05000390/LER-2013-001, Regarding Latent Design Input Inconsistencies Adversely Affect Probable Maximum Flood Analysis
| ML13101A309 | |
| Person / Time | |
|---|---|
| Site: | Watts Bar  |
| Issue date: | 04/08/2013 |
| From: | Tennessee Valley Authority |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| LER 13-001-00 | |
| Download: ML13101A309 (9) | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i) 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded 10 CFR 50.73(a)(2)(viii)(A) 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition 10 CFR 50.73(a)(2)(viii)(B) 10 CFR 50.73(a)(2)(iii) 10 CFR 50.73(a)(2)(ix)(A) 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(x) 10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
| 3902013001R00 - NRC Website | |
text
ENCLOSURE 1 Watts Bar Nuclear Unit 1 Licensee Event Report 50-390/2013-001-00
RC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB NO. 3150-0104 EXPIRES 10/31/2013 (10-2010)
, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
- 3. PAGE Watts Bar Nuclear Plant (WBN) Unit 1 05000390 1 of 8
- 4. TITLE Latent Design Input Inconsistencies Adversely Affect Probable Maximum Flood Analysis
- 5. EVENT DATE
- 6. LER NUMBER
- 7. REPORT DATE
- 8. OTHER FACILITIES INVOLVED YEAR YEAR SEQUENTIAL REV MONTH DAY YEAR FACILITY NAME DOCKET NUMBER MOTH DA EAIYA NUMBER NO._
FACILITY NAME DOCKET NUMBER 02 06 2013 2013 -
001 00 04 08 2013
- 9. OPERATING MODE
- 11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR §: (Check all that apply)
[o 20.2201(b)
El 20.2203(a)(3)(i) 0l 50.73(a)(2)(i)(C)
El 50.73(a)(2)(vii) o 20.2201(d)
[E 20.2203(a)(3)(ii)
[E 50.73(a)(2)(ii)(A)
El 50.73(a)(2)(viii)(A) 1E 20.2203(a)(1)
El 20.2203(a)(4) 0 50.73(a)(2)(ii)(B)
[I 50.73(a)(2)(viii)(B) 20.2203(a)(2)(i)
El 50.36(c)(1)(i)(A)
E] 50.73(a)(2)(iii) 0 50.73(a)(2)(ix)(A)
- 10. POWER LEVEL El 20.2203(a)(2)(ii)
[I 50.36(c)(1)(ii)(A)
[I 50.73(a)(2)(iv)(A)
El 50.73(a)(2)(x)
[I 20.2203(a)(2)(iii)
[I 50.36(c)(2)
ED 50.73(a)(2)(v)(A)
[1 73.71(a)(4)
[I 20.2203(a)(2)(iv)
El 50.46(a)(3)(ii) 0 50.73(a)(2)(v)(B)
El 73.71(a)(5) 100 El 20.2203(a)(2)(v)
[I 50.73(a)(2)(i)(A)
El 50.73(a)(2)(v)(C)
[E OTHER El 20.2203(a)(2)(vi)
El 50.73(a)(2)(i)(B)
El 50.73(a)(2)(v)(D) spec3fyin Abstractbelo...
nNRC
- 12. LICENSEE CONTACT FOR THIS LER FACILITY NAME TELEPHONE NUMBER (Include Area Code)
Julie Hough, Licensing Engineer 423-365-8048CAUSE SYSTEM COMPONENT MANU-REPORTABLE
CAUSE
SY MANU-REPORTABLE FACTURER TO EPIX FACTURER TO EPIX
- 14. SUPPLEMENTAL REPORT EXPECTED
- 15. EXPECTED SUBMISSION MONTH DAY YEAR El YES (If yes, complete 15. EXPECTED SUBMISSION DATE)
[
NO DATE ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines)
On July 28, 2009, the Tennessee Valley Authority (TVA) identified latent design input inconsistencies in hydrological computer modeling used for probable maximum flood (PMF) calculations.
The root causes of the condition were an organizational behavior which allowed the latent input inconsistencies to go undetected and management failure to provide oversight of the impact of river system changes on the calculated value of the PMF. The corrective actions to prevent recurrence are to procedurally require a Flood Protection Program, develop formal Flood Protection Program Management Implementing Procedure(s) and Design Standards/Guides, create a formal documented risk management process for all engineering products, formalize the elements of engineering technical rigor, and implement an upper tier integrated risk management process.
Upon discovery, TVA implemented both immediate and interim corrective actions to ensure the Fort Loudoun, Cherokee, Tellico and Watts Bar dams would not overtop during an assumed PMF event.
- 1.
Plant Operating Conditions Before the Event
At the time of discovery, Watts Bar Nuclear Plant (WBN) Unit 1 was in Mode 1 at approximately 100 percent rated thermal power.,
Ill.
Description of the Event A. Event On July 28, 2009, Tennessee Valley Authority (TVA) identified latent computer modeling inconsistencies that adversely affected probable maximum flood (PMF) analyses.
Specifically, TVA identified the potential to overtop and fail earthen embankments at Cherokee, Fort Loudon, Tellico and Watts Bar Dams. The potential to overtop and fail earthen embankments was identified based on an ongoing effort at that time to update, revalidate and verify the design basis flooding calculations for TVA nuclear plants.
The updating of the affected calculations included (1) unit hydrograph changes, (2) software code errors, (3) dam rating curve changes, (4) median reservoir level changes, (5) flood operation changes, (6) Dallas Bay omission (impacting Browns Ferry Nuclear Plant (BFN) only), (7) and overflow areas at Watts Bar Dam. The overtopping and failure of the specified earthen embankments could have resulted in an increase in the PMF level at WBN, Sequoyah Nuclear Plant (SQN) and BFN and had the potential to affect systems required for safe shutdown. At the time, this condition represented an unanalyzed condition at all three sites. Subsequent analysis determined that the calculated increase in flood level at WBN from a PMF event in which the specified earthen embankments were overtopped and failed rendered existing flood mode procedures ineffective. This exposure existed for some period of time prior to the identification of the unanalyzed condition in 2009.
Upon discovery, TVA implemented interim and immediate corrective actions to ensure the Fort Loudoun, Cherokee, Tellico and Watts Bar dams would not overtop during an assumed PMF event.
B. Status of Structures, Components, or Systems that were Inoperable at the Start of the Event and that Contributed to the Event
There were no inoperable structures, components, or systems that contributed to the event.
C. Dates and Approximate Times of Occurrences
Date
Description
1960-1970s TVA develops hydrology modeling software (Simulated Open Channel Hydraulics (SOCH)).
1982 TVA begins dam safety program consistent with Federal Guidelines for Dam Safety.
Date
Description
1985 TVA's Engineering Laboratory issues the spillway coefficient report, "Method for Estimating Discharge at Overflow Spillways with Curved Crests and Radial Gates." TVA estimates orifice discharges using a single curve in the U.S. Army Corps of Engineers' Hydraulic Design Criteria (HDC).
1998 TVA reassesses effects of dam safety modifications on PMF using SOCH.
2003 TVA Water Management initiates River Operations Study (ROS) Environmental Impact Statement (EIS) to evaluate impacts of potential changes to operation of the TVA reservoir system.
October 30, TVA submits the Bellefonte Nuclear Plant (BLN) Units 3 and 4 2007 Combined License Application (COLA). The 1998 flood reassessment calculation is used as the basis for the BLN Final Safety Analysis Report section 2.4.
March 19, NRC issues Notice of Violation for failure to implement the 2008 quality assurance program for the SOCH modeling.
March 2008 During verification and validation of SOCH inputs and codes, to latent inconsistencies and necessary changes in PMF eptember calculations are identified. The cumulative effects of these 2012 inconsistencies and changes predict potential dam overtopping at Fort Loudoun, Cherokee, Watts Bar and Tellico dams during a PMF.
July 28, TVA determines that based on certain PMF modeling concerns 2009 the Fort Loudoun Dam could be overtopped and fail and the resulting PMF levels could exceed the original design and licensing basis elevations.
August 14, TVA determines that if the Cherokee Dam were to overtop and 2009 fail, the PMF levels could exceed the original design and licensing basis elevations.
September TVA determines that if the Tellico and Watts Bar Dams were to 24, 2009 overtop and fail, the PMF levels could exceed the original design and licensing basis elevations at WBN.
Date
Description
December HESCO modular flood barrier installation at affected dams to 30, 2009 raise earthen embankments.
February 6, TVA notified the NRC that due to the potential to overtop and 2013 fail earthen embankments at four dams, WBN was in an unanalyzed condition that could have resulted in an increased PMF.
D. Manufacturer and Model Number (or other identification) of Each Component that Failed During the Event There were no failed components associated with this condition.
E. Other Systems or Secondary Functions Affected
There were no other systems or secondary functions affected by this condition.
F. Method of Discovery of Each Component or System Failure or Procedural Error
On July 28, 2009, as part of an ongoing validation of SOCH model and sub-codes, TVA concluded that the spillway discharge coefficient previously used in the Fort Loudoun Dam Rating Curve was inconsistent with more recent model test data. Additional research revealed that the same was true for Cherokee, Tellico, and Watts Bar dams.
G. The Failure Mode, Mechanism, and Effect of Each Failed Component
There were no failed components.
H. Operator Actions
There were no operator actions.
I. Automatically and Manually Initiated Safety System Responses
There were no safety system responses.
Ill.
Cause of the Event
A. The cause of each component or system failure or personnel error, if known:
There were no component or system failures or personnel errors associated with this event.
B. The cause(s) and circumstances for each human performance related root cause:
TVA identified two root causes for this condition, each having human performance related aspects.
- 1. An organizational behavior, rooted in over-confidence that TVA was the industry hydrology expert, resulted in the input errors (latent computer modeling inconsistencies) during the development of the SOCH model going undetected.
- 2. TVA Nuclear management's failure to provide oversight of the impact of changes to the river system on the calculated PMF at WBN and failure to apply safety-significant conservative decision-making for those changes demonstrated that nuclear safety was not the overriding priority.
TVA identified two relevant contributing factors.
- 1. Formal process controls were not established that ensure the flood protection program protects critical safety systems for the TVA nuclear sites.
- 2. TVA demonstrated less than adequate shared understanding of the applicable regulatory requirements under which the nuclear sites, as integral components of the river system, must operate.
In 1998 and again in 2004, significant changes to the design of the dams and operation of the river system were implemented. In both cases, the model was used to calculate the impact to the nuclear sites. The Nuclear organization acted upon those results without questioning the validity of the model, the calculations that it supported, or its conclusions.
TVA Nuclear remained over-confident in the belief of the accuracy of the model throughout this period.
Since they had been used to license the nuclear stations, the software and model were believed to be correct. The over-confidence in the model continued to exist as late as 2008 when the model was employed in support of the BLN license submittal.
It was not until 2009, during validation of the hydrology model, that TVA realized that there were inconsistencies in the model inputs which, when corrected, resulted in the realization that some upstream dams could overtop and fail. The failure of the dams would overwhelm the planned flood protection actions to protect the safety systems at the TVA nuclear stations.
In summary, the latent design input inconsistencies, and a lack of rigor and oversight due to the overconfidence in the evaluation of changes in the operation of the river system over time, resulted in unrecognized inaccuracies in the PMF calculations.
IV. Analysis of the Event
Reportability Analysis:
This condition is being reported in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.73(a)(2)(ii)(B), 50.73(a)(2)(v) and 50.73(a)(2)(ix)(A), as any event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety, as an event that could have prevented the fulfillment of safety function, and as a
single cause that could have prevented the fulfillment of a safety function for two or more trains or channels in different systems.
Operational Analysis:
If a PMF had occurred prior to identification of this previously unanalyzed condition, the event would have likely made maintenance of core cooling impossible at WBN with the prevailing procedural guidance.
The stipulated flooding conditions would result in the loss of systems currently credited during a PMF event. These systems are among those required to ensure adequate heat removal from the reactor core and SFP. As a result, during a PMF in which the affected dams were overtopped, the ability to maintain cooling of the core and spent fuel pool would likely have been lost.
V. Assessment of the Safety Consequences A. Availability of systems or components that could have performed the same function as the components and systems that failed during the event:
Based on the above information, a potential for a reduction in the defense-in-depth to nuclear safety existed. As a result, this event could potentially have adversely affected the health and safety of plant personnel or the general public had an actual flooding event occurred. There have been no probable maximum precipitation or PMF events and no safety related structures systems or components (SSCs) were placed in jeopardy due to actual flooding conditions.
B. For events that occurred when the reactor was shut down, availability of systems or components needed to shutdown the reactor and maintain safe shutdown conditions, remove residual heat, control the release of radioactive material, or mitigate the consequences of an accident:
Based on the above information, a potential for a reduction in the defense-in-depth to nuclear safety existed. As a result, this event could potentially have adversely affected the health and safety of plant personnel or the general public had an actual flooding event occurred. There have been no probable maximum precipitation or PMF events and no safety related structures systems or components (SSCs) were placed in jeopardy due to actual flooding conditions.
C. For failure that rendered a train of a safety system inoperable, an estimate of the elapsed time from discovery of the failure until the train was returned to service:
There was no failure that rendered a train of a safety system inoperable during this condition.
VI.
Corrective Actions - Corrective actions are being managed by TVA's corrective action program under Problem Evaluation Report 682212.
A. Immediate Corrective Actions
In July and August 2009, TVA implemented interim measures to mitigate impacts of the potential increase in PMF levels. River Operations procedures were modified to require site
notifications if greater than or equal to five inches of average rainfall over 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> occurs over the Fort Loudoun/Tellico dam watershed area. At the same rainfall threshold, TVA would mobilize the necessary heavy equipment at the Fort Loudoun Marina Saddle dam to effect the saddle dam removal to preserve the integrity of Fort Loudoun Dam. During this period, TVA also began installation of HESCO modular flood barriers on the Cherokee, Fort Loudoun, Tellico, and Watts Bar dams.
B. Corrective Actions to Prevent Recurrence or to reduce probability of similar events occurring in the future
- 1. Revise the Conduct of the Engineering Organization procedure to include a Flood Protection Program within the Corporate Nuclear Engineering Organization with the primary function to ensure that the nuclear plant critical safety systems are protected from all postulated flooding conditions.
- 2. Develop a formal Flood Protection Program Management implementing procedure or procedures. This procedure would (for example) define the Flood Protection Program policy, ownership of the procedures, roles and responsibilities; identify nuclear regulatory requirements; establish governance and oversight expectations, periodic program reviews, training and qualification requirements; and implement flood protection change control board process, and program health reports.
- 3. Develop Flood Protection Program Design Standard(s) or Design Guide(s) in accordance with engineering programs and processes to control Flood protection calculations.
- 4. Formalize the elements of engineering technical rigor in the Conduct of the Engineering Organization procedure.
- 5. Create a formal documented risk management process for all engineering products, informed by INPO 12-008, Excellence in Integrated Risk Management, which includes flood related issues to evaluate including river system operation changes, nuclear plant design changes, design input changes, procedure changes impacting flood protection, Environmental and/or National Environmental Policy Act (NEPA), and Project Management.
- 6. The TVA Nuclear Organization will implement an upper tier integrated risk management process, informed by INPO 12-008.
VII.
Additional Information
A. Previous Similar Events at the Same Plant LER 390/2012-02 reported an increase in PMF level at the WBN site that resulted in an unanalyzed condition. Additional potential overflow/rim leakage areas were identified during hydrologic analysis for the proposed TVA Clinch River site that resulted in an increase in the WBN PMF level.
B. Additional Information
The corrective action document for this report is PER 682212.
C. Safety System Functional Failure Consideration
In accordance with Nuclear Energy Institute (NEI) 99-02, this condition is considered a safety system functional failure.
D. Scram With Complications Consideration This event did not include a scram.
VIII. Commitments
There are no cemmitments.