05000483/LER-2010-001

1. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):

The Emergency Core Cooling System (EGGS) at Callaway consists of three separate subsystems: centrifugal charging (high head) [EllS system: BQ], safety injection (SI) (intermediate head) [EllS system: BQ], and residual heat removal (RHR) (low head) [EllS system: BP]. Each subsystem consists of two redundant, 100% capacity trains. Both trains (each with all three subsystems) are required to be operable in MODES 1, 2, and 3.

The ECCS flow paths consist of piping, valves [EllS component: V], heat exchangers [EllS component: HX], and pumps [EllS component: P] such that water from the Refueling Water Storage Tank (RWST) [EllS system: CB, component: TK] can be injected into the Reactor Coolant System (RCS) [EllS system: AB] following a loss of coolant accident (LOCA). The major components of each subsystem are the centrifugal charging pumps (for the high-head ECCS function) [EllS system: BQ, component: P], the RHR pumps (for the low-head ECCS function) [EllS system: BP, component: P], heat exchangers, and the SI pumps (for the intermediate-head ECCS function) [EllS system: BQ, component: P]. Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow required to mitigate the accident consequences. This interconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the required 100% flow to the core.

Technical Specification (T/S) 3.5.2 specifies ECCS requirements for MODES 1, 2, and 3; T/S 3.5.3 specifies ECCS requirements for MODE 4. In MODE 4, only one ECCS train is required to be operable. The required ECCS train for MODE 4 consists of two subsystems: centrifugal charging (high head) and residual heat removal (RHR) (low head). Per the wording of the Bases for T/S 3.5.3, "During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the four cold leg injection nozzles [EllS system: AB, component: NZL].

2. INITIAL PLANT CONDITIONS:

The discrepancy between the applicable plant procedure and the required MODE 4 ECCS injection capability described in the Bases for T/S 3.5.3 was discovered while the plant was in MODE 1 at 100% power. The issue was then documented in the Callaway Plant corrective action program. It was determined that within the last three years, this adverse condition occurred when the plant was in MODE 4 during the last two (2) refueling outages, i.e., when cooling down for Refuel Outage 15, in 2007 and Refuel Outage 16, in 2008, and when heating up for normal operations after Refuel Outages 15 and16. The timeframes during Refuel Outages 15 and16 when the plant was in MODE 4 are in the table below. There have been no other outages subsequent to Refuel 16 when the plant has entered MODE 4 up to the time of discovery of this condition.

MODE 4 Entry� MODE 4 Exit� Duration 4/2/07 3:01� 4/2/07 6:05� 3:04Refuel 15 � 4/4/07 11:26 � 4/5/07 18:05� 30:39 10/11/08 4:18� 10/11/08 9:43� 5:25Refuel 16 � 11/3/08 15:22� 11/4/08 18:17� 26:55 3.� EVENT DESCRIPTION:

On January 22, 2010, Nuclear Oversight identified an adverse condition pertaining to MODE 4 ECCS procedural guidance. Specifically, off normal procedure OTO-BB-00010, SHUTDOWN LOCA, did not instruct operators to align the RHR cross-tie valves (EJHV8716A/B) [EllS system: BP, component: V] to supply flow to each of the four (4) RCS cold leg injection nozzles in the event of a LOCA.

Callaway Technical Specifications require one train of ECCS to be OPERABLE in MODE 4. A note provided in T/S 3.5.3 states, "An RHR subsystem may be considered OPERABLE during alignment and operation for decay heat removal, if capable of being manually realigned to the ECCS mode of operation." In addition, the Bases for T/S 3.5.3 state, "During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the four cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to deliver its flow to the RCS hot and cold legs.

During plant shutdown, when the plant enters MODE 4 (with the reactor subcritical and T-ave between 200° F and 350° F), one RHR train is typically aligned in the shutdown cooling mode to facilitate RCS cooldown. In this alignment, the RHR pump and heat exchanger are aligned to take suction from the RCS and return cooled flow to the RCS. Due to industry-identified concerns about the potential effects of a loss of RCS subcooling, the RHR shutdown cooling loop is isolated such that heat-up of the suction side is avoided by closing the cross-connect valves between the two trains. (The cross-connect valves are maintained open during MODES 1, 2, and 3 to support ECCS requirements for those modes during which both trains of ECCS are required per T/S 3.5.2, "EGGS — Operating.") Thus, after MODE 4 is entered, one RHR train is typically placed in a shutdown cooling alignment while the other train is in an ECCS standby alignment. The latter is typically credited to meet the RHR ECCS requirement of T/S 3.5.3. However, the RHR train in its shutdown cooling mode may alternately be credited to meet the one-train RHR ECCS requirement as long as the train is capable of being manually realigned (below the appropriate temperature limit) to the ECCS mode per the Note in T/S 3.5.3 as mentioned above.

Various plant procedures prescribe system alignments for meeting requirements of the many operating conditions the plant may encounter. These include normal, off normal and emergency operating procedures. Off normal procedure OTO-BB-00010, issued on October 10, 2008, was intended to provide specific guidance for responding to a leak or break in the RCS during MODE 4. As such, it includes guidance for alignment of the ECCS to provide sufficient injection to mitigate such a condition, starting from a normal MODE 4 operating alignment (including having one RHR train in the shutdown cooling mode). However, as confirmed at the time of the discovery of the identified discrepancy between the procedure and the Bases for T/S 3.5.3, the procedure did not provide specific guidance for plant operator actions that would ensure RHR injection into the RCS via all four cold leg nozzles in the event of a LOCA. In particular, it did not include a step for opening (or ensuring the opening) of the cross-tie valves (EJHV8716A/B) so that the discharge of a single RHR pump could be aligned to all four cold legs for ECCS injection.

Although plant operators would still have had the ability to manually open the RHR cross-tie valves during a LOCA in MODE 4, there was no explicit procedural guidance to do so by OTO- BB-00010, Rev 0.

0 Without such guidance, it must be concluded that the low-head ECCS injection capability required by T/S 3.5.3 for mitigation of a LOCA in MODE 4 could not be met.

The discrepancy between the plant procedure (OTO-BB-00010) and the T/S 3.5.3 Bases prompted further review and confirmation of the plant's licensing basis with respect to the accident analysis for a LOCA in MODE 4. This led to identification of a licensing topical report that is not properly documented in the FSAR but which is consistent with the T/S 3.5.3 Bases and is an underlying document for industry guidance on which OTO-BB-00010 was supposed to be based. The topical report provides a generic analysis for LOCA mitigation in MODE 4, and has been confirmed to be applicable to Callaway. Included in the topical report are assumptions regarding the size of the pipe break assumed for a MODE 4 LOCA, required ECCS flows, and operator response times for when the ECCS pumps are started after the onset of the LOCA.

Review of OTO-BB-00010 against the assumptions of the topical report revealed that in addition to the four-nozzle injection flow issue, the assumed time for manually starting the RHR pump was not supported by OTO-BB-00010.

4.A ASSESSMENT OF SAFETY CONSEQUENCES:

Due to the stable conditions associated with operation in MODE 4 and the low probability of a large-break LOCA (LBLOCA) during this mode, only the ECCS capability required per T/S 3.5.3 is needed to mitigate the consequences of a LOCA in MODE 4, for which only a small-break LOCA (SBLOCA) is required to be postulated. There is no plant specific analysis described in the Callaway Final Safety Analysis Report (FSAR) for a SBLOCA in MODE 4. However, as explained above, further review of the discrepancy between the plant procedure for MODE 4 LOCA mitigation (OTO-BB-00010) and the T/S 3.5.3 Bases led to identification of the licensing topical report that describes Callaway's accident analysis for the MODE 4 LOCA, including key assumptions and limitations.

As it appeared that some of the assumptions, such as the time assumed for initiation of RHR flow, were too restrictive or required further clarification, an evaluation from the vendor that prepared the noted topical report was requested. The evaluation confirmed that low-head (RHR) injection capability via either four cold-leg nozzles or two cold-leg nozzles is sufficient for SBLOCA mitigation in MODE 4, coupled with the capability of the high-head pump (CCP) which is aligned to all four cold legs via the boron injection header. The evaluation also extended the assumed time for starting the RHR pump and clarified important assumptions such as the subcritical decay time that elapses between reactor shut down (subcritical) and when MODE 4 is entered.

Based on the accident evaluation confirmed and clarified by the above, it is concluded that the inadequate procedure guidance provided in OTO-BB-00010 was not a significant safety issue.

That is, the absence of written procedural guidance to align low-head pump discharge flow to all four cold-leg injection nozzles has been reviewed and concluded to have low nuclear safety significance based on the following reasons:

1) As noted above, additional evaluation has confirmed that injection capability from the low-head pump (RHR) via two cold-leg nozzles is sufficient for SBLOCA mitigation in MODE 4, coupled with the capability of the high-head pump (CCP) which is aligned to all four cold legs via the boron injection header.

2) The additional evaluation also analytically demonstrated that MODE 4 LOCA mitigation is achieved with assumed times for starting the high-head and low-head ECCS pumps that were capable of being met by Callaway's OTO-BB-00010 procedure (despite its noted inadequacy).

3) In MODE 4, all ECCS subsystems are typically available during plant shutdown because they would all have been required to be operable when the plant was in MODES 1, 2, and 3 (and they would remain available as the plant transitions into MODE 4 as part of the plant shutdown). They are also available in MODE 4 during plant startup as the plant is about to enter MODE 3 when the subsystems must be made operable for entry into that mode. During the periods in Refuel Outages 15 and 16 when the plant transitioned into MODE 4, high-head and intermediate-head ECCS pump functionality was available and credited in the shutdown risk assessments.

4) Notwithstanding the requirements of T/S 3.5.3, the written procedural guidance available to plant operators provided direction to utilize all available ECCS (high-head, intermediate-head, and low-head, as needed) for mitigation of a LOCA in MODE 4.

5.�REPORTING REQUIREMENTS:

This LER is submitted pursuant to 10CFR50.73(a)(2)(i)(B) as a condition prohibited by the Technical Specifications. OTO-BB-00010 Rev 0 did not provide adequate guidance for ensuring the capability of the low-head ECCS subsystem (RHR) to be aligned for injection in the manner required by T/S 3.5.3, i.e., for injection into the RCS via all four cold leg nozzles as described in the Bases for T/S 3.5.3.

This LER is also submitted pursuant to 10CFR50.73(a)(2)(v)(D) as an event or condition that could have prevented fulfillment of a safety function because of a procedural deficiency. OTO­ BB-00010 did not contain sufficient procedural guidance to ensure proper or prompt lineup of the RHR subsystem for its required ECCS function in MODE 4. Without specific procedural guidance, it is conservatively concluded that fulfillment of the required low-head ECCS function could have been prevented.

6.� CAUSE OF THE EVENT:

This event was evaluated using a seven-step root cause analysis process. The Root Cause Team concluded that there was a single Root Cause with one Causal Factor.

The Root Cause Team determined the Causal Factor for this event to be inadequate written instructions for implementing the low-head ECCS injection capability required by T/S 3.5.3 for MODE 4 LOCA mitigation. From a historical review performed for this event, it was identified that in response to LER 85-027 (See Section 8), several evaluations were completed to address RHR alignment during all modes of operation. The evaluations contained inadequate detail and flawed conclusions. One evaluation addressing cooldown flows within the RHR system in MODE 4 had an accompanying letter from a vendor stating that the evaluated flows were adequate. This letter was misinterpreted, however, when it was subsequently used for another evaluation to justify adequate flows for two-nozzle injection using a single RHR pump for mitigation of a postulated SBLOCA in MODE 4. This second evaluation became the basis for Callaway's MODE 4 analysis.

During the Improved Technical Specifications (ITS) initiative to standardize T/Ss, the Bases for T/S 3.5.3 was modified to include the statement, "During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the four cold leg injection nozzles.

For the one RHR subsystem required to be operable per T/S 3.5.3, the provisions of T/S 3.5.3 permit either RHR subsystem to be credited, whether it is the train aligned in the shutdown cooling mode or the other train typically aligned in its standby ECCS mode, as long as the credited train can be realigned to the injection mode required by the T/S. However, because of industry-identified concerns about the potential adverse effects from heat-up of the RHR train used for shutdown cooling, it became practice to maintain the cross-connect valves closed between the two trains (in MODE 4), notwithstanding the ITS Bases wording requiring injection capability via four cold leg nozzles and the provision for realigning to the required configuration.

(The heat-up concerns for an RHR train in the shutdown cooling mode also resulted in temperature limitations being imposed on such a train before it can be aligned for ECCS injection.) All of these concerns should have been considered or reconciled in the existing implementing procedure, OTO-BB-00003, REACTOR COOLANT EXCESSIVE LEAKAGE.

An Abnormal Response Guideline (ARG) was developed by the industry and described generic actions to be taken in the event of a LOCA. From this process OTO-BB-00010 was created using a rule-based template (the applicable ARG) which was fundamentally based on a licensing topical report intended for use by licensees. The impact of basing the procedure on the topical report was not assessed, thus resulting in a flawed procedure. Multiple contributors for failing to recognize the importance and provisions of the topical report have now been identified, including no Emergency Operating Procedure (EOP) Committee review of OTO-BB­ 00010, and the fact that the topical report was withdrawn from NRC review and removed as a reference from Callaway's FSAR.

An error precursor relevant to the event is complacency or overconfidence. The process utilized for creating OTO-BB-00010 did not incorporate an adequate level of review that would have required input from the Safety Analysis group at Callaway, in terms of ensuring compliance with the topical report. The new procedure was viewed to be merely an expansion of the existing ARG procedure model and the OTO-BB-00003 procedure. The Root Cause Team determined the Root Cause to be the failure to recognize that the topical report supported the applicable safety analysis for T/S 3.5.3 and that the MODE 4 LOCA mitigation capability required by LCO 3.5.3 was not fully implemented within site procedures.

7. CORRECTIVE ACTIONS:

A site-specific MODE 4 LOCA flow evaluation (based on the noted topical report as clarified by the noted evaluation) for confirming the applicable ECCS requirements was developed as the Corrective Action to Prevent Recurrence (CATPR). Implementation of this CATPR includes revision of OTO-BB-00010, the FSAR, and the T/S Bases for T/S 3.5.3.

8. PREVIOUS SIMILAR EVENTS:

On May 30, 1985, Callaway Plant LER 85-027-01 reported a violation of Technical Specification 3.5.2 while in MODE 1 and at 100% power. During the performance of a surveillance to verify Residual Heat Removal (RHR) pump 'A' operability, two of the four Reactor Coolant System Cold leg injection pathways were isolated. The plant Safety Analysis assumed four (4) leg injection from RHR.