safety, the relative importance to reliability, the complexity of the job performance requirements and the value to business (cost-effectiveness). A graded approach to training encourages the application of techniques that allow the most efficient use of personnel and resources in.training activities."

Determining when and how often a task should be trained on is done by analyzing the Difficulty, Importance, and Frequency of the task (DIF analysis). Determining the periodicity of a topic is' based on the risk or consequences associated. with improper performance, opportunities for incumbents to maintain proficiency on task performance, and plant and industry operating experience related to errors associated with performing the task. During a DIF analysis several questions are asked and point rating assigned to the task relating to the Difficulty, Importance, and Frequency of that task. These points are compared to a table c.ontained in the NISP procedure and the appropriate training actions are taken with concurrence of the Training Review Committee, which is chaired by the program owner.

Not all possible scenarios can be identified as having a training need. For the scenarios

. or tasks that have been identiffed, some of those items are considered similar in nature and are therefore not trained on individually. When developing a task, the NISP asks; Are there similar tasks that could be grouped? For example, if there are no unique characteristics for the XYZ pump, the task "line up XYZ pump for start" may be stated as "line up a centrifugal pump for start." Similarly, if two scenarios are alike, it's

unnecessary to train on both scenarios in many cases. By using the DIF process as outlined above, EGC ensures operators are prepared to perform their duties using approved procedures in a safe manner.

Therefore, the Experience/ Training PSF is best characterized as "Nominal."

Ergonomics (NRC Setting: Poor, EGC Position: Nominal)

The NRC risk evaluation for this PSF does*not appear to be based on an assessment of the situation and conditions under which the cross-tie is performed. During .the SBO,

emergency and portable lighting is available. While the tasks are performed in multiple locations, radio communication and coordination will be maintained through the Control Room, with support from the ERO and TSC. The actions required to execute the Page 16

ATTACHMENT 1 Summary of Exelon Position

(

procedure steps are in general plant areas and do not involve difficult environmental or physical conditions. *Therefore, a more realistic and accurate PSF level is "Nominal."

Complexity (NRC Setting: High, EGC Position: Moderate)

The tasks and procedural guidance to perform the Division 3 DG cross-tie are straightforward, conducted sequentially,'and well laid out with supporting diagrams and pictures. Lighting conditions do not add to the complexity because emergency qnd portable lighting is available. Although the Shift Manager and Control Room Supervisor may be following multiple procedures simultaneousli, the Control Room will be*

supported by the ERO and TSC .. Specific.to the cross-tie actions, the operators and electricians working on-the cross-tie implementation will be singularly focused o.n this task alone. Therefore, based on the best available information, the SPAR-H guidance supports assigning a level of no worse than "Moderate" complexity.

In summary, based on a realistic assessment of the tasks, actions, and conditions to implement the Division 3 DG cross-tie to Division 2 ESF bus, the PSFs should be adjusted as described .

above. Moreover, with 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months available, the likelihood of offsite power recovery increases beyond that used for the NRC's dominant sequences. When the increased likelihood of offsite power recovery is combined with appropriately-adjusted PSFs, the result is a finding of very low safety significance (i.e., Green). The same result stands even without adjusting the NRC's value for Division 2 DG recovery.

AC Recovery - FLEX Implementation In the very unlikely event that Division 2 AC power is not restored from the Division 2 DG or the Division 3 DG cross-tie, FLEX will be executed as directed by the CPS 4200.01 procedure.

FLEX implementation would be supported by the abundant operating and maintenance resources available via the ERO. To support timely and efficient implementation of. FLEX, the procedures allow personnel briefings and pre-staging of FLEX equipment in parallel with other AC recovery actions, but prohibit FLEX implementation until directed by procedure. From a command and control standpoint, the FLEX actions are coordinated with the other AC recovery actions to ensure the plant configuration is well-managed and understood.

Based on the defined FLEX implementation timeline, which was developed and validated based on a minimum staffing configuration, personnel briefs, pre-staging hoses and cable runs to their locations, and operating the FLEX generator in standby would all be completed in the first four hours of the event. Pre-staging, as instructed by procedure, involves moving equipment into position and routing hoses, cables, and connectors to their end points. Pre-staging, as a plain language definition would dictate, does not involve connecting FLEX equipment to installed plant equipment. This is a clear and common understanding of "pre-stage" that does not need specific procedure guidance or further explanation. The Shift Manager, who has overall command and control of the site recovery actions, will dictate when implementation of plant realignment actions, beyond simply pre-staging equipment, are to be executed.

Once directed, the battery charger would be in service powering the Division 2 batteries and low pressure RPV makeup would be available by the six-hour mark. At eight hours, decay heat removal and suppression pool makeup are available.

Page 17

ATTACHMENT 1 Summary of Exelon Position As mentioned previously, the above times are based on minimum staffing. However, during the exposure time for this event, CPS had abundantly more operators and maintenance personnel onsite, significantly increasing the likelihood of successful FLEX implementation, and decreasing the overall time required. For example, with the abundant personnel available, the time to establish the FLEX DG in service could be reduced to approximately four to five hours.

The likelihood of success is also enhanced by the FLEX implementation procedure structure, equipment layout, and the experience and training of the plant personnel. The FLEX equipment is organized, appropriately labeled for use, and stored to ensure all equipment is easily retrievable. The task-specific procedures are located in the field in FLEX designated cabinets and storage areas. The procedures and hard cards are designed to be "grab and go," contain pictures, diagrams, and color coding to ensure ease of use. There are prerequisite steps built into each procedure section to ensure all required manipulations are properly completed. Most of the FLEX implementation tasks, like racking in breakers, starting the FLEX generator (similar to the TSC generator), and routing cables and hoses are similar to tasks in which the EOs are already proficient.

The training related to the CPS FLEX program is developed and administered in accordance with the SAT process. The CPS FLEX program, strategies, and training have been reviewed and approved by the NRC, as documented in the Reference 5 Safety Evaluation. Additionally, the NRC inspected the CPS FLEX program under Temporary Instruction Tl-191 and concluded that CPS" ... has trained their staff to assure personnel proficiency in the mitigation of beyond DB events" (Reference 6). Through the issuance of the Safety Evaluation and the performance of the inspection, the NRC has acknowledged the adequacy of the CPS FLEX strategy and its implementation. The unfavorable PSF levels the NRC risk evaluation assigned are inconsistent with these prior NRC assessments and do not realistically model what the NRC itself has concluded with regard to FLEX implementation at CPS.

The NRC risk evaluation has not appropriately assessed or realistically modeled many of the known factors related to FLEX implementation at CPS, including the time available, conditions during the exposure time, straightforward and structured procedures, and personnel's experience and level of training. In addition, the NRC Mitigating Strategy Orders clearly are intended to require FLEX strategies that can be implemented with high assurance. The NRC and industry have created FLEX with well thought out designs, procedures, equipment, and training. Site audits and NRC inspections have verified proficiency.

Available Time (NRC Setting: Nominal, EGC Position: Extra)

As previously discussed, there is substantial time available (24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) to recover AC power using FLEX equipmen*t to support SRV operation and subsequent low pressure RPV injection. The FLEX timeline laid out above demonstrates that this path will be completed in approximately four to five hours, assuming parallel briefs, prestaging of equipment, and the abundant personnel available to support FLEX alignment.

Therefore, this justifies a SPAR-H PSF level of "greater than or equal to 5 times nominal," which has a multiplier value similar to that of "Extra" Available Time in the Diagnosis evalu.ation.

Page 18 C,'

ATTACHMENT 1 Summary of Exelon Position Experience I Training (NRC Setting: Low, EGC Position: Nominal)

The CPS operator training related to FLEX has been developed and administered in accordance with the SAT process and has demonstrated the operators' proficiency. The tasks that operators are executing (connecting hoses and cables, racking in breakers) are routinely performed within their day-to-day normal proficiency and qualifications.

FLEX pumps are operated once a year by Operations for PMs. The FLEX tractor is trained every 2 years for EOs, including driving the tractor. The fittings and connections are STORZ connections that are used in fire brigade/fire response, which the majority of operators are trained in using. The FLEX equipment has been in place for much longer than six months. Therefore, the Experience/ Training PSF ls best characterized as "Nominal."

Ergonomics (NRC Setting: Poor, EGC Position: Nominal)

The NRC risk evaluation level for this PSF is not based on an assessment of the situation. and conditions under which FLEX is implemented. During the SBO, emergency and portable lighting is available. While the tasks are performed in multiple locations, radio communication and coordination will be maintained through the Control Room.

Additionally, since a beyond design basis external event is not assumed, there are no impediments to accessing or manipulating FLEX equipment. Therefore, executjng the actions does not involve difficult environmental or physical conditions. All information required by the operator to assess the situation and receive feedback regarding its success will be easily available. A more realistic and accurate assigned level for this PSF is "Nominal."

Complexity (NRC Setting: High, EGC Position: Nominal)

The tasks and procedural guidance to perform FLEX implementation are straightforward, conducted sequentially, and are well laid out with diagrams and pictures. The lighting conditions do not add to the complexity because emergency and portable lighting is available. Although FLEX implementation may involve several in-field teams working in parallel, each team would be focused on its specific task and not be burdened by other teams. Overall, coordination of the teams is performed by the Shift Manager and Control. Room Supervisor (assisted by the ERO and TSC), and three-way communication would be m~intained. The NRC risk evaluation level of "High" is not justified considering the regulatory basis for FLEX and the intent to provide plant personnel with several well-structured and versatile approaches. A more realistic review of this information supports assigning a level of "Nominal" complexity.

Based on a realistic assessment of the tasks, actions, and conditions to implement FLEX at CPS, the PSFs should be appropriately adjusted as described above.* Moreover, with approximately'24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months available, the likelihood of offsite power recovery increases beyond that used for the NRC's dominant sequences. *When the increased likelihood of offsite power recovery is combined with the adjusted PSFs described above, the result is a finding of very low safety significance (i.e., Green). This result stands even without adjusting the NRC's value for Division 2 DG recovery.

Page 19

ATTACHMENT 1 Summary of Exelon Position Additional Risk Evaluation Perspectives The EGC risk evaluation does not assume 100% success for recovery of the Division 2 DG.

However, it is a realistic assessment of the key human failure events in the scenarios. The detailed EGC HEPs (calculated using caused-based decision tree methods) are appropriate for the knowledge, time and resources available. Those detailed HEPs were developed using industry standard approaches, and are consistent with HEPs developed for other, peer-reviewed, human failure events included within the CPS full power internal events model, and other moqels within the Exelon fleet. Consideration of these factors results in a very high likelihood of success.

The expansive amount of time available, as well as the augmented staffing, enable the Exelon HEPs to include credit for self-correction and error correction by other crew members. It is also acceptable to model multiple DG restoration actions - if the first attempt (crew member) failed, a second member could try, and then a third. Even using the NRC's simplified estimate of 0.2 for failure of the first attempt, and then assuming the second and third attempt each have conservative 50% failure likelihoods, the overall failure probability for restoring the DG before water level reaches TAF is 0.2 x 0.5 x 0.5 = 0.05 (i.e. 95% successful). This calculated HEP would provide a factor of 4 reduction in the NRC Reference 2 risk result for the 30 cutsets; a related factor of 4 reduction to. the delta CDF of 3.8E-6 in Reference 2 brings the delta CDF to below the Green-White threshold. In reality, each of the actual HEPs would be lower than used in the example, and the reduction factor thus larger than illustrated.

Regarding the "knowledge" of the operators at the time of the event, the thermal hydraulic analysis used to calculate the time to TAF, and the calculated battery capacity, are boundary conditions of the risk analysis. Operators need not know this predictive information (the physics of the situation) a priori to make decisions and take mitigative actions. The fact is that, for the scenarios of interest, greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of battery life exists and TAF/core uncovery is.

nearly 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months away. The dominant sequence of the NRC's risk evaluation assumes reaching TAF at 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months , with no credit for operator actions that would extend this time. In reality, the operators control and monitor RPV level and pressure, and make decisions based on those key parameters. They will also know how much battery life is left by observing realistic battery parameters. Input will also be available from the ERO and TSC, enabling the operators to make informed decisions based on realistic, at the moment, calculations of time to TAF.

Conclusion In summary, the NRC's PRA model should use the best available information by accurately reflecting how CPS would respond to this event. First, RPV injection would be restored prior to RPV water level lowering below TAF through at least one of multiple, independent, and diverse means. Second, there are simple, procedurally driven actions that would extend the time to TAF to approximately 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ., Third, as demonstrated above, the closed air start valves on the Division 2 DG would be quickly identified and recovery of the DG (i.e., opening the air start valves) is a simple task. These actions would provide the Shift Manager high assurance of Division 2 power recovery such that an ELAP would not be declared at one hour. Fourth, even in the very unlikely event that the Division 2 DG was not recovered quickly, other defense-in-depth actions, such as the Division 3 to Division 2 AC power cross-tie and FLEX, provide additional success paths within the expansive available time. These additional pathways would Page 20

ATTACHMENT 1 Summary of Exelon Position be pursued in parallel with thEj DG recovery, but would be undertaken in a procedurally-controlled manner to minimize complexity. Adjusting the PSF levels, as described above, to appropriately credit the station's response leads to a Green finding of very low safety significance.

Viewed conversely, in order to conclude that the finding is of White significance, the NRG must ascribe to several notions regarding CPS's response to the event. A White finding is predicated on the determination that the SBO condition would not be successfully mitigated because all of the following would occur:

Division 2 DG not recovered within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ,

ELAP declared at 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ,

.* SOC valve not isolated;

RPV pressure not controlled low,

Division 3 to Division 2 AC power cross-tie procedurally complex,

FLEX strategy inadequate and not sufficiently trained,

High pressure injection systems fail, and

Offsite power not recovered within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

This confluence.of overly-conservative assumptions simply does not reflect the best available and most realistic information and should not form the basis for the NRC's significance determination.

In conclusion, CPS had the knowledge, time, and resources to ensure injection to the RPV prior to the water level reaching TAF. The driving PSFs underlying the NRC's significance determination (e.g., available time, experience and training, complexity, and ergonomics) should be adjusted to accurately r~flect these factors, and the NRG should conclude that this event is a Green finding of very low safety significance.

References

1. Letter from P. L. Louden (U.S. NRG) to B. C. Hanson (Exelon Generation Company, LLC), "Clinton Power Station - NRC Inspection Report 05000461/2018051 and Preliminary ~ite Finding," dated October 15, 2018 [EA-18-104]

2. Letter from P. L. Louden (U.S. NRC) to B. C. Hanson (Exelon Generation Company, LLC), "ERRATA- Clinton Power Station - NRG Inspection Report 05000461/2018051 and Preliminary White Finding," dated November 6, 2018 [EA-18-104]

3. 60 FR 42622, Commission Policy Statement, "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities," dated August 16, 1995

4. NRC Inspection Manual Chapter 0609, "Significance Determination Process," dated April 29, 2015

5. Letter from M. Halter (U.S. NRG) to B. C. Hanson (Exelon Generation Company, LLC),

"Clinton Power Station, Unit No. 1 - Safety Evaluation Regarding Implementation of Mitigating Strategies and Reliable Spent Fuel Pool Instrumentation Related to Orders ,

Page 21

ATTACHMENT 1 Summary of Exelon Position EA-12-049 and EA-12-051 (TAC Nos._MF0791 and MF0901)," dated December 23, 2015

6. Letter from A. M. Stone (U.S. NRG) to B. C. Hanson (Exelon Generation Company, LLC), "Clinton Power Station, NRG Temporary Instruction 2515/191, Mitigation Strategies, Spent Fuel Pool Instrumentation and Emergency Preparedness Report 05000461/2016/007," dated September 22, 2016 Page 22

ML18360A469

Text

Background

Navigation menu

Search