ML23289A216
| ML23289A216 | |
| Person / Time | |
|---|---|
| Site: | Callaway  (NPF-030) |
| Issue date: | 10/16/2023 |
| From: | Ameren Missouri, Union Electric Co |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML23289A214 | List: |
| References | |
| ULNRC-06825, LDCN 22-0029 | |
| Download: ML23289A216 (1) | |
Text
Attachment 1 to ULNRC-06825 Page 1 of 23 Responses to Regulatory Audit Questions Regarding LAR to Clarify Support System Requirements for the Residual Heat Removal and Control Room Air Conditioning Systems to ULNRC-06825 Page 2 of 23 Responses to Original Audit Plan Questions/Requests (ADAMS Accession No. ML23065A321)
Shutdown Risk Questions Question 1:
Describe how the licensee's proposed change, including the Essential Service Water (ESW) and the Service Water (SW) systems supporting it, will meet the two shutdown initiatives described in Generic Letter (GL) No. 88-17, "Loss of Decay Heat Removal - 10 CFR 50.54(f)," dated October 17, 1988 and NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," dated December 1991, during Mode 5 operation with the loops not filled and Residual Heat Removal (RHR) and Coolant Circulation with Low Water Level.
Response
GL 88-17 references a handful of relevant licensee events and requires various actions and enhancements to be taken by all addressees with respect to:
monitoring various reactor coolant system (RCS) parameters (temperature, level, decay heat removal (DHR) system performance),
training and procedures provided to operators to facilitate response to reduced inventory operation and off-normal conditions that may occur during reduced inventory operation, controls to reduce the likelihood, risk, and consequences associated with losses of decay heat removal (DHR),
providing additional means of adding inventory to the RCS, ensuring all hot legs are not simultaneously blocked without adequate venting, conducting analyses to obtain a complete understanding of nuclear steam supply system behavior during non-power operation, Technical Specification (TS) revisions, if needed to realize the safety benefits of the GL 88-17 actions.
Union Electric (dba Ameren Missouri) responded to GL 88-17 in letters ULNRC-1900, "Response to Generic Letter 88-17 Loss of Decay Heat Removal 10 CFR 50.54(f)," dated February 1, 1989, and ULNRC-2330 "Programmed Enhancements for Generic Letter 88-17, 'Loss of Decay Heat Removal,' for Callaway Plant," dated November 29, 1990. The proposed TS changes now being requested have been reviewed against the responses to GL 88-17, and it was determined that there is no impact to the responses previously provided. The responses, as they relate to the items summarized above and the proposed amendment request, are summarized below.
RCS parameters and DHR system performance are monitored at the BB (Reactor Coolant) and EJ (RHR) system levels. The site's response and the GL do not go into detail where support systems (e.g., Component Cooling Water (CCW), ESW, SW, Ultimate Heat Sink, etc.) are concerned. RCS parameters and DHR system performance will continue to be monitored as described in the GL 88-17 response.
to ULNRC-06825 Page 3 of 23 The off-normal procedure for a loss of RHR, i.e., OTO-EJ-00001, "Loss of RHR Flow,"
acknowledges that cooling water may be provided via the ESW or SW systems. Training was (and is) provided to operators on this procedure.
Outage activities and risk are managed using the process described in NUMARC 91-06, as implemented via site procedure APA-ZZ-00315, "Configuration Risk Management Program." For shutdown conditions, APA-ZZ-00315, Appendix E, "Configuration Risk Management Program -
Shutdown," applies. This process recognizes use of either the SW or ESW systems to provide cooling water flow to the CCW system and its supported systems (including RHR and Control Room Air Conditioning System (CRACS)). Additional risk management actions are specified for periods where only one train of ESW is available and SW is used as a sole support system for the opposite train.
The systems for providing additional inventory to the RCS (Safety Injection (SI) pump or Centrifugal Charging Pump (CCP)) are not directly reliant on ESW or SW as a source of cooling water. The ESW or SW pumps provide cooling flow to the CCW system and to the room coolers for the SI pump and CCP rooms, but they do not provide the water source for SI pump or CCP to draw from. (The water source is provided by the Refueling Water Storage Tank (RWST).) The venting considerations covered for the hot legs in the original GL 88-17 response are not affected by the requested change.
The additional analyses conducted to determine the impacts of RHR air ingestion and RCS heat-up following losses of DHR (per WCAP-11916, Accession No. ML12006A164) were agnostic with respect to the support function to remove heat from the CCW system. Either the ESW system or the SW system can provide adequate heat removal for the CCW system.
The TS revisions submitted at the time of the GL 88-17 response were focused on RHR and SI system requirements and not on the support system function provided by either ESW or SW.
NUMARC 91-06 provides guidance on outage scheduling, risk management, and the defense-in-depth philosophy applied to ensure that key shutdown safety functions remain met throughout periods of plant shutdown. NUMARC 91-06 recognizes the use of non-essential systems to provide risk mitigation and defense in depth to ensure key safety functions remain met during shutdown conditions. Callaway's shutdown risk management program recognizes the use of the SW system to provide an acceptable source of cooling water in lieu of the ESW system.
to ULNRC-06825 Page 4 of 23 Question 2:
Describe how the SW system is protected from hazards and events such as tornadoes, floods, missiles, pipe breaks, fires, and seismic events compared to the ESW system.
Response
The SW system is not specifically analyzed for protection from hazards. However, the system meets robust ANSI design standards as described in Callaway Final Safety Analysis Report (FSAR) Standard Plant (SP) 9.2.1.1.2.2.
FSAR SP 9.2.1.1.2.2 The SWS [Service Water System] piping and valves are carbon steel and are designed to meet the requirements of ANSI B31.1. Valves EAV0001, EAV0004, EAV0006, EAV0008, EAV0043, EAV0184, EAV0185, EAV0186 and EAV0187 are stainless steel and meet ANSI B31.1. The design ratings of the SWS supply lines are 200 psig and 150°F, and discharge lines to the circulating water system are 85 psig and 150°F.
Additional detail with respect to high wind resistance is provided in the responses to Additional Audit Questions 2 and 3 on pages 20 and 21 of this attachment, as well as in the section titled "Risk Perspectives on External Hazards" on page 18 of this attachment.
STSB Questions Question 1:
Provide detailed information related to SW system design, operation, maintenance, quality, reliability and power supply characteristics, and any additional controls to meet the requirements of 10 CFR 50.36, Technical Specifications, for the use of one safety-related train and one non-safety-related train each supporting a respective RHR train when TS require two operable RHR trains.
Response
System Design & Operation The SW system design is described in FSAR Site Addendum (SA) 9.2.1 and FSAR SP 9.2.1.1. Refer to Piping & Instrumentation Drawings M-22EA01 and M-22EA02 (i.e., FSAR (SP) Figure 9.2-1, Sheets 1 and 2, respectively) for the system layout. The SW system is in continuous operation for the life of the plant.
Starting and stopping the SW pumps is a manual operation from the main control room. Loss of a SW pump will automatically start a backup pump. The design basis for the system is defined as follows.
FSAR SP 9.2.1.1.1.2 to ULNRC-06825 Page 5 of 23 The SWS provides sufficient cooling water for the heat removal from nonessential auxiliary plant equipment and from the ESWS [Essential Service Water System] over the full range of the normal reactor operation and normal shutdown.
Section 9.2.1.1.2.2 discusses the redundancy of the SW pumps. The 50 percent system capacity described for each pump is relevant to full power operation. A single SW pump is able to support shutdown cooling and plant heat loads in the shutdown modes.
FSAR SA 9.2.1.1.2.2 (Paragraph 1)
SW pumps - The three 50 percent system capacity service water pumps are single stage, double-suction, vertical, constant-speed dual-volute centrifugal type. Each pump is equipped with a hydraulically operated butterfly valve on the discharge for isolation of the pump from the system. The valve is also programmed for quick closure to prevent reverse flow of water and pressure surge in the event of a pump trip. Refer to Table 9.2-1 for SW system component data.
SW piping and valves are designed to meet ANSI standards as defined in section 9.2.1.1.2.2.
FSAR SP 9.2.1.1.2.2 The SWS piping and valves are carbon steel and are designed to meet the requirements of ANSI B31.1. Valves EAV0001, EAV0004, EAV0006, EAV0008, EAV0043, EAV0184, EAV0185, EAV0186 and EAV0187 are stainless steel and meet ANSI B31.1. The design ratings of the SWS supply lines are 200 psig and 150°F, and discharge lines to the circulating water system are 85 psig and 150°F.
The Callaway Design Basis Document for the SW system, ULDBD-EA-001, provides additional detail and references for system design and was provided via the audit database.
Maintenance The SW system is in the scope of the Maintenance Rule (10 CFR 50.65) Program for Callaway.
Unavailability monitoring criteria and performance data for the past 18 months are given below.
System Train PCID Maint Rule Perform Criteria (OOS Hours per 18 Months) 75% of the Maint Rule Perform Criteria (OOS hours per 18 Months)
Total OOS Time for 18-Month Monitoring Period Remaining OOS hours allowed for the 18-month monitoring period Percent of Perform Criteria used in the 18-month monitoring period EA 2
Pumps EA-A002 72 54 0.0 72.0 0%
EA Sum of all 3 Pumps EA-A-
001 1500 1125 582.3 917.7 39%
to ULNRC-06825 Page 6 of 23 Quality & Reliability FSAR SP 9.2.1.1.4 notes that reliability of the SW system is demonstrated by its history of continuous operation.
FSAR SP 9.2.1.1.4 Preoperational testing is described in Chapter 14.0. The performance and structural and leaktight integrity of all cooling water system components is demonstrated by continuous operation.
Reliability of the SW system is also informed by Probabilistic Risk Analysis (PRA). Callaway normally supplies cooling water to the CCW system (both at power and when shutdown) via the SW system. Since the SW system is already aligned, there are no components that are required to change state to continuously provide a cooling water source to CCW (in support of RHR and CRACS). Additionally, only one of the three SW pumps is typically required to supply adequate cooling water flow to support shutdown cooling loads. When the SW system is aligned, either multiple component failures (i.e.,
multiple pump and/or valve failures) or a single, much less probable, failure (spurious valve closure) is required to result in a failure of the system to provide cooling water flow. Over a 24-hour period, the PRA failure probability of a single SW pump to start is 2.186 E-03, and the PRA failure probability of a single pump to run is 3.340 E-03. With the SW system already aligned to provide cooling water flow, failure would require at a minimum, a failure to run and two failures to start, for which the probability of each occurrence would be multiplied to determine the combined probability of failure. In addition, since the SW system can be aligned to either or both safety trains, there is more redundancy and flexibility available to both safety trains.
In contrast, with the SW system aligned to provide cooling flow, the ESW system has at least two components that have to change state, the pump has to start and run, and EFHV0037 has to open (or EFHV0038 depending on which train of ESW is operable). Either of these components (the pump or the flow return valve) represent a single occurrence which would lead to the overall failure for ESW to provide cooling flow. Over a 24-hour period, the PRA failure probability of a divisional ESW pump to start is 5.695 E-04, and the PRA failure probability of the pump to run is 9.773 E-04.
Power Supply Characteristics Redundancy in the electrical supply to the SW pumps is provided as described in FSAR SA 8.3.1.1.
The transformers serving the river intake, the circulating water pumps and the service water pumps are substation type, rated for normal operation at 55 degrees C rise and with nonreduced BIL rating (13.8-kV windings with 110-kV basic impulse rating).
to ULNRC-06825 Page 7 of 23 FSAR SA 8.3.1.1 (Paragraph 7)
The circulating water pumps and service water pumps are normally served by three transformers, each of which serves one circulating water and one service water pump. If one transformer or its 13.8-kV feeder should fail, one of the two remaining transformers and its associated feeder will serve two circulating water pumps and two service water pumps within the 65 degree C rise fan-cooled rating of the transformer. The 4160-V switchgear feeder and tie circuit breaker are interlocked to prevent any single transformer and its feeder from serving more than two circulating water pumps and two service water pumps.
10 CFR 50.36 Requirements The SW system does not meet any of the 10 CFR 50.36 requirements for inclusion in the plant TS. TS Operability requirements are not imposed on the system.
Question 2:
Proposed Callaway TS Bases submitted with the TS conversion request contained two paragraphs in the BACKGROUND section for TS 3.4.8. Between the time of the request and more recent version of the Bases, a third paragraph discussing RHR appears to have been added. Provide documents supporting the third paragraph in the BACKGROUND section for TS 3.4.8 and any NRC staff-generated documents related to the third paragraph.
Response
The paragraph in question was added to the TS Bases in 2007 under TS Bases Change Notice (TSBCN)07-011. The basis and background for TSBCN 07-011 were documented under Corrective Action Request (CAR) 200704021, specifically in the response to Action 3 of the CAR. The intent of the change, in part, was to reconcile the TS requirements for redundant RHR trains during shutdown conditions (per TS 3.4.8 and TS 3.9.6) with the reduced TS requirements for supporting electrical sources and distribution during shutdown conditions (per TS 3.8.2, TS 3.8.5, TS 3.8.8 and TS 3.8.10). The noted documents were provided in the Audit Database.
The Basis writeup from the CAR Action is provided below, which reflects the Callaway position prior to submittal of the LAR for which this LAR supplement is being provided:
Question: Can an RHR train be considered OPERABLE in Mode 5 and Mode 6 when Service Water is aligned to provide cooling to the A ESW system loads? Evaluate for fuel movement in progress and with fuel movement not in progress.
Response
An RHR train can be considered OPERABLE during MODES 5 and 6 with Service Water aligned to provide cooling (via the associated CCW train). This is consistent with TS requirements and provisions for shutdown conditions.
to ULNRC-06825 Page 8 of 23 However, because the Technical Specifications require one diesel generator (DG) to be OPERABLE during these MODES, the required DG will likely have its associated ESW train available in order for the DG to be considered OPERABLE (if an as-designed plant cooling water system(s) is to be utilized to provide the necessary cooling). Thus, when two RHR trains are required to be OPERABLE (such as during reduced inventory), one of the two RHR trains will consequently have its associated ESW train available.
The movement of irradiated fuel assemblies itself does not affect RHR requirements. The other specified condition of during movement of irradiated fuel assemblies invokes other TS requirements that apply during such conditions, but those are not the subject of this Action (regarding RHR requirements/support).
Basis for Response:
In general, TS LCO requirements for TS-required systems, structures, and components are based on the accident analyses that require or credit those SSCs for mitigation of the applicable accidents postulated and analyzed in the FSAR. Many of the worst-case accidents are postulated to occur during plant operation, but some may be postulated to occur during shutdown conditions (such as a fuel handling accident). For design-basis accidents that are postulated to occur during plant operation (such as with the reactor at 100% power), it is generally required that for the associated, bounding accident analysis, a worst-case single failure AND a loss of offsite power must be assumed.
In general, however, and as noted in the TS Bases for Technical Specifications that apply only during shutdown conditions (e.g., TS 3.8.2, TS 3.8.5, TS 3.8.8, and TS 3.8.10), conditions during shutdown are such that it is not necessary to assume a single failure and concurrent loss of offsite power for accidents that may occur during such conditions. As stated in the TS bases, The rationale for this is based on the fact that many design-basis accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analysis in MODES 5 and 6. Worst-case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrences being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCOs for required systems. Thus, requirements for many systems addressed in the Technical Specifications are relaxed or reduced for when the plant is in a shutdown condition (MODE 5 or 6).
Based on the above, for example, even for systems required to mitigate a fuel handling accident (FHA) during shutdown conditions, it may be noted that the Technical Specifications require two trains of Control Room Emergency Ventilation System (CREVS) (and CRACS) to be Operable, but only one DG is required to be Operable during MODES 5 and 6. The requirement for having two CREVS trains Operable ensures that a single failure can be accommodated for mitigation of the FHA. The requirement for having one DG Operable provides for ensuring FHA mitigation capability in the event of a loss of offsite power (LOOP). Since a single failure and LOOP are not required to be assumed concurrently, it is not necessary to require both DGs AND both CREVS trains Operable. Accordingly, TS 3.7.10 requires two CREVS trains to be Operable while TS 3.8.2 only requires one DG to be Operable, during shutdown conditions.
to ULNRC-06825 Page 9 of 23 With regard to TS requirements for the RHR system during such MODES (5 and 6), it may be noted that although core decay heat removal is a required function, it is not associated with any specific accident like an FHA that is postulated and analyzed (with bounding assumptions, assumed initial conditions, etc.) in the FSAR. Thus, even the relaxed assumptions that must be applied to mitigation functions for accidents that are analyzed in the FSAR and postulated to occur during shutdown conditions are more restrictive than what is required for the RHR / decay heat removal function. In this regard, it may be noted that for RHR requirements and decay heat removal capability, the Improved (Standard) Technical Specifications (ITS) do not specify what heat sink (cooling water system) must be available for an RHR train to be considered Operable.
The Bases for the RHR system Technical Specifications (TS 3.4.7/3.4.8 for MODE 5 and TS 3.9.5/3.9.6 for MODE 6) essentially state that an Operable RHR loop requires an RHR pump, an Operable flow path, and an Operable heat exchanger. In effect, RHR Operability is based on having the capability to remove decay heat, without regard to all of the assumptions and conditions that would otherwise apply for functions/systems required to mitigate accidents that are specifically analyzed in the FSAR. As such, the RHR decay heat removal function can be satisfied or supported with Service Water aligned (in lieu of using only the ESW system) to serve as the heat sink (with CCW as the intermediary heat transfer system).
It should be noted, however, that ESW may be considered an essential support system for DG Operability. [The relationship between a DG and its associated ESW train is circular. The DG needs cooling water to perform its function, but since it may be assumed that the DG would be required in the event of a loss of offsite power, it must ultimately depend on ESW to be the heat sink needed for the DG to operate during such an event since only the ESW pump (and not the Service Water pump) can use DG-supplied power in the event of a LOOP.] Because the Technical Specifications require one DG to be Operable during MODES 5 and 6, and because ESW may be needed to support that DG, at least one train of ESW is typically available during MODES 5 and 6.
Thus, when two trains of RHR are required to be Operable during MODES 5 and 6 (such as at reduced inventory), at least one of the RHR trains will likely have its associated ESW train available.
With regard to when two RHR loops are required to be Operable, i.e., TS 3.9.6 in MODE 6 or TS 3.4.8 in MODE 5, the Technical Specifications require two RHR trains to be Operable with one of the trains in operation. Again, despite the requirement for having both RHR trains Operable, only one DG is required to be Operable during these Modes. The train having the Operable DG must in turn have its associated ESW (and CCW) train available. In this case, the RHR train associated with the Operable DG will have its associated ESW train Operable/available. It does not matter, however, whether the DG-ESW-supported RHR train is the one that is in operation or not, since the capability to switch from one train in operation to the other train in operation would exist.
(
Reference:
CAR 200402789) to ULNRC-06825 Page 10 of 23 SCPB Questions Question 1:
Provide the duration that the plant will be using non-safety-related SW in lieu of ESW.
Response
Callaway does not have a planned duration to utilize the SW in lieu of ESW. Callaway does not intend to place a limit to the duration that SW can be used in lieu of ESW. However, the duration that the plant is in the mode of applicability for LCO 3.9.6 and 3.4.8, with water level < 23 ft above the top of the reactor vessel flange, is typically a short period during the transition into and out of refueling operations. The recent history of use of this configuration was provided in the audit database and was limited to the duration of concern for the related non-cited violation, i.e., between May 13 and May 17 of 2022.
Question 2:
Describe operating procedures containing the requirements and procedures for the startup, operation, and monitoring associated with using the non-safety related SW configuration.
Response
OTN-EA-00001, "Service Water System," describes the operation of the SW system at Callaway. The procedure provides guidance on the system lineup, starting and stopping the system pumps, instrument line flushes, chemistry department monitoring, filling, and venting the system, and cold weather/reduced power operations. The procedure references various system checklists used in system operation. A copy of this procedure and the various checklists was provided in the audit database.
System monitoring is provided by Operations Technicians during their shift rounds. Specifically, the SW system is monitored by the Outside Operator per procedures ODP-ZZ-0016E, "Operations Technicians Watchstation Practices and Rounds," and ODP-ZZ- 0016E, Appendix 1, "OT General Inspection Guide."
ODP-ZZ-0016E provides general walkdown guidance, frequency of monitoring dependent on operational constraints (radiation area, components in operation, etc.), and practices for various off-normal conditions. ODP-ZZ-0016E, Appendix 1, provides monitoring guidance based on component type; Step 1.11.5 provides specific guidance for the SW pumps. Copies of these procedures were also provided in the audit database.
to ULNRC-06825 Page 11 of 23 Responses to Additional Audit Questions/Requests (Recorded/Added During Audit)
Question 1:
Provide further information on when the site uses 1 or 2 Service Water pumps when shut down.
Response
This is dictated by OTN-EA-00001, "Service Water System," (provided in the response to SCPB Question 2 in the audit database, as noted on page 10 of this attachment) and is dependent on overall system pressure. Typically, one pump is operating and adequate to cool plant loads when shut down. The normal pump discharge pressure is maintained in an operating band of 60 to 80 psig.
Question 2:
A SW system pump delivers 19,000 gpm at 165 ft total developed head (TDH), and a ESW pump delivers 15,000 gpm at 328 ft TDH. What if any impact is there of the difference in TDH on the cooling functions the systems provide?
Response
The difference in TDH does not have an impact on the capability of the SW system to handle the generated heat loads from the RHR system when shutdown. The SW system was designed to be capable of removing the plant heat loads during normal operating and shutdown conditions and has continuously demonstrated this capability throughout the life of the plant.
Question 3:
Is the SW/CW pumphouse protected from the 100-year windspeed?
Response
The 100-year return period wind speed for the Callaway Site is presented in FSAR SA Table 2.3-10 and varies based upon height and considers potential gust factors. For the height of interest, 30 ft, the wind speed is 85.0 miles per hour with a gust factor of 1.30. The SW/CW pumphouse is not specifically protected for the range of wind speeds with gust factor applied relative to the 100-year return period wind speeds. The section titled "Risk Perspectives on External Hazards" on page 18 of this attachment provides additional detail on the assumed failure conditions for the involved systems from high wind conditions.
to ULNRC-06825 Page 12 of 23 Question 4:
For the accumulator(s) used to provide a reserve source of borated water during shutdown conditions with low inventory/mid-loop, are the valves that require repositioning to provide this water source supplied from a safety or non-safety related power source (i.e., what is their power source, from a historical perspective of plant performance)?
Response
Power is supplied by safety grade power sources, backed by a Class 1E emergency DG, when the station drains the RCS to support vessel head removal/reinstallation and vacuum fill.
Question 5:
Provide the results of the analysis from previous refueling cycles that covers the time to boil following a loss of residual heat removal, for the worst case analyzed conditions.
Response
Time to RCS boiling (t-boil) and time to core uncovery (t-uncovery) following a postulated loss of RHR are calculated each refueling outage for all planned plant conditions. A t-boil software tool is also provided to the operators if real-time calculations are needed to respond to changing plant conditions.
RCS boiling and core uncovery calculations assume a complete loss of shutdown cooling. Core decay heat is calculated using the standard ANSI/ANS-5.1-1979, "Decay Heat Power in Light Water Reactors."
Callaway does not enter mid-loop conditions with a hot-core (pre-offload). (The proposed TS changes shown via the mark-ups provided in the enclosure of this LAR supplement include a limitation to ensure this.) Mid-loop conditions with fuel in the core are only entered to enable RCS vacuum fill with a reload core (i.e., cold-core). Due to the significant decay time at this point in the refuel, t-boil and t-uncovery times are much longer than if mid-loop was entered with a hot core prior to core offload. A review of historical and planned refuel data shows a minimum decay time of 19 days before mid-loop conditions are entered. Conservatively calculated t-boil and t-uncovery for these conditions would be 51 minutes and 223 minutes respectively.
The most limiting t-boil/t-uncovery times calculated in previous outages do not occur during mid-loop conditions where a reload core (i.e., cold-core) is present. They are seen during RCS drain-down to less than 6-inches below the flange prior to reactor head removal at the start of a refueling outage (i.e., pre-reload with a hot-core). Decay heat is much higher during this evolution. A review of historical outage data shows calculated t-boil times as low as 18 minutes and corresponding t-uncovery as low as 114 minutes during this period.
to ULNRC-06825 Page 13 of 23 Question 6:
What restrictions on mid-loop operation is the licensee considering for this change (e.g., duration, additional risk management actions)?
Response
The station limits time in the mid-loop operation with fuel in the vessel to the time required to achieve conditions to establish vacuum fill, for those outages where maintenance requires the RCS to be taken to mid-loop conditions (i.e., those requiring steam generator tube inspections). When maintenance is performed at mid-loop otherwise, all irradiated fuel assemblies are located in the spent fuel pool due to a full core offload (i.e., when the plant is in "No Mode"). Due to the risk of low water inventory in the RCS and the shortened time to boil, several risk mitigation strategies are already in place as provided in APA-ZZ-00315, Appendix C, "Risk Management Actions," section 4.2.3 (provided in the audit database),
and OTN-BB-00002, Addendum 6, "Draining the RCS to Limited Inventory or Reduced Inventory - IPTE" (also provided in the audit database).
Question 7:
Are the non-safety 4kV buses supplying the SW system protected from fire/flooding/hot work/other hazards/etc. (similar to question 5 above)?
Response
The buses at the Circulating Water/Service Water Pumphouse are located in their own room within the pumphouse. This room and the pumps are located 4 to 5 feet above grade. The buses in the turbine building are located at the 2033' elevation and there are large sections of grating nearby which would allow water to drain to ground level (2000') and run out of the building or be collected in sumps. All areas are protected from fire, large combustible sources, and hot work, via administrative processes dictated in APA-ZZ-00700, "Fire Protection Program"; APA-ZZ-00701, "Control of Fire Protection Impairments"; and APA-ZZ-00741, "Control of Combustible Materials" (which were provided in the audit database). Commercial grade fire protection is provided in commercial grade buildings (e.g., walls, doors, floors meet fire ratings required by building code and commercial grade fire protection/detection is provided). Additional information regarding system protection schemes and fire protection is provided in the response to Additional Audit Question 2 on page 20 of this attachment.
to ULNRC-06825 Page 14 of 23 Question 8:
In general, what is the response to events for losses of decay heat removal (operator actions, time to respond, hazardous environments, etc.)? One of particular interest is whether the site would employ a cross tie of the ESW system and how this is accomplished.
Response
Responses to a loss of DHR are covered under site procedures OOA-ZZ-SSM01, "Shutdown Safety Monitoring"; OTO-EJ-00001, "Loss of RHR Flow"; and OTO-EJ-00003, "Loss of RHR while Operating at Reduced Inventory or Mid-Loop Conditions." These procedures have been provided in the audit database.
Operator actions and time to respond are covered under APA-ZZ-00395, "Significant Operator Response Timing." However, this procedure is for design basis events, and those events are generally assumed to occur at power. Losses of DHR are not modeled or timed in this manner and thus not reflected. The containment closure procedures, covered under the following question, cover time and capability for containment closure.
The only guidance currently in Callaway processes to utilize the ESW cross-connect line is within FLEX procedures. This guidance is not directly linked to the guidance discussed here otherwise, but it is possible that it could be used in the case of a severe event.
Question 9:
Provide APA-ZZ-00150 and OSP-GT-00003, which cover containment closure and outage preparation/execution.
Response
OSP-GT-00003, "Containment Closure," covers the checks and preparation to ensure that containment closure can be achieved following a loss of the shutdown cooling (decay heat removal) capability/function required by TS 3.9.5 and TS 3.9.6.
APA-ZZ-00150, Appendix M, "Containment Closure" covers the requirements for initiating containment closure in modes 5 and 6.
Both of these procedures were provided in the audit database.
to ULNRC-06825 Page 15 of 23 Question 10:
Can SW provide a cooling water source to an Emergency Diesel Generator (EDG) and can an EDG provide a power source to SW?
Response
The SW system can provide a cooling water source to an EDG. However, an EDG cannot provide a power source to the SW system.
Question 11:
With respect to the site's response to GL 88-17, where two additional injection systems are available to respond following a potential loss of decay heat removal (Safety Injection and Centrifugal Charging Pumps are used for this), does the site ensure these additional injection systems are in the same division as the operable EDG and ESW train?
Response
Yes, the site ensures the SI and CCP providing the additional injection sources are on the same division as the operable EDG and ESW train.
Question 12:
If the licensee has an existing analysis of an assumed loss of the RHR during mid-loop operation, provide a discussion of the analysis for supporting the TS clarification (change). The information (if available) should include the methodology and assumptions used for analysis, and results demonstrating that the vessel water level would not be boiled off down to the top of the fuel, and thus assuring the fuel integrity. If the operator actions are assumed for mitigation, specify the required actions and times, and discuss how the required operator action times are met from the human engineering factor consideration.
Response
Generic Letter 88-17 Discussion Total loss of the RHR system during mid-loop operation was considered as part of Callaway's response to GL 88-17, "Loss of Decay Heat Removal," as documented under letter ULNRC-1880 dated January 3, 1989. Expeditious Action Item 6 of the GL requires the following:
(6) Provide at least two available* or operable means of adding inventory to the RCS that are in addition to pumps that are a part of the normal DHR systems. These should include at least one high pressure injection pump. The water addition rate capable of being provided by each of the to ULNRC-06825 Page 16 of 23 means should be at least sufficient to keep the core covered. Procedures for use of these systems during loss of DHR events should be provided. The path of water addition must be specified to assure the flow does not bypass the reactor vessel before exiting any opening in the RCS.
Callaway satisfies this action item by maintaining a combination of at least two SI Pumps or one SI pump and a CCP available to inject inventory from the RWST. Action to establish pumped injection is taken by the Control Room operators and is procedurally directed under off-normal operating procedure OTO-EJ-00003, "Loss of RHR While Operating at Reduced Inventory or Mid-Loop Conditions," which is based on the industry developed Abnormal Response Guideline ARG-1, "Loss of RHR While Operating at Mid-Loop Conditions." The procedure provides figures with required flowrates to maintain the RCS subcooled as well as reduced flowrates required to maintain the core covered at saturation conditions. The figures are presented as a function of required flowrates vs time after shutdown. The data for each figure is based on Callaway calculations and verified to be bounding each operating cycle. Calculation EC-45 Revision 0, Addendum 2, "Flow Requirements to Respond to a Loss of RHR Event," provides the most recently calculated values. The adequacy of this makeup strategy was also analyzed under WCAP-11916 and Callaway's review of the WCAP under calculation EJ-06, Revision 0, "Loss of RHRS Cooling/RCS Partially Filled - Generic Letter 88-17."
Defense in Depth RCS Makeup Methods As described under the Generic Letter 88-17 discussion, the primary success path for providing RCS makeup following a loss of decay heat event is to establish pumped injection from the RWST using the CCP or SI pumps. However, additional defense-in-depth options are available to make up RCS inventory, including RWST gravity feed, SI accumulator injection, steam generator reflux cooling, and FLEX pump makeup. These strategies are contained in Callaway's implementation of Abnormal Response Guideline ARG-1, "Loss of RHR While Operating at Mid-Loop Conditions," per procedure OTO-EJ-00003.
RWST Gravity Feed:
With a properly vented RCS, gravity feed from the RWST can be established that does not rely on pumped injection. Calculation EJ-51 Revision 0, Addendum 3, "RWST Level Needed to Gravity Feed from RWST to RCS at Reduced Inventory Levels and Loss of RHR," establishes the minimum RWST tank level needed to provide a minimum 4-hour supply of RCS makeup. This makeup option is procedurally implemented through OTO-EJ-00003 Attachment E, "RWST Gravity Feed."
SI Accumulator Injection:
One SI accumulator is normally left with a pressure of 50 psig for injection into the RCS if required. This option would only be exercised if no means for pumped injection is available. This option would require local operator action within containment to locally open the SI accumulator isolation valve.
FLEX Pump Makeup:
Callaway's flexible coping strategies (FLEX) include the capability to provide RCS makeup injection using onsite FLEX equipment. If a loss of all AC power were to occur while operating at mid-loop conditions, the FLEX strategies in FSG-14, "Shutdown RCS Makeup," would be implemented as procedurally directed to ULNRC-06825 Page 17 of 23 by off-normal operating procedure OTO-NB-00005, "Loss of All AC Power While on RHR," or OTO-EJ-00003 Attachment H, "RCS Makeup Using FLEX Equipment."
Summary The primary strategy for mitigating a loss of DHR event is to provide injection from the RWST using the CCP or SI pumps. Additional defense-in-depth strategies are defined in plant procedures. Credited operator actions to respond to loss of shutdown cooling event are procedurally defined and trained on.
These operator actions are not considered time-critical or time-sensitive actions and are not controlled under Callaway's Significant Operator Response Time program implemented per procedure APA-ZZ-00395.
Time to RCS boiling and time to core uncovery following a postulated loss of RHR are calculated each refueling outage for all planned plant conditions. A t-boil software tool is also provided to the operators if real-time calculations are needed to respond to changing plant conditions. A review of t-boil times from recent refueling outages for mid-loop conditions and the more limiting conditions during RCS draindown for reactor head removal shows adequate response time is available before core boiling would occur, with significant additional margin available before core-uncovery and core damage.
to ULNRC-06825 Page 18 of 23 Responses to Additional Audit Questions/Requests (Transmitted via E-mail on July 27, 2023, Accession No. ML23208A105)
Risk Perspectives on External Hazards External events and hazard frequencies are not dependent on plant mode, and as such, the online failure probabilities associated with external hazards are used to provide the following insights for shutdown modes.
Fires and Flooding: Fires and internal flooding in both the ESW Pump rooms and the Circulating/Service Water Pumphouse are modeled. In the case of fires or flooding in these areas, the entire room is modeled as lost; that is, the impact of a fire or flood in any one of these areas (ESW Pump Room A, ESW Pump Room B, Circulating/Service Water Pumphouse) has the same result, i.e., the loss of cooling water to the supported train.
Seismic and High Winds: The ESW system is both more seismically robust and more resistant to high winds than the SW system. However, with respect to the TS allowance to use a reliable power source to support one of the two safety-related trains when in Modes 5 and 6 (as described in the Bases for TS 3.8.2 and TS 3.8.10), the use of the SW system to support one safety related train of the RHR system and the CRACS is essentially identical from a risk perspective for seismic and high wind events. For high winds, the failure probability of offsite power ranges from 0.1 to 0.7 for F1 wind speeds (73-112 mph using the Fujita Scale) and the failure probability of the SW system ranges from 0.05 to 0.5 over the same range. At F2 wind speeds and above (112 mph and up using the Fujita Scale) both offsite power and the SW system failure probabilities are at or near 1, i.e., they are assumed to be failed. For seismic, the median capacities of the SW system and the offsite power system differ by only 0.06g. This translates to the SW system and reliable offsite power source being well correlated, with only marginal differences in their failure rates due to external hazards.
Audit Letter Question Responses Question 1:
Discuss the expected duration of one train of ESW outage. Discuss why an ESW outage must take place during reduced inventory conditions as opposed to periods of greater coolant inventory consistent with industry guidance. Additional justification would be needed for no duration limits or for unusually long duration limits (no justification was provided in the LAR).
Response
As previously provided in response to SCPB Audit Question 1 (on page 9 of this attachment), Callaway does not schedule pre-planned windows to be in reduced inventory conditions while an ESW outage is ongoing; that is, the planned durations discussed below for the ESW system and reduced inventory conditions are not pre-planned to overlap. For context, "reduced inventory conditions," as used in this to ULNRC-06825 Page 19 of 23 response, is meant to refer generically to those conditions where either TS 3.4.8, "RCS Loops - MODE 5, Loops Not Filled," or TS 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level," would apply, i.e., for TS 3.4.8, the Loops Not Filled conditions where the RCS level has been lowered to the top of the RCS hot leg or lower, the Steam Generator U tubes have been drained, or when the RCS is not capable of being placed in an intact condition to support natural circulation cooling, and for TS 3.9.6, when RCS water level is less than 23 feet above the top of the reactor vessel flange.
The refuel level indications corresponding to these levels can be as low as or lower than 29" and up to 110" for TS 3.4.8 (depending on RCS conditions) and 376" and lower for TS 3.9.6. This clarification is necessary as "reduced inventory conditions" is typically defined as RCS level lower than three feet below the reactor vessel flange, which corresponds to the 64" level for refuel level indication at Callaway. This arrangement is defined within OTN-BB-00002 Addendum 6, "Draining the RCS to Limited Inventory or Reduced Inventory - IPTE."
In the past four refueling outages and in the current refueling outage in 2023, the planned duration for having one ESW train out of service has ranged from 3 to 16 days (during periods when only one RHR train is required). The planned duration for reduced inventory conditions during these same refueling outages has ranged from about 1.25 to 4.5 days, with approximately 3 days being the normal duration for reduced inventory conditions. Planned emergency DG work during these same refueling outages has been scheduled for a range of 4.5 to 18 days, with one outlier in scheduling for approximately 0.5 days.
Unlike periods of reduced inventory, emergency DG work is typically scheduled to overlap with the ESW work for the same train.
Historically, Callaway has ensured both trains of ESW are available during reduced inventory conditions, with one exception. This exception was between May 13, 2022, and May 17, 2022, and was the topic of the non-cited violation referenced in the subject LAR. This exception was due to the discovery of a condition during the B ESW planned maintenance outage that caused the outage to extend beyond its pre-planned window and into the period of reduced inventory conditions.
In Modes 5 and 6, the site has an unlimited duration for having one DG out of service in accordance with TS 3.8.2, "AC Sources - Shutdown." The site's position is that a similar duration for use of SW system is appropriate. This is due in part to the assumptions of the transient and hazard analysis essentially applying identically to either configuration, where nonsafety-related offsite power supports one RHR train or the similar configuration where SW supports one RHR train, and in part due to similarities in risk impact for external events for these configurations (as previously described in the "PRA Perspectives on External Hazards" section on page 18 of this attachment).
The SW system is highly reliable. In the past 23 years Callaway has not had to down-power the unit or take a unit trip due to challenges with the system. At power, two SW pumps are in constant operation to support station needs with a third pump in standby with an automatic starting capability upon shutoff of one of the two operating pumps. When the plant is offline and turbine building loads have been secured, one SW pump is sufficient to support the remaining plant and safety system loads. This would leave two pumps in standby, with the capability of being started in the event of trouble with the operating pump.
In the shutdown risk assessments performed per the current APA-ZZ-00315 Appendix E, "Configuration Risk Management Program - Shutdown," the SW system and the second train of the ESW system are largely considered to be equivalent with respect to the functions these systems can perform during to ULNRC-06825 Page 20 of 23 shutdown conditions. That is, when a second train of cooling water is required, either the ESW system or the SW system can supply this cooling water and provide the system availability required for defense in depth by the NUMARC 91-06 shutdown risk management program.
Question 2:
Describe the compensatory measures to protect the nonsafety-related SWS and its support systems (such as nonsafety-related AC power) from internal hazards such as internal fires, internal floods, and operator error, which can occur due to maintenance during shutdown.
Response
The SW Pumps and their support systems are protected when required via the Shutdown Safety Plan developed in accordance with APA-ZZ-00315 Appendix E, "Configuration Risk Management Program -
Shutdown." The physical protection includes barriers, signs, and ribbon in accordance with APA-ZZ-00315 Appendix C, "Risk Management Actions," and ODP-ZZ-00002 Appendix 1, "Protected Equipment Program." The SW system protection from fire/flooding/hot work/other hazards/etc. is through a combination of physical design, engineering controls, and administrative processes. The buses at the Circulating/Service Water Pumphouse are located in their own room within the pumphouse. This room and the pumps are located 4 to 5 feet above grade. The buses in the turbine building that feed out to the Circulating/Service Water Pumphouse are located at the 2033' elevation, and there are large sections of grating nearby which would allow water to drain to ground level (2000') and run out of the building or be collected in sumps. All of these areas are protected from fire, large combustible sources, and hot work, via administrative processes dictated in APA-ZZ-00700, "Fire Protection Program"; APA-ZZ-00701, "Control of Fire Protection Impairments"; APA-ZZ-00741, "Control of Combustible Materials";
and APA-ZZ-00742, "Control of Ignition Sources." The Circulating/Service Water Pumphouse is a commercial grade building. Commercial grade buildings at Callaway are provided with commercial grade fire protection systems, e.g., walls, doors, floors meet fire ratings required by building code and commercial grade fire protection/detection is provided. The Circulating/Service Water Pumphouse is provided with smoke detectors that will alarm to the Control Room, but it has no automatic suppression capabilities installed.
When protected, manipulations of the SW system or its support systems should not be necessary and are generally prohibited by administrative controls in ODP-ZZ-00002 Appendix 1, "Protected Equipment Program." Control room manipulations require peer checks per ODP-ZZ-00001, "Operations Department-Code of Conduct," and all Operator manipulations are required to be conducted based upon some form of written instructions e.g., procedure, Job task, log taking instructions, worker protection placement orders. When establishing the boundaries for protected equipment a walk down of the area is performed to identify any degradations, abnormalities, or temporary items (e.g., power, lighting, scaffold, transient combustibles) that could impact equipment functionality. The area is subsequently walked down during operations rounds each shift to ensure the postings remain established, that there is no work ongoing in the area, and that there remains nothing in the area that would interfere with the functioning of the equipment.
to ULNRC-06825 Page 21 of 23 Anytime the SW system is used to support RHR when required for either TS 3.4.8 or TS 3.9.6, APA-ZZ-00315, Appendix C, "Risk Management Actions," requires that the system and its support systems are protected in a manner as described above. APA-ZZ-00315, Appendix C is part of the overall APA-ZZ-315, "Risk Management Programs," procedure scheme, which is built in part on the guidance of NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management." Based on the above, risk management actions are commensurate with protections provided for the ESW system when relied upon to support RHR functions. Therefore, no additional risk management actions are proposed for the SW system when utilized in support of RHR or CRACS under TS 3.4.8, TS 3.9.6, or TS 3.7.11.
Question 3:
Describe what compensatory measures will be taken if severe weather is predicted since the nonsafety-related SWS and its support systems are not protected against high winds and other external hazards.
Response
Generally, Operations takes actions per off-normal procedure OTO-ZZ-00012, "Severe Weather," which is applicable both when at power and during plant shut down conditions. Actions dictated therein include ensuring safety train doors are closed, equipment hatch is closed, securing any switchyard work, securing overhead cranes, and stopping surveillances that could impact available safety train equipment. The severe weather procedure is entered upon tornado or severe thunderstorm watches or warnings, or high wind warnings (sustained wind in excess of 40 mph or gusting winds greater than 58 mph), for Callaway County, where the Callaway Plant resides.
For the containment equipment hatch and containment equipment hatch missile shield, their closure is dictated by APA-ZZ-00750, "Hazard Barrier Program," Attachment 4, and is estimated to take approximately 30 minutes. The procedure sets a weather monitoring distance for each missile shield and equipment hatch to be closed based upon an assumed storm translation speed of 70 mph. For the containment equipment hatch and missile shield, this ties to a weather monitoring distance of 40 miles.
Other actions listed within the procedure have weather monitoring distances of up to 105 miles.
Security and Operations both perform weather monitoring actions under APA-ZZ-00750 and OTO-ZZ-00012 using diverse forecasting and weather reporting means. The containment equipment hatch is closed using MTM-SM-00001, "Containment Equipment Hatch Operation for Temporary Opening and Closing," and using a temporarily staged diesel generator, so that hatch closure can be completed without emergency or offsite power available.
The actions taken per OTO-ZZ-00012 protect, to the extent possible, the power supplies for the SW system and the offsite power connections that feed them. Otherwise, there are no specific actions that would directly provide additional defense-in-depth for the SW system itself that are not already being taken per the protected equipment program and the severe weather response process.
to ULNRC-06825 Page 22 of 23 Question 4:
Accumulator injection is listed by the licensee as a defense-in-depth makeup method for adding water to the RCS in response to prior audit questions 7 and 14. Given the nitrogen cover gas in the accumulator, please discuss the results of analysis to show that, for the configuration proposed in the LAR, the entrainment of nitrogen in the RCS does not impact RCS level instrumentation, RHR function in decay heat removal mode, or mitigation of a loss or interruption of RHR, especially during a reduced inventory condition.
Response
Callaway's shutdown safety plan ensures that prior to entering a reduced inventory state, a single SI accumulator is available with a volume of 6200 gallons and nitrogen cover pressure of 50 psig. During a postulated loss of DHR, if no means of pumped injection is available, the accumulator can be manually injected to restore core inventory. This is considered a defense in depth measure only taken to restore core inventory once other core cooling and inventory replacement strategies have failed.
With respect to DHR, prior to entering a reduced inventory condition, RCS vent paths are established precluding RCS pressurization. If the relatively small volume of injected nitrogen collects in the steam generator U-tubes, it could inhibit natural circulation and primary-to-secondary heat transfer. However, for the postulated scenario, primary-to-secondary heat transfer is already precluded by the reduced inventory condition. The other likely nitrogen collection point would be the upper head. Nitrogen in this location would be vented through the open reactor head vents. In addition, if nitrogen were to accumulate in the head, it would not prevent restoration of pumped injection if available from the RHR system or another source.
With respect to level indication, two independent means of level indication are available to the control room operators with diverse reference legs (pressurizer and containment atmosphere). In the unlikely event that nitrogen impacts one of the indications, the operator would observe a mismatch in the indications and investigate. It should be noted, however, that an error in RCS level indication at this stage of the event would not impact measures taken to restore DHR capabilities. Additionally, these level indications are only used during shutdown conditions and do not drive any actions when the plant is at power.
Procedure OTN-BB-00002 Addendum 6, "Draining the RCS to Limited Inventory or Reduced Inventory -
IPTE," describes the drain down process, OTN-BB-00001, "Reactor Coolant System - IPTE," describes the Vacuum Fill process, and OTN-BB-00007, "Dynamic Fill and Vent of the RCS," describes the dynamic fill and vent process. Effectively, the draining process involves creating a mismatch between the RCS charging flow and RCS letdown flow and draining the excess volume to either the Reactor Coolant Drain Tank or to the RWST. The filling process involves either drawing a vacuum on the reactor vessel head or venting the reactor vessel head and creating the inverse mismatch between RCS charging flow and RCS letdown flow to fill rather than drain volume. The filling processes recognize the possibility for entrainment of gases within the system and describe means to identify, diagnose, and mitigate these possibilities. In alignment with the procedures described above, if a loss of RHR occurred during the vacuum filling operations, the site would break vacuum on the RCS. Doing so creates additional margin to the time to boil and time to core uncovery calculated for these evolutions and provides additional time to restore RHR or provide supplemental means of cooling the RCS.
to ULNRC-06825 Page 23 of 23 Additional Clarification/Information Based upon discussions held during the audit, the following clarifying information is provided.
Specifically, it should be noted that during each refueling outage, the time to boil and time to core uncovery are calculated for all planned plant conditions. The most limiting times to boil are seen at the beginning of the refueling outage when decay heat is at a maximum. Based on historical data, outside of vacuum filling operations, the most limiting times to boil and times to core uncovery are seen during the initial drain-down to allow for reactor head removal, which occurs prior to the refueling operations
("hot core" conditions). When vacuum filling operations are in progress, if there is a loss of the DHR function, breaking vacuum restores the time to boil and time to core uncovery to values well above the time for containment closure and above the times seen during initial drain down at the start of a refueling outage. It is not the site's intent to utilize the SW system to support one of the RHR trains in-lieu of having an operable ESW train for mid-loop operations during the "hot core" period. The intent is to allow the capability to utilize the SW system in support of one of the two TS 3.4.8-required RHR trains when not in mid-loop conditions or following the refueling period of the outage, when the core is considered a "cold core." The TS changes proposed per this LAR supplement reflect this intent.