ML19039A354
ML19039A354 | |
Person / Time | |
---|---|
Site: | Callaway |
Issue date: | 02/08/2019 |
From: | Ameren Missouri |
To: | Office of Nuclear Reactor Regulation |
Shared Package | |
ML19039A352 | List: |
References | |
LDCN 16-0013, ULNRC-06482 | |
Download: ML19039A354 (17) | |
Text
Attachment 1 to ULNRC-06482 Page 1 of 17 RAI Questions and Responses This attachment provides responses to questions/requests transmitted in the NRC s Request for Additional Information (RAT) dated January 9, 201 9, in regard to Ameren Missouri s License Amendment Request (LAR) described in the cover letter to this attachment.
It should be noted that introductory/background information was included in the RAT letter, some ofwhich is repeated here. As an introduction to the NRC questions/requests contained in the RAT, Callaway licensing basis documents and references pertaining to the ultimate heat sink (UH$) in regard to its long-term heat removal capability and its function for supporting safe plant shutdown from postulated accidents and transients were identified. A reference to License Amendment 208 of the Callaway Operating License was included, by which revised UHS retention pond temperature and water level limits were approved, along with credited operator action to isolate one train of the essential service water (ESW) system within seven days after initiation of a large-break loss-of-coolant accident (assuming both ESW trains are running) to ensure the pond remains within its analyzed temperature and level.
Applicable regulatory basis requirements were also identified in the RAT letter, mainly in regard to the applicable General Design Criteria (GDCs) of 1 0 CFR 50 Appendix A, i.e., GDC 17, Electrical power systems; GDC 2, Design bases for protection against natural phenomena; and GDC 44, Cooling water. 10 CFR 50.46, Acceptance criteria for emergency core cooling systems for light-water nuclear power reactors, was also identified, particularly Section 50.46(b)(5), Long-term cooling.
A Background section was included in the RAT letter in which background information pertinent to the RAT questions/requests was provided. That background information is repeated below and is followed by the NRC s RAT questions/requests themselves along with the associated responses for Callaway.
Background
Section 3 .2, Single Cooling Train Operation, of the LAR s Attachment 2, ADAMS Accession No. ML1 8068A68$, references Callaways GOTHTC calculation, Callaway Control Building with Control Room Loss of Class TE A/C GOTHTC Room Heat Up With Tnstalled Fans and Louvers. This calculation evaluates the capability of one train of the Class 1 E Electrical Equipment A/C System to supply adequate cooling for both trains of the Class TE electrical equipment while one of the trains is inoperable.
The audit conducted at Callaway identified a supplemental calculation to the GOTHTC calculation above related to the electrical heat loads, titled, Electrical Heat Loads in the Control Building During Normal and ESFAS Conditions, which was used to support the room heat-up calculation.
Attachment 1 to ULNRC-06482 Page 2 of 17 This electrical heat load calculation specifically identified the heat loads at time T = 0, T = 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and T = 7 days. The NRC staff identified that there was a signifi cant reduction in heat load at T = 7 days, and the licensee stated that one operating train of safety related systems is procedurally secured after 7 days into an event.
This supplemental electrical heat load calculation also revealed, in its detailed calculation of heat load section, that:
a) for conservatism, the voltages from electrical calculation, case LOCA No. 1 are used to calculate the maximum continuous breaker currents, and that b) the power source for engineered safety feature (ESF) equipment is the Emergency Diesel Generator (NEO1), via the 4. 16-ky switchgear NBO1 1 1 breaker, with NEO1 at a maximum test load of6,201 kW @ 0.8 power factor.
The licensee is implementing plant modifications to maintain the enviro nment for Operability of onsite and offsite power systems required for conformance with GDC 1 7. In the LAR, the licensee has discussed the proposed temperature range for the GDC 1 7 required power sources.
The LAR proposes a new TS 3 .7.20 to allow 30-day operation with only one train of the HVAC system (i.e., Class 1E Electrical Equipment A/C system) operable for redundant electrical equipment. Shutting down a complete train of ESF equipment (after 7 days), with one HVAC train unavailable prior to (and during) an event, may complicate plant safety, considering the significant equipment in one train (with the inoperable HVAC) which may also not be available for an extended period.
The NRC staff is also reviewing the combinations of events and plant conditions that were considered for heat load calculations. The NRC staff is requesting the below additional information considering the actions to be taken to reduce heat loads follow ing an event.
The staff is requesting additional information on events and accide nts considered and equipment needed, during allowable ranges for room temperatures during norma l operation, for anticipated operational occurrences and for accident conditions.
RAI Questions/Requests and Responses NRC Staff Question No. 1 Please provide a tabulated listing (with descriptive names) of large loads, greater than 50 horsepower, that are operating at the onset of the event, including the nameplate rating, the brake horsepower used in the heat calculations, and the time that the load is disconnected. Please include discretional or procedure required loads that are manually started
, and include the duration of operation for the large loads.
Attachment 1 to ULNRC-06482 Page3 of 17 Callaway Response:
The tabulated listing with descriptive names of large loads, greater than 50 horsep ower, that are operating at the onset of the event (as activated by the load sequencer) are provid ed in the table below. The duration of operation of each load is given for three time periods: 0 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days, and 7 days to 30 days, as shown in the designated table columns.
Discretional or procedure-required loads that are manually started are those loads noted as being load shed or as a standby load or by operating procedure setting in the Loadi ng Basis column ofthe table.
Class 1E Electrical Loading Greater Than 50 Horsepower Used in Heat Load Calculation Component Operating Operating Nameplate Load Brake Real Reactive Total Condition Condition Operating Condition Numker Doncription 55g5e CoadirgBasis Power Power Power Oto24hours 24houro to 7days 7daysto3Odays ESF Train A Component NampIate Load Brake Number Real Reactive Total Operatiflg Condftion Operating Conthtkn Description ggpgoge Operating Condition LoadingBasis °owe Power Pow Oto24houns 24hoursto 7days 7daysto3odays
- Train B
Attachment 1 to ULNRC-06482 Page4 of 17 NRC Staff Question No. 2 FSAR Section 15.0.1 describes four categories ofplant conditions. Please provide a discussion explaining why loss of offsite power (LOOP) with a large break loss-of-coolan t accident (LBLOCA) is the limiting case in the supplemental electrical head load calcula tions, considering heat contribution from electrical equipment during the 30-day post-accident period, with one Class 1E electrical equipment A/C train initially inoperable, while balancing ESF equipment operating in redundant trains at the onset of the event.
Callaway Response:
For responding to this NRC staff question, the rationale supporting Callaw ay s position that the LBLOCA is the bounding plant condition described in Callaways curren t licensing basis, in regard to electrical heat loads in the Class 1 E electrical equipment rooms, is provided below.
Following that, a description is provided on how the electrical heat loads for the LBLOCA sequence were quantified to ensure that the values used in the room temper ature analysis conservatively bound the heat loads that would be present during the LBLO CA sequence described in the Callaway FSAR.
Bounding DBA Scenario When compared to the other accident sequences contained in the Callaway FSAR, the response to an LBLOCA results in the greatest usage of safety-grade systems and compo nents that are supported by the Class 1 E electrical equipment. For example, when operati on of the emergency core cooling system (ECCS) pumps is evaluated, the LBLOCA results in the greatest demands on ECCS. Other accident sequences such as a steam generator tube rupture
($GTR) or main steam line break (M$LB) retain pressure in the reactor coolant system such that the low and intermediate head ECC$ subsystems would be secured relatively early in the accident sequence.
Given the complete depressurization ofthe reactor coolant system follow ing an LBLOCA, all of the ECCS subsystems would be providing higher flows and therefore higher motor current demands, for the longest duration. An LBLOCA would also result in the longest duration of containment spray operation.
For small-break LOCA (SBLOCA) events, the RCS depressunzes much slower than an LBLOCA such that the ECCS injection time prior to cooling down to RHR entry conditions would be significantly longer than during a LBLOCA. However, the signifi cantly reduced flowrates result in lower associated electrical heat loads. Ameren calcula tions demonstrate that the longest ECCS injection phase for an SBLOCA is 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. During this injection phase the RCS would continue to cool down and depressurize via the SGs. Howev er, some additional time would be required to complete the cooldown to RHR cut-in conditions.
Although not explicitly quantified in the F$AR, this time would be significantly less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
Attachment 1 to ULNRC-06482 Page 5 of 17 Long-term decay heat removal via the RHR system is established for all non-LO CA events well before 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is reached. Once RHR cooling is established, all other ECCS pumps are secured with the exception that for some period, charging pump operation may be require d for boron addition or RC$ makeup. For some events, such as an SGTR, the time to reach RHR conditions is as shown in the FSAR Chapter 1 5 Sequence of Events tables. Specifically, Table 15.6.1 shows RHR cut-in conditions reached at 2 1 ,800 seconds (6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />). For other events
, such as an MSLB or loss ofAC power (LOAC), the core response analyses do not extend all the way to RHR cut-in. However, the radiological dose analysis applies a conservative assum ption of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for the time to reach RHR cut-in conditions (FSAR 15. 1 .5.3, 15.2.6.3). This assumption would remain valid for FSAR Chapter 1 5 events not analyzed for dose consequences
, such as a loss ofnormal feedwater (LONF) or main feedline break (FLB).
Bounding Electrical Heat Loads In regard to the analysis of electrical heat loads during an LBLOCA sequence of events
, the electrical heat load calculation used conservative assumptions to maximize the heat produced in the rooms. Low bounding voltages were used for the operating equipment to maxim ize the running current and thereby increase the 12R heat losses from the current-carrying equipment (breakers, bus work transformers cables, etc.). The electrical loads are based on the worst loading for the driven load (i.e. maximum flow, maximum loading, runout, etc.)
The bounding electrical heat load case is based on a LBLOCA with safety injection and containment spray actuation signals occurring. Assuming no loss of off-site power is conservative in this case.
The electrical heat loads used in the room temperature analysis were kept at their design maximum, even though loads/flows could decrease through the event. Electrical loads on the electrical distribution systems/equipment were turned on or off per the applica ble emergency procedure. While non-safety related loads are designed to be shed from the safety busses with a safety injection signal, selected non-safety related loads were assumed to be added back in per the emergency procedures, at conservative load values. The electrical load profile was grouped into three time periods: time = 0 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days, and 7 days to 30 days. Even though loads could be secured earlier by emergency procedure guidance and accide nt progression, for conservatism they were shown operating until the next time change
. (For instance, a load may be turned off at 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> in the emergency procedure, but it was not turned offuntil 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in the analysis.)
For additional conservatism, the battery chargers were assumed to be loaded at 50 percent of their rating even though the normal design load is much lower than this. For heat loss from cables, maximum design cable temperatures were assumed in order to maximize 12R heat losses.
Two non-safety related air compressors that are designed to be automatically shed were assumed to be re-loaded on to the safety busses and loaded to a conservative load of 50 percen t with constant operation. In addition, the non-safety related 125-Vdc battery chargers also designed to be automatically shed were assumed to be re-loaded on the safety busses.
Attachment 1 to ULNRC-06482 Page 6 of 17 A table for the loads larger than 50 horsepower and with composite motor contro l center loading is provided in the response to NRC staff Question No. 2. Design break horsepower, loading basis, and the operating condition at event time of 0 seconds to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to 7 days, and 7 days to 30 days is provided for each load in the table.
Based on the above, it can be concluded that the LBLOCA represents the bound ing accident sequence and that the electrical heat loads used in the room temperature analys is conservatively bound the electrical heat loads that would be present in the Class 1 E electrical equipm ent rooms during the LBLOCA sequence described in the Callaway F$AR.
NRC Staff Question No 3 In the unlikely event of an external hazard (such as described in GDC-2) occurr ing with one Class 1E electrical equipment A/C train inoperable, and considering the post-ev ent 30 day heat rejection time period for the UH$ coupled with preplanned shutdown of one train of ESF equipment after 7 days, please provide a detailed discussion on ESF equipment that will be available for plant shutdown during the 30-day post-event period (with an inoper able Class 1E electrical equipment A/C train). If non-safety related systems such as offsite power are credited for restoration of systems, please provide a discussion on the capability to restore such sources following a GDC-2 event.
Callaway Response:
System functional response capability for the scenario involving a hazard with one Class 1 E electrical equipment A/C train inoperable, including assumptions applicable to such an assessment, is addressed as part ofthe response for NRC StaffQuestion No. 5. Howev er, additional points and details are provided as follows.
Assumptions applied in the design and analysis performed for hazard protection are given in the F$AR (Section 3 1 .2 and Appendix 5.4A), as presented below.
From FSAR Appendix 3B.2 ANALYSIS ASSUMPTIONS:
In the analysis of an event or hazard, it is assumed that the plant will be operated in accordance with the requirements of the Technical Specifications. Should the event result in a turbine or reactor trip, the plant will be placed in a hot standby conditi on. If required by a Limiting Condition of Operation or if recovery from the event will cause the plant to be shut down for an extended period of time, the plant will be taken to a cold shutdown condition. Safe shutdown is discussed in Appendix 5.4A During the hot standby condition, an adequate heat sink is provided to remove reactor core residual heat. Boration capability is provided to compensate for xenon decay and to
Attachment 1 to ULNRC-06482 Page 7 of 17 maintain the required core shutdown margin. Boration is required within 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> after reactor shutdown to maintain the reactor in a hot standby condition.
Redundancy or diversity of systems and components is provided to enable continued operation at hot standby or to cool the reactor to a cold shutdown condition. If required, it is assumed that temporary repairs can be made to circumvent damages resulting from the hazard. Loss of offsite power is not assumed, unless a trip of the turbine generator system or the reactor protection system is a direct consequence ofthe hazard. All available systems, including nonsafety-related systems and those systems requiring operator action, may be employed to mitigate the consequences of the hazard.
In determining the availability of the systems required to mitigate the consequences of a hazard and those required to place the reactor in a safe condition, the direct consequences of the hazard are considered. The feasibility of carrying out operator actions are based on ample time and adequate access to the controls, motor control center, switchgear, etc.,
associated with the component required to accomplish the proposed action.
When the postulated hazard occurs in and results in damage to one of two or more redundant or diverse trains, single failures of components in other trains (and associated supporting trains) are not assumed. The postulated hazard is precluded, by design, from affecting the opposite train or from resulting in a design basis accident. For the situation in which a hazard affects a safety-related component, the event and subsequent activities are governed by Technical Specification requirements in effect when that component is not functional.
For the given scenario in this NRC staff question, at least one train of ESF equipment would be expected to remain available for plant shutdown during the 30-day, post-event period. The action taken within 7 days (post-event) to shut down one train of ESF/ESW equipment (for supporting the UHS cooling pond function in accordance with provisions described in License Amendment 208) would be for the train associated with the initially inoperable Class 1E electrical equipment A/C train. Assuming no additional failures, the other ESF train would remain available to effect or maintain plant shutdown.
FSAR Section 3 1 .3 addresses how SSCs important to safety, per the plants design, comply with the GDCs of 1 0 CFR 50 Appendix 2, including GDC-2., Design Bases for Protection Against Natural Phenomena. For GDC-2, the following is stated:
The structures, systems, and components important to safety are designed either to withstand the effects of natural phenomena without loss of the capability to perform their safety functions, or to fail in a safe condition. Those structures, systems, and components vital to the shutdown capability of the reactor are designed to withstand the maximum probable natural phenomena at the site, determined from recorded data for the site vicinity, with appropriate margin to account for uncertainties in historical data.
Attachment 1 to ULNRC-06482 Page$ofl7 Appropriate combinations of structural loadings from normal, accident, and natural phenomena are considered in the plant design. The nature and magnitude of the natural phenomena considered in the design ofthis plant are discussed in Chapte r 2.0. Chapter 3.0 discusses the design ofthe plant in relationship to natural events. Seismi c and quality group classifications, as well as other pertinent standards and information, are given in the sections discussing individual structures and components.
Due to the nature of natural hazards, no deterministic, bounding detailed or analyzed sequence of events (like what is presented for design-basis accidents) is given in the FSAR for such an event
( i.e., a tornado, for example), though design features or considerations for providing protection against such an event are included in the plant design, with bounding assum ptions applied for that purpose (as noted above).
The criteria given in FSAR section 3 1 .2 (as listed earlier) include consid eration that the use of all available systems, including non-safety related systems and those system s requiring operator action, may be employed to mitigate the consequences of a hazard. Furthe r, for the situation in which a hazard affects a safety-related component, the event and subseq uent activities are recognized to be governed by Technical Specification requirements in effect when that component is not functional.
For beyond-design basis events or hazard effects not addressed in the FSAR
, it can be assumed that actions would be taken to the fullest extent possible to bring the plant to a safe shutdown condition. Achieving hot shutdown is highly likely via the protected equipm ent within the power block. During the long-tenn post-event period, operator actions may be able to be taken and damaged equipment may be able to be repaired within a reasonable time to enable cold shutdown, in the long run.
For damage to the UHS from a hazard, FSAR Section 9.2.5.3 describes actions that could be taken to make up or compensate for lost pond inventory, but these are defens e-in-depth measures only. Although they may be consistent with the types of actions describ ed in FSAR Section 3 1 .2 (noted above), the need for them would only be likely for a beyond-design basis event.
NRC Staff Question No. 4 Callaways FSAR Section 9.2.1, Station Service Water System, states that a method of adding makeup to the UHS is to use the Service Water System. During the audit, the licensee stated that although Callaways FSAR discusses some defense-in-depth options for refilling the ESW pond post-accident, these options make use of non-safety related, non-seismic systems, structures and components (SSCs). Hence, SSCs that are not qualified to withstand such events may not be available. Additionally, use of these options would likely require local operato r actions in areas that might be exposed to a postaccident, radioactive plume.
Attachment 1 to ULNRC-06482 Page 9 of 17 Considering the UH$ 30-day heat rejection time period and the preplanned shutdown ofone train of E$F equipment after 7 days, coupled with one HVAC trains unavailability (i.e., the unavailability of one train of the Class 1E Electrical Equipment A/C system), please provid ea discussion on the E$F equipment that will be available for plant shutdown during the four categories of events discussed in FSAR Chapter 15.0.1.
Callaway Response:
Section 15.0.1 ofthe Callaway FSAR describes the classification ofplant conditions (events
)
based on the American Nuclear Society (ANS) classification of plant conditions, which divide s
plant conditions into four categories in accordance with anticipated frequency of occurr ence and potential radiological consequences to the public. (
Reference:
ANSI-N18.2, Nuclear Safety Criteria for the Design of Stationary PWR Plants, 1973.) The four categories are as follow s:
- a. Condition I: Normal operation and operational transients
- b. Condition II: Faults ofmoderate frequency
- c. Condition III: Infrequent faults
- d. Condition IV: Limiting faults The basic principle applied in relating design requirements to each of the conditions is that the most probable occurrences should yield the least radiological risk to the public, and those extreme situations having the potential for the greatest risk to the public shall be those least likely to occur. Where applicable, reactor trip system and engineered safeguards functio ning is assumed to the extent allowed by considerations, such as the single failure criterion, in fulfilli ng this principle. This means that seismic Category I, Class 1E, and IEEE qualified equipm ent, instrumentation, and components are used in the ultimate mitigation of the consequences of Conditions II, III, and IV events.
Each ofthese types ofevents is addressed as follows.
Condition I Events With regards to Condition I events, a typical list is provided by the Callaway FSAR:
- a. Steady state and shutdown operations 1 . Power operation
- 2. Startup 3 . Hot standby 1
These listed conditions correspond to the MODES specified in the plant Technical Specifications, wherein MODE is defined in Section 1 1 (Definitions) and all of the MODES are listed in Table 1 .1-1 of the Technical Specifications.
Attachment 1 to ULNRC-06482 Page 10 of 17
- 4. Hot shutdown
- 5. Cold shutdown
- 6. Refueling
- b. Operation with permissible deviations Various deviations from normal operation which may occur during contin ued operation as permitted by the Technical Specifications must be considered in conjun ction with other operational modes. These include:
1 Operation with components or systems out of service
- 2. Leakage from fuel with limited clad defects 3 Excessive radioactivity in the reactor coolant (a) Fission products (b) Corrosion products (c) Tritium
- 4. Operation with steam generator leaks
- 5. Testing
- c. Operational transients 1 Plant heatup and cooldown
- 2. Step load changes (up to +/-1 0 percent) 3 Ramp load changes (up to 5 percent/minute)
- 4. Load rejection up to and including design basis 50% load rejection transient The Condition I events do not result in the plant entering the Emergency Operating Procedure (EOP) network. Therefore, a discussion ofthe UHS 30-day heat rejectio n time period and the preplanned shutdown of one train of ESF equipment within 7 days follow ing the initiation of a postulated accident sequence would not be applicable to Condition I events
. With regards to availability of ESF equipment, the plant would be operated in accordance with the Technical Specifications, and the ESF equipment required by Technical Specification s for the applicable MODE corresponding to the Condition I event would be available.
Conditloit II Events The Callaway FSAR provides the following list ofCondition II Events a) Feedwater system malfunctions that result in a decrease in feedwater temperature.
b) Feedwater system malfunctions that result in an increase in feedwater flow.
c) Excessive increase in secondary steam flow.
d) Inadvertent opening of a steam generator relief or safety valve.
e) Loss of external electrical load.
f) Turbine trip.
g) Inadvertent closure ofrnain steam isolation valves.
Attachment 1 to ULNRC-06482 Page 11 of 17 h) Loss of condenser vacuum and other events resulting in turbine trip.
i) Loss of nonemergency ac power to the station auxiliaries.
I) Loss ofnormal feedwater flow.
k) Partial loss of forced reactor coolant flow.
- 1) Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition.
m) Uncontrolled rod cluster control assembly bank withdrawal at power.
n) Rod cluster control assembly misoperation (dropped full length assembly, dropped full length assembly bank, or statically misaligned full length assembly).
o) Startup of an inactive reactor coolant pump at an incorrect temperature.
p) Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant.
q) Inadvertent operation of the emergency core cooling system during power operation.
r) Chemical and volume control system malfunction that increases reactor coolant inventory.
s) Inadvertent opening of a pressurizer safety or relief valve.
t) Break in instrument line or other lines from reactor coolant pressure boundary that penetrate the containment.
Condition II events, at worst, result in a reactor trip and are not expected to result in fuel rod failures or reactor coolant system or secondary system over-pressurization. With respect to when these events may occur, the range of events extends from MODE 6 to MODE 1 (For example, some events could only occur during shutdown conditions; others could occur only during plant operation.) The E$F equipment available to mitigate the event would be dependent upon which MODE the event initiates from and the Technical Specifications applicable to the MODE of operation.
With regards to the UHS 30-day heat rejection time period and the preplanned shutdown of one train of ESF equipment within 7 days following the initiation of a postulated accident sequence, coupled with one HVAC trains unavailability, it should be noted that the supplemental cooling system would ensure that the remaining train of HVAC operating in conjunction with the supplemental cooling system would maintain both trains of Class 1 E electrical equipment rooms within an acceptable temperature range such that both trains of ESF equipment would remain available to mitigate a Condition II event throughout a postulated 30-day mission time (assum ing no additional failure).
Condition III Events By definition, Condition III occurrences are faults which may occur very infrequently during the life of the plant. They will be accommodated with the failure of only a small fraction of the fuel rods, although sufficient fuel damage might occur to preclude resumption of operation for a considerable outage time. The release of radioactivity will not be sufficient to interrupt or restrict public use ofthose areas beyond the exclusion radius. A Condition III fault will not, by
Attachment 1 to ULNRC-06482 Page 12 of 17 itself, generate a Condition IV fault or result in a consequential loss of function of the reactor coolant system or containment barriers.
The Callaway F$AR provides the following list of Condition III events:
a) Steam system piping failure (minor).
b) Complete loss of forced reactor coolant flow.
c) Rod cluster control assembly misoperation (single rod cluster control assemb ly withdrawal at full power).
d) Inadvertent loading and operation of a fuel assembly in an improper position.
e) Loss-of-coolant accidents resulting from a spectrum of postulated piping breaks within the reactor coolant pressure boundary (small break).
f) Radioactive gas waste system leak or failure.
g) Radioactive liquid waste system leak or failure.
h) Postulated radioactive releases due to liquid tank failures.
i) Spent fuel cask drop accidents.
With regards to the Condition III events, it should be noted that events f, h, and g, i listed above would not result in the rejection ofheat loads to the UHS and are ofrelatively short duration such that a discussion of the preplanned shutdown of one train of ESF equipment within 7 days following the initiation of a postulated accident sequence is not applicable to these events.
For the remaining Condition III events, with regards to the UHS 30-day heat rejectio n time period and the preplanned shutdown of one train of ESF equipment within 7 days, coupled with one HVAC trains unavailability, it should be noted that the supplemental coolin g system would ensure that the remaining train of HVAC operating in conjunction with the supple mental cooling system would maintain both trains of Class 1 E electrical equipment rooms within an acceptable temperature range such that both trains of ESF equipment would remain availab le to mitigate a Condition III event throughout a postulated 30-day mission time.
The preplanned shutdown of one train of ESF equipment within 7 days would not result in the unavailability of that train. Although operation of both trains is not required to mitiga te any design basis event, the secured train would remain available for use and be suppor ted by the supplemental cooling system during the remainder of a postulated 30-day accide nt mitigation mission time, if no additional failure is assumed. Additionally, it should be noted that per Section 3 1 .2 of the Callaway FSAR, it is not necessary to postulate a hazard in conjunction with a Condition III event.
Condition IVEvents The Callaway FSAR provides the following list of Condition IV event:
a) Steam system pipe break.
Attachment 1 to ULNRC-06482 Page 13 of 17 b) Feedwater system pipe break.
c) Reactor coolant pump shaft seizure (locked rotor).
d) Reactor coolant pump shaft break.
e) Spectrum of rod cluster control assembly ejection accidents.
0 Steam generator tube rupture.
g) Loss-of-coolant accidents, resulting from a spectrum ofpostulated piping breaks within the reactor coolant pressure boundary (large break).
h) Design basis fuel handling accidents.
Condition IV occurrences are faults which are not expected to take place, but are postulated because their consequences would include the potential for the release of significant amounts of radioactive material. They represent limiting design cases. Condition IV faults are not to cause fission product release to the environment resulting in an undue risk to public health and safety in excess of guideline values of 1 0 CFR 1 00. A single Condition IV fault is not to cause a consequential loss of required functions of systems needed to cope with the fault, including those of the emergency core cooling system and the containment.
With regards to item h listed above, the design basis fuel handling accident, it should be noted that this accident would not result in the rejection ofheat loads to the UHS. Additionally, the design basis fuel handling accident is of relatively short duration such that a discussion of the preplanned shutdown of one train of ESF equipment within 7 days following the initiation of a postulated accident sequence is not applicable to the design basis fuel handling accident.
For the remainder ofthe Condition IV events listed in the Callaway FSAR, with regards to the UHS 30-day heat rejection time period and the preplanned shutdown of one train of ESF equipment within 7 days, coupled with one HVAC trains unavailability, it should be noted that the supplemental cooling system would ensure that the remaining train of HVAC operating in conjunction with the supplemental cooling system would maintain both trains of Class 1 E electrical equipment rooms within an acceptable temperature range such that both trains of ESF equipment would remain available to mitigate a Condition IV event throughout a postulated 30-day mission time (assuming no additional failure).
The preplanned shutdown of one train of ESF equipment within 7 days would not result in the unavailability ofthat train. Although operation ofboth trains is not required to mitigate any design basis event, the secured train would remain available for use and be supported by the supplemental cooling system during the remainder of a postulated 30-day accident mitigation mission time, if no additional failure is assumed. Additionally, it should be noted that per Section 3 1 .2 of the Callaway FSAR, it is not necessary to postulate a hazard in conjunction with a Condition IV event.
Attachment 1 to ULNRC-06482 Page 14 of 17 NRC Staff Question No. 5 With regard to Callaways License Amendment 208 for the UH$, which addressed mainta ining UH$ operability and shutting down one train of ESW$ after seven days, the premise for the amendment is that:
- a. Both E$F trains of equipment are assumed to be operating for 7 days without a single failure and that
- b. A design basis accident is in progress.
The proposed license amendment to add new T$ 3 .7.20 will have a Completion Time of 30 days for restoring an inoperable Class lE electrical equipment A/C train to Operable status. In the event of an accident occurring with one Class 1 E electrical equipment A/C train inoper able, the preplaimed shutdown of one ESF train seven days after the accident would also have to be met.
When discussing this scenario during the audit, the licensee stated that if equipment issues were to occur on the operating train, the train that was secured would remain available for possib le restart.
Assuming that the ESF train with the associated inoperable Class 1 E electrical equipm ent A/C train is secured after 7 days, in the event of equipment failure in the operating E$F train, please provide a discussion on how the train without an available Class 1 E electrical equipment A/C train could be restarted to provide cooling for the E$F equipment required to support plant shutdown after a postulated event. Please include references to applicable plant proced ures.
Callaway Response:
As described in the LAR and its supplement, upon implementation ofplant modification MP 1 6-0024, two supplemental cooling trains, will be installed such that one train of supple mental cooling can be operated in conjunction with one Class 1 E Electrical Equipment A/C Train, to cool both trains of Class 1E electrical equipment, in the event that one Class 1E Electrical Equipment A/C train is declared inoperable. For such a condition, redundancy at the suppor ted system level is preserved, but not at the support system level. Without single-failure protect ion, it is appropriate that proposed Condition A and its Required Action be entered and tracked
, and then only for a limited period of time (3 0 days) before plant shutdown is required.
Callaways licensing basis is consistent with regulatory requirements in regard to how the plants design and safety analyses include consideration of the capability to withstand a single additional failure without loss of safety functions(s). Assumptions regarding single-failure protection are addressed in Section 3 1 .2 of the Callaway FSAR.
In general, the Limiting Conditions for Operation (LCOs) for systems and functions addres sed by the Technical Specifications represent the minimum allowed functional capability or performance levels of equipment required for safe operation of the facility, as specified per 10
Attachment 1 to ULNRC-06482 Page 15 of 17 CFR 50.36 (c)(2). As further specified therein, when an LCO is not met, the licensee shall shut down the reactor or follow any remedial action penriitted by the Technical Specifications until the LCO is met.
For systems/functions having fully redundant and separate trains (in order to provide for single failure protection), compliance with the applicable TS LCO ensures the system/function can withstand a single failure and remain functional. With one train inoperable (i.e., with the LCO not met), a Condition and Required Action(s) must be entered, as appropriate, since such a condition is one in which single-failure protection is no longer assured. Generally, continued plant operation is allowed for only a limited period of time for such a condition, as the Completion Time for restoring the inoperable train to operable status imposes the time limit that must be met before entry into a Required Action for plant shutdown is required.
NRC Staff Question No. 5 describes a scenario in which an accident occurs with one Class 1 E
electrical equipment A/C train inoperable (i.e., as an initial condition). After the onset of the accident, the described scenario includes securing an ESF (ESW) train after 7 days (per the provisions described in License Amendment 208), which would be the train associated with the initially inoperable Class 1E A/C electrical equipment train. At that same time (7 days), an additional failure is assumed such that there is an equipment failure in the operating ESF train.
The question requests discussion on how the train without an available Class 1 E electrical equipment A/C train could be restarted to provide cooling for the ESF equipment needed to support plant shutdown after the accident.
What should first be noted about the given scenario is that it is one that is outside the plants licensing basis. Since the scenario begins with an inoperable train (with a TS Required Action in effect) single-failure protection is not assured and is not expected to be assured for the time that the Required Action is in effect. While there is a risk associated with this condition (i.e.,
with the Required Action in effect), an accident occurring under such conditions can still be mitigated in accordance with the plants licensing basis, assuming no additional failure.
With the introduction of the additional failure (at 7 days), loss of function(s) is likely as such a
condition involves a level ofinoperability (i.e., more than one failure) that is beyond the licensing basis of the facility. Per the plants licensing basis, there is no requirement to ensure or demonstrate functional capability for such a scenario.
With the above basis acknowledged, the following three scenarios are summarily addressed:
1 . The plant is operating with Condition A (i.e., Required Actions A. 1 A.2 and A.3) of LCO 3 .7.20 in effect (i.e., with one train of the Class 1 E Electrical Equipment A/C system inoperable) and no accident or hazard exists or occurs (but plant shutdown may be needed).
- 2. The plant is operating with Condition A of LCO 3 .7.20 in effect and an accident (DBA LOCA) occurs.
3 The plant is operating with Condition A of LCO 3 .7.20 in effect and a hazard (such as a tornado) occurs.
Attachment 1 to ULNRC-06482 Page 16 of 17 Each of these is addressed summarily with bullets providing the key points and assumptions involved.
Plant is operating with Condition ?At? of LCO 3.7.20 in effect:
. One SGKO5A/B unit is inoperable, and one supplemental cooling train is in operation.
. Single-failure protection is not met. [Thus, the plant cannot (and is not expected to meet) its licensing basis in the event of another single failure.]
. Plant risk ofbeing in Required Action A.3 for its 30-day Completion Time and the likelihood of an accident occurring during the time that the Required Action is in effect is considered as part of establishing the Required Action and Completion Time for the TS.
0 The 30-day Completion Time for Required Action A.3 has no connection with the 3 0-day mission time ascribed to certain safety-related functions features (such as the UHS).
0 The 30-day Completion Time is risk-based (even if only based on engineering judgment), whereas the 30-day mission time is deterministically based (as required by regulatory guidance).
0 Plant may not (and is not required to) meet its licensing basis with the occurrence or assumption of another failure while Condition A is in effect.
Plant is operating with Condition A in effect and experiences an accident (e.g., DBA LOCA):
. A concurrent LOOP may be assumed, but with the Required Actions of Condition A in effect, no additional failure is required to be assumed (as single-failure protection is already not met, and it may be assumed that this was considered in assessing the risk associated with Required Action A.3 and its associated Completion Time).
. The safety train of equipment associated with the inoperable Class 1E electrical equipment A/C train is turned off at 7 days (i.e., major pumps and equipment are secured, but electrical safety bus/distribution remains energized) in order to preserve UHS function (as selected by the plant operators).
0 UHS mission time is 30 days.
0 EDG mission time is 7 days.
0 Offsite power restored in 7 days.
. Remaining train of safety-related equipment enables plant cool-down and long term core cooling.
. Class 1 E electrical equipment for operating safety train is cooled by its Class 1 E electrical equipment A/C train (with no supplemental cooling needed).
Attachment 1 to ULNRC-06482 Page 17 of 17 Plant is operating with Condition A in effect and experiences a hazard (natural event such as a tornado):
. A concurrent LOOP may be assumed, but no additional failure is required to be assumed.
. The safety train of equipment associated with the inoperable Class 1 E electrical equipment A/C train is turned off at 7 days (i.e., major pumps and equipment are secured, but electrical safety bus/distribution remains energized) in order to preserve UH$ function (as selected by the plant operators).
. Mission times are not specified for hazards.
0 UHS mission time is 30 days.
0 EDG mission time is not specified but may be assumed to be 7 days per Reference 1.
0 Offsite power restoration not addressed (but may be assumed to be restored in 7 days per Reference 1.
. Remaining train of safety-related equipment enables plant cool-down.
. Class 1E electrical equipment for operating safety train cooled by its Class 1E Electrical Equipment A/C train (with no supplemental cooling needed).
. Use ofnon-safety equipment, operator actions, and other provisions apply (as described in F$AR Section 3.1.2 and Appendix 3B).
With regards to the postulated post-accident scenario involving additional equipment failures after an ESF train has been secured within 7 days, procedural guidance for the restoration of safety functions is provided in the function restoration (FR) series of the Callaway EOP network.
It should be acknowledged that such additional equipment failures would be beyond accident analysis assumptions described in the Callaway FSAR.
References 1 . NRC letter, Response to Task Interface Agreement 2014-10 Related to the Regulatory Position on Emergency Diesel Generator Mission Time for Operability Evaluations at Callaway Plant, Unit No. 1 (CAC No. MF5099, EPID L-201 5-LRA-000l), dated October 19, 2018.