Text

November 2010 Issue Brief from the Union of Concerned Scientists on the 2003-Oct-21 Segmented Shutdown at Callaway
	ML16011A518
Person / Time
Site:	Callaway
Issue date:	11/02/2010
From:	; Union of Concerned Scientists
To:	;
	Criscione L
References
	FOIA/PA-2016-0203
	Download: ML16011A518 (22)
	v • d • e

2003 SEGMENTED SHUTDOWN AT CALLAWAY PURPOSE A significant factor in the two most famous nuclear power accidents (Three Mile Island and Chernobyl) was operator actions that violated fundamental principles of safe reactor operation.

The nuclear industry should not require an accident to draw lessons from similar operator mistakes. This brief describes a significant incident that occurred at the Callaway nuclear plant in Missouri on October 21, 2003. It has been written using terminology used by nuclear workers, who are the intended audience for this important information. Other readers may find it helpful to refer to the appendix for clarification.

Although the Nuclear Regulatory Commission (NRC) reviewed this incident and issued some nominal findings, they did not investigate its significant aspects. Neither the NRC nor the Institute of Nuclear Power Operations (INPO) shared details of this incident with the nuclear industry. While events of equal and even lesser severity are routinely disseminated throughout the nuclear industry by the NRCs information notices and INPOs significant event reports, these organizations have thus far chosen to withhold information about this event. Knowledge has no expiration date - even though this event happened in 2003, its lessons are as useful in preventing a similar event in the future as if the event had happened yesterday.

The Lessons to be Learned from this incident are presented at the end of this issue brief.

Although the technical lessons from this incident apply mostly to pressurized water reactors (PWRs), there are other lessons related to human performance and operating philosophy that apply to all reactor types.

SUMMARY

Operators at the Callaway nuclear plant in Missouri allowed the reactor to passively shut down from the buildup of Xenon-135. For 106 minutes the operators performed ancillary actions while relying on an informal estimation that Xenon-135 levels were high enough to prevent the reactor from restarting. When the control rods were finally inserted, personnel outside of the control room were under the impression the control rods were being used to shut down the reactor. No one outside of the control room was aware that the reactor had actually shut down 106 minutes earlier until the incident was accidently uncovered 40 months later during a review of past reactor shutdowns. When the incident was brought to the attention of plant management, all levels of management refused to investigate it. When the incident was brought to the attention of the NRC, only a nominal investigation occurred which resulted in several minor findings.

INPO likewise refused to investigate it.

During this event, safety was compromised because the reactor was not actively controlled during its shutdown and it could have inadvertently become critical again without further operator action. Xenon buildup caused the reactor to become subcritical. The failure to ensure shutdown conditions via complete insertion of control rods for the nearly two hours left the reactor vulnerable to inadvertently re-attaining criticality through either xenon burnout or moderator temperature reduction.

2003 SEGMENTED SHUTDOWN AT CALLAWAY DESCRIPTION OF INCIDENT Callaway is a Westinghouse 4-loop PWR licensed in 1984 and rated for 3,565 megawatts thermal power. Callaway is located 25 miles from Jefferson City, Missouri.

At 07:21 am on Monday, October 20, 2003, with the reactor operating at 100% power, a safety-related inverter failed, which caused entry into technical specification (TS) 3.8.7.A, a 24-hour action statement for the loss of a safety-related instrument bus.

At 01:00 am on October 21, 2003, the operators began reducing the reactor power level at 10%

per hour. Although six hours remained on the 24-hour clock, the licensee prudently began lowering the power level early to avoid the strain that a more aggressive down power rate places on both plant equipment and the operators.

At 07:21 am, the plant entered TS 3.8.7.B, a 6-hour action statement to shut down the reactor because the inverter was still inoperable.

At 08:21 am, at the request of Electrical Maintenance the operators placed the repaired inverter in service to retest it. The inverter failed its retest and the control room operators entered off-normal procedure for Loss of Safety-Related Instrument Bus. Since the operators were prepared for the loss of this bus, it took less than 15 minutes for them to work through the procedure. However, because one of the steps in the procedure required a valve lineup for parts of the auxiliary feedwater system, the off-normal procedure remained open while the crew waited for an equipment operator to become available to perform the valve lineup.

At 09:35 am, an uncontrolled cool-down of the reactor coolant system began when the operating crew attempted to stabilize reactor power. The NRC determined that this cool-down was driven primarily by the operators not adequately compensating for Xenon-135 buildup. Prior to 9:35 am, the operators had been lowering reactor power by a nominal 10% per hour for over 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months . This rate of down power had caused a significant Xenon-135 transient to occur. During the down power, the buildup of Xenon-135 was aiding the reactor operators. The rate of negative reactivity inserted by Xenon-135 was substantially counteracting the positive reactivity being inserted by the down power (like all commercial US reactors, Callaway Plant has a negative power coefficient of reactivity). When the down power was secured at 9:35 am on October 21, the buildup of Xenon-135 was primarily checked by the decreasing average reactor coolant temperature (Tavg).

It is not known why the operating crew was attempting to stabilize reactor power. Since repairs to the inverter were still being attempted and since the reactor shutdown was three hours ahead of schedule, it is likely that the crew was stabilizing reactor power to provide Electrical Maintenance additional time to repair the inverter (had the inverter been repaired before the reactor was shut down, then the operators could have aborted the shutdown and returned to 100% power).

In addition to stopping the turbine load decrease at 09:35 am, the operators cycled the steam line drains. The procedural guidance for cycling the steam line drain valves was not clearly written and the operators left the drains open too long. As average reactor coolant temperature dropped 9°F over the next 25 minutes, the temperature drop was not recognized as the plant response to rising Xenon-135 levels but instead was attributed to the fact that the steam line drain valves were stuck open. There was confusion in the control room about which steam line drain valves remained open due to faulty equipment. Because the position-indicating lights on November 2010 Page 2 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY the main control board for some of the valves were faulty, equipment operators in the field had to coordinate with the control room operators to ensure all the required valves were shut. During this time period, the operators were focused on closing the steam line drains and failed to recognize the need to mitigate the effect the Xenon-135 buildup was having on average coolant temperature.

The level of activity in the control room increased when the uncontrolled cool-down caused the letdown system to isolate at 10:00 am on low water level in the pressurizer. Also at 10:00 am, average reactor coolant temperature dropped below 551°F, the Minimum Temperature for Critical Operation (MTCO).

The NRC provided the following assessment of the transient causing this 9°F temperature reduction:

the operating crew did not anticipate the impact of the rapid shutdown from the reactivity management perspective, which then resulted in transients on the plant at the lower power operating levels operators did not recognize that the reactor was responding to the steady state main turbine demand through the reactor coolant system temperature decrease, which then caused the decrease in pressurizer level and the letdown system isolation.

With the reactor temperature below the MTCO and the crew busy performing the off-normal procedure for Loss of Letdown, the Shift Manager recognized that the crew would not be able to restore the reactor coolant temperature without aggressively adding positive reactivity.

Recognizing that this was not the conservative action to take, he instead advised the Control Room Supervisor to trip the main turbine to assist in recovering reactor coolant temperature.

Although this was the correct course of action to take, it was still focused on the steam plant transient and not on the reactivity transient being caused by Xenon-135. With the turbine off-line, the reactor itself needed to be either tripped or, if the level of activity in the control room allowed it, shut down by control rod insertion.

The no load average coolant temperature at Callaway is 557°F, which corresponds to a steam line pressure of 1,092 psig. In 2003, the procedure for tripping the main turbine instructed the operator to set the lift point of the condenser steam dumps to 1,092 psig and to place the selector switch in Steam Pressure mode. These procedure steps meant that if the main turbine was tripped with average coolant temperature below 557°F, there would be no steam demand until reactor coolant temperature rose to 557°F. In such a case, as Tavg rose to the steam dump lift temperature, the associated addition of negative reactivity could cause the reactor to become subcritical. Although the reactor might still be above the Point of Adding Heat by the time the reactor coolant system (RCS) heated up to 557°F, without operator action the reactor would remain subcritical and steam demand would be met by non-fission heat sources.

When the main turbine was tripped at 10:12 am, total power (as indicated by the core T instruments) was 6.0%, nuclear fission rate (as indicated by the Intermediate Range Nuclear Instruments or IRNIs) was 1.67E-5 ion chamber amps (ica), Start Up Rate (SUR) was -0.01 decades per minute (dpm). Reactivity in the reactor core was essentially balanced: the negative reactivity that had been added by Xenon-135 over the past half hour was balanced by the positive reactivity resulting from the drop of the average coolant temperature to 550.4°F.

Upon tripping the main turbine, the average coolant temperature rose more than 1°F within the first 20 seconds, 2.5°F in the first minute, and 4°F in the first two minutes. The removal of steam November 2010 Page 3 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY demand and the rapid negative insertion of reactivity from the temperature rise caused the reactor plant to shut down. According to the NRC:

After the turbine trip, the reactor coolant system temperature increased to the programmed level adding negative reactivity. This, along with the Xenon accumulation, shut the reactor down Between 10:13 and 10:18 am, the operators were busy performing the Loss of Letdown procedure. At 10:18 am, they restored letdown flow to 75 gpm and exited the off-normal procedure. Total power was 2.4%, nuclear fission rate was 2.4E-6 ica, SUR was -0.16 dpm, and Tavg was 557°F. During those five minutes the fission rate had dropped by 80% and total power had dropped by one half. The reactor had shut down and total power levels were approaching the Non-Fission Heat Rate.

It is unclear whether the control room operators were aware that the reactor was shut down at this point. In testimony to the NRC, the Shift Manager indicated that, prior to tripping the main turbine, he had discussed with the Control Room Supervisor that the reactor would passively shut down following the turbine trip. However, neither the CRS nor the Shift Manager ensured that the reactor was actively shut down immediately following the turbine. From the point that the off-normal procedure for the Loss of Letdown was exited (10:18 am), 106 minutes passed before the operators took action to actively insert negative reactivity to ensure the reactor remained shut down under all conditions.

Between 10:20 and 10:25 am, Tavg increased from 557°F to 560°F. It is unclear if this increase was due to raising the condenser steam dump set point to 1,118 psig or to a loss of the condenser steam dumps and a transition to the atmospheric steam dumps. This rise in temperature had a slight but noticeable effect on SUR and served to further increase the margin by which the reactor was subcritical. It is unclear if the operators intended to use this temperature rise to insert negative reactivity or if the temperature rise occurred for other reasons.

By 10:25 am, nuclear fission power was below the Point of Adding Heat (POAH): total power was 1.8% and stable (indicating that total power was wholly due to the Non-Fission Heat Rate),

nuclear fission rate was 7.34E-8, SUR was -0.28 dpm, and Tavg was 560°F. Reactor power was steadfastly headed to the source range. During this time period, it is unclear why the operators did not insert the control rods.

By 10:39 am, reactor power was in the source range. The channel 2 IRNI was reading 1.1E-10 ica, total power was indicating 1.75% (trending with the NFHR for this shutdown), SUR was -0.03 dpm and was leveling out (because of the continual buildup of Xenon-135, SUR would eventually level out to -0.0065 dpm which equates to about half a decade drop in 75 minutes).

As reactor power transited through four decades of power from 10:18 to 10:39 am, the operators took no action to actively insert negative reactivity (i.e. insert control rods or add boron). During that time the only activities logged in the control room logs were the following:

1034 Stopped an Intake pump 1034 Placed Cooling Tower Blowdown in service 1038 Authorized to Start trip point and calibration check on the channel 2 PRNI November 2010 Page 4 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY 1048 Raised letdown flow from 75 gpm to 120 gpm (to complete this by 1048, it was likely being performed by the Reactor Operator while power was transiting from the POAH to the source range)

These control room log entries strongly suggest that the operators failed to recognize the reactor had shut down. It is difficult to believe that, had the operators known the reactor was shut down with reactor power transiting to the source range, they would prioritize placing cooling tower blowdown in service over actively controlling the nuclear fission reaction by inserting the control rods or ensuring adequate monitoring of core parameters.

From 10:39 to 11:25 am, reactor power was in the source range without any of the Source Ranger Nuclear Instruments (SRNIs) energized. This was due to the Subcritical Multiplication afforded by the control rods still being at their critical rod heights. The reactivity difference afforded by the control banks being at their critical rod heights allowed subcritical neutron levels to be about 10 times higher than normal. As a result, when reactor power first entered the source range the ion chamber current of the Intermediate Range Nuclear Instruments was above the set point of the bi-stable that causes the SRNIs to energize. Over the course of 46 minutes the ion chamber current on the IRNIs steadily lowered from 1.1E-10 to 4.9E-11 ica due to the negative reactivity inserted by the continued buildup of Xenon-135. At 11:25 am, the channel 2 SRNI energized, causing an annunciator to sound an alarm on the Main Control Board. This same annunciator reflashed at 11:38 am when the channel 1 SRNI energized.

When the SRNIs energized, source range neutron levels were around 2800 counts per second (3044 cps for channel 2 and 2593 cps for channel 1).

During the 41 minutes that reactor power was in the source range with the SRNIs de-energized and the control rods at their critical rod heights, the only activities logged in the control room logs were the following:

1101 C Condensate pump stopped 1113 Notified Field Complete trip point and calibration check on the channel 2 PRNI 1114 Authorized to Start trip point and calibration check on the channel 3 PRNI These log entries strongly suggest that the operators failed to recognize the reactor was in the source range until the channel 2 SRNI energized. The condensate pump was secured as part of the normal steam plant shut down (since three condensate pumps were no longer needed, one was secured) and not in response to any abnormal occurrence. The surveillance procedures on the PRNIs were part of the routine calibrations done during the plant shutdown. It is difficult to believe that the licensed operators would prioritize these ancillary actions over actively controlling and monitoring core reactivity had they recognized the reactor was no longer operating in the power range. During this time, the primary indication used to monitor reactor power (the core T instruments) still indicated around 1.75% reactor power due to decay heat and reactor coolant pump heat.

The energizing of the SRNIs is not noted with a log entry until 11:34 am and this entry was made at some point after 11:42 am. The reason for this delay is not known.

From 11:25 am onward, it can reasonably be assumed the entire operating crew was aware that reactor power was in the source range with the control rods still at their critical rod heights. For unexplained reasons, no efforts were undertaken to actively insert negative reactive (i.e.

inserting control rods or adding boron) for another 40 minutes. From 11:25 am to 12:05 pm, the only activities logged in the control room logs were the following:

November 2010 Page 5 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY 1134 Notified Field Complete, Aux feedwater valve lineup 1137 Exited off-normal procedure for Loss of Safety-Related Instrument Bus 1140 Started the motor driven feed pump 1142 Started Containment Mini-purge 1142 Authorized to Start Shutdown Margin calculation 1144 Notified Field Complete trip point and calibration of channel 3 PRNI 1145 Authorized to Start trip point and calibration of channel 4 PRNI 1151 Stopped the last turbine driven feed pump 1203 [the NRC refuses to release this entry - it concerns operation of the radioactive drains]

With the exception of the Aux feedwater valve lineup and the off-normal procedure for Loss of Safety-Related Instrument Bus, all the above log entries are for routine activities associated with the shutdown of the steam and reactor plants. None of these entries needed to be performed prior to the insertion of the control rods and none of these entries took priority over insertion of the control rods.

In his testimony to the NRC, the Shift Manager indicated that the need to exit the off-normal procedure for the Loss of Safety-Related Instrument Bus and the off-normal procedure for Loss of Letdown delayed the insertion of the control banks. He relied on the procedural hierarchy at Callaway, stating that off-normal procedures take precedence over normal operating procedures. The NRC did not challenge this statement, despite the fact that the crew had performed many other routine activities dictated by normal operating procedures during the time frame it was supposedly impeded from inserting control rods by the higher priority off-normal procedures.

Since the off-normal procedure for Loss of Letdown was exited at 10:18 am, which is the approximate time core reactivity reached the point that criticality could not be prudently recovered, this off-normal procedure could not possibly have contributed to the 106 minute delay.

The off-normal procedure for the Loss of Safety-Related Instrument Bus had been entered at 08:21 and the actions directly performed by the operators in the main control room were completed by 08:35 am. At 08:33, as part of an attachment to the off-normal procedure, the Control Room Supervisor authorized the start of an operations surveillance procedure to verify the alignment of valves in the auxiliary feedwater system. Because of the level of activity outside of the control room (i.e. the equipment operators were busy shutting down the steam plant), this surveillance procedure was not completed until 11:34 am. With this surveillance procedure complete, the Control Room Supervisor was now able to exit the off-normal procedure for Loss of Safety-Related Instrument Bus. Thus, although the off-normal procedure was not exited until 11:37 am, it had not burdened the control room operators after 08:33 am and was not a factor in the 106 minute delay in inserting the control banks. Concerning the off-normal procedures for Loss of Letdown and Loss of Safety-Related Instrument Bus, the NRC stated:

The NRC did not find that the implementation of either off-normal procedure prevented the control room operators from inserting the control rods at any time during the shutdown.

This NRC conclusion directly contradicts the sworn testimony of the Shift Manager as to the reason for the delay.

November 2010 Page 6 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY At 12:05 pm, the reactor operators commenced inserting the control banks. This was the first time the operators took any action to actively control core reactivity since the reactor had passively shut down 106 minutes earlier.

It took ten minutes to insert the control banks. From 12:05 to 12:15, the following activities were logged in the control room logs:

12:05 Commenced control rod insertion 12:12 Notified Field Complete trip point and calibration of channel 4 PRNI 12:13 Authorized to Start trip point and calibration of channel 1 PRNI 12:15 All control banks fully inserted It should be noted that the insertion of the control banks only took ten minutes and that inserting the control rods did not place such a burden on the Control Room Supervisor that he could not perform other tasks (e.g. the CRS was able to authorize the start of an I&C surveillance during the control bank insertion). Based on the other activities that the operators performed in the preceding 106 minutes (e.g. placing cooling tower blowdown in service or raising letdown flow),

there was ample opportunity to manually insert the control banks prior to 12:05 pm.

At 12:55 pm, the operators finally officially declared MODE 3 based on the Shutdown Margin calculation indicating adequate negative reactivity margin to keep the reactor shut down. The MODE 3 completion time of TS 3.8.7.B had been met but the plant remained in TS 3.8.7.B because of the 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months completion time to cool down to MODE 5 (the plant remained at Normal Operating Temperature (NOT) for the remainder of the day while Electrical Maintenance continued repairs to inverter NN11).

LESSONS TO BE LEARNED Several lessons can be learned from this incident, as discussed in the following sections.

Point of Adding Heat, Non-Fission Heat Rate and Temperature-Reactivity Feedback The Point of Adding Heat (POAH) is inherently connected with the Non-Fission Heat Rate (NFHR). As the NFHR rises due to decay heat, the reactor requires a larger amount of fission power to be above the POAH.

The POAH is mainly useful only during reactor start ups. During a start-up, the POAH is recognized by total core power rising noticeably with noticeable increases in fission power.

Once the POAH is reached, the reactor operator can rely on temperature-reactivity feedback to turn reactor power. Simply put, the negative reactivity introduced as the temperature of the reactor coolant increases acts to put the brakes on rising reactor power levels.

During a reactor shutdown, the POAH is not as relevant. Although the POAH is easily recognized by looking at historical trends of a reactor shut down, in real-time the POAH is nearly impossible to recognize. Giving instructions to reduce reactor power to just above the POAH is foolhardy: the POAH/NFHR cannot be recognized by the operator in real-time until it is too late to do anything about it and, since the POAH/NFHR varies with reactor power history, generic estimates cannot be used.

November 2010 Page 7 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY Commercial nuclear power reactors in the United States typically operate with a negative moderator temperature coefficient (-MTC). Although some plants have a positive moderator temperature coefficient (+MTC) for a relatively short portion of their refueling cycle, the majority of the time most US reactors can take advantage of the temperature-reactivity feedback provided by the -MTC.

Operators rely heavily on temperature-reactivity feedback during startups because it makes the reactor power and temperature inherently stable. A rise in reactor power causes a rise in reactor temperature which causes reactor power to lower. A rise in reactor temperature causes a lowering of reactor power which causes reactor temperature to lower. Because of temperature-reactivity feedback, the operators need not directly control reactor power with active reactivity changes (i.e. control rod movement or boron concentration changes). The reactor operator can use active reactivity changes to control temperature and passively rely on temperature changes to control reactor power. That is, the reactor operator can passively rely on reactor power to respond to a change in steam demand and then actively take action to maintain temperature at the desired level. Because the temperature transient lags the power transient, the operators response can be taken at a more reasonable pace.

However, as the POAH/NFHR is approached during a power reduction, the inherent temperature-reactivity feedback starts to degrade. Figure 1 shows a graph of fission power (IRNI current) and total core power (T instruments) during the October 21, 2003 passive reactor shutdown at Callaway. The trace for total core power is plotted logarithmically and offset to follow the IRNI trace. From the plot, one can see that around 7% total power, the traces start to diverge indicating that total power is now close enough to the NFHR that the inherent feedback of a lowering of reactor power in response to rising temperature has been degraded because the NFHR does not lower in response to rising temperature. The NFHR for this shutdown (1.8%) was well into MODE 2 yet the point at which temperature-reactivity feedback started to degrade (7%) was well into MODE 1.

LESSONS TO BE LEARNED:

1. Temperature-reactivity feedback degrades during power reductions before a PWR enters MODE 2. Because of the challenges presented to the operators during a reactor downpower (e.g. transient Xenon-135, variable levels of decay heat, use of control equipment optimized for performance at higher power levels, loss of temperature-reactivity feedback), the operation of a PWR below 10% power should be minimized. Operation above 10% power ensures that the operators are able to use their reactivity control equipment in a manner familiar to them and avoids the difficult task of actively changing core reactivity to respond directly to power changes.

2. More generally, nuclear plant owners should ensure their procedures account for the way the plant is typically operated and minimize situations that place their operators in unfamiliar territory. (An example of such a situation is operation with a +MTC. Although a +MTC had nothing to do with the October 21, 2003 incident at Callaway, operation with a +MTC is an unfamiliar and error-prone situation for the operators and should be avoided.)

November 2010 Page 8 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY Human Factors of Main Control Board instrumentation At Callaway, the control board has multiple and diverse instruments that indicate reactor power.

However, only one of these instruments is a reliable indicator of reactor power in MODE 2 and it is human factored for ascending (i.e. start up) operations.

The control board has four channels of Power Range Nuclear Instruments (PRNIs), four channels of core T instruments, four channels of computer points for secondary calorimetric power readings, and two channels of Intermediate Range Nuclear Instruments (IRNIs). The PRNIs and the core T instruments are scaled linearly and read out in percent of rated reactor power. The secondary calorimetric channels are digital computer points and display on a computer screen in megawatts-thermal. The IRNIs are scaled logarithmically and read out in ion chamber amps (ica).

The reactor power level is limited to 100% in MODE 1. In MODE 2 the reactor power level is limited to 5% rated. The operators typically use the PRNIs, core T instruments and secondary calorimetric computer points as their primary indications of reactor power because they are easy to read and are scaled in units that make sense.

Although the crews should also be in the habit of checking the IRNIs, no operator uses the IRNIs as the primary means for monitoring reactor power other than during a reactor start-up.

The IRNIs are human factored for conducting a reactor start up. The logarithmic scaling allows the operator to monitor reactor power as it increases through a half dozen decades. The units (ion chamber amps) remind the operator that these instruments are not there to give exact reference to 100% rated power but are instead there to provide an indication of how power is changing.

The IRNIs are not human factored for maintaining reactor power level while in MODE 2. The logarithmic scaling allows for minimal needle movement as power ranges from the POAH to 5%

rated power. The units of ion chamber amps are not useful when trying to sustain reactor power below 5% rated. The correspondence between ica and rated reactor power changes slightly every time the meters are calibrated and at any given time varies between the two channels.

Yet, the IRNIs are the only true indication of reactor fission power in MODE 2.

Near the POAH, decay gammas overwhelm fission gammas and cause the PRNIs to read as if the reactor is stable and in the power range even when it is not. Furthermore, cold leg neutron shielding causes the PRNIs to read low at low powers.

Near the POAH, the core T instruments are biased by the Non-Fission Heat Rate. During the October 21, 2003 inadvertent shutdown at Callaway, in the 5 minutes following the trip of the turbine, the nuclear fission power dropped by 80% but the reading on the core T instruments only dropped by 50%. Similarly, the secondary calorimetric computer points dropped by only 50%.

Near the POAH, the only accurate indication of nuclear fission power is IRNIs but these are not human factored to help the operator succeed in monitoring reactor power and maintaining it at less than 5% power yet greater than the POAH. The operator must use the core T instruments to monitor the upper limit and there are no good means to monitor the lower limit (as mentioned above, on the way down the POAH is nearly impossible to determine until the reactor operator has already passed it).

November 2010 Page 9 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY LESSONS TO BE LEARNED:

3. Operators should never be asked to maintain reactor power in MODE 2 Descending for a PWR. If the reactor is to remain critical without the turbine on line, then it should be maintained at a high enough power level that the core T instruments and the secondary calorimetric computer points can be used to accurately monitor reactor power. Since the reliability of these instruments degrades close to the NFHR, the reactor should be maintained in low MODE 1.

4. More generally, procedures at nuclear plants should take into account the tools available to the operators and assess whether those tools are adequate for the operator to succeed at the required task. If the tools are not adequate, either the demands of the task must be relaxed or the tools must be refined.

Problem Identification & Resolution The October 21, 2003, inadvertent reactor shutdown was caused by a procedural flaw in the operation of the steam dumps. The inadvertent shutdown was not entered into the corrective action program until nearly 40 months later, which in turn delayed the fix to the procedural flaw until February 2007. The same procedural flaw caused a second inadvertent reactor shutdown at Callaway on June 17, 2005. This second shutdown, which was totally avoidable, cost the utility 31 hours3.587963e-4 days 0.00861 hours 5.125661e-5 weeks 1.17955e-5 months of lost generation in one of its highest sales months.

LESSON TO BE LEARNED:

5. For reasons of both nuclear safety and commercial reliability, abnormal operating events should be entered into the corrective action program as soon as possible. Such events provide opportunities for the organization to learn from and to improve its performance.

Self-Regulation by Industry Organizations Item I.C.5 of the TMI Action Plan requires that licensees shall:

prepare procedures to assure that operating information pertinent to plant safety originating both within and outside the utility organization is continually supplied to operators and other personnel and is incorporated into training and retraining programs.

Per Generic Letter (GL) 82-04 the NRC is allowing the licensees to meet Item I.C.5 by participating in the SEE-IN program run by INPO (Significant Event Evaluation and Information Network as run by the Institute of Nuclear Power Operations).

Although Ameren is an INPO member and thus technically participates in the SEE-IN program, it failed to submit a document to the SEE-IN program concerning the October 21, 2003, atypical reactor shutdown. As a result, the rest of the licensees have been unable to learn from the experience at Callaway and take steps to preclude recurrence. As reported above, Callaway replicated the October 21, 2003, event in June 2005.

In January 2009, INPO was informed of the incident by a state legislator from the Missouri House of Representatives. In a reply to the legislator, INPO stated:

Anytime INPO becomes aware of a potential safety issue, our practice is to inform management of the plant involved, as they are ultimately responsible for ensuring the November 2010 Page 10 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY safety of their plant. We have notified senior management at Callaway of the concern you have expressed.

INPO is non-profit organization and is not in a position to conduct an independent investigation of concerns raised by employees of individual plants.

INPOs inability to conduct an independent investigation of the incident demonstrates the main problem with delegating regulatory roles to an industry-funded institute. Although INPOs mission is to promote the highest levels of safety and reliability - to promote excellence - in the operation of commercial nuclear power plants they are admittedly not in a position to investigate inadequate reactor plant management and must rely on the utilities to voluntarily ensure the safety of their own plants. INPO must also rely on utilities to voluntarily share information with the Significant Event Evaluation and Information Network.

LESSONS TO BE LEARNED:

6. The NRC should share significant operating experience with the United States and international nuclear industries via its generic communications program. Although this function is often met by INPO and WANO, since these organizations rely on the voluntary submittal of incidents from their members, INPO is unable to obtain information from a member that withholds such information.

7. Industry self-regulators are voluntary organizations and are in no position to enforce their standards on their members. Any time a regulatory function is delegated to an industry group, the regulatory agency must be willing and able to aggressively perform that function whenever the industry group fails to do so.

November 2010 Page 11 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY REFERENCES September 17, 2010 letter from L. Criscione to William Borchardt (ADAMS #ML102640674)

April 27, 2010 letter from Lawrence Criscione to William Borchardt (ADAMS #ML101200401)

April 30, 2010 letter from Lawrence Criscione to William Borchardt (ADAMS #ML101230100)

October 21, 2003 plots of critical parameters during the passive reactor shutdown at Callaway Plant (FOIA #2009-0102)

October 9, 2002 revision of Callaway Plant off-normal procedure OTO-NN-00001, Loss of Safety Related Instrument Power (FOIA #2009-0102)

October 21, 2003 Callaway Shift Assignments (FOIA #2009-0102)

October 21, 2003 Callaway Reactor Operator Daily Log (FOIA #2009-0102)

October 21, 2003 Callaway Shift Supervisor Daily Log (FOIA #2009-0102)

March 31, 2008 transcript of NRC OI interview with Gerald Rauch (FOIA #2009-0064)

March 31, 2008 transcript of NRC OI interview with Ardell Lee Young (FOIA #2009-0064)

March 31, 2008 transcript of NRC OI interview with David Crider (FOIA #2009-0064)

March 31, 2008 transcript of NRC OI interview with David Lantz (FOIA #2009-0064)

May 29, 2009 letter from Jeanette Mott Oxford to Gregory Jaczko (FOIA #2010-0108)

May 14, 2009 transcripts from interview of Lawrence Criscione for OI Case 4-2009-43F (FOIA

2010-0223)

March 1, 2007 letter from Lawrence Criscione to Michael Peck (FOIA#2010-0109)

August 7, 2007 letter from Harry Freeman to Lawrence Criscione (FOIA #2010-0109)

May 9, 2008 summary report of OI Case 4-2007-049 (FOIA 2009-0011)

October 16, 2008 memorandum from Mike Taylor of the Missouri Public Service Commission January 30, 2009 letter from INPO to Jeanette Oxford November 2010 Page 12 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY November 2010 Page 13 of 14

2003 SEGMENTED SHUTDOWN AT CALLAWAY November 2010 Page 14 of 14

APPENDIX This appendix provides background for the technical information presented in the report on the segmented shut down at Callaway.

FISSION FUNDAMENTALS Uranium is an element like carbon, oxygen, and nickel. Uranium atoms contain 92 protons and 92 electrons. There are several forms, or isotopes, of uranium atoms depending on the number of neutrons. The most common uranium isotope, Uranium-238 or U-238, has 146 neutrons. The isotope used as fuel in nuclear reactors is Uranium-235, which as 92 protons, 92 electrons, and 143 neutrons. The protons and neutrons reside in the center, or nucleus, of the isotope while the electrons circle around the nucleus like planets around the sun.

When the nucleus of a Uranium-235 isotope absorbs a neutron, it becomes unstable. It seeks stability by splitting, or fissioning, into two fragments. In the split, two or three neutrons are released from the nucleus as is a lot of kinetic energy. This kinetic energy is fission heat used to make steam and generate electricity at a nuclear power plant.

The neutrons released during fission can cause subsequent fissions. When, on average, one neutron released from fission causes one other fission, the reactor is said to be critical and reactor power is stable, neither increasing nor decreasing. When, on average, fewer than one fission results from each fission, the reactor is sub-critical and the reactor power decreases. When, on average, more than one fission results from each fission, the reactor is supercritical and power increases.

FISSION PRODUCTS AND DECAY HEAT The fragments produced when an isotope fissions are called fission products. For Uranium-235, around 600 different isotopes are formed as fission products, representing 40 different elements. In other words, a Uranium-235 isotope does not always split into the same two fission products; any two of nearly 600 different fission products could be created. One possible outcome is Xenon-135, which is an important fission product poison (defined below).

The majority of fission products are unstable themselves and seek stability by emitting radioactivity in the form of alpha, beta, and neutron particles or gamma rays. The thermal energy generated by these radioactive emissions is called decay heat. Isotopes decay at different rates. Half-life is a term related to that decay rate. The half-life of an isotope is the length of time needed for half of the material to decay. For example, consider an isotope with a half-life of 10 years. After 10 years, half of the original amount would have decayed. In another 10 years, half of that amount would have decayed, meaning that 75 percent of the original amount decayed in 20 years.

November 2010 Appendix Page 1 of 8

About 7% of an operating reactors power comes from decay heat and 92% comes from fission heat. About 1% comes from pump heat, which is the frictional heat generated by the large pumps circulating water through the reactor vessel and core.

When the reactor shuts down, the fission heat goes away but the decay heat remains for some time. It was the failure to remove the decay heat which caused the meltdown at Three Mile Island Unit 2 in March 1979 nearly two hours after its reactor had been shut down.

POINT OF ADDING HEAT AND NON-FISSION HEAT RATE The Non-Fission Heat Rate (NFHR) is the heat generated by non-fission sources and consists mainly of decay heat and pump heat. The Point of Adding Heat (POAH) is when fission heat becomes a significant heat source. Thus, the POAH occurs when fission heat is able to increase power above the NFHR.

There is typically very little decay heat present during a startup from an outage lasting longer than a week because the more radioactive fission products (i.e., those having short half-lives) decayed away when the reactor was shut down. Thus, the NFHR during typical startups is determined by pump heat and is usually around 1% of rated reactor power. For this condition, the POAH is reached when the total power level is increased above 1%.

During a manual shut down of the reactor using sequential control rod insertions, decay heat becomes a more significant contributor to the NFHR. During a reactor shutdown, the NFHR is typically at 2% rated reactor power, however, decay heat starts to have a masking affect on reactor power around 7%. (Note: During a shut down, the operators are reducing the reactor power level from 100% power to 0% power, so 7% power is reached before 2% power.)

The masking effect of decay heat during a reactor shut down can be difficult to tell when the reactor goes subcritical. At low power levels, most of the indications used by the reactor operators (e.g., temperature, pressure) will still read and trend the same once the reactor goes subcritical. Unless the reactor operators are closely monitoring the Intermediate Range Nuclear Instruments which provide more direct indications of fission heat and filter out decay heat and pump heat, they will probably not notice the reactor going subcritical. Consider the following analogy:

You are sitting in an idling car at a rest stop looking at a road map. You are not monitoring the RPM meter on the dash board, but you will know if the cars engine stalls because you can feel the slight vibrations stop and you will no longer hear engine noise.

Now suppose an idling tractor trailer is next to you as you pause to examine the road map. The vibration and noise from the trucks diesel is loud enough that it drones out the noise and vibration of your cars engine. If you are not monitoring the RPM gauge, you will likely not notice if your engine stalls.

Monitoring a reactor near the Point of Adding Heat is like monitoring an idling car near an idling truck - it can be successfully done, but close attention must be paid to certain indications that more directly reflect the condition of its engine (Intermediate Range Nuclear Instruments for the reactor and RPM gauge for the car).

November 2010 Appendix Page 2 of 8

POISONS Isotopes which have a high affinity for absorbing neutrons are called poisons because they rob neutrons which could otherwise be used to cause more fissions.

Some poisons are used to control the fission reaction. Boron-10 has more than six times the affinity for neutrons as Uranium-235. Adding small amounts of boron to the reactor coolant is a way to lower reactor power and coolant temperature. Large amounts of boron are added rapidly to ensure the reactor shuts down quickly when conditions warrant it. Boron is also used to keep the reactor subcritical during refueling operations.

Another poison used to control the fission reaction is Cadmium-113, which is contained in the control rods. Cadmium-113 has more than 35 times the affinity for neutrons as Uranium-235.

CONTROL RODS The reactor core is made up of fuel rods and control rods. The fuel rods contain Uranium-235 and are static - they do not move during reactor operation but they can be removed and replaced when the reactor is shutdown for refueling. The control rods contain Cadmium-113 (some plants use Hafnium) and are moveable - they are inserted and withdrawn to control reactor power level and reactor coolant temperature.

By inserting and withdrawing control rods, the operators can raise or lower reactor power and reactor coolant temperature. During a reactor trip, all control rods drop into the reactor core within seconds to shut down the reactor. A reactor trip signal is generated by certain conditions (such as low reactor coolant system pressure, low reactor coolant system flow, high reactor coolant system temperature or high neutron flux) which could damage the fuel rods. During a reactor shut down, the operators insert the control rods in banks to shut down the reactor. The control banks are the group of control rods used to control reactor power and reactor coolant temperature. The reactor will become subcritical before all the control banks are fully inserted; the remaining control banks are inserted to ensure the reactor remains shut down as conditions such as the amount of poisons change over time.

The reactor wants to be critical. It is designed such that if neutrons are not absorbed by a poison, then there will be enough neutrons present to cause the reactor to become critical.

The reactor is like a car parked on a hill. Just like the car wants to roll down the hill, the reactor wants to become critical and produce power. The car is prevented from rolling down the hill by applying the brakes, while the reactor is prevented from becoming critical by inserting the control rods.

FUEL DAMAGE The fuel is in the form of small ceramic pellets encased in metal tubes about 12 feet long with a diameter about the size of a standard pencil. The metal tube is called the fuel rods cladding.

The cladding is a barrier against the release of radioactive fission products. The cladding can fail from either high stress or high temperature.

The fuel pellets and the cladding expands as they heat up. The pellets expand faster than the cladding. The expanding fuel pellets press against the cladding, stressing the metal tubes. The rate of power increases is controlled to limit the stresses below the level that causes the November 2010 Appendix Page 3 of 8

cladding to fail. If excessive power increases occur, either locally in one region of the reactor core or globally across the entire core, high stresses can cause fuel cladding damage.

The fission heat and decay heat produced within the fuel pellets is conducted through the cladding and removed by the RCS water. If insufficient RCS water is available to remove this heat, the temperatures of the fuel pellets and cladding rises. The cladding temperature is normally around 700°F when the reactor is operating. If the cladding temperature rises above about 1,500°F, a chemical reaction begins between the cladding and the RCS water. This chemical reaction is exothermic, meaning it generates heat that exacerbates the claddings temperature rise. Significant cladding damage occurs if its temperature reaches 2,200°F.

FISSION PRODUCT POISONS There are two major fission product poisons: Xenon-135 and Samarium-149. Unlike other poisons, these isotopes are not intentionally added to the reactor, but instead are generated during reactor operation. They are among the approximately 600 isotopes which can be produced during fission.

Samarium-149 has an affinity for neutrons which is more than 68 times that of Uranium-235.

Although this is significant, it is minor compared to Xenon-135. Xenon-135 has the highest neutron affinity of any isotope - more than 4,000 times the neutron affinity of Uranium-235. If one Xenon-135 isotope were present among 4,000 Uranium-235 isotopes and a neutron were to pass through the area, it is more likely that the neutron would be absorbed by the single Xenon-135 isotope than by any of the Uranium-235 isotopes.

XENON TRANSIENT Fission product poisons, particularly Xeno-135, are important factors because, unlike control rods, their inventories - and thus their affect on reactor power level - vary with time when the reactor power level changes.

Xenon-135 is one of the fission products created when Uranium-135 atoms fission. Increasing the reactor power level increases the number of atoms that fission, thus increasing the amount of Xenon-135 being produced. But because Xenon-135 has a significantly higher neutron affinity than Uranium-135, the larger number of neutrons moving through the reactor core at higher power levels means that even more Xenon-135 isotopes are being lost due to neutron absorption. The net effect of a reactor power increase is to reduce the number of Xenon-135 isotopes - more Xenon-135 isotopes will be produced, but more Xenon-135 isotopes will be consumed.

A reactor power reduction has the opposite effect. The number of Xenon-135 isotopes being produced decreases as the number of fissions decreases. But the number of Xenon-135 isotopes being lost by neutron absorption decreases even more. The net effect of a reactor power reduction is to increase the number of Xenon-135 isotopes available in the reactor core.

Absent operator intervention, xenon transients tend to cause overshoots following reactor power level increases and reductions. The burnout of Xenon-135 due to a power increase reduces the amount of neutron poisons, causing the reactor power level to rise. Buildup of Xenon-135 due to a power reduction increases the neutron poison inventory, causing the reactor power level to drop further. The operators can compensate for changes in Xenon-135 by changing the boron concentration in the reactor coolant or by moving the control rods.

November 2010 Appendix Page 4 of 8

Xenon-135 is radioactive. It has a half-life of 9.1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , decaying to Cesium-135. Cesium-135 is not a reactor poison. It has an affinity for neutrons that is less than 2% than that of Uranium-235 and nearly 1/300,000 as that of Xenon-135. As Xenon-135 decays, the poison inventory which is absorbing neutrons is declining. If Xeno-135 buildup following a power reduction caused the reactor to go subcritical, the ensuing decay of Xenon-135 could result in the reactor again attaining criticality.

When a reactor, operating at low power, shuts down due to Xenon-135, it is a dangerous practice to leave the control banks withdrawn. If the intent is to shutdown the reactor, then, to ensure the reactor remains shutdown as the Xenon-135 decays, either the control banks must be inserted or boron must be added to the reactor coolant.

Consider the following analogy:

On a winter morning, a college student trying to park his car on an icy downhill street slides to a stop against a bank of plowed snow. The car stalls during the collision with the snow bank and, in his haste to inspect the car for damage, the student exits the car without placing it in park or setting the parking brake. The car remains stationary because the mass of snow is enough to prevent the car from rolling downhill.

Placing the car in park (or setting the parking brake) is analogous to inserting all the control banks into the reactor core. The snow bank keeping the car from rolling is analogous to Xenon-135. There was enough snow to initially stop the car, but the snow will eventually melt. At some point, there wont be enough snow to prevent the car from rolling down hill. Similarly, a reactor plant which shuts down on transient Xenon-135 still needs to have all its control banks inserted.

Otherwise, the Xenon-135 may decay to the point that there is not enough Xenon-135 to prevent reactor criticality.

TEMPERATURE FEEDBACK TO REACTIVITY Reactivity for a nuclear power reactor is like acceleration for a car. Acceleration refers to the rate of change in speed rather than a specific speed. Likewise, reactivity refers to the rate of change in the nuclear chain reaction rather than to the specific power level.

A car moving at a constant speed along a flat stretch of road as zero acceleration regardless of whether its speed is 35 mph, 50 mph, or 85 mph. To change its speed from 35 to 50 mph, a car accelerates. To reduce its speed from 85 mph to 50 mph, a car de-accelerates.

A nuclear reactor operating at steady state power as zero reactivity regardless of whether that power level is 35 percent, 50 percent, or 85 percent of rated output. To change power from 35 to 50 percent, positive reactivity is added. To reduce power from 85 to 50 percent, negative reactivity is added.

Positive reactivity causes the nuclear chain reaction rate to increase which in turn increases the reactors power level. Withdrawing control rods, decay of Xenon-135, and cooling down the RCS water temperature add positive reactivity.

Negative reactivity causes the nuclear chain reaction rate to decrease which in turn decreases the reactors power level. Inserting control rods, buildup of Xenon-135, and increasing the RCS water temperature add negative reactivity.

November 2010 Appendix Page 5 of 8

The RCS water is used to moderate (slow down) the neutrons released when isotopes fission.

Neutron moderation is important for two primary reasons: (1) the U-235 isotopes are much better at absorbing slow neutrons than fast neutrons, and (2) faster neutrons travel farther and thus become more likely to wander into the reactor vessel metal and other non-fuel areas.

When the RCS water becomes less dense (i.e. less water molecules per volume) then fewer neutrons are moderated and fewer fission reactions occur. Likewise, if the RCS water becomes more dense more neutrons are slowed down and more fission reactions occur.

Temperature feedback to reactivity refers to the effect that RCS water temperature has on reactivity. As RCS water temperature rises, negative reactivity is added. As RCS water temperature drops, positive reactivity is added.

PRESSURIZER LEVEL AND LET DOWN SYSTEM The reactor coolant system (RCS) contains the water that cools the reactor core. Callaway is a pressurized water reactor (PWR), meaning the reactor coolant is not supposed to boil. While the plant is operating, the RCS water temperature ranges from 557°F to 586°F at a pressure of 2,235 pounds per square inch (psig). This pressure, which keeps the reactor coolant from boiling, is maintained by the Pressurizer.

The pressurizer is a tank attached to the RCS. The tank is about half full of water and half full of steam. The tank has electric heaters which heat the water in the tank to 652°F, causing the steam pressure to be 2235 psig.

The water level in the pressurizer is the highest point in the RCS. If a loss of reactor coolant accident were to occur (caused by a piping break), one of the indications of the accident would be water level in the pressurizer decreasing as it drained to the RCS.

The Let Down System (not shown in the graphic) continuously removes a small portion of the RCS water so that it can be purified and returned to the RCS - similar to how the filtration system on a swimming pool keeps the pool water clean by continuously removing a small amount of water, filtering it, and returning it to the pool.

If water level in the pressurizer drops too low, valves automatically isolate the Let Down System to limit the loss of water from the RCS.

Although low water level in the pressurizer can indicate a reactor coolant leak, other things can also pressurizer water level to drop. When hot water cools down, it contracts (i.e. it fits into a November 2010 Appendix Page 6 of 8

smaller amount of space). Consequently, when the RCS water temperature cools, the water level in the pressurizer decreases due to contraction of the water.

TECHNICAL SPECIFICATIONS AND OPERATING MODE The technical specifications (abbreviated tech specs or T/S) are part of the operating licenses issued by the NRC. They govern the operation of the plant. The tech specs define the minimum complement of equipment needed to safety operate the plant in various conditions. The tech specs also define how long, and under what circumstances, the plant can continue to operate when that minimum complement is not met. Finally, the tech specs establish the types of tests, and their frequencies, that must be performed to verify the minimum complement of equipment is functioning properly.

The tech specs define six plant Operating MODEs:

MODE 1: 5% to 100% reactor power.

MODE 2: Less than 5% reactor power and less than 1% shutdown margin MODE 3: More than 1% Shutdown Margin and greater than 350°F MODE 4: 200°F to 350°F RCS water temperature MODE 5: Less than 200°F RCS water temperature and reactor vessel head tensioned MODE 6: Less than 200°F RCS water temperature and reactor vessel head not fully tensioned The minimum complement of equipment, the actions to be taken when the minimum is not met, and the associated testing requirements vary depending on the plants Operating MODE.

OFF-NORMAL, SURVEILLANCE AND GENERAL OPERATING PROCEDURES Off-Normal procedures are used to respond to a plant transient that did not cause a reactor trip.

Off- Normal procedures can direct actions which, if performed immediately, will prevent or minimize the plant transients. Off-Normal procedures also direct recovery actions. These actions return plant systems to their normal configuration.

Surveillance procedures are used to test equipment. Surveillance procedures verify that equipment will perform properly when needed. Surveillance procedures are performed at frequencies stated in the tech specs. In addition, surveillance procedures are conducted following maintenance on equipment to verify proper functioning before the equipment is placed back in service.

General Operating Procedures are used to control major evolutions such as plant heat up, reactor startup, turbine synchronization to the electrical grid, power operations, reactor shut down, and plant cool down.

PROBLEM IDENTIFICATION & RESOLUTION AND CONSERVATIVE DECISION MAKING Problem identification and resolution is more than a good idea or catchy slogan, its the law.

Specifically, Appendix B to 10 CFR Part 50 established quality assurance (QA) criteria. These QA criteria essentially require that nuclear plant owners find and fix safety problems effectively in a timely manner. Over the years (Appendix B was adopted in the 1970s), the QA terminology morphed to Corrective Action Programs and more recently to Problem Identification &

November 2010 Appendix Page 7 of 8

Resolution, but the underlying criteria remain unchanged. By any name, it is the process by which events and errors are analyzed so that corrective actions are implemented to prevent recurrence.

Conservative Decision Making is a nuclear safety attribute that is obvious in hindsight but was derived from actual operating experience in which producing electricity forged ahead of ensuring safety. Some attributes of Conservative Decision Making are:

Unanalyzed risks are not taken when operating a large commercial reactor.

Complex evolutions are conducted in a controlled manner.

The nuclear fission reaction is always actively controlled.

When a reactor plant shuts down due to a transient, active measures are taken, in a timely manner, to ensure it remains shutdown.

November 2010 Appendix Page 8 of 8