IR 05000305-05-0011(DRP); on 04/15/2005 - 08/25/2005; Kewaunee Power Station; Flood Protection Measures

ML052800430
Person / Time
Site:	Indian Point, Kewaunee
Issue date:	10/06/2005
From:	Satorius M Division Reactor Projects III
To:	Christian D Dominion Energy Kewaunee
References
EA-05-176 IR-05-011
Download: ML052800430 (27)
v • d • e

Text

October 6, 2005

SUBJECT:

NRC INSPECTION REPORT 05000305/2005011(DRP)

PRELIMINARY GREATER THAN GREEN FINDING KEWAUNEE POWER STATION

Dear Mr. Christian:

On September 6, 2005, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at your Kewaunee Power Station (KPS). The results of this inspection were discussed on September 6, 2005, with Mr. Michael Gaffney and other members of your staff.

The inspection examined activities conducted under your license as they relate to safety and compliance with the Commissions rules and regulations and with the conditions of your license.

The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel.

This report documents one finding that appears to have substantial to high safety significance.

As described in Section 1R06 of this report, this NRC-identified finding involves the potential impact from turbine building flooding scenarios on multiple safety related equipment trains that are used to reach and maintain safe shutdown of KPS. Specifically, the KPS design may not have been adequate to prevent the loss of safety function for the auxiliary feedwater (AFW)

system, 480 and 4160 volt electrical buses, and the emergency diesel generators (EDGs).

This finding was assessed based on the best available information, including influential assumptions, using the Reactor Safety Significance Determination Process (SDP) and was preliminarily determined to be a Greater than Green Finding. The final resolution of this finding will convey the increment in the importance to safety by assigning the corresponding color (i.e., (White) a finding with some increased importance to safety, which may require additional NRC inspection; (Yellow) a finding with substantial importance to safety that will result in additional NRC inspection and potentially other NRC action; or (Red) a finding of high importance to safety that will result in increased NRC inspection and other NRC action). The finding appears to have substantial to high safety significance because the likelihood of core damage increased significantly due to a potential loss of decay heat removal and electrical power needed to ensure the plant could be safely shutdown and maintained shutdown for design and license basis events. This finding did present an immediate safety concern in that the inadequate flood protection could have resulted in the loss of multiple trains of safety equipment during certain scenarios. The safety concerns associated with this finding were resolved by the completion of extensive system and structural modifications.

The finding is also an apparent violation of NRC requirements and is being considered for escalated enforcement action in accordance with the NRC Enforcement Policy. The current Enforcement Policy is on the NRC website at:

http://www.nrc.gov/what-we-do/regulatory/enforcement/enforce-pol.html.

The attached report contains the basis for the staffs preliminary significance determination for this finding. The staff reviewed your preliminary risk analysis and identified what appears to be both conservative and non-conservative assumptions in the analysis. Before the NRC makes a final decision on this matter, we are providing you an opportunity to participate in a Regulatory Conference where you would be able to provide your perspectives on the significance of the finding and the basis for your position. In a telephone conversation with Mr. Tom Kozak of my staff on September, 13, 2005, Mr. Mike Gaffney of your staff requested that a Regulatory Conference be held for this issue. Accordingly, we have scheduled the Regulatory Conference for 1:00 p.m., central standard time, on November 8, 2005, at the NRC Region III Office in Lisle, Illinois. We encourage you to submit your evaluation and any differences with the NRC evaluation on the docket at least 1 week prior to the conference in an effort to make the conference more efficient and effective. The Regulatory Conference will be open for public observation. The NRC will also issue a press release to announce the Regulatory Conference.

Since the NRC has not made a final determination in this matter, no Notice of Violation is being issued for the inspection finding at this time. In addition, please be advised that the characterization of the apparent violation described in this letter may change as a result of further NRC review.

In accordance with 10 CFR 2.390 of NRC "Rules of Practice," a copy of this letter and its enclosure will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of the NRC document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

/RA/

Mark A. Satorius, Director Division of Reactor Projects Docket No. 50-305 License No. DPR-43

Enclosure:

Inspection Report 05000305/2005011(DRP)

w/Attachment: Supplemental Information See Attached Distribution

DOCUMENT NAME:C:\\MyFiles\\Roger\\ML052800430.wpd G Publicly Available G Non-Publicly Available G Sensitive G Non-Sensitive

• See previous concurrence To receive a copy of this document, indicate in the concurrence box "C" = Copy without attach/encl "E" = Copy with attach/encl "N" = No copy OFFICE RIII:DRP,TSS RIII:ORA,EICS RIII:DRP NAME TKozak*:dtp KOBrien*

MSatorius DATE 09/15/05 09/23/05 09/28/05 OFFICIAL RECORD COPY

REGION III==

Docket No.:

50-305 License No.:

DPR-43 Report No.:

05000305/2005011(DRP)

Licensee:

Dominion Energy Kewaunee Inc.

Facility:

Kewaunee Power Station Location:

N 490 Highway 42 Kewaunee, WI 54216 Dates:

April 15 through September 6, 2005 Inspectors:

J. Lara, Chief, Engineering Branch 1 L. Kozak, Senior Reactor Analyst S. Burton, Senior Resident Inspector P. Higgins, Resident Inspector J. Giessner, Reactor Engineer, Region III C. Baron, Mechanical Engineering Consultant Approved By:

M. A. Satorius, Director Division of Reactor Projects

Enclosure

SUMMARY OF FINDINGS

IR 05000305/20050011(DRP); 04/15/2005 - 8/25/2005; Kewaunee Power Station; Flood

Protection Measures.

The inspection was a baseline inspection to address an internal flooding performance deficiency. In addition, part of the biennial review of permanent plant modifications and 10 CFR 50.59 evaluations was performed concurrently. The inspection was conducted by regional inspectors with mechanical consultant assistance. One finding was assessed as preliminarily being Greater Than

Green.

The significance of most findings is indicated by their color (Green, White, Yellow, Red) using Inspection Manual Chapter (IMC) 0609, Significance Determination Process. Findings for which the SDP does not apply may be Green, or may be assigned a severity level after NRC management review. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process," Revision 3, dated July 2000.

Inspection Findings

Cornerstone: Mitigating Systems

• To Be Determined. The inspectors identified a finding that was preliminarily determined to be of substantial to high safety significance because the licensee failed to provide adequate design control to ensure that Class I equipment was protected against damage from the rupture of a pipe or tank resulting in serious flooding or excessive steam release to the extent that the Class I equipments function is impaired.

Specifically, the design of Kewaunee Power Station (KPS) did not ensure that the auxiliary feedwater (AFW) pumps, the 480-volt (V) safeguards buses, the safe shutdown panel, emergency diesel generators (EDGs) 1A and 1B, and 4160-V safeguards buses 1-5 and 1-6 would be protected from random or seismically induced failures of non-Class I systems in the turbine building. The finding is also an apparent violation of 10 CFR Part 50, Appendix B, Criterion III, "Design Control," for not ensuring that the design of KPS prevented turbine building flooding from impacting multiple safety related equipment trains needed for safe shutdown of the plant. The inspectors determined that a primary cause of this finding was related to the cross-cutting area of Problem Identification and Resolution, because there was an earlier opportunity to discover and correct this issue based on the licensees 2003 experience when minor flooding from the turbine building had challenged safety equipment located adjacent to the turbine building basement.

The finding was more than minor because it impacted Mitigating Systems cornerstone attributes of design control (initial design and plant modifications) and protection against external factors (internal flood hazards and seismic events) and it impacted the Mitigating Systems cornerstone objective to ensure availability, reliability and capability of multiple trains of safety related equipment to respond to events to prevent core damage. A Significance Determination Process Phase 3 risk analysis determined that this finding was preliminarily of substantial to high safety significance. The licensee has taken significant corrective actions, including extensive system and structural modifications to address this issue. (Section 1R06)

REPORT DETAILS

REACTOR SAFETY

Cornerstone: Mitigating Systems

1R02 Evaluations of Changes, Tests, or Experiments

Review of Evaluations and Screenings for Changes, Tests, or Experiments

a. Inspection Scope

The inspectors reviewed one 10 CFR 50.59 evaluation and four screenings for changes, tests, and experiments. These documents were reviewed to ensure consistency with the requirements of 10 CFR 50.59. The inspectors used Nuclear Energy Institute (NEI) 96-07, Guidelines of 50.59 Evaluations, Revision 1, to determine acceptability of the completed evaluations and screenings. The NEI document was endorsed by the NRC in Regulatory Guide 1.187, "Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments," November 2000. The inspectors also consulted Inspection Manual, Part 9900, "10 CFR GUIDANCE: 50.59." Documents reviewed during the inspection are listed at the end of the report.

This review constituted five inspection samples.

b. Findings

No findings of significance were identified.

1R06 Flood Protection Measures

Review of Internal Flood Protection Measures

a. Inspection Scope

The inspectors walked down and reviewed piping configurations in the following internal flood zones, constituting one inspection procedure sample. Comparisons with the assumptions made in the plant internal flood analysis were also made.

• Zone 2B EDG 1A Room;

• Zone 5B 480-V Switchgear Buses 1-51 and 1-52;

• Zone 5B-2 1A AFW Pump Room;

• Zone 3B EDG 1B Room;

• Zone 5B-1 480-V Switchgear Buses 1-61 and 1-62; and

• Zone 5B-3 1B AFW Pump Room.

The inspectors evaluated internal flooding hazards in these areas and evaluated the flood protection features, such as area doors, door gaps, and room drains to determine whether the flood protection features were in satisfactory physical condition, unobstructed, and capable of providing adequate flood protection.

The inspectors also reviewed design basis documents and risk analyses to determine plant vulnerabilities and protective features for the areas inspected. In addition, the inspectors reviewed the past operability and detailed preliminary risk assessment completed by the licensee. The detailed assessment of past operability evaluated the different flooding scenarios that were part of the licensing basis, the actions operators would have taken to mitigate the event, and the impact to equipment based on various flood heights. Detailed models were created to assess the height of water over time in the different safety related rooms.

b. Findings

Potential Failure of Multiple Safety Related Trains During Internal Flooding Events

Introduction:

The inspectors identified a finding that was preliminarily determined to be of substantial to high safety significance because the licensee failed to provide adequate design control to ensure that Class I equipment was protected against damage from the rupture of a pipe or tank resulting in serious flooding or excessive steam release to the extent that the Class I equipments function is impaired. Specifically, the design of KPS did not ensure that the AFW pumps, the 480-V safeguards buses, the safe shutdown panel, EDGs 1A and 1B, and 4160-V safeguards buses 1-5 and 1-6 would be protected from random or seismically induced failures of non-Class I systems in the turbine building. The finding is also an apparent violation (AV) of 10 CFR Part 50, Appendix B, Criterion III, "Design Control," for not ensuring that the design of KPS prevented turbine building flooding from impacting multiple safety related equipment trains needed for safe shutdown of the plant. The inspectors determined that a primary cause of this finding was related to the cross-cutting area of Problem Identification and Resolution, because there was an earlier opportunity to discover and correct this issue based on the licensees 2003 experience when minor flooding from the turbine building had challenged safety equipment located adjacent to the turbine building basement. This issue has been previously discussed as an Unresolved Item (URI) in NRC Inspection Reports 05000305/2004009 and 05000305/2005002. This URI will be closed in this inspection report and an AV will be opened.

Discussion: KPS was designed with the following safety related equipment being located below ground level and immediately adjacent to the turbine building basement:

the AFW pumps, the 480-V safeguards buses, the safe shutdown panel, EDGs 1A and 1B, and 4160-V safeguards buses 1-5 and 1-6. The area containing this safety related equipment is referred to as safeguards alley. The equipment in safeguards alley is clearly designated with a Nuclear Safety Design Classification of Class I in KPS Updated Safety Analysis Report (USAR), Appendix B, Table B.2-1. Class I systems are defined, in part, as those structures and components whose failure might cause or increase the severity of a loss-of-coolant accident (LOCA), and those structures and components vital to safe shutdown and isolation of the reactor. In addition, USAR Section B.5 states, in part, that Class I items are to be protected against damage from the rupture of a pipe or tank resulting in serious flooding or excessive steam release to the extent that the Class I function is impaired. The turbine building contains several non-Class I systems which have a large supply of water and/or steam, including the circulating water, fire protection water, service water, feedwater, and main steam systems. Random or seismically induced failures of these systems could result in serious flooding in the turbine building.

Protection from internal flooding was discussed during the initial licensing of KPS. In a letter dated September 26, 1972, the Atomic Energy Commission requested the licensee to provide information on conditions such as flooding that might potentially adversely affect the performance of safety related equipment. In a letter dated October 31, 1972, the licensee responded, in part, as follows: It has been determined that consequences of failure of non-Class I systems could potentially adversely affect the performance of engineered safety systems. Specifically, the non-Class I items are the fire protection lines in the turbine building basement and the reactor makeup water and demineralized waterline in the auxiliary building basement. However, because of safety equipment redundancy and design arrangement, the functional purpose of the safety equipment would not be jeopardized in the event of failure of any of these lines.

While conducting IP 71111.06, Flood Protection Measures, on September 14, 2004, the inspectors determined that there was a direct piping connection from the turbine building sump to a trench in safeguards alley. The inspectors determined that there were no check valves located in the piping to prevent water spills in the turbine building basement from backing up into safeguards alley. This trench also received discharge flow from all of the AFW pump lube oil coolers. The inspectors also noted that there were no flood barriers installed that were specifically designed to protect equipment in safeguards alley from flooding in the turbine building basement nor were there seals on the doors leading to safeguards alley that could effectively prevent water from entering this area through the doors. Finally, the inspectors noted that if a large flood were to occur, the water would, in all likelihood, accumulate in safeguards alley due to limited paths available for the water to flow out of the area.

The inspectors identified a previous entry in the licensees Corrective Action Program (CAP 016375, dated May 10, 2003) regarding overflowing of the safeguards alley trench on May 9, 2003. At the time of the event, AFW pumps 1A and 1B were running with their respective lube oil coolers discharging directly to the trench. Apparent Cause Evaluation (ACE) 002299, written for CAP 016375, stated that at the time of this flooding event, the floculator in the turbine building basement overflowed and a significant amount of water entered the turbine building sump. The turbine building sump overflowed to the point where water no longer entered the sump and backed up into safeguards alley. The flow rate was calculated to be approximately 120 gpm. As a result of this flood, water slightly accumulated in safeguards alley and flowed into the turbine building basement from under the door barrier between safeguards alley and the turbine building. The CAP noted that this was a recurring problem that had not been adequately addressed. The prompt operability evaluation indicated that flooding had been eliminated by the use of temporary pumps and therefore there was no operability concern.

According to the licensee, the apparent cause for not addressing the flooding in a more proactive manner was the failure of the crew to realize that the water in the turbine building sump would prevent draining of water from safeguards alley. The extent of condition assessment did not address other flooding scenarios or flood flow rates. The extent of condition review for CAP 016375 focused on this specific case and determined that the instance was unique and had no generic implications. The potential for turbine building water to communicate with multiple, diverse trains of safety equipment was not identified or reviewed. No assessment of other licensing basis floods, which could be several orders of magnitude greater, was completed to assess the operators performance time and actions to ensure the safety related equipment needed to perform its safety function could perform that function.

Given the KPS configuration and previous minor flooding occurrences, the inspectors determined that random or seismically induced failures of non-Class I systems in the turbine building could potentially damage the equipment located in safeguards alley to the extent that the Class I function of this equipment could be impaired. During plant startup at the conclusion of the 2004 refueling outage, the inspectors asked the licensee to provide information regarding the operability of the AFW pumps, considering the potential sources of flooding in the turbine building basement and the impact of such flooding on the safety related equipment in safeguards alley, including the AFW pumps.

The licensee responded with a position paper stating that the consideration of flooding events in the turbine building basement and their potential impact on safety related equipment in safeguards alley were not within the plants licensing basis and were therefore not an operability or reportability concern. The position paper also stated that the condition should be reviewed and compensatory actions and/or modifications should be implemented that address this concern.

On January 7, 2005, CAP 24848 was issued and indicated that a PRA update revealed a potentially significant increase in risk from internal plant flooding, including flooding in the turbine building basement that could affect equipment in safeguards alley. On January 13, 2005, CAP 24957 was issued and indicated that compensatory actions had been established to mitigate the consequences of such flooding. These actions included the use of sandbags to protect equipment in safeguards alley from potential floods and assigning a dedicated person in safeguards alley to immediately open doors upon indication of flooding or notification by the control room that flooding was occurring.

These compensatory actions were intended to prevent water levels in safeguards alley from reaching levels that would impact safety related equipment. During the implementation of these compensatory actions by the licensee, the inspectors continuously questioned the effectiveness of such measures to protect safety related equipment from water levels that could be reached following the failure of large water pipes in the turbine building basement, including expansion joints on circulating water (CW) piping.

Numerous discussions were held between NRC inspectors/management and licensee representatives during inspections in January, February, and March to discuss the licensees position that internal flooding was not considered a part of the KPS licensing basis. The licensee subsequently reversed its previous position and acknowledged that internal flooding and the protection of safety related equipment from such flooding was included in the licensing basis. The licensee reported, in Event Notification 41496 on March 15, 2005, that the KPS design might not mitigate the consequences of piping system failures and, in Licensee Event Report (LER) 05000305/2005-004-00 on May 16, 2005, that safe shutdown was potentially challenged by unanalyzed flooding events and inadequate design. Additionally, the licensee reported in the LER that a complete internal plant flooding analysis was not developed during or subsequent to the plants original design.

Based on the licensee-reported potential for internal flooding to damage equipment necessary for safe shutdown, the NRC staff evaluated and provisionally rated the KPS event Level 2 (Incident) on the International Nuclear Event Scale (INES) and posted it on the Nuclear Events Web-based System (NEWS) as Plant Design for Flooding Events May Not Mitigate the Consequences of Piping System Failures.

The licensee entered a forced outage on February 19, 2005, to correct issues identified with the protective instrumentation for the Auxiliary Feedwater Pumps (see Inspection Report 05000305/2005010). On March 18, the licensee submitted a letter to the NRC describing actions that would be completed prior to unit re-start, which included addressing the turbine building flooding concerns. During the forced outage, extensive corrective actions, including facility modifications, were completed to ensure safety related equipment will be adequately protected against postulated failures of non-safety related piping systems, including high energy line breaks, random pipe failures, and seismically induced pipe failures. These corrective actions included:

1. Compilation of design and licensing bases for internal flooding to support current

and future flooding design,

2. Seismic qualification of selected piping and components, and

3. Design modifications to protect Class I plant SSCs as defined in the KPS USAR,

including:

a.

installation of check valves in selected floor drains b.

auxiliary feedwater pump lube oil cooler and drain flow path revisions c.

installation of circulating water pump trip on high turbine building basement water level d.

flood barriers at doors to safety related equipment rooms (safeguards alley)e.

enhanced supports for auxiliary feedwater pump steam supply piping The modifications performed to address the issue are evaluated in section 1R17.1 of this report. Prior to plant restart from the forced outage, NRC inspectors reviewed the licensees actions to ensure plant systems were operable and that the commitments in the March 18 letter were met. The inspectors determined that the licensee met all pre-restart commitments and that safety related equipment was operable (see Inspection Report No. 05000305/2005008).

Performance Deficiency: The licensee failed to meet requirements in 10 CFR Part 50, Appendix B, Criterion III, (Design Control) in that the licensee failed to adequately ensure that Class I equipment was protected against damage from the rupture of a pipe or tank resulting in serious flooding or excessive steam release to the extent that the Class I function is impaired. Specifically, the design of KPS did not ensure that the AFW pumps, the 480-V safeguards buses, the safe shutdown panel, EDGs 1A and 1B, and 4160-V safeguards buses 1-5 and 1-6 would be protected from random or seismically induced failures of non-Class I systems in the turbine building.

The failure to meet these requirements was within the licensees ability to foresee and correct. The licensee was specifically requested in a September 26, 1972, letter to address internal flooding vulnerabilities during initial licensing of the plant. The licensee reviewed this request and, although it was identified by the licensee that the consequences of the failure of non-Class I systems could potentially adversely affect the performance of engineered safety systems, the licensee determined that the functional purpose of the safety equipment would not be jeopardized in the event of failure of any of these systems. In addition, recurring problems with turbine building flooding were identified as late as May 2003 but were not adequately addressed by the licensee. The licensee had the opportunity to, but did not identify and correct the lack of flood barriers between non-safety related and safety related SSCs that could have resulted in a common mode failure of electrical and mechanical equipment during an internal flooding event. Finally, although clearly described in the USAR, the licensee incorrectly determined that flooding events in the turbine building basement and their potential impact on safety related equipment in safeguards alley were not within the plants licensing basis.

Due to the licensee failing to meet design control requirements and the cause being within the licensees ability to foresee and correct, the inspectors determined that the licensees inadequate design and design control to protect against damage to Class I equipment from internal flooding was a performance deficiency warranting a significance evaluation.

Old Design Issue Considerations: The NRC-identified performance deficiency was evaluated to determine if it met the criteria for an old design issue. NRC IMC 0305, "Operating Reactor Assessment Program," Section 04.07, defines an "Old Design Issue" as a finding that involved a past design-related problem in an engineering analysis or installation of plant equipment (e.g., a modification) that does not reflect a performance deficiency associated with an existing program or procedure. IMC 0305, Section 06.06(a) provides guidance for the treatment of Old Design Issues, and states that the NRC may refrain from considering safety significant findings if the Old Design Issue satisfies, in part, the following criteria: licensee identified and not likely to have been previously identified by on-going licensee efforts. However, in this case, a performance deficiency exists, and the issue with internal flooding impacting safety related trains was NRC-identified. Although the licensee had identified an issue with safeguards alley flooding from the turbine building in 2003, the event was self-revealing, a condition adverse to quality was not identified, and no long-term corrective actions were taken.

Therefore, because this design-related finding did not satisfy the above criteria, it is not considered to be an Old Design Issue and is being treated similar to any other inspection finding, in accordance with IMC 0305, Section 06.06(a). This guidance is consistent with Section VII.B.3 of the NRC Enforcement Policy.

Analysis:

The inspectors concluded that the finding was greater than minor in accordance with IMC 0612, Power Reactor Inspection Reports, Appendix B, Issue Screening. The finding impacted the Mitigating System cornerstone attributes of design control (initial design) and protection against external factors (internal flood hazards and seismic); and it impacted the objective of the Mitigating System cornerstone to ensure availability, reliability, and capability of multiple trains of safety related equipment to respond to events to prevent core damage. Since a turbine building flood could impact both trains of electrical buses (480-V and subsequently 4160-V) as well as impact all three AFW pumps, the mitigating system cornerstone was screened for impact to safety function. Since the failure to identify the potential common mode impact to safety related equipment from flooding resulted in a potential loss of function in certain flooding scenarios, the Seismic, Flooding and Severe Weather Screening Criteria of Attachment 1 to IMC 0609, Appendix A, Significance Determination of Reactor Inspection Findings for At-Power Situations was used to assess risk. Since the safety equipment assumed to fail would degrade multiple trains and cause a loss of safety functions, a Phase 3 significance determination process (SDP) analysis using plant specific information was performed.

Phase 3 Analysis The licensee performed a preliminary evaluation of the risk associated with the performance deficiency and estimated the change in core damage frequency (CDF) to represent a finding of substantial safety significance (Yellow). The licensees analysis considered turbine building flooding resulting from seismic events and from random pipe breaks in the circulating water, fire protection, service water, feedwater, and main steam systems. The RIII SRA and the inspectors reviewed the licensees evaluation and technical basis as a phase 3 SDP analysis. The NRCs review of the random flooding events and seismically induced flooding events are discussed in the following sections of this report.

Random Flooding Events The licensees analysis considered the following initiating events (pipe breaks) that could result in turbine building flooding and impact safety related equipment in safeguards alley:

1. Circulating Water System supply line

2. Circulating Water System return line

3. Service Water System line

4. Fire Protection System line

5. Feedwater or Condensate System line break that actuates all fire sprinklers (full

flow from fire pumps)

6. Feedwater or Condensate System line break that actuates a portion of the fire

protection sprinklers

7. Main Steam System line break that actuates all fire sprinklers

8. Main Steam System line break that actuates a portion of the fire protection

sprinklers The dominant contributor to the CDF is a circulating water inlet expansion joint failure which results in a 58,000 gpm flood rate. This flood rate precludes timely operator actions to prevent damage to equipment in safeguards alley and ultimately results in core damage. The second highest contributor to the CDF is a feedwater line break which actuates all of the fire sprinklers resulting in an additional flood source to the inventory released by the feedwater system. This event also precludes operator intervention to prevent damage to equipment and ultimately results in core damage.

For the other flooding events, the licensee has determined that sufficient time is available for operator intervention to isolate the flood source prior to equipment damage.

Key operator actions to isolate the flood source are considered for each initiating event.

The first key operator action is to isolate the flood source before the safety related 480-V motor control centers (MCCs) 51/52 and 61/62 are affected. If this action is successful, then safety related equipment remains available and the event would proceed similar to a loss of main feedwater event. If the action is unsuccessful, both trains of safety related 480-V power are failed as the flood levels adversely affect the operation. The consequence of this is the failure of the motor driven AFW pumps, battery chargers, charging pumps, component cooling water pumps, and the high pressure recirculation function. Failure of these buses will also result in an reactor coolant pump (RCP) seal LOCA event due to the lack of seal cooling.

If the operator action to isolate the flood source before the 480-V MCCs are affected and subsequently fail, the second key operator action is to isolate the flood source before the turbine driven auxiliary feedwater (TDAFW) pump fails. The critical flood height at which the TDAFW pump fails is higher than the critical flood height at which the 480-V MCCs fail and as a result some additional time is available for operators to isolate the flood source. If this action is successful, then the TDAFW pump will be available for eight to nine hours before the batteries fail due to the lack of a battery charger. The loss of the battery charger is critical since operators rely on steam generator level indication to maintain a heat sink. The loss of the battery would affect the operators ability to monitor steam generator level to prevent overfeeding the steam generator which would result in water entering the steam suction of the TDAFW pump resulting in failure of the pump.

The licensee has an alternate battery charger which can be connected to provide power to the safety related batteries. Failure to connect the alternate battery charger within eight hours is assumed to result in the failure of the turbine driven AFW pump. These sequences are assumed to result in core damage.

Seismic Flooding Events The licensees evaluation of the risk due to seismically induced floods considered all of the same flood sources as random floods but also included flooding due to sudden catastrophic failure of the condensate storage tanks (CSTs). The analysis also considered the fact that multiple pipe breaks in multiple systems could occur due to the seismic event. The dominant sequence involved the failure of the CSTs, in which no opportunity for intervention by the operator is possible. The event leads directly to core damage. The next highest contributors to the seismic CDF are sequences involving seismic damage such that flooding occurs from multiple sources, particularly the service water and fire protection water systems that were determined to have the lowest seismic fragilities, but also from the feedwater and circulating water systems. Many of these scenarios also do not credit any possible operator intervention and lead directly to core damage.

NRC Assessment of Licensees Evaluation The licensee essentially evaluated this issue by establishing an initiating event frequency for random and seismically induced flooding events, estimating the water level that would result from these events and whether or not that would result in equipment damage (critical flood height), and determining the likelihood that operators would be successful in identifying and isolating the flood source prior to equipment damage (including human error probabilities (HEPs)). In reviewing the licensees evaluation, the NRC identified the following potentially non-conservative inputs which, if evaluated differently, could result in a higher CDF:

• The initiating event frequencies for main steam system and feedwater system line breaks may be non-conservative. The licensee used data and information from a November 1991 EG&G study titled Component External Leakage and Rupture Frequency Estimates to determine the frequency of pipe ruptures for the main steam and feedwater systems. Then the licensee applied a factor of ten reduction to the frequency citing improved implementation of flow accelerated corrosion (FAC) programs since the time of the study. The application of this factor is still under NRC review to determine if it is appropriate.

• The critical flood height of the 480-V MCCs 51/52 and 61/62 is uncertain and potentially non-conservative. The licensee determined the critical flood height for the 480-V MCCs to be 6 inches. This corresponds to the height at which the water level will begin to cover the stabs on the lower breakers. At a flood height as low as 2 inches, breaker contacts will begin to be wetted. The licensee has determined that breaker control power may be lost prior to water level reaching the 6 inch level but that the entire bus will not be affected until the 6 inch level is reached. The critical flood height is used to determine the time available to operators to stop the flood source before equipment is damaged. Therefore, if the actual critical flood height is lower than the licensee assumed, then less time is available for operator action, and human error probabilities would be higher.

• The HEPs for the operator failing to isolate the flood source for fire protection, feedwater, and main steam system line breaks are optimistic. For this action, an operator is required to travel through the area that is flooding (turbine building and safeguards alley) to the screen house to close the discharge valves on the operating fire pumps to stop flow to the fire sprinklers. There is no specific procedure guidance to perform this action other than a generalized alarm response procedure to investigate the perceived fire. The licensee has estimated that to investigate the alarm and take the action will take between 17 and 23 minutes (actual time depends on the flood that is occurring). In some flood scenarios, only 26 minutes is estimated to be available to perform this action before damage to equipment occurs. If these actions are feasible, an estimate of the HEP using the NRCs SPAR-H method would produce higher values than used by the licensee, as these would be actions requiring diagnosis under stressful conditions with limited or no procedural guidance, and with a small time margin between the time available and the time required.

• The assumptions for all of the HEPs for detection and isolation of the flood source are that detection of the problem is immediate and there is essentially no delay to dispatching an operator to investigate. The cue for the detection of the flood are the annunciator response procedures for the turbine building sump alarm and the fire system actuation response. For many of the flood events, multiple alarms will be occurring in the control room and operators will be entering emergency procedures since the reactor will also be tripped due to the loss of feedwater. Therefore, dispatching of the operator to investigate the turbine building sump alarm may be delayed by several minutes. If the time estimates for operator action to isolate the flood are increased, the HEPs for these actions will also increase.

• The assumptions regarding the ability to connect an alternate battery charger to the safety related battery are optimistic. The licensee has spare non-safety related battery chargers at the plant that can be connected to the safety related batteries to extend the life of the batteries. The licensee estimates that it will take five to six hours to perform this action. Approximately half of that time is for the determination of the need for the alternate charger and half of the time is for the actual connection. The action would require connection to a spare welding receptacle in the turbine building. The procedural guidance for this action is poor and does not include the location of the spare welding receptacles that would have to be determined during an ongoing event. The licensee used the NRCs SPAR-H method to determine a HEP for this action and was estimated at 0.2.

This evaluation assumes that for the diagnosis portion of the HEP, extra time is available. Based on inspection of this issue, the NRC believes that the time to determine how to connect the battery charger is longer than the licensee estimated. If this is factored into the HEP estimate, the HEP would likely double.

Licensee Conservatisms The licensee developed a list of conservatisms in the analysis that if evaluated further could decrease the estimated CDF; however, these conservatisms have not been quantified. The staff reviewed the licensees list and agreed that several of the issues represent conservative assumptions. The assumptions discussed below are conservatisms that the staff believes could decrease the estimated CDF if they were quantified.

• The dynamic flood analysis shows that water level rises at different rates in different areas; however, the equipment was assumed to be failed at time zero if it would ultimately be affected by the flood. For example, although the licensee assumed that MCCs 51/52 and 61/62 failed at the same time, buses 61/62 would actually fail sometime after buses 51/52, allowing time for equipment on buses 61/62 to operate and allowing additional time for operator intervention.

• A static flood analysis was used to determine the time to failure of the 480-V buses. If the dynamic analysis was used, the time to bus failure increases by 15 percent or more, which would allow additional time for operator action.

• Fire pump failure coincident with 480-V bus failure was not assumed, even though the fire pumps would be deprived of motive power since they are fed from buses 51 and 61. When the fire pumps stop running, the flood level stops increasing, allowing more time for operator intervention before 4160-V bus failure.

• For feedwater line breaks, it was assumed that the entire hotwell inventory of 80,000 gallons would be pumped onto the turbine building floor. However, the feedwater pumps would likely be tripped resulting in a smaller volume of water and more time for operator intervention.

• The seismic flood analysis only considered the plant configuration in which the 6 inch curb that existed in the EDG 1B room was removed. The curb that existed would have protected bus 6 from flooding for a longer period of time. The curb was removed in late 2004. The random flood analysis does consider both plant configurations - with the curb and without the curb. Due to resource limitations, the licensee did not perform the seismic analysis for both cases.

• No consideration of dewatering either the turbine building or safeguards alley was evaluated.

• The ability of operators to maintain steam generator water levels following a loss of DC power was not considered. DC power is assumed to fail after eight to nine hours if the alternate battery charger is not connected to the safeguards battery.

If this action fails, core damage is assumed. However, the battery is necessary only to provide steam generator water level indication to ensure that operators do not overfill the steam generators which would result in the loss of the TDAFW pump. Although not considered, there is some likelihood that operators would maintain proper steam generator levels even without level indication.

In addition to the conservatisms presented by the licensee, the Region III senior reactor analysts (SRAs) determined that the licensees analysis for both random and seismic floods did not determine the baseline risk and so a true delta CDF was not estimated.

Many of the severe floods evaluated, particularly the seismically induced floods, would present some risk with todays plant configuration in which there is no performance deficiency (i.e., the safety related equipment is protected from the design basis flood).

The baseline risk is expected to be lower than the risk with the performance deficiency but it may not be negligible compared to the risk calculated with the performance deficiency.

Conclusion: Given the potential non-conservative assumptions in the licensees analysis, particularly with operator actions, the best estimate for the change in CDF due to the finding may be greater than that estimated by the licensee. On the other hand, consideration of the unquantified conservative assumptions in the licensees analysis could result in a lower estimate for the change in core damage frequency than that estimated by the licensee. Therefore, pending further refinement of the risk estimate, including additional review and quantification of the uncertainties in the analysis, the finding is preliminarily determined to be Greater than Green and appears to have substantial to high safety significance.

The inspectors, also determined that a primary cause of this finding was related to the cross-cutting area of Problem Identification and Resolution, because there was an earlier opportunity to discover and correct this issue based on the licensees 2003 experience when minor flooding from the turbine building had challenged safeguard alley.

Enforcement:

10 CFR Part 50, Appendix B, Criterion III, "Design Control," requires, in part, that measures be established to assure that the design basis for safety related functions of structures, systems, and components are correctly translated into specifications, drawings, procedures, and instructions. Further, Criterion III requires that the design control measures shall provide for verifying or checking the adequacy of designs. Contrary to the above, NRC inspectors identified that the licensee failed to adequately implement design control measures to adequately ensure that Class I items were protected against damage from the rupture of a pipe or tank resulting in serious flooding or excessive steam release to the extent that the Class I function is impaired.

Specifically, the design of KPS did not ensure that the AFW pumps, the 480-V safeguards buses, the safe shutdown panel, EDGs 1A and 1B, and 4160-V safeguards buses 1-5 and 1-6 would be protected from random or seismically induced failures of non-Class I systems in the turbine building. Pending final determination of the safety significance, this finding is considered an apparent violation of NRC requirements (AV 05000305/2005011-01). Corrective actions to address this issue included extensive plant modifications that were completed during this time period and are evaluated below.

1R17 Permanent Plant Modifications

.1 Modifications for Flood Protection-Turbine Building

a. Inspection Scope

The inspectors reviewed four modifications associated with flood protection in the turbine building. These modifications included the construction of multiple flood barriers between the turbine building, safeguards alley, and the auxiliary building; modification of the turbine building/safeguards alley drain line to prevent communication between the areas; and rerouting of discharge flow lines from the AFW pumps. Also, a design change was completed to create an automatic trip circuit for the CW pumps based on turbine building sump level. The inspectors also reviewed design change descriptions and details, associated calculations and flooding scenario assumptions, and performed walkdowns of components. In addition, reviews were conducted of new post-maintenance testing procedures and acceptance criteria. Several tests were observed and discussion with site personnel was conducted. Finally, training was observed and training materials were reviewed by the inspectors to ensure the information was accurate and cogent. A brief description of the design changes follows.

DCR 3578, Flood Barriers; DCR 3571, Install Floor Sweeps and Weather Stripping on Doors 4, 6, 14, 16 and 401; and DCR 3592, Install Flood Barrier at Door 8; were designed to provide protection for flooding by installing barriers that are capable of mitigating floods as high as 30 inches. Analysis was reviewed and operator action was validated to ensure that for all credible design flooding scenarios, the postulated flood heights were less than the provided barriers for the various doors. In addition, the inspectors reviewed modifications that were performed that enhanced to door sealing capabilities for various doors. The licensee indicated they would submit to the NRC the flooding design and licensing basis.

DCR 3570, Install Check Valves in Floor Drains From Cardox Room, Safeguards Alley, and Bus 1 and 2 Rooms; was designed to provide check valves in drain lines between the turbine building and safeguards alley, and between the turbine building and Cardox rooms. The licensee provided information that the check valves would withstand a seismic event and that the valves would be periodically tested. In addition, sump pumps with non-safety related battery power supplies were installed in the safeguards alley to provide additional flood protection.

DCR 3577, Change AFW Pump Lubricating Oil Coolers and Bearing Oil Coolers Drain Flow Path; addressed the fact that a portion of the AFW pumps discharge flow was diverted through the pump lubricating oil coolers and the turbine driven pumps bearing oil coolers to the trench in safeguards alley, and ultimately to the turbine building sump.

To eliminate the potential for this water to contribute to the flooding of safeguards alley, modification DCR 3577 re-routed the cooler discharge piping to drain funnels in the turbine building.

DCR 3581, Circulating Water Pump Internal Flooding Trip; was designed to provide an automatic trip of the CW pumps during a turbine building flood based on turbine building water level. Three level detectors were designed having diverse safety related power supplies with diverse trip logic to ensure spurious trips would not occur. The circuitry was designed so that a CW pump trip would occur when two of three signals were present. Although the automatic trip of the CW pumps was not credited as occurring for terminating an internal flooding event, a control room alarm and new procedures were in place to ensure that the CW pump would be secured by operators promptly to keep flood levels below the barriers. The procedures used were validated by the site and training was provided.

This review constituted four inspection samples.

b. Findings

No findings of significance were identified.

OTHER ACTIVITIES (OA)

4OA2 Problem Identification and Resolution (PI&R)

.1 Review of Condition Reports

a. Inspection Scope

The inspectors reviewed a sample of condition reports associated with modifications and 10 CFR 50.59 evaluations. The inspectors focused on system or components used to mitigate internal flooding events.

b. Findings

No findings of significance were noted.

4OA3 Event Followup

.1 (Closed) LER 05000305/2005-002-00 Auxiliary Feedwater Pumps Assumed To Fail

From Postulated Loss Of Primary Water Source - Safe Shutdown And Accident Analysis Assumptions Not Assured - Inadequate Design Of Pump Protective Equipment.

This LER has been described in detail in IR 05000305/2005010 and the final significance determination of White for the finding associated with this issue was forwarded in IR 05000305/2005014. This LER is closed.

.2 (Closed) LER 05000305/2005-004-00 Safe Shutdown Potentially Challenged By

Unanalyzed Internal Flooding Events and Inadequate Design.

This LER has been described in detail in Section 1R06 of this report. An apparent violation that was preliminarily determined to be of substantial to high safety significance was identified. This LER is closed.

4OA4 Cross-Cutting Aspects of Findings

A finding described in Section 1R06 of this report had as a primary cause the cross-cutting area of Problem Identification and Resolution, because there was an earlier opportunity to discover and correct this issue based on the licensees 2003 experience when minor flooding from the turbine building had challenged safeguards alley. In May of 2003, a self-revealing internal flooding event caused the turbine building sump to overflow into safeguards alley, an area containing safety related equipment.

Although no actual loss of function occurred at that time, the potential impact to safety related equipment was not identified, evaluated, or corrected especially in the light of potential flooding scenarios several orders of magnitude greater than what occurred.

Evaluation of the flooding scenarios would have indicated that licensing basis flooding events in the turbine building could impact both trains of safety related electrical power on the 480-V and 4160-V buses; and could impact all three AFW pumps.

4OA5 Other

The inspectors reviewed items discussed in previous inspection reports to determine if further regulatory action was required to be taken.

.1 (Closed) Unresolved Item URI 05000305/2004009-03:

Potential vulnerability of safety related equipment to flooding in the Turbine Building Basement. This issue is reviewed in Section 1R06 of this report. An apparent violation that was preliminarily determined to be of substantial to high safety significance was identified.

4OA6 Meetings, Including Exits

Exit Meeting The inspectors presented the inspection results to Mr. Michael Gaffney, and other members of licensee management on September 6, 2005. The licensee acknowledged the findings presented.

The inspectors asked the licensee whether any materials examined during the inspection should be considered proprietary. Proprietary information was reviewed during the inspection, as documented in the list of documents. The inspectors confirmed that the proprietary material had been returned and discussed the likely content of the inspection report. The licensee did not indicate any potential conflicts with information presented.

4OA7 Licensee-Identified Violations

None.

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee

M. Gaffney, Site Vice-President

L. Hartz, Recovery Director

K. Hoops, Site Director

K. Davison, Plant Manager

J. Ruttar, Operations Manager

J. Stafford, Assistant Operations Manager

L. Armstrong, Engineering Director

P. Phelps, Design Engineering Manager

T. Hanna, Flooding Issue Manager

W. Hunt, Maintenance Manager

J. Holly, Safety Analysis Engineer

E. Coen, Risk Engineer

A. Perez, Design Mechanical Engineering, Supervisor

B. Prebeck, EQ Engineer

LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED

Opened

AV

05000305/2005011-01 Failure of Multiple Safety Related Trains During Internal Flooding Events (EA 05-176)

Opened and Closed

None.

Closed

LER

05000305/2005-002-00 Auxiliary Feedwater Pumps Assumed to Fail from Postulated Loss Of Primary Water Source - Safe Shutdown And Accident Analysis Assumptions Not Assured - Inadequate Design Of Pump Protective Equipment LER

05000305/2005-004-00 Safe Shutdown Potentially Challenged By Unanalyzed Internal Flooding Events and Inadequate Design URI

05000305/2004009-03 Potential Failure of Multiple Safety Related Trains During Internal Flooding Events

Discussed

None.

LIST OF DOCUMENTS REVIEWED