05000483/LER-2010-004
| Callaway Plant Unit 1 | |
|---|---|
| Event date: | 3-2-2010 |
| Report date: | 4-30-2010 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(v), Loss of Safety Function; 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| 4832010004R00 - NRC Website | |
1. INITIAL PLANT CONDITIONS:
The plant was in MODE 1, Power Operation, at 100% reactor power when the subject condition was discovered. No structures, systems, or components were inoperable at the time of discovery that contributed to this event.
2. EVENT DESCRIPTION:
On March 2, 2010, a question pertaining to the design of the essential service water (ESW) system [EIIS system: BI] and associated ultimate heat sink (UHS) [EIIS system: BS] at Callaway, with respect to conformance to 10 CFR 50 Appendix A General Design Criteria (GDC) 44, was identified. GDC 44 states that a system transferring heat from structures, systems, or components (SSCs) to the UHS shall be provided and function under normal and accident conditions. Suitable redundancy and isolation capabilities of this system shall be provided such that the safety functions can be accomplished, assuming a single failure.
Specifically, based on a review of the UHS thermal performance analysis calculation, it was questioned whether a particular single active component failure should have been considered for the UHS cooling tower bypass valves [EIIS system: BS, component: HCV], and if so whether or not UHS calculations bound this single failure scenario. Further review of the UHS calculations determined that the most limiting single active failure with respect to the thermal capacity of the UHS, i.e., the failure of a UHS cooling tower bypass valve, had not been identified or evaluated. This condition was entered into Callaway's Corrective Action Program as CAR 201001813.
The UHS consists of a seismic Category I mechanical draft cooling tower [EIIS system: BS, component: CTW] and a seismic Category I source of makeup water (retention pond [EIIS system: BS, component: RVR]) for the tower. The UHS cooling tower provides heat dissipation from the ESW system for safe shutdown of the unit following an accident. The UHS cooling tower is divided into four cells with one fan [EIIS system: BS, component: FAN] assembly (fan, gear reducer [EIIS system: BS, component: RGR], and motor [EIIS system: BS, component: MO]) per cell. Two of the four cells (one train of the ESW) are required for safe shutdown. Supply headers and spray pipes [EIIS system: BI, component: PSP] for each train of ESW from the power block are separated by interior walls. Freeze protection of the UHS cooling tower fill (cross-pack corrugated asbestos cement board that increases the surface area of the water flowing through it in order to maximize heat transfer) is provided by automatic bypass of the spray system.
With the UHS cooling tower bypass valves (EFHVO065 for Train 'A' and EFHVO066 for Train 'B') open, ESW from the power block is diverted directly into the cooling tower basin [EIIS system: BS, component: RVR], thus bypassing the UHS cooling tower.
When the ESW system is put into operation, water is drawn from the UHS retention pond by means of the ESW pumps. It is then pumped through the power block components and returned to the UHS cooling tower basin. As noted above, ESW discharge water from the power block is directed into the UHS cooling tower basin through a normally open UHS spray system bypass valve (in each train). The UHS bypass valves will automatically close when discharge water temperature is at or above 91 degrees Fahrenheit in order to direct water through the UHS cooling tower fill. As described in the Callaway Final Safety Analysis Report (FSAR), operator action may be necessary to maintain UHS pond temperature within allowable limits by defeating the automatic bypass of the UHS spray system and manually closing the UHS bypass valve in order to send return water over the fill. This allows UHS pond cooling and performance monitoring during plant operation when freezing in the tower is not a concern.
With respect to the question raised on March 2, 2010, it was recognized that during an accident, a failure of one of the UHS bypass valves would allow one train of ESW to flow directly into the UHS pond without any cooling from the UHS cooling tower, while flow from the other ESW train is cooled by the UHS cooling tower. The introduction of the warmer water into the UHS pond would cause the pond temperature to increase rapidly. With the UHS pond initially at the Technical Specification (TS) defined minimum level of 13.25 feet (or approximately 58%) and TS defined maximum temperature of 90 degrees Fahrenheit, under the worst case meteorological conditions at the beginning of a Large Break Loss of Coolant Accident (LBLOCA) with a Loss of Offsite Power (LOOP), calculations showed that the UHS pond temperature would exceed the design basis accident (DBA) maximum of 92.3 degrees Fahrenheit in 60.7 minutes with no operator action. (If initial conditions were more favorable, the UHS pond DBA maximum temperature being exceeded would be delayed or possibly avoided.) The increase of the UHS pond temperature would lead to an increase of the ESW pump [EIIS system: BI, component: P] inlet temperature, which is used to determine the heat transfer capacity of the heat exchangers [EIIS system: BI, component: HX] and room coolers [EIIS system: BI, component: CLR], including the component cooling water heat exchangers [EIIS system: CC, component: HX] and the containment coolers [EIIS system: BK, component: HX], in the ESW system. The heat exchangers' and room coolers' performance calculations are based on the DBA maximum UHS pond temperature of 92.3 degrees Fahrenheit. If the UHS pond temperature were to rise above this limit, then all of the calculations analyzing the heat transfer performance of the ESW heat exchangers and room coolers would no longer be bounding with respect to analyzed conditions.
Identification of the unanalyzed single-failure condition prompted a review of design and licensing-basis documents dating back to construction of the facility. The Callaway site was originally designed for two units, with the second unit having an identical mechanical draft cooling tower. The UHS retention pond was sized as a common source of makeup water for both cooling towers. Maximum water temperature limits/requirements for the UHS pond were analyzed for one unit having a Loss of Coolant Accident (LOCA) along with the simultaneous safe shutdown of the other unit. In the original UHS design basis document, only one train in each of the two cooling towers was assumed to operate during the LOCA and/or safe shutdown at any time. With the cancellation of the second unit, the second cooling tower was not required and therefore not installed. The UHS retention pond itself was completed per the original design.
Per the original design, all of the heat removed from the ESW loads was intended to be rejected to the atmosphere such that the UHS pond would not heat up even if running both trains of ESW over all four UHS cooling tower cells of fill during a LOCA. However, records show that in 1978 an issue was identified such that there was a question of whether the UHS mechanical draft cooling tower was undersized. Since construction of the cooling tower was already underway, a resolution was achieved wherein the tower performance estimates (though short of originally specified performance) could still be accepted.
Specifically, it was shown that for the first 8 hours after the onset of a design basis LOCA, the pond temperature could be maintained with flow from both trains of ESW being sent through the UHS mechanical draft cooling tower with the water flowing over the tower fill with fans running on high. Then, at 8 hours post-LOCA, one train of ESW would be required to be shut down for the remainder of the 30-day post-LOCA period in order to limit the UHS pond temperature.
It was further determined (from calculations completed in the 1978 timeframe) that if both UHS bypass valves were to fail open such that the flow from both trains of ESW would be directed into the UHS pond (and around the UHS cooling tower) initially at the TS limit of 90 degrees Fahrenheit, it would take 48.8 minutes post-LOCA for the UHS pond to reach the maximum DBA temperature of 95 degrees Fahrenheit (which was the analyzed limit at that time). The calculations concluded that an operator would be able to respond within 30 minutes, i.e., would become aware of the bypassed train(s) and close the bypass valve to ensure that ESW flow is directed to the UHS cooling tower. At the time it was established, the 30-minute operator response time was considered acceptable. However, in 1997, the NRC established criteria for crediting operator actions following an accident. In response to this guidance, operator response times listed in the FSAR for various accident scenarios were prioritized and either eliminated or verified using the simulator. As the scope of the effort for verifying and/or reconsidering operator response times was focused on those identified in the FSAR, the operator response time assumed for ensuring that both ESW trains are aligned to the UHS cooling tower was not re-evaluated since it was identified only in a calculation and not explicitly identified in the FSAR.
In addition, for unknown reasons, the calculation claiming the 30-minute operator response time was superseded and the 30-minute operator response time was not included in other or subsequent calculations. Since it was removed from the UHS calculation, no operator response for performing this action was incorporated into plant procedures.
At the time when the single-failure issue was identified on March 2, 2010, the state of the UHS calculations was such that they assumed both ESW trains are in service post-LOCA and flowing over four tower cells for the first 8 hours of a LBLOCA. (Only two cells, i.e., one train of ESW, are depended upon after the first 8 hours.) Per the UHS calculations, the limiting single passive failure was assumed to be the failure of one discharge header within the cooling tower, and the limiting single active failure was assumed to be the failure of one cooling tower fan or an emergency diesel generator [EIIS system: EK, component: DG], thus resulting in a loss of power to two cooling tower fans. The conclusion contained in the calculation was that the remaining two cells and two fans of the cooling tower (i.e., one train) are adequate to remove heat from the redundant ESW train, which is consistent with the plant's original single active failure analysis for the UHS/ESW systems. The calculation thus determined the UHS pond temperature for the loss of one ESW train. It has now been concluded that running both ESW trains may have a larger impact on the UHS pond temperature than what was previously considered to be the limiting scenario. That is, with respect to the single failure that yields the greatest heat-up of the UHS pond, the failure of a UHS bypass valve is the most limiting, with the UHS calculation assumption that both ESW trains continue to operate post-LOCA (for up to 8 hours).
In summary, from the historical research that was performed, it appears that the single-failure analysis for the UHS was not revised after identification of the UHS cooling tower sizing issue during plant construction.
Thus, the loss of an ESW train was and remained the single failure of record for many years with no consideration for the loss of a UHS cooling tower bypass valve as a potentially more limiting single active failure for analysis of UHS/ESW system performance or design.
In addition, it is now recognized that a single active mechanical failure may be equivalent to a single passive electrical failure in effect. Therefore, with respect to UHS performance, the loss of the UHS cooling tower load centers [EIIS system: ED, component: BU] must also be considered. The loss of either load center would result in the loss of the affected UHS bypass valve and UHS fan motors for the respective train. For the analysis of the UHS pond temperature, this condition would produce results equivalent to the mechanical failure of a UHS bypass valve.
The condition addressed in this LER is only applicable to accidents requiring cooling by the ESW system, with the most limiting case being a LBLOCA with a LOOP along with the UHS pond level at its lowest and pond temperature at its highest, coupled with a failure of a UHS bypass valve. At the time of discovery of the unanalyzed single-failure condition, Callaway Plant was in MODE 1 with relatively cool UHS pond temperatures, and thus there was no immediate operability concern. In the past three years, the valves, fans, breakers [EIIS system: BS, component: BKR], and load centers have always passed their surveillances and were only taken out of service for scheduled maintenance.
3. ASSESSMENT OF SAFETY CONSEQUENCES:
This event was evaluated with the Callaway probabilistic risk assessment (PRA) model. The conditional core damage probability (CCDP) calculated for this event/condition was less than 1E-6; therefore, this event was of very low risk significance. Use of the PRA model to evaluate the event provides for a comprehensive, quantitative assessment of the potential safety consequences and implications of the event, including consideration of alternative conditions beyond those analyzed in the FSAR.
Despite the low risk significance, the unanalyzed single failure identified in this LER is considered to be a condition that significantly degraded nuclear safety. The Emergency Operating Procedures (EOPs) did not provide a mechanism to enable licensed control room personnel to reliably diagnose and remediate this single failure if it had occurred. If this single failure had occurred and gone undetected and uncorrected, the UHS pond bulk temperature could have exceeded its limit in the event of an accident requiring the ESW/UHS heat removal function. This would have had the potential to adversely impact the capability of both trains of diesel generators and emergency core cooling system (ECCS) to perform their specified safety functions.
This concern affects the deterministic LBLOCA analysis. Callaway response to a LBLOCA without emergency diesel generators and following the loss of all ECCS pumps (assuming occurrence of the subject single failure) would result in an unacceptable end state. Therefore, this event has been determined to be an unanalyzed condition that significantly degraded nuclear safety.
4. REPORTING REQUIREMENTS:
This LER is submitted pursuant to 10 CFR 50.73(a)(2)(ii)(B) to report a condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.
With respect to 10 CFR 50.73(a)(2)(v), i.e., a condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, control the release of radioactive material, or mitigate the consequences of an accident, the identified condition was determined to not be reportable per this criterion. A review of operating data over the last three years confirmed no instance of when a UHS cooling tower bypass valve was inoperable (except when the associated train was removed from service for maintenance). In addition, per the guidance given in NUREG 1022 for this criterion, "In determining the reportability of an event or condition that affects a system, it is not necessary to assume an additional random single failure in that system." Since the equipment operated properly and as expected when it was called upon to do so in the last three years, in conjunction with the fact that an additional random single failure does not need to be assumed, it can be assumed that the UHS/ESW system would have been capable of performing its heat removal function described in the FSAR in the event of a LOCA. Thus, the condition did not constitute a condition that could have prevented fulfillment of a safety function.
5. CAUSE OF THE EVENT:
Design basis documents and calculations for the UHS did not identify the failure of the UHS cooling tower bypass valves as a single active failure that should be considered in the UHS design. Because the original analysis identified that the two-train ESW system met redundancy requirements and that only one train of ESW would be operating in any DBA or for safe shutdown, the single failure that was identified to be the most limiting was the loss of one train of ESW. Further, because only one train of ESW was assumed or required to provide cooling water during a DBA or safe shutdown sequence, the design of the UHS pond (as a common source for both trains of ESW) was considered to be acceptable "as-is".
The effect of the UHS design (having a common retention pond) is that when both ESW trains are utilized to mitigate a DBA and/or effect safe shutdown, a single point failure in one ESW train, i.e., failure of the UHS bypass valve in one train to close, could cause the UHS pond to become degraded (overheated) which could in turn degrade both ESW trains. The unanalyzed single failure condition stems from the incomplete resolution of an early design-basis issue involving a question of whether the UHS cooling tower was undersized, as prompted by a non-conservative specification given to the tower design vendor with limited experience in Seismic Category I tower design.
The effect of the undersized tower (in light of the assumption that both ESW trains may likely be operated for some time following the onset of an accident) is that all of the energy being removed by the ESW system during a DBA is not transferred to the atmosphere but that some is put into the UHS pond causing it to heat up more than originally estimated. This led to claiming operator actions to mitigate the overheating of the UHS pond. Even though operator actions are claimed in the FSAR and the Technical Support Center (TSC) procedures, operator actions are not included in the EOPs to address UHS temperature issues during safe shutdown or LOCA scenarios because when Callaway responded to the NRC guidance regarding verifying DBA operator action response times this was not included in the scope.
This issue has been identified as a latent design issue. There have been no equipment failures. The error precursor is the mindset that the UHS pond was designed to support two units, so minimal or inadequate attention or consideration was given to changes after the second unit was canceled. A latent organizational weakness in the form of a lack of clear communications between the Engineering and Operations Departments existed such that after Engineering discovered the UHS cooling tower sizing issue and that operator actions would be required to protect the UHS pond temperature during a LOCA, Operations did not include the operator actions in the EOPs.
The extent-of-condition review determined the scope to include those structures, systems, or components which have a portion or volume that is common to multiple trains such that the failure of a single component could compromise the operability of multiple trains. These common portions or volumes include:
- Control room HVAC [EIIS system: VI]
- Natural draft cooling tower [EIIS system: NN, component: CTW]
- Refueling water storage tank (RWST) [EIIS system: CB, component: TK]
- Volume control tank (VCT) [EIIS system: CB, component: TK]
- Spent fuel pool (SFP) [EIIS system: ND]

Research was performed to see if this condition or a similar one could be applicable to each of these common volumes, based on multiple criteria including safety-related classification, whether the volume is credited in a DBA, whether the volume requires a single failure analysis, valve specifications (normal position, if it fails as-is, etc.), whether there is complete redundancy among trains (only one train is ever required to be run at a time), etc. All of the scope of the extent-of-condition was eliminated with the exception of the condition noted below in Section 7.
6. CORRECTIVE ACTIONS:
Corrective actions for this condition include a revision of the EOPs to support operator action response times for a LOCA with the loss of either UHS bypass valve or UHS cooling tower load center and a revision to the TSC procedures to clarify Engineering's recommended operator actions during a LOCA with the loss of either UHS bypass valve or UHS cooling tower load center. Modifications are being made to annunciators [EIIS system: NA, component: ANN] on the main control board [EIIS system: NA, component: MCBD] to increase operator awareness of the status of the UHS bypass valves, and the alarm response procedures will be revised to provide actions if either a UHS bypass valve or UHS cooling tower load center is lost. Applicable calculations, sections of the FSAR, and other documents will be updated as needed. The corrective action to prevent recurrence (CATPR) is an update of design procedures to minimize the probability of generating non-conservative specifications, using non-conservative design inputs and assumptions in a calculation, and not evaluating single active failure in plant modifications.
7. PREVIOUS SIMILAR EVENTS:
A search of the Callaway corrective action request system (CARS) identified one occurrence similar to the condition addressed in this LER:
- In December 2003, the loss of the control room filtration fan [EIIS system: VI, component: FAN] was postulated, which would allow air filtered only once (as opposed to once when entering the control building and once when entering the control room envelope) to enter the control room by means of the compromised train of the control room HVAC. As both trains of control room HVAC take return air from the control room (common volume), both trains of control room HVAC would contain higher levels of contamination than allowed for control room habitability. The CATPR for this condition was adding operator actions to the EOPs. As this CATPR was specific to control room HVAC, it would not have prevented the postulated condition addressed by this LER.
8. ADDITIONAL INFORMATION:
The system and component codes listed below are from the IEEE Standard 805-1984 and IEEE Standard 803A-1984 respectively.
- System: BI, Essential Service Water System
  - Components: CLR, Cooler; HX, Exchanger, Heat; P, Pump; PSP, Pipe (Spool)
- System: BK, Containment Fan Cooling System (PWR)
  - Component: HX, Exchanger, Heat
- System: BS, Ultimate Heat Sink System
  - Components: BKR, Breaker; CTW, Cooling Tower; FAN, Fan; HCV, Valve, Control, Hand; MO, Motor; RGR, Gear, Reduction; RVR, Reservoir
- System: CB, Chemical and Volume Control/Makeup and Purification System (PWR)
  - Component: TK, Tank
- System: CC, Closed/Component Cooling Water System
  - Component: HX, Exchanger, Heat
- System: ED, Low-Voltage Power System - Class 1E
  - Component: BU, Bus
- System: EK, Emergency Onsite Power Supply System
  - Component: DG, Generator, Diesel
- System: KA, Condensate Storage and Transfer System
  - Component: TK, Tank
- System: NA, Control Building/Control Complex
  - Components: ANN, Annunciator; MCBD, Control Board (Main)
- System: ND, Fuel Building
- System: NN, Circulating Water Structures
  - Component: CTW, Cooling Tower
- System: VI, Control Building/Control Complex Environmental Control System
  - Component: FAN, Fan