05000483/LER-2017-002

Revision as of 00:44, 3 March 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
LER-2017-002, Inadequate Protection from Tornado Missiles Identified Due to Nonconforming Design
Callaway Plant Unit 1
Event date: 08-15-2017
Report date: 10-13-2017
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor

10 CFR 50.73(a)(2)(vii)(A), Common Cause Inoperability

10 CFR 50.73(a)(2)(ix)(A)

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
4832017002R00 - NRC Website

LER 17-002-00 for Callaway Plant, Unit 1, Regarding Inadequate Protection from Tornado Missiles Identified Due to Nonconforming Design
ML17285A630
Person / Time
Site: Callaway
Issue date: 10/13/2017
From: Cox B L
Ameren Missouri, Union Electric Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
ULNRC-06392 LER 17-002-00


comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to NEOB-10202. (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

Callaway Plant Unit 1 05000-483 - 00 2017

1. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):

The Callaway Plant auxiliary feedwater system (AFS) [EIIS Code: BA] has two motor-driven auxiliary feedwater pumps (MDAFPs) [EIIS Code: P] and one turbine-driven auxiliary feedwater pump (TDAFP) [EIIS Code: P] which supply a flow of auxiliary feedwater to the steam generators during normal, safe shutdown, or accident conditions. During operation of the MDAFPs and TDAFP, the pumps' suction may be aligned to the safety-related essential service water (ESW) system or to the non-safety related condensate storage tank (CST) [EIIS Code: TK] or hardened CST (HCST). Automatically controlled valves that are located in the AFS lines downstream of the MDAFPs and TDAFP maintain steam generator levels by providing sufficient flow to replace the water that is converted to steam during decay heat removal without allowing steam generator levels to increase beyond design limits. To prevent damage to the MDAFPs and TDAFP, a minimum flow through the pumps must be maintained. The recirculation lines for the MDAFPs and TDAFP are designed to ensure that the minimum flow requirements for the pumps are maintained by returning a portion of discharge flow from each pump back to the CST.

The Callaway Plant main steam supply system (MSSS) [EIIS Code: SB] functions to convey steam generated in the steam generators to the turbine-generator system and auxiliary systems for power generation. The main steam line from each steam generator is protected from overpressure by five main steam safety valves (MSSVs) [EIIS Code: RV], which open and close automatically to relieve pressure by releasing steam to the atmosphere when pressure exceeds the setpoint value. In addition, one power-operated atmospheric steam dump valve (ASD) [EIIS Code: RV] is installed in each main steam line, which may be opened and closed automatically or manually to release steam as needed to remove residual heat during reactor shutdown and cooldown. Steam flow from each MSSV and ASD is conveyed to the atmosphere through vent stacks. For the ASDs, the vent stacks incorporate silencers for noise reduction.

The Callaway Plant emergency diesel generator (DG) fuel oil storage and transfer system (EDEFSTS) [EIIS Code: DE] provides onsite storage and transfer of fuel oil to the DG engines [EIIS Code: ED]. For each of the two DGs, a transfer pump [EIIS Code: P] transfers fuel oil from the DG's fuel oil storage tank to its associated day tank [EIIS Code: TK]. In order to prevent a loss of suction head for the diesel fuel oil transfer pumps, both diesel fuel oil storage tanks and both day tanks are provided with vents [EIIS Code: VTV].

The design of each of these systems is subject to 10 CFR 50 Appendix A, General Design Criterion (GDC) 2, which states in part that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The following safety design bases are identified in the Callaway FSAR and ensure compliance with GDC 2.

  • FSAR 10.4.9.1.1 states in part, "The AFS is protected from the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, and external missiles."
  • FSAR 10.3.1.1 states in part, "The safety-related portion of the MSSS is protected from the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, and external missiles."
  • FSAR 9.5.4.1.1 states in part, "The EDEFSTS is protected from the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, and external missiles."

2. INITIAL PLANT CONDITIONS:

At the time of each identified condition (beginning on August 15, 2017), the plant was in Mode 1 at 100% power. No inoperability of structures, systems, or components (SSCs) at the start of each event contributed to the condition identified for each event.

3. EVENT DESCRIPTION:

On August 15, 2017, during the evaluation of protection for safety-related equipment from the damaging effects of tornados (i.e., tornado-generated missiles), Callaway Plant personnel identified an unanalyzed condition related to the recirculation lines for the auxiliary feedwater pumps. The recirculation lines penetrate the tornado missile resistant Auxiliary Building below grade level and are routed underground to the CST valve house, where they connect to the CST.

The CST and CST valve house are not designed to be resistant to tornado missiles, and therefore, the portion of recirculation lines within the CST valve house is not protected from damage from tornado missiles. The recirculation lines may be sheared or experience a pipe break without resulting in an adverse impact to the MDAFPs or TDAFP; however, crimping of the recirculation lines to the extent that flow rates are restricted below the minimum requirements would result in damage to the affected pumps, potentially rendering them incapable of performing their safety function. There is currently no analysis demonstrating that if a tornado missile were to strike the recirculation lines, they would still be able to provide sufficient flow to prevent damage to the MDAFPs or TDAFP. This tornado missile vulnerability for the portion of the recirculation lines located within the valve house has existed since the plant was originally designed and constructed.

At 1209 Central Daylight Time (CDT) on August 15, 2017, the Train A and B MDAFPs and the TDAFP were declared inoperable due to tornado missile vulnerability. Under Technical Specification (TS) Limiting Condition for Operation LCO 3.7.5, "Auxiliary Feedwater (AFW) System," Callaway Plant entered Condition C (for one AFS train inoperable for reasons other than ESW or steam supply source inoperable), Condition D (for two AFS trains inoperable), and Condition E (for three AFS trains inoperable). At 1222 CDT, initial compensatory measures for providing additional protection or minimizing plant vulnerability to tornado-driven missiles, such that the likelihood of adverse tornado missile effects was lessened, were confirmed to be in place. These measures included verification that applicable guidance in unit threat procedures, emergent issues response procedures, severe weather procedures, abnormal and emergency operating procedures, and FLEX procedures were in place and that training, as applicable, was current for those procedures.

Measures were also taken to establish a heightened level of station awareness and preparedness relative to the identified tornado missile vulnerability. In accordance with the enforcement discretion provisions of NRC Enforcement Guidance Memorandum (EGM) 15-002, "Enforcement Discretion for Tornado-Generated Missile Protection Noncompliance," the Train A and B MDAFPs and the TDAFP were declared Operable but nonconforming, and TS LCO 3.7.5 Conditions C, D, and E were exited at 1225 CDT. In addition, at 1407 EDT, an 8-hour, non-emergency report to the Nuclear Regulatory Commission (NRC) was made in accordance with 10 CFR 50.72 (per Event Notification No. 52905). The initial compensatory measures were followed up with a comprehensive compensatory measure that was implemented within 60 days, in accordance with the EGM.

Subsequent to identification of the tornado missile vulnerability for the auxiliary feedwater pump recirculation lines on August 15, 2017, continued extent-of-condition investigation led to the identification of additional tornado missile vulnerabilities (in which the design for the affected SSC(s) is not in conformance with GDC-2). On August 31, 2017, it was identified that the exposed MSSV and ASD steam exhaust stacks are vulnerable to tornado missile damage. The MSSVs and ASDs were thus declared inoperable at 1240 CDT on August 31, 2017. For the MSSVs, under TS 3.7.1, "Main Steam Safety Valves (MSSVs)," Condition A (for one or more steam generators with one MSSV inoperable and the Moderator Temperature Coefficient (MTC) zero or negative at all power levels), Condition B (for one or more steam generators with two or more MSSVs inoperable), and Condition C (for one or more steam generators with greater than or equal to 4 MSSVs inoperable) were entered. Likewise, for the ASDs, under TS 3.7.4, "Atmospheric Steam Dump Valves (ASDs)," Condition A (for one required ASD line inoperable for reasons other than excessive ASD seat leakage), Condition B (for two required ASD lines inoperable for reasons other than excessive ASD seat leakage), and Condition C (for three or more required ASD lines inoperable for reasons other than excessive ASD seat leakage) were entered (also at 1240 CDT).

Initial compensatory measures were promptly completed to address these nonconformances, and in accordance with the EGM 15-002 guidance, the MSSVs and ASDs were declared Operable (but nonconforming) such that all of the Conditions that had been entered under TS 3.7.1 and TS 3.7.4 for the identified nonconformances were able to be exited at 1322 on August 31, 2017. Follow-up, 60-day comprehensive measures were also completed in accordance with the EGM guidance.

On September 21, 2017, the DG fuel oil storage and day tank vents were identified to be vulnerable to tornado missile damage (in noncompliance with GDC 2). In response, Operations declared both diesel generators inoperable, and under TS 3.8.1, "AC Sources - Operating," Condition B (for one DG inoperable) and Condition E (for two DGs inoperable) were entered at 1249. These Conditions were subsequently exited at 1258 that same day, once the appropriate, initial compensatory measures were completed, in accordance with EGM 15-002. These actions were followed up with completion of comprehensive actions within 60 days, also in accordance with the EGM.

4. ASSESSMENT OF SAFETY CONSEQUENCES:

During a postulated design basis tornado, the conditions documented could have resulted in a loss of safety function for the AFS, main steam supply system and the DGs. The affected structures, systems and components are used to achieve safe shutdown, remove decay heat, and mitigate the effects of postulated design-basis accidents.

However, as documented in EGM 15-002, tornado missile scenarios that may lead to core damage are very low probability events because safety-related SSCs are typically designed to withstand effects of tornados. For a tornado missile-induced scenario to occur, a tornado would have to strike the site and result in the generation of missiles that would hit and fail vulnerable, unprotected safety-related equipment and/or unprotected safety-related subcomponents in a manner that is non-repairable and non-recoverable. In addition, because plants are designed with redundancy and diversity, the tornado missiles would have to affect multiple trains of safety systems and/or means of achieving safe shutdown.

The NRC has completed a generic risk analysis of potential tornado missile protection noncompliances to examine the risk significance of these scenarios. This assessment documents a conservative, bounding-type analysis of the risk significance for plant facilities. The generic analysis assumed that if a tornado were to strike a plant located in the most active tornado region in the country, it would cause a tornado-generated missile to fail all emergency core cooling equipment at the plant with no ability to recover, resulting in core damage. Given this conservative assumption, the staff's study established that the core damage frequency (CDF) associated with tornado missile-related noncompliances is well below the CDF threshold requiring immediate regulatory action.

In summary, the generic bounding risk analysis performed by the NRC concluded that this issue is of low risk significance.

5. REPORTING REQUIREMENTS:

This LER is submitted pursuant to:

  • 10 CFR 50.73(a)(2)(v)(A), -(B) and -(D) as a condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, or mitigate the consequences of an accident;
  • 10 CFR 50.73(a)(2)(vii)(A), -(B) and -(D) as an event where a single cause or condition caused at least one independent train or channel to become inoperable in multiple systems or two independent trains or channels to become inoperable in a single system designed to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, or mitigate the consequences of an accident;
  • 10 CFR 50.73(a)(2)(ix)(A)(1), -(2) and -(4) as a condition that as a result of a single cause could have prevented the fulfillment of a safety function for two or more trains or channels in different systems that are needed to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, or mitigate the consequences of an accident.

6. CAUSE OF THE EVENT:

The condition is an original plant design legacy issue. Preliminary evaluation has determined that the condition resulted from the lack of a clear understanding of the applicable regulatory guidance, resulting in inadequate consideration of tornado missile protection requirements, during the plant's design and licensing phases.

7. CORRECTIVE ACTIONS:

Initial compensatory measures and subsequent comprehensive compensatory measures were implemented in accordance with the guidance of EGM 15-002 for each identified nonconforming condition. Long-term permanent resolution for each of the identified conditions will involve one or more of the following actions:

  • The performance of additional analyses to more precisely analyze the impact of a tornado missile strike(s) on the vulnerable component, in order to further determine the degree to which a loss of function would occur.
  • A license amendment request (LAR) for obtaining NRC approval of a permanent change to the licensing basis.

One approach to the LAR being considered is use of the Tornado Missile Risk Evaluator (TMRE) methodology that has been developed by the industry for evaluation of tornado missile protection/vulnerability.

8. PREVIOUS SIMILAR EVENTS:

In 2014, during an NRC-conducted Problem Identification and Resolution inspection at the Callaway Plant, a "green" non-cited violation of 10 CFR 50, Appendix B, Criterion III, "Design Control," was identified for Callaway due to failure to verify the adequacy of the design of the turbine-driven auxiliary feedwater pump exhaust stack for withstanding the effects of natural phenomena, specifically, a tornado-generated missile. For this condition, the auxiliary feedwater system was determined to be Operable but nonconforming. Long-term resolution of the condition is tied to the long-term effort for resolving the conditions identified in this LER.