Part 21 Report - 1997-600
ACCESSION #: 9508080294
LICENSEE EVENT REPORT (LER)
FACILITY NAME: TURKEY POINT UNITS 3 AND 4 PAGE: 1 OF 23
DOCKET NUMBER: 05000250
TITLE: DESIGN DEFECT IN SAFEGUARDS BUS SEQUENCER TEST LOGIC
PLACES BOTH UNITS OUTSIDE THE DESIGN BASIS
EVENT DATE: 11/03/94 LER #: 94-005-02 REPORT DATE: 07/17/95
OTHER FACILITIES INVOLVED: TURKEY POINT UNIT 4 DOCKET NO: 05000251
OPERATING MODE: 1/5 POWER LEVEL: 100/0
THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR
SECTION:
10 CFR 50.73(a)(2)(ii), (a)(2)(v), (a)(2)(vii), 10 CFR 21
LICENSEE CONTACT FOR THIS LER:
NAME: C. L. Mowrey, Licensing OEF Engineer/Analyst TELEPHONE: (305) 246-6204
COMPONENT FAILURE DESCRIPTION:
CAUSE: B SYSTEM: JE COMPONENT: 34 MANUFACTURER: A160
REPORTABLE NPRDS: Y
SUPPLEMENTAL REPORT EXPECTED: NO
ABSTRACT:
On November 3, 1994, Turkey Point Unit 3 was in Mode 1 at 100% power, and
Unit 4 was in Mode 5 during a refueling outage. During the Unit 4
Integrated Safeguards Test, the 3A sequencer failed to respond to the
Unit 4 Safety Injection signal. A defect was found in the sequencer
software logic which, for a limited period of time, could inhibit any or
all of the four sequencers from responding to specific valid signals. The
defect only affects the sequencers during manual or automatic testing.
The sequencers were installed in late 1991.
Monthly manual testing of the sequencer has been resumed. Front panel
visual examinations are being performed every 8 hours, and internal
visual examinations are being performed every 24 hours. A permanent
repair to the software logic is being evaluated. Independent consultants
performed an assessment of the existing sequencer design, software
design, and the Validation and Verification process. Two other
conditions were discovered, one involving Containment Spray (CS) pump
autostart, and one involving the 480 Volt Load Center feeder breaker
autoclosure. Both were determined to have minimal safety significance.
The CS system and the 480 Volt Load Centers remain operable.
END OF ABSTRACT
Supplement 2 of this LER reports on (1) the original test logic defect
discovered last November, and reported in the original LER; (2) the
Containment Spray Autostart issue discovered in January as part of the
design review described in corrective action #9, and reported in
Supplement #1; and (3) an additional condition involving 480 Volt Load
Center feeder breaker autoclosure, discovered in June while preparing the
software modifications to fix the earlier two issues. Where applicable,
each major section of the LER contains subsections appropriate to each of
the three issues listed.
I. DESCRIPTION OF THE EVENT
I.a ORIGINAL TEST LOGIC DEFECT
On November 3, 1994, Turkey Point Unit 3 was operating in Mode 1 at 100%
power, and Unit 4 was in Mode 5 during a refueling outage. During the
Unit 4 Integrated Safeguards Test, a failure of the 3A sequencer [JE:34]
to respond to the opposite unit's Safety Injection (SI) signal occurred.
Troubleshooting resulted in the discovery of a defect in the sequencer
software logic which, under certain conditions, could inhibit the
sequencer from responding to a valid emergency signal. The defect
manifested itself in the failure of the 3A High Head Safety Injection
(HHSI) pump [BQ:p] to start. Turkey Point has four HHSI pumps; one per
train, per unit. Each HHSI pump is capable of providing 50 percent of
system requirements, therefore two of the four are required to mitigate
the consequences of accidents analyzed in the Updated Final Safety
Analysis Report (UFSAR). In order to meet single failure criteria, each
sequencer signals its associated HHSI pump to start, and the opposite
unit's sequencers signal their associated HHSI pumps to start. For
example, an SI signal on Unit 3, Train A, signals the 3A sequencer and
both of the Unit 4 sequencers. With no equipment failures, all four HHSI
pumps will respond to an SI signal on either unit.
The software logic defect is limited to the test function, but the defect
is common to all four sequencers (one sequencer per train, per unit). The
design intent of the sequencers is such that should a "real" emergency
signal occur while the sequencer is being tested, the test signal clears,
allowing actuation of the Engineered Safety Features controlled by the
sequencer.
Because the sequencers would not have responded properly to an SI signal
as designed, Turkey Point Units 3 and 4 have been operating outside their
design basis. This condition was reported to the NRCOC at 1609 on
November 3, 1994, in accordance with 10CFR50.72(b)(ii)(B).
I.b CONTAINMENT SPRAY PUMP AUTOSTART ISSUE
The detailed review of the sequencer software, described in Corrective
Action #6, resulted in the discovery of one other error in the software,
which is independent of the test mode. A potential condition was
identified which, for a remote set of circumstances, would preclude the
automatic start of the Containment Spray (CS) pumps [BE:p]. The
condition identified occurs when the Hi-Hi Containment Pressure (HHCP)
signal is received by the sequencer during an approximate 60 millisecond
(ms) time window just prior to the end of sequencer load block 3 for Loss
of Coolant Accident (LOCA) or Loss of Offsite Power coincident with LOCA
(LOOP/LOCA) events. The sequencer is designed to autostart the CS pumps
11 to 13 seconds after an SI
signal (without LOOP) if the HHCP signal is present or at or after 44
seconds under conditions where the HHCP signal occurs more than 13
seconds after receipt of the SI signal. For a LOOP/LOCA, these times are
shifted by the bus stripping and Emergency Diesel Generator (EDG) [EK:dg]
start delay of approximately 16 seconds. Thus the 60 ms window occurs
12.886 to 12.945 seconds after receipt of a LOCA signal, or 28.886 to
28.945 seconds after receipt of a LOOP/LOCA signal.
Although Turkey Point is licensed to accommodate a LOCA with or without a
concurrent LOOP, the sequencer was designed to accommodate non-concurrent
LOOP/LOCA sequences as well. As a result, for certain non-concurrent
events, a Main Steam Line Break or a Small Break LOCA (but large enough
to cause a HHCP signal) can also create conditions under which this error
may manifest itself.
Automatic CS pump start actually involves two HHCP signals; one via the
sequencer logic as described above, and one directly from Engineered
Safety Features Actuation System (ESFAS) relay [JE:44]. Because of the
minimum pulse required to assure CS pump breaker [BE:bkr] closure, and a
potential relay race with a CS pump start permissive from ESFAS, the CS
pump breaker may not receive a close signal of sufficient duration to
assure breaker closure. The identified condition is unique to the start
of the CS pump because the CS pump start signal duration decreases as the
postulated receipt of a HHCP signal approaches the end of load block 3.
All other sequenced equipment receives a start pulse of fixed duration,
either 2 or 5 seconds. This condition was determined to be not
significant, in part because the manual start capability of the CS pump
is not affected (and is adequately proceduralized), and in part because
the probability of occurrence of the condition is lower than the
probability of a common-mode failure of both trains of containment spray.
The significance of the condition is discussed further in Section III.
I.c 480 VOLT LOAD CENTER FEEDER BREAKER AUTOCLOSURE CONDITION
During verification and validation of modifications associated with the
corrective actions for the original defect, an additional condition was
discovered wherein the 4.16 KV breakers [EA:52] which feed the safety-
related 480 Volt Load Centers [ED] may fail to automatically close during
certain unique events.
If an SI signal is received between 15.5 and 16 seconds after a LOOP, the
sequencer will provide a breaker close signal to the 4.16 KV breakers
which feed the 480 Volt Load Centers at the same time that a breaker
strip signal is present. This will result in the Load Centers not being
automatically reloaded onto the bus. The failure of the Load Centers to
automatically load can occur on all four sequencers if a simultaneous
undervoltage signal occurs for both units (complete LOOP) and signals
from both trains of SI are present.
When a LOOP event takes place, the sequencer initiates bus stripping
approximately 1 second after the undervoltage input. Approximately 8
seconds later the EDG output breaker closes. The first LOOP load block
is sequenced on at 16.5 seconds after the loss of offsite power. The
design intended that if an SI signal is received prior to 16 seconds
after the LOOP, the LOOP/LOCA loads are automatically sequenced on
without re-stripping the bus. If an SI signal is received after the EDG
output breaker is closed, then the LOOP loads are re-stripped from the
bus, the sequencer timers would reset and after a time delay, the
LOOP/LOCA loads would be sequenced on. The sequencer pulse to strip the
bus is 1 second in duration.
If the Load Center breakers receive a close pulse when a strip pulse is
present, the breaker control logic prevents the breaker from responding
to the close signal. This breaker control logic, commonly known as an
"anti-pumping" circuit, is designed as a protective feature for the
breaker. The breaker will not respond unless the strip and close signals
are both removed and the close pulse is reapplied. Since, under the
identified condition, the sequencer can provide a strip signal concurrent
with a close signal, followed by removal of the close signal (which is
not reapplied), the load center breakers would not automatically close.
This condition was determined to be one which alone could have prevented
the fulfillment of the safety function of a system needed to mitigate the
consequences of an accident. It was reported to the NRCOC on June 19,
1995, in accordance with 10 CFR 50.72(b)(2)(iii).
I.d SEQUENCER DESIGN BASIS AND FUNCTIONAL REQUIREMENTS
Each of the four sequencers, 3C23A-1, 3C23B-1, 4C23A-1, and 4C23B-1, is
associated with a given train (3A, 3B, 4A, and 4B, respectively). They
are designated Class 1E, Seismic Category I, since their operation is
required for safe shutdown of the reactor in the event of a LOOP and to
mitigate the consequences of a design basis accident.
The sequencers are Programmable Logic Controller (PLC)-based cabinets
using a PLC for bus stripping and load logic and control. The signal
path structure of the PLC uses dedicated input modules, control logic,
and dedicated output modules.
LOOP Signal Only
On a LOOP in a given unit, both sequencers associated with that unit will
respond accordingly to clear their associated buses, stripping all 4.16
KV loads and specified 480 Volt loads within one second after the LOOP
signal is generated. The Emergency Diesel Generators (EDGs) [EK:dg] will
start, and within 15 seconds the EDG output breakers [EK:bkr] close, then
loads required for safe reactor shutdown are sequentially connected to
the corresponding bus; the first load block output signal is generated
16.5 seconds after the onset of the LOOP. The first load block output
signal closes the 480 Volt Load Center feeder breakers.
LOCA Signal Only
If either unit experiences a LOCA, and preferred (offsite) power is
available, bus stripping signals and EDG breaker closure permissive
signals will not be initiated by the sequencers. Vital loads will be
sequentially connected to the buses by the sequencers (including the
opposite unit's HHSI pumps). If an EDG is already operating and
paralleled to offsite power, and either unit experiences a LOCA, the EDG
breaker will trip. The EDG will continue to run in a standby condition.
On the LOCA unit, Engineered Safety Features (ESF) equipment will be
sequentially loaded onto the bus by the sequencer. Following a LOCA, if
any given train experiences undervoltage, bus stripping, EDG breaker
closure, and sequential loading will be directed.
LOOP/LOCA
After a LOOP on both units, if one unit experiences a LOCA, the buses
associated with the LOCA unit will be stripped and ESF loads will be
loaded onto the bus. On the non-LOCA unit, both buses are stripped
again, and reloaded with essential equipment; both HHSI pumps will also
start.
Sequencer Testing
Each sequencer is provided with Manual test and Automatic Self-test
capability. The test mode is determined by a three-position Test
Selector switch. The three positions are AUTO (self-tests 15 steps or
scenarios in the automatic test sequence), MAN (each test is manually
initiated), and OFF (no test signals are generated). In the automatic
test mode, the sequencer continuously tests the input cards, output
cards, and output relay coils, and exercises the program logic. The
sequencer is designed to abort the manual and automatic test modes in
response to a valid input. The automatic self-test function is normally
in operation, however it is not required to be in service for the
sequencer to perform its safety function. The manual test, in addition
to testing all the conditions covered by the automatic test, actuates the
output relays. However, blocking relays energize before the output
relays energize, and the output relays de-energize before the blocking
relays de-energize.
Placing the Test Selector switch in MAN stops automatic self-testing.
Manual testing involves five stripping/clearing scenarios (bus clearing,
480 Volt undervoltage with SI present, 480 Volt degraded voltage, 4.16 KV
undervoltage, and safety injection [LOCA] on an isolated bus). Upon
completion of the stripping tests, sequencing scenarios are tested
manually by rotation of a Sequencing Mode Test Selector switch through
eleven steps or loading scenarios (LOOP; LOOP/LOCA same train; LOOP/LOCA
other unit; LOCA same train; LOCA other unit; LOOP/LOCA same train with
concurrent HHCP; LOOP/LOCA same train with HHCP before 13 seconds;
LOOP/LOCA same train with HHCP after 13 seconds; LOCA same train with
concurrent HHCP; LOCA same train with HHCP before 13 seconds; LOCA same
train with HHCP after 13 seconds).
Automatic self-testing cycles through 15 of the 16 test steps in the same
order (the bus clearing scenario is not tested in AUTO). The test steps
start roughly an hour apart, and there is one hour in the automatic test
sequence in which no testing takes place, so a full cycle of automatic
self-testing takes approximately sixteen hours. Then the cycle begins
again. Should a valid process input signal be received during manual or
automatic testing, the testing stops, the test signal clears, and the
inhibit signal is supposed to clear if present, allowing the valid signal
to sequentially energize the output relays and their associated ESF
equipment.
II. CAUSE OF THE EVENT
II.a TEST LOGIC DEFECT
The 3A sequencer failed to respond as expected to an opposite unit SI
signal. The 3A sequencer had dropped out of the Automatic Self-Test
without alarming, indicating that it had received a valid input signal.
During troubleshooting, the input LED for a 4A SI signal was found to be
lit, indicating the signal was still present. The 3A sequencer response
should have been to start the 3A HHSI pump after a 3 second delay.
However, the pump failed to start because it did not receive a start
signal from the sequencer.
Following the failure of 3A HHSI pump to start in response to a 4A SI
input signal as described above, an analysis of the sequencer software
logic was performed to determine the root cause of the failure. A
software design defect was discovered whereby the start signal for the 3A
HHSI pump remained inhibited during sequencer automatic test step 3
(LOOP/LOCA Other Unit) even though a valid process input was present. In
parallel with the above analysis, this particular fault was duplicated on
the sequencer simulator which is identical to the 3C23A-1 (3A) sequencer.
This is in contrast to the original design bases of the sequencer
Automatic Self-Test and Manual Test functions.
The review was then expanded to include additional test modes, process
inputs, and required outputs. It was found that the problem exists
during both manual and automatic testing, during sequencer test steps 2,
3, 6, 8, and 10. These steps correspond to the following scenarios:
Step 2  LOOP/LOCA
Step 3  LOOP/LOCA Other Unit
Step 6  LOOP/LOCA with concurrent High High Containment Pressure
Step 8  LOOP/LOCA with High High Containment Pressure less than 13 seconds later
Step 10 LOOP/LOCA with High High Containment Pressure more than 13 seconds later
Note that these are tested scenarios, not potential plant events. Note
too that all five of the affected test step scenarios involve LOOP and
LOCA.
If a valid SI signal is received 15 seconds or later into one of the
above tests, the test signal clears as intended, but the inhibit signal
is maintained by means of latching logic. This latching logic is
originally established by the test signal, but may be maintained by the
process input signal if it arrives prior to removal of the test signal.
Since the above condition is applicable to both the automatic self-test
and manual testing, the sequencer must be considered inoperable during
both testing modes. Note, however, that this defect will not cause a
sequencer operating malfunction with the Test Selector switch in any
position for any design basis scenario which involves a loss of offsite
power.
This software logic defect was introduced during the detailed logic
design phase of the software development. The detailed logic designer
and the independent verifier failed to recognize the interaction between
some process logic inhibits and the test logic. The defect in the
software logic was not detected during the Validation and Verification
process (V&V) because the response to valid inputs was not tested during
all stripping and loading sequences of the automatic and manual testing
logic. FPL has evaluated the V&V for the sequencers and concluded that
the existing V&V adequately addresses operation of the sequencers with the
Test Selector switch in OFF.
This logic defect can occur when the sequencer is in either the manual or
automatic test mode, and the test sequence currently being executed is
loading sequence test 2, 3, 6, 8, or 10. This was determined based on a
review of the sequencer logic drawings for the 15 steps in the automatic
test sequence, and design basis event signals. The sequencer simulator
was used to confirm the results of the review. The defect cannot affect
sequencer operation with the Test Selector switch OFF.
In loading sequence tests 2, 6, 8, or 10, the sequencer may be inhibited
from responding to a valid SI signal on the same train. In loading
sequence test 3, the sequencer may be inhibited from responding to a
valid SI signal on the opposite unit.
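The latch interaction described in this section can be reproduced in a small discrete-time model. The model below is an added illustration written for this page; it is not the sequencer vendor's PLC logic, the sequencer simulator, or FPL's analysis. It abstracts the behaviour the LER describes (the test signal establishes an inhibit once an affected LOOP/LOCA test scenario has run 15 seconds, a valid process input clears the test signal, and the defective latch is then held by the process input because it arrived before the test signal was removed) and places the intended logic beside it. The 100 ms tick, the use of the 3 second HHSI start delay from section II.a, and the treatment of same-train and opposite-unit SI as one generic input are assumptions of the model.

```python
"""Constructed discrete-time model of the sequencer test-inhibit latch (LER II.a).
Assumed abstraction of the described behaviour, not the vendor's PLC ladder logic."""
from dataclasses import dataclass
from typing import List, Optional

TICK_MS = 100                        # assumed simulation step
AFFECTED_STEPS = {2, 3, 6, 8, 10}    # LER: loading-sequence test steps with the defect
LATCH_ARM_MS = 15_000                # LER: SI received 15 s or later into the test is inhibited
HHSI_DELAY_MS = 3_000                # LER: HHSI pump start 3 s after a valid SI input


@dataclass
class SequencerModel:
    fixed: bool                      # True = intended logic, False = as-installed defect
    test_step: int                   # loading-sequence test step in progress (1..11)
    test_active: bool = True
    inhibit: bool = False
    elapsed_ms: int = 0
    si_elapsed_ms: Optional[int] = None

    def tick(self, si_present: bool) -> bool:
        """Advance one tick; return True when the HHSI start output is energized."""
        self.elapsed_ms += TICK_MS
        # A valid process input aborts the test and clears the test signal (both variants).
        if si_present and self.test_active:
            self.test_active = False
        # The test signal establishes the inhibit once an affected scenario is far enough along.
        if (self.test_active and self.test_step in AFFECTED_STEPS
                and self.elapsed_ms >= LATCH_ARM_MS):
            self.inhibit = True
        if self.fixed:
            # Intended: the inhibit exists only while the test signal exists.
            self.inhibit = self.inhibit and self.test_active
        else:
            # Defect: once set, the latch is also held by the process input, which is
            # still present when the test signal drops out.
            self.inhibit = self.inhibit and (self.test_active or si_present)
        if si_present:
            self.si_elapsed_ms = 0 if self.si_elapsed_ms is None else self.si_elapsed_ms + TICK_MS
        return (self.si_elapsed_ms is not None
                and self.si_elapsed_ms >= HHSI_DELAY_MS
                and not self.inhibit)


def hhsi_start_time_ms(fixed: bool, test_step: int, si_arrival_ms: int,
                       horizon_ms: int = 60_000) -> Optional[int]:
    """Time (ms into the test step) at which the HHSI start output first energizes, or None."""
    model = SequencerModel(fixed=fixed, test_step=test_step)
    for t in range(0, horizon_ms, TICK_MS):
        if model.tick(si_present=(t >= si_arrival_ms)):
            return model.elapsed_ms
    return None


def steps_that_block_start(fixed: bool, si_arrival_ms: int) -> List[int]:
    """Loading-sequence test steps during which an SI arriving at si_arrival_ms
    never produces a start output."""
    return [step for step in range(1, 12)
            if hhsi_start_time_ms(fixed, step, si_arrival_ms) is None]


if __name__ == "__main__":
    for fixed in (False, True):
        label = "intended" if fixed else "defective"
        print(f"{label}: SI 20 s into test, blocked steps = {steps_that_block_start(fixed, 20_000)}")
        print(f"{label}: SI 10 s into test, blocked steps = {steps_that_block_start(fixed, 10_000)}")
```

Run stand-alone, the defective variant reports steps 2, 3, 6, 8 and 10 as blocking a start for an SI that arrives 20 seconds into the test, and no steps for an SI that arrives at 10 seconds, which is the dependence on test step and elapsed test time that section II.a describes; the intended variant blocks nothing. The point for a reviewer of such logic is that the fix is a one-term change in the latch hold condition, exactly the kind of interaction a V&V campaign only finds if valid inputs are injected during every test step.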
II.b 480 VOLT LOAD CENTER CONDITION
For the 480 Volt Load Center feeder breaker autoclosure failure, the
design implementation failed to account for the duration of time between
closing of the EDG breaker, which is the permissive for re-stripping, and
the beginning of LOOP load sequencing at 16 seconds. During this window
of time, if an SI signal is received an unnecessary strip pulse occurs.
For the most part, the unnecessary pulse is inconsequential since the bus
is already stripped. However, if the strip pulse occurs between 1 second
and 0.5 seconds prior to the first LOOP load block (between 15.5 and 16
seconds after offsite power loss), the strip pulse overlaps the breaker
close pulse. After 16 seconds, receipt of an SI signal resets the load
sequence timers and the overlap does not occur.
A test was conducted on the sequencer in the Training Building to confirm
that both stripping and sequencing signals to the Load Center feeder
breakers could be simultaneously generated by a LOOP followed by a LOCA
during an approximate half second window of Load Block 1. The test was
performed using the EDG 3A sequencer logic in the training sequencer.
The PLC software was modified to simulate the timing for a valid SI same
train signal upon receipt of a valid LOOP (4.16 KV undervoltage input)
over the 15.5 to 16 second window. The testing confirmed that the
overlapping strip/load signals could occur as described.
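The two breaker-control timing conditions reported in sections I.b (the Containment Spray pump start pulse that shortens as the HHCP signal approaches the end of load block 3) and I.c/II.b (the strip pulse that overlaps the load center feeder close pulse) share one mechanism: a close command the breaker will not honour, either because the pulse is too short or because a strip signal is present while it is applied. The model below is an added illustration written for this page, not the sequencer's PLC logic, the Training Building test, or a vendor breaker specification. The timings are the LER's; the interval-based breaker rule, the 2 second fixed pulse for the late CS start and the load center reload, the assumption that the CS start pulse runs from HHCP arrival (or the start of block 3) to the end of the block, and the 16.5 second reload delay after a timer reset are assumptions of the illustration.

```python
"""Constructed interval model of the two breaker-control timing conditions in this
LER: the CS pump start pulse (I.b) and the 480 Volt load center strip/close overlap
(I.c and II.b). Timings are the LER's; the breaker rule and pulse shapes are assumed."""
from typing import List, Optional, Tuple

Window = Tuple[int, int]          # [start_ms, end_ms) relative to the initiating signal

MIN_PULSE_MS = 60                 # LER: approximately 60 ms minimum pulse to assure closure
FIXED_PULSE_MS = 2_000            # assumed: fixed-duration start pulse (LER: 2 or 5 seconds)

# CS pump start (LER I.b); times are measured from the SI signal.
CS_BLOCK3_START_MS = 11_000       # LER: CS autostart 11 to 13 s after SI with HHCP present
CS_BLOCK3_END_MS = 12_945         # LER: end of load block 3
CS_LATE_START_MS = 44_000         # LER: start at or after 44 s if HHCP arrives later
LOOP_SHIFT_MS = 16_000            # LER: LOOP/LOCA shifts these times by about 16 s

# 480 Volt load center feeder (LER I.c, II.b); times are measured from the LOOP.
STRIP_DELAY_MS = 1_000            # LER: bus stripping about 1 s after undervoltage
STRIP_PULSE_MS = 1_000            # LER: strip pulse is 1 s long
EDG_BKR_CLOSE_MS = 9_000          # LER: EDG output breaker closes about 8 s after stripping
LOAD_SEQ_START_MS = 16_000        # LER: LOOP load sequencing begins at 16 s
FIRST_BLOCK_MS = 16_500           # LER: first load block closes the LC feeders at 16.5 s
RELOAD_DELAY_MS = 16_500          # assumed: reload delay after the sequence timers reset


def overlaps(a: Window, b: Window) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def breaker_close_time(closes: List[Window], strips: List[Window]) -> Optional[int]:
    """Start of the first close pulse the breaker honours: long enough, and with no
    strip signal present at any point while it is applied (anti-pumping lockout)."""
    for close in sorted(closes):
        if close[1] - close[0] < MIN_PULSE_MS:
            continue                          # too short to assure closure
        if any(overlaps(close, strip) for strip in strips):
            continue                          # close seen while strip present: ignored
        return close[0]
    return None


def cs_pump_windows(hhcp_ms: int, loop: bool = False) -> Tuple[List[Window], List[Window]]:
    """Sequencer CS start pulse for an HHCP signal arriving hhcp_ms after the SI."""
    shift = LOOP_SHIFT_MS if loop else 0
    start, end = CS_BLOCK3_START_MS + shift, CS_BLOCK3_END_MS + shift
    if hhcp_ms <= end:
        # Assumed: the pulse runs from HHCP arrival (or block start) to the end of
        # block 3, so it shrinks as the HHCP signal approaches the end of the block.
        return [(max(hhcp_ms, start), end)], []
    late = CS_LATE_START_MS + shift
    return [(late, late + FIXED_PULSE_MS)], []


def cs_vulnerable_window(loop: bool = False) -> Tuple[int, int]:
    """Earliest and latest HHCP arrival (ms after SI) that yields no adequate CS start pulse."""
    misses = [t for t in range(0, 60_000)
              if breaker_close_time(*cs_pump_windows(t, loop)) is None]
    return misses[0], misses[-1]


def load_center_windows(si_arrival_ms: Optional[int],
                        fixed: bool) -> Tuple[List[Window], List[Window]]:
    """Close and strip pulses at an LC feeder breaker after a LOOP, with an SI arriving
    si_arrival_ms later (None = no SI). fixed selects the intended re-strip permissive."""
    strips = [(STRIP_DELAY_MS, STRIP_DELAY_MS + STRIP_PULSE_MS)]
    close_start = FIRST_BLOCK_MS
    if si_arrival_ms is not None:
        if si_arrival_ms >= LOAD_SEQ_START_MS:
            # SI after loading began: re-strip, reset the timers, reload later (both variants).
            strips.append((si_arrival_ms, si_arrival_ms + STRIP_PULSE_MS))
            close_start = si_arrival_ms + RELOAD_DELAY_MS
        elif si_arrival_ms >= EDG_BKR_CLOSE_MS and not fixed:
            # Defect: the re-strip permissive is EDG breaker closure, so an SI in the 9 s
            # to 16 s gap issues an unnecessary strip pulse while the 16.5 s close still fires.
            strips.append((si_arrival_ms, si_arrival_ms + STRIP_PULSE_MS))
    return [(close_start, close_start + FIXED_PULSE_MS)], strips


def lc_failing_si_arrivals(fixed: bool) -> List[int]:
    """SI arrival times (ms after LOOP, 100 ms grid) for which the LC feeder never recloses."""
    return [t for t in range(0, 20_001, 100)
            if breaker_close_time(*load_center_windows(t, fixed)) is None]


def single_train_probability(window_ms: int, exposure_ms: int = 120_000) -> float:
    """LER III.b estimate: fraction of a two minute exposure covered by the window."""
    return window_ms / exposure_ms


if __name__ == "__main__":
    lo, hi = cs_vulnerable_window()
    print(f"CS window: HHCP at {lo}..{hi} ms after SI, P(one train) = "
          f"{single_train_probability(hi - lo + 1):.1e}")
    print("LC feeder fails to reclose for SI at (ms after LOOP):", lc_failing_si_arrivals(False))
    print("With the intended permissive:", lc_failing_si_arrivals(True))
```

With the 60 ms minimum pulse, the model recovers the LER's CS window of 12.886 to 12.945 seconds after SI (28.886 to 28.945 seconds for LOOP/LOCA) and the 5.0E-4 single-train estimate of section III.b. For the load center, SI arrivals from about 15.6 to 15.9 seconds after the LOOP leave the feeder open under the as-installed permissive; the exact edges depend on how pulse boundaries are treated, which is why the LER gives the window as approximately 15.5 to 16 seconds. Moving the re-strip permissive to 16 seconds, as the design intended, empties the list.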
III. ANALYSIS OF THE EVENT
III.a TEST LOGIC DEFECT
As a result of the erroneous inhibit signals, the potential exists for
any sequencer output to be prevented from being generated when required.
Exactly which output or outputs are affected is determined by a combination of
factors, i.e., which test scenario is in progress, how long since the
test scenario was initiated, and which process input or inputs are
received. In
general, for the approximate one-hour duration of each of the above test
steps (with the Test Selector switch in AUTO), the sequencer will not
respond correctly to a valid process input signal.
With the sequencer Test Selector switch in AUTO, the sequencer steps
sequentially through sixteen steps as described above; first the five bus
stripping/clearing steps, followed by the eleven LOOP and/or LOCA
scenarios. Note that the five test steps affected by the software defect
are all in the loading sequence test steps, so the first affected step is
the seventh step in the total testing sequence. During each of these
affected test steps, fifteen seconds after the initiation of the step,
the sequencer would not have responded properly to a valid process input
signal. So the sequencer was inoperable for about five hours out of each
sixteen hour period as long as its Test Selector switch was in AUTO. The
sequencer was also inoperable for the duration of any Manual test of the
five test steps listed above. A complete manual test on one sequencer
takes about one hour.
The review of the sequencer logic determined that improper operation of
the sequencer could occur for only certain sequencer stripping/loading
scenarios in which an SI signal without LOOP occurs. The sequencer logic
software defect does not affect any scenarios where a LOOP also occurs,
whether before, after, or concurrent with an SI signal. A failure modes
and effects matrix identified the following four potential plant events
where the logic software defect could affect the operation of the
sequencer, depending upon which of the five affected test steps
(discussed above in CAUSE OF THE EVENT II.a) are being performed when the
SI signal is received by the sequencer:
#1 LOCA Same Train
#2 LOCA on other Unit
#3 LOCA w/High High Containment Pressure (HHCP) < 13 seconds
#4 LOCA w/HHCP > 13 seconds
Note that these are potential plant events, not test step scenarios.
Note too that in contrast to the list of affected test step scenarios
presented earlier, none of the potential plant events affected involve a
LOOP.
For each of these events, the sequencer could receive a valid SI signal
but the logic defect could inhibit the sequencer from starting equipment.
Events #1, #3, and #4 above each have four logic test steps out of a
total of sixteen which would inhibit the sequencer from providing a start
signal to the equipment it controls while event #2 is affected by only
one of the sixteen logic test steps.
The probability that an individual sequencer would not respond to a valid
same train SI signal is 4 hours/16 hours = 2.5E-1. The probability that
an individual sequencer would not respond to a valid opposite unit SI
signal is 1 hour/16 hours = 6.25E-2.
The equipment affected due to the failure of a sequencer was identified
from plant drawings. The equipment listed below is specific to the 3A
sequencer. The equipment lists would be similar for the other three
sequencers.
For event #1, the following equipment would not be automatically loaded
by the sequencer:
Residual Heat Removal Pump 3A [BP:p]
HHSI Pump 3A
Intake Cooling Water Pumps 3A (1) and 3C (1) [BI:p]
Emergency Containment Cooler Fan 3B and 3C [BK:fan]
Component Cooling Water Pumps 3A (1) and 3C (1) [CC:p]
Emergency Containment Filter Fans 3B and 3C [BK:fan]
Note (1): The equipment identified may already be in operation and
may not require manual action to start.
For events #3 and #4 (LOCA w/HHCP < 13 sec; LOCA w/HHCP > 13 sec),
Containment Spray Pump 3A would be affected in addition to the equipment
identified above for event #1.
For event #2 (LOCA Other Unit), only the 3A HHSI Pump would not be
automatically started.
It should be noted that one of the initiating signals for Auxiliary
Feedwater (AFW) system [BA:p] is bus stripping, which is controlled by
the sequencer. No credit is taken, however, for bus stripping in the
accident analyses for initiating AFW. AFW is also initiated on low-low
steam generator level, SI, manual initiation and trip of all Main
Feedwater pumps [SJ:p].
Using the above information, the defect in the sequencer test logic
represents a potential concern for events where SI is required for
mitigation and no LOOP is experienced.
III.b CONTAINMENT SPRAY AUTOSTART ISSUE
Using the Turkey Point baseline Probabilistic Safety Assessment (PSA)
model, the probability of dual train failure of the CS system if called
on to operate has been estimated to be approximately 2.6E-3. This
estimate reflects CS system and support system component failure
probabilities not including either of the software errors reported here.
The failure to automatically start a CS pump due to this software error
can only occur under a very remote set of circumstances. The 60 ms
window is on the same order as the tolerance on relay pick-up times and
the sequencer processing and timing tolerances. Even with sophisticated
timing equipment, it is unlikely that the failure mode could be
demonstrated repeatedly. The probability of receipt of a HHCP signal
during a 60 ms window of vulnerability compared to the range of timing
conditions for which the sequencer is designed is considerably smaller
than the overall system reliability identified above. If it is assumed
that HHCP can occur at any time within approximately two minutes after
the SI signal (the earliest time at which SI is postulated to be reset),
then the probability of the evaluated condition occurring on one train
is:
0.060 sec/(2 min x 60 sec/min) = 5.0E-4
The estimate of the probability of a CS pump not starting automatically
in a LOCA or LOOP/LOCA due to the reported software error is therefore
approximately a factor of five below the estimated probability of both CS
trains failing during a design basis event.
The probability of the software error affecting both trains is
considerably lower, since it would require: 1) the initiating SI signals
to be at the sequencer inputs within 60 ms of each other; 2) the two
trains of HHCP both occurring within the 60 ms window of vulnerability;
3) the sequencer input processing times to be identical; and 4) the
timing of the two sequencers in synchronization. The difference in the
cumulative delay time for relay actuations on the two trains of ESFAS and
differences in sequencer processing, in all likelihood would be
sufficient to preclude the condition on both trains. This conclusion is
supported by a review of previous Integrated Safeguards Test data.
The difference between the train A and B CS pump recorded start times
during a simulated LOOP/LOCA has been between 90 and 500 ms. Since some
timing differences between the trains can be expected, and timing
differences greater than 60 ms have been recorded during previous
safeguards tests, the probability that the specific error could affect
both trains of Containment Spray is therefore considerably less than the
single train probability.
III.c 480 VOLT LOAD CENTER CONDITION
The limiting components affected by loss of the load centers are the Unit
4 EDGs auxiliary equipment, including cooling fans. The loss of the Unit
4 EDG auxiliaries means that the EDG will start to heat up in a short
period of time. At full EDG loading, the EDG would exceed its
temperature ratings after about 8 minutes. However, because the load
centers were not energized, the EDG would only be partly loaded.
Considering lower pump flows, Unit 4 EDG loading is estimated below:
LOAD          KW
SI Pump       220 KW
RHR Pump      140 KW
CS Pump       110 KW
ICW Pump      265 KW
CCW Pump      380 KW
______________________
Total        1115 KW
Under these lower loading conditions, overheating of the Unit 4 EDGs is
not expected to occur for approximately 14 minutes. Other loads lost as
a result of the loss of the load centers include motor operated valves
which must open to allow high and low head safety injection flow. These
valves are significant primarily to analyzed accidents, specifically
Small Break LOCAs, as discussed below.
Effect on Analyzed Accidents
III.d TEST LOGIC DEFECT
A review of the Turkey Point UFSAR Chapter 14 Accident Analyses was
performed to determine which accidents would be potentially affected by
the sequencer test software logic defect. This review identified 7 of
the 22 accidents which may be affected. Two of the seven, "Loss of
External Load" and "Loss of A.C. Power" were determined to be dependent
on the sequencer but not affected, since the inhibited sequencer failure
mode applies to LOCA scenarios only, i.e., no LOOP.
The five accidents which both require SI, and are affected by the
sequencer test software logic defect, are the following:
1. Large Break Loss-of-Coolant Accident (LBLOCA)
2. Small Break LOCA (SBLOCA)
3. Rupture of a Steam Pipe (Main Steam Line Break, or MSLB)
4. Steam Generator Tube Rupture (SGTR)
5. Rupture of a Control Rod Mechanism Housing
The effects of the sequencer test logic defect will be discussed below
for each of the five accidents. In each case, the transient is described
and equipment necessary for mitigation of accidents is identified. Each
transient is then evaluated assuming all four sequencers fail to operate
properly. Credit is assumed for operator action to start HHSI pumps as
well as other ESF equipment within 10 minutes as described below.
LARGE BREAK LOSS OF COOLANT ACCIDENT
A LOCA would result from a rupture of the Reactor Coolant System (RCS) or
any line connected to that system up to the first closed valve. For a
postulated LBLOCA, a reactor trip is initiated by pressurizer low
pressure (1790 psig) while the SI signal is actuated by pressurizer low
pressure at 1636 psig. The consequences of the LBLOCA are limited in two
ways:
1. Reactor trip and borated water injection supplement void
formation in causing rapid reduction of nuclear power to a
residual level corresponding to fission product decay.
2. Injection of borated water ensures sufficient flooding of the
core to prevent excessive temperatures and provide long term
cooling.
The reactor is designed to withstand the thermal effects caused by a
LBLOCA including the double ended severance of the largest RCS pipe. The
reactor core and internals, together with the Emergency Core Cooling
System (ECCS), are designed so that the reactor can be safely shutdown
and the essential heat transfer geometry of the core will be preserved
following an accident.
The LBLOCA analysis presented in Section 14.3 of the UFSAR assumes that 2
of 4 HHSI pumps and 1 of 2 RHR pumps are automatically actuated during
the accident. If all four sequencers were inoperable because of the
simultaneous presence of the test logic defect, SI actuation would not
occur automatically.
The LBLOCA is a design basis event whose probability of occurrence is
extremely small. A LBLOCA is considered to be a break with a total
cross-sectional area equal or greater than 1.0 ft**2.
LBLOCA sensitivity studies, performed in 1988 to assess the impact of
delaying SI, indicate that the maximum permissible SI delay is about 1
minute in order not to exceed the Peak Clad Temperature criteria of 10
CFR 50.46, and about 5 minutes to avoid exceeding fuel melt temperature,
for a generic Westinghouse four-loop PWR. As a result of the test logic
defect, Turkey Point tested operator reaction times to manually start SI
in the absence of an automatic start (described below under MITIGATION OF
SEQUENCER FAILURE MODES). The maximum time did not exceed 4 minutes.
This information was provided to Westinghouse, who then determined that
if SI is delayed 3 minutes and 15 seconds, the peak clad temperature for
the hot rod will not exceed 1922 degrees Fahrenheit.
TEXT PAGE 12 OF 23
If a conservative adiabatic heat up rate of six degrees per second is
assumed for the fuel, SI may be delayed until four minutes into the LOCA
without exceeding 10 CFR 50.46 PCT criteria (the additional 45 seconds
adds about 270 degrees, for a PCT of about 2192 degrees Fahrenheit
against the 2200 degree limit). Therefore, if reasonable operator action
is credited, no core damage would be expected.
Containment Response to a LBLOCA
A LBLOCA results in a significant mass and energy release into
containment that results in pressurization of the containment structure.
The UFSAR indicates that the pressurization event is limited by the size
of containment, by containment heat sinks, and by the operation of
containment cooling equipment (containment sprays and emergency
containment coolers).
The containment analysis for the LBLOCA was assessed using better
estimate techniques in 1989 by Westinghouse. This analysis showed that
peak containment pressure for a Double Ended Pump Suction (DEPS) to be on
the order of 42 to 45 psig. Using the mass and energy release values
developed for the design basis reconstitution work, Westinghouse
re-performed the Turkey Point containment analysis assuming no operation
of the containment spray pumps or the emergency containment coolers, for
ten minutes. This reanalysis shows that the peak pressure of the DEPS
LOCA to be approximately 44.3 psig. Accordingly, since this peak
pressure is less than the design pressure of 55 psig and less than the
originally analyzed peak pressure of 49.9 psig, the results are
acceptable. The ultimate strength of the Turkey Point containments is
estimated to be approximately 140 psig based on the Individual Plant
Examination (IPE) analysis work.
Dose Consequences for a LBLOCA
The UFSAR contains an offsite dose evaluation that assumes a total core
release (100% noble gas, 50% halogens) occurring at time t = 0 with
results that remain within 10 CFR Part 100 guidelines. The event under
review, however, differs from that evaluated in the UFSAR in that
engineered safety features are assumed to be delayed. Using knowledge
learned from observation of accident phenomena and advanced light water
reactor development programs, it has been concluded that an instantaneous
core melt and release of fission products to containment is not credible.
Rather, significant release to the containment would not be expected to
occur during the first 10 minutes of an accident. During this time,
credit is taken for operator action to start SI, containment sprays, etc.
Manual actuation of the containment sprays and emergency filters would
provide for fission product cleanup within containment. While a
calculation has not been performed, it is expected that the offsite dose
consequences for this event will not exceed those stated in the UFSAR.
Operation of sprays and filters will provide radioactive material cleanup
prior to any significant fission product release from the containment.
SMALL BREAK LOSS OF COOLANT ACCIDENT (SBLOCA)
SBLOCAs are slow transients which take longer to initiate SI and
therefore are less sensitive to delays in the actuation of the HHSI
pumps. Containment response and dose consequences for the SBLOCA event,
for the original software defect involving Autotest, are bounded by
LBLOCA discussions above.
The 480 Volt Load Center condition involves the SBLOCA analyses, since a
specific size of small break would be required to generate the specific
event timing which leads to the condition (SI signal 15.5-16 seconds
after a LOOP). The effect of that condition on the SBLOCA analyses is
discussed later.
MAIN STEAM LINE BREAK
The UFSAR analyzes two separate steam line break events; opening a relief
or safety valve, and main steam piping failure. The piping failure
bounds the opening of the relief or safety valve. Since the sequencer
issue is only a concern for the offsite power available case, only a main
steam piping failure with offsite power available will be addressed. The
most limiting cooldown event occurs at zero power with no decay heat. As
indicated in the UFSAR, credit is taken for a single HHSI pump to provide
borated water to return the core to a subcritical state.
Westinghouse re-performed the limiting MSLB accident with offsite power
available assuming SI was not available for 10 minutes. The results of
this analysis indicate that the event can be accommodated without SI for
10 minutes with acceptable results.
A Main Steam Line Break inside containment also results in a containment
pressurization transient. This event was rerun by Westinghouse assuming
no active containment pressure mitigating features (i.e. no containment
sprays or containment coolers). Assuming no safeguards actuation, peak
containment pressure for the MSLB was 48.8 psig occurring approximately
300 seconds (5 minutes) into the transient. This is within the
containment design pressure of 55 psig and is therefore acceptable.
STEAM GENERATOR TUBE RUPTURE
The event examined in the UFSAR is a complete tube break adjacent to the
tube sheet. Each steam generator tube has a nominal diameter of 0.875
inches with a wall thickness of 0.050 inches. Accordingly, the cross-
sectional break area of a double ended tube rupture is less than 1.0
square inches. This very small break area shows that this event is
bounded by the SBLOCA in terms of assessing the potential for core damage
resulting from this event, and that dose releases for this event will not
increase as a result of delayed SI.
RCCA EJECTION - RUPTURE OF A CONTROL ROD MECHANISM HOUSING
The event examined in the UFSAR is a failure of a control rod mechanism
pressure housing such that RCS pressure would eject the control rod and
drive shaft to a fully withdrawn position. The consequence of this
mechanical failure is a rapid positive reactivity insertion together with
an adverse core power distribution. The reactivity transient is
terminated by the Doppler reactivity effects of the increased fuel
temperature, and by subsequent reactor trip before conditions are reached
that can result in fuel melt.
Actions are included in the Emergency Operating Procedures (EOPs) to
address a SBLOCA that could be caused by a failed control rod mechanism
pressure housing. Accident consequences of a SBLOCA in the reactor
vessel upper head are bounded by the design-basis SBLOCA.
Summary of Potential Accident Consequences
Of the five UFSAR accidents affected, four are bounded by the LBLOCA.
Consequences of a LBLOCA are acceptable if operator action to start ESF
equipment takes place within four minutes of the start of the accident.
Consequences of the SBLOCA, SGTR, and RCCA ejection are acceptable even
if no operator action is taken for 10 minutes. The consequences of a
MSLB are acceptable without operator action for 10 minutes, since
containment pressure peaks, below the design pressure, 5 minutes into the
accident.
III.e 480 VOLT LOAD CENTER CONDITION
The UFSAR analyzed a spectrum of SBLOCAs, as provided below:
                                           BREAK SIZE
                                    1.5-inch      2.0-inch      3.0-inch
Break Initiation, sec.                 0.0           0.0           0.0
Reactor Trip Signal, sec.             67.3          35.2          15.0
Safety Injection Signal, sec.        107.5          56.2          25.8
Top of Core Uncovered, sec.    approx. 3500  approx. 1562   approx. 700
Accumulator Injection Begins, sec.     N/A           N/A  approx. 1200
Peak Clad Temp. Occurs, sec.          5034          2692          1305
Top of Core Recovered, sec.          >5050         >4000  approx. 3000
A LOOP is assumed to occur concurrent with a reactor trip. Assuming an
instantaneous LOOP at reactor trip and extrapolating from the above
table, a break size of about 2.5 inch equivalent diameter would result in
the timing sequence of concern.
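The interpolation behind the "about 2.5 inch" figure, worked through as an added example (this code is not part of the LER or of the FPL and Westinghouse analyses it describes). It takes the three break sizes and signal times from the UFSAR table above, forms the trip-to-SI interval for each (with the LOOP assumed concurrent with the reactor trip, as stated above, this is the LOOP-to-SI delay on which the 480 Volt Load Center condition depends), and inverts that interval to find the break sizes for which the SI signal lands in the 15.5 to 16 second window. Linear interpolation between the tabulated points is an assumption of this example; the LER does not say how the extrapolation was done, and the later NOTRUMP analysis iterated the break size to 2.3 inches.

```python
"""Invert the UFSAR SBLOCA timing table to find the break size that places
the SI signal 15.5 to 16 s after a LOOP concurrent with the reactor trip.
Table values are the ones printed in the LER; linear interpolation between
the tabulated points is an assumption of this example."""

# Constructed from the LER's SBLOCA table: equivalent break diameter (inches)
# -> (reactor trip signal time, safety injection signal time), seconds.
UFSAR_SBLOCA_TABLE = {
    1.5: (67.3, 107.5),
    2.0: (35.2, 56.2),
    3.0: (15.0, 25.8),
}

# Window of concern from the LER: SI signal 15.5 to 16 s after the LOOP.
SI_AFTER_LOOP_WINDOW = (15.5, 16.0)


def trip_to_si_intervals(table):
    """Return [(break_size, si_time - trip_time)] sorted by break size.
    With the LOOP taken as concurrent with the trip, this interval is the
    LOOP-to-SI delay the sequencer sees."""
    return sorted((size, si - trip) for size, (trip, si) in table.items())


def break_size_for_interval(table, target):
    """Break size (inches) whose trip-to-SI interval equals `target` seconds,
    by linear interpolation (assumption). Larger breaks depressurise faster,
    so the interval decreases monotonically with break size."""
    pts = trip_to_si_intervals(table)
    for (s0, dt0), (s1, dt1) in zip(pts, pts[1:]):
        if dt1 <= target <= dt0:
            frac = (dt0 - target) / (dt0 - dt1)
            return s0 + frac * (s1 - s0)
    raise ValueError(f"{target} s lies outside the tabulated range")


def break_size_window(table, window=SI_AFTER_LOOP_WINDOW):
    """(smallest, largest) break size whose interval falls inside `window`.
    Because the interval falls with size, the long end of the window maps
    to the smaller break."""
    lo_dt, hi_dt = window
    return (break_size_for_interval(table, hi_dt),
            break_size_for_interval(table, lo_dt))


if __name__ == "__main__":
    for size, dt in trip_to_si_intervals(UFSAR_SBLOCA_TABLE):
        print(f"{size:.1f} in break: SI {dt:.1f} s after trip")
    lo, hi = break_size_window(UFSAR_SBLOCA_TABLE)
    print(f"SI lands in the 15.5-16 s window for breaks of about "
          f"{lo:.2f} to {hi:.2f} inch equivalent diameter")
```

The intervals come out at 40.2, 21.0 and 10.8 seconds for the 1.5, 2.0 and 3.0 inch breaks, and the window maps to roughly 2.49 to 2.54 inches, which is the "about 2.5 inch" of the text. The narrowness of that band (a few hundredths of an inch) is the quantitative reason the timing fraction used later in the probabilistic assessment is so small.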
The credibility of the occurrence of the UFSAR analyzed scenario creating
the conditions necessary to cause the loss of the 480 Volt Load Center
feeder breaker automatic function has been evaluated. The two major
mechanistic possibilities for such a loss would be either: (1) a failure
of the transfer of both buses from the auxiliary to start-up transformers
(fast bus transfer); or (2) the loss of the switchyard or transmission
system due to the loss of a Turkey Point unit.
For a LOOP caused by the failure of the fast bus transfer, it is
improbable that it would occur simultaneously with the reactor trip
because of the delay time designed into the reactor trip/turbine
trip/generator lockout logic sequences.
A reactor trip caused by low pressurizer pressure initiates a turbine
trip. Provided there are no other events and/or failures which would
cause a direct generator lockout signal, there is a designed 30 second
time delay between turbine trip and generator lockout. At the end of the
30 second time delay, a generator lockout signal will be generated. The
generator lockout signal will trip the generator field breaker, the
generator mid and
east switchyard breakers, the auxiliary transformer breakers and will
close the startup transformer breakers (fast bus transfer). Failure of
the fast bus transfer would cause a LOOP, pickup of the undervoltage
relays, strip the 4.16 KV buses, start the EDGs and sequence the
emergency loads on the EDGs. Therefore, on the failure of both the A bus
and B bus fast transfer, the LOOP would be expected to be initiated 30+
seconds after a reactor trip without an SI.
If at any time during this 30 second time delay an SI signal is
generated, the auxiliary transformer breaker will open and fast bus
transfer to the start-up transformer will be initiated. Should the fast
bus transfer fail, a LOOP would be generated and the sequence above would
not occur. The resultant event is essentially a "simultaneous" LOOP/LOCA
and the sequencer would operate as designed. Therefore, the break would
have to be of a specific size which would generate the conditions
necessary to initiate SI at approximately 46 seconds after
reactor/turbine trip occurs and the operators do not manually initiate
the SI signal.
The other mechanistic scenario, loss of the transmission system due to
loss of a single unit is also very unlikely since the grid is operated in
such a manner as to remain stable in any single contingency situation
such as loss of a unit or a large transmission line.
As part of the original safety review performed in November 1994 for the
sequencer auto-test issue, FPL evaluated the impact of delaying safety
injection for 10 minutes for a spectrum of SBLOCAs. Using the EPRI MAAP
code, small breaks of 2 and 6 inch equivalent diameter were examined.
For the 6 inch break, the accumulator would not deplete for more than 20
minutes and core melt would not be expected for more than 50 minutes.
For the 2 inch break, the accumulator did not deplete and core melt was
not expected to occur. It was judged that provided the accumulator had
not depleted and SI was restored, core damage would not occur (i.e. peak
clad temperature would not exceed 2200 degrees F). Westinghouse has
subsequently performed a SBLOCA analysis using NOTRUMP, which is an NRC
approved code, for a 2.3 inch equivalent diameter break (the break size
was iterated on to obtain the proper delay between LOOP and SI) assuming
safety injection is restored 10 minutes into the event. For this event,
a peak clad temperature of 954 degrees F occurred at 1818 seconds
(approx. 30 minutes) into the event. Based on this event sequence,
additional time would be available to the operator beyond 10 minutes to
restore safety injection.
MITIGATION OF SEQUENCER FAILURE MODES
Because the presence of an SI signal during sequencer testing (automatic
or manual mode) may render the sequencer inoperative, the dependence on
SI was the primary consideration for determining the five affected
accidents. For each of the affected accidents, the EOPs were reviewed to
determine what mitigating actions would be taken by the operator. The
effectiveness of the mitigating actions was also assessed based on its
sequence within the procedures.
Upon initiation of any of the five affected accidents discussed above,
the reactor would trip placing the operators in procedure 3/4-EOP-E-0,
"Reactor Trip or Safety Injection." At Step 4 in EOP-E-0, the operator
verifies whether SI is actuated or is required. If an SI is required,
the operator verifies that HHSI and RHR pumps have started, or he is
required to manually start these pumps in Step 8. These two steps are
part of the immediate actions to be taken by an operator following a
reactor trip.
In addition, the foldout pages for EOP-E-0 contain specific reactor trip
and SI actuation criteria which require operators to start the HHSI
pumps. Therefore, FPL concludes that for these five accidents, there is a
high probability that timely mitigating actions would have been taken by
the operators to activate safeguards equipment even if the sequencer had
failed.
To assess the operators' ability to accommodate sequencer test software
logic defects, the Turkey Point Training Department constructed three
different scenarios involving design basis accidents with failed
sequences. The failure mode modeled was a failure of the sequencer to
load safeguards equipment. These scenario runs were completed on
November 5, 1994. The three scenarios were:
1. A LOOP/LBLOCA with Unit 3 sequences failed.
2. A LBLOCA with no LOOP, with Unit 3 sequences failed.
3. A SBLOCA with no LOOP, with Unit 3 sequences failed, Unit 4
HHSI pump breakers racked out, and the Unit 3 HHSI pump control
switches in PULL TO LOCK on the Unit 4 control board.
Six control room crews ran each of the three scenarios, for a total of 18
simulator exercises. The Training Department was primarily interested in
determining how long it took the control room crew to successfully
energize all available safeguards equipment. A summary of the control
room crew response times follows:
RESPONSE TIMES FOR FULL SAFEGUARDS INITIATION (IN MIN:SEC)
CREW    LOOP/LOCA    LBLOCA      SBLOCA
        SCENARIO     SCENARIO    SCENARIO
A       2:40         2:30        2:45
B       2:00         2:10        1:40
C       2:50         1:30        1:30
D       8:00         1:30        1:55
E       4:40         3:15        1:05
F       2:50         1:32        1:20
The simulator training coordinator stated that the longest time required
to initiate SI flow was during Crew D's 8 minute LOOP/LOCA scenario; it
took them approximately 4 minutes. However, the sequencer defect is not
present for LOOP scenarios. The longest non-LOOP response time was 3
minutes and 15 seconds. The longest time to energize all available ESF
loads, even with a LOOP, was 8 minutes, which applies to the Containment
Spray issue and the 480 Volt Load Center issue. An assumed operator
response time of 10 minutes is therefore conservative.
In addition to the scenario exercises described above, a review of
earlier observations of operating crews in simulator training during July
and August 1994 was made. These observations illustrated that it took
each crew 4 to 5 minutes from event initiation to complete alignment of
the required safeguards equipment associated with a full sequencer
failure.
Operator verification of SI, and HHSI pump flow, is performed within the
immediate action steps (Steps 4 and 8 respectively) of EOP-E-0. The
first 14 steps are memorized by the control room crew. In addition,
immediate action steps are required to be re-verified by the operators.
Therefore FPL concludes that the control room crew would be successful in
timely initiation of HHSI pump flow in the event of a sequencer
malfunction.
PROBABILISTIC SAFETY ASSESSMENTS
III.f TEST LOGIC DEFECT
A probabilistic safety assessment was performed to estimate the safety
impact of inhibited emergency sequencer operation due to a logic error in
the software associated with the test feature. The assessment is based
on the Turkey Point IPE Submittal and subsequent updates, and includes
the effect of the failure of all four sequences. The recovery actions
are added to the model for different scenarios, e.g., recovery for LBLOCA
vs. SBLOCA. These operator actions are calculated based on the time
available to do the actions (NUREG/CR-4550, Vol. 3, Rev. 1, Part 1), and
the time it takes the operators to perform the actions obtained from a
review of 3/4-EOP-E-0 and from simulator scenario runs.
The probabilistic safety assessment determined that the estimated change
in the Core Damage Frequency (CDF) under the above conditions, with all
four sequences inoperable at all times, is 6.3E-6/yr. However, all four
sequences were not inoperable at all times. Each sequencer is inoperable
during 5 of the 16 tests in its automatic test cycle. In order for all
sequences to fail simultaneously, all sequences would have to be in an
affected test at the same time. This would happen most often if all four
sequencer test cycles were synchronized. Even if all four sequences were
synchronized on the same test cycle, the sequences would all be
inoperable during only 5 of the 16 tests. Therefore, all four sequences
would be inoperable at most approximately one-third (5/16) of the time.
This results in an estimated change in CDF of 2.1E-6/yr. This change in
core damage frequency increases the baseline CDF by 3.2%. The PSA
calculation considers an average probability over a one year period.
The 3.2% increase in the CDF is a conservative estimate for this
situation, since it assumes the worst-case alignment of the four test
cycles. This increase in CDF is not safety significant, based on the
acceptance criteria stipulated in the draft EPRI PSA Application Guide.
The estimated risk impact of loss of sequences for LBLOCAs is relatively
low due to the low initiating event frequency of LBLOCAs, and recovery
actions described in the early steps of the EOP E-0 for reactor trip and
SI. Although SBLOCAs have a higher initiating event frequency the risk
is relatively low because the operator has more time available to perform
recovery actions.
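The exposure-fraction argument above, worked through as an added example (this code is not from the LER or the FPL probabilistic safety assessment). It enumerates every relative phase of four free-running 16-step test cycles, computes the exact fraction of the cycle during which all four sequencers are in one of their 5 affected steps, and scales the 6.3E-6/yr "all four always inoperable" figure by that fraction. The cycle length, the 5 affected steps, and the CDF figures are from the text; which 5 of the 16 steps are affected, and the assumption that the four cycles are the same length and free-running, are assumptions of this example. It goes one step beyond the text by also reporting the average over all phases, which shows how much margin the synchronized worst case carries.

```python
"""Fraction of time all four sequencers are simultaneously in an affected
automatic test step, over every relative phase of their test cycles.
Cycle length, affected-step count and the CDF figures are from the LER;
the identity of the affected steps and free-running, equal-length cycles
are this example's assumptions."""
from fractions import Fraction
from itertools import product

CYCLE_STEPS = 16
AFFECTED_STEPS = frozenset(range(5))      # assumption: any 5 of the 16 steps
N_SEQUENCERS = 4
DELTA_CDF_ALL_FOUR_ALWAYS_OUT = 6.3e-6    # per year, from the LER
BASELINE_CDF = 6.63e-5                    # per year, from the LER


def simultaneous_fraction(offsets, affected=AFFECTED_STEPS, steps=CYCLE_STEPS):
    """Exact fraction of cycle positions at which every sequencer, shifted
    by its own phase offset, is in an affected step."""
    hits = sum(
        all((t + o) % steps in affected for o in offsets)
        for t in range(steps)
    )
    return Fraction(hits, steps)


def phase_survey(n=N_SEQUENCERS, affected=AFFECTED_STEPS, steps=CYCLE_STEPS):
    """Enumerate every relative phase (first sequencer fixed at offset 0)
    and return (worst_case_fraction, mean_fraction) over all phases."""
    fractions = [
        simultaneous_fraction((0,) + rest, affected, steps)
        for rest in product(range(steps), repeat=n - 1)
    ]
    worst = max(fractions)
    mean = sum(fractions, Fraction(0)) / len(fractions)
    return worst, mean


def delta_cdf(fraction, always_out=DELTA_CDF_ALL_FOUR_ALWAYS_OUT):
    """Scale the 'all four always inoperable' CDF increase by the fraction
    of time the condition actually exists."""
    return always_out * float(fraction)


def percent_of_baseline(delta, baseline=BASELINE_CDF):
    """Percentage increase over the baseline CDF."""
    return 100.0 * delta / baseline


if __name__ == "__main__":
    worst, mean = phase_survey()
    print(f"synchronized cycles (worst case): {worst} = {float(worst):.4f}")
    print(f"averaged over all phases:         {mean} = {float(mean):.5f}")
    for label, frac in [("worst case 5/16", worst), ("LER one-third", Fraction(1, 3))]:
        d = delta_cdf(frac)
        print(f"{label}: delta CDF {d:.2e}/yr, "
              f"{percent_of_baseline(d):.1f}% of baseline")
```

The worst case over all phases is exactly 5/16 (all four cycles synchronized), giving 1.97E-6/yr, or about 3.0% of baseline; the LER's rounding to one-third gives 2.1E-6/yr and 3.2%, so the rounding is in the conservative direction. Averaged over all phases the fraction is (5/16)^4, below 1%, which is why the synchronized assumption is the bounding one.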
III.g CONTAINMENT SPRAY AUTOSTART ISSUE
An estimate of the potential risk impact of the failure of the CS pumps
to automatically start was performed. The scenario is assumed to occur
for a certain size LOCA or MSLB such that the HHCP signal is generated at
the 12.9 to 13.0 second window during which the sequences may not actuate
CS pumps automatically. A further assumption is that failure of all
containment spray with a medium LOCA leads directly to core damage. The
core damage frequency increase is thus estimated to be:
CDF = (frequency of event [medium and small LOCAs, MSLB]) times
      (probability of "right size" break to cause the event) times
      (probability of failure of manual starting of CS pumps)
    = (1.0E-4 + 1.0E-3 + 1.0E-4) x (5.0E-4) x (6.0E-3)
    = 3.6E-9/year
Note that the frequency of the event is conservatively estimated to be
that of the medium LOCA (6-13.5 inches), the small LOCA (2-6 inches) or a
MSLB. Since a specifically-timed LOOP would be required for either the
small LOCA or the MSLB to be of concern, the CDF is actually lower.
An estimated increase in the CDF of 3.6E-9/yr is insignificant compared to
the baseline CDF of 6.63E-5/yr.
III.h 480 VOLT LOAD CENTER ISSUE
To provide a bounding estimate of the probability of such an event over
the half second interval of interest, the following expression is used:
Probability of a certain size LOCA * Conditional probability of induced
LOOP which coincides with the LOCA that satisfies the certain half second
interval.
1.26E-3/Yr * 1.0E-3 * 0.5/60 = 1.05E-8/Yr
where:
1.26E-3/Yr = the frequency of a small-small LOCA, plus stuck open Power
             Operated Relief Valve (PORV) (not recoverable)
1.0E-3     = the probability of LOOP given a reactor trip
0.5/60     = the exact timing fraction for the certain break size that
             results in the scenario of interest (see below)
This calculation includes all the LOCA scenarios that can generate an SI
signal between 15.5 and 75.5 seconds after the reactor trip (the LOOP is
postulated to occur from 0 to 60 seconds after the reactor trip).
Considering the timing between the trip and SI actuation, FPL concluded
that there are two scenarios that can cause such events; (1) a
small-small LOCA (between 3/8" and 2.5" breaks); or (2) a PORV sticks
open and hardware or operators fail to isolate the leak. For the case of
a small-small LOCA, the initiating event frequency is 1.0E-3/Yr. For
the case of one PORV sticking open, the initiating event frequency is
2.6E-2/Yr. Normally the PORVs close if the pressure drops below 2000
psi; if they fail to close, the operator can block the leak by using
block valves. A recovery action failure probability of .01 can be
conservatively assumed for controlling the PORV opening. Therefore, the
overall non-recoverable PORV sticking open initiating event frequency may
be estimated as 2.6E-4/Yr (2.6E-2 * .01 = 2.6E-4).
Based on a study performed by the Federal Power Commission, the
probability that offsite power would be lost as a result of the generator
trip caused by a LOCA is estimated to be 1.0E-3. For the specific break
size to coincide in a certain half second interval the fraction of LOOP
then SI event timing may be estimated as .5/60. This estimate assumes a
uniform distribution for the coincident LOOP and SI signals within a 60
second interval.
Note that the above estimates are conservative in several aspects.
First, all SI events may not present the same degree of challenge to the
plant safety systems. Secondly, no operator actions are credited for
mitigating the core damage scenarios. Thus the scenarios initiated by a
LOCA followed by a LOOP and subsequent actuation of SI contribute at most
1.05E-8/Yr to the CDF. These scenarios are not considered safety
significant. If operator recovery action is considered, the core damage
frequency would be expected to drop one to two orders of magnitude.
Comparing this event to NRC stated safety criteria for the industry shows
that this event is several orders of magnitude less severe than that
which would require NRC action. Comparison to industry developed PSA
criteria shows that this scenario is several orders of magnitude below
that which would require action.
SAFETY SIGNIFICANCE AND OPERABILITY
III.i TEST LOGIC DEFECT
The periodic inoperability of all four sequences, as described above, has
existed since the sequences were installed during the dual unit outage in
1990/1991. The sequences were accepted as operational in September and
October, 1991, for Units 3 and 4, respectively. From early December,
1991, until November, 1992 (Unit 3) and May, 1993 (Unit 4) the sequences'
Test Selector switches were in OFF except for monthly manual tests, as
described in LER 251/91-007.
Since then, there have been four challenges to the bus sequences (between
the two units). LER 251/92-004 reported an inadvertent Safety Injection
on Unit 4; all plant equipment responded as designed, including the Unit
3 HHSI pumps. LERs 250/92-009 and 250/92-013 reported a LOOP (due to
hurricane Andrew), and an inadvertent 3A bus stripping. In these three
instances the sequences Test Selector switches were not in AUTO, and they
performed as designed.
LER 250/94-002 reported an inadvertent ESF actuation on Unit 3, in which
all equipment responded as designed, except the 4A HHSI pump. At that time
the failure of the 4A HHSI pump was attributed to an intermittent
failure, which could not be reproduced. As a result of the discovery of
the defect reported herein, that earlier event can now be reproduced at
will on the sequencer simulator. FPL believes that the 4A HHSI pump
failed to start because of the same defect that caused the 3A HHSI pump
failure to start, reported in this LER. Since there have been no actual
events requiring Engineered Safety Features actuation to protect the
plant, the health and safety of the public has not been affected by the
periodic inoperability of the sequences.
This event is reportable under the requirements of 10 CFR 50.73
(a)(2)(i)(B), (a)(2)(ii)(A), (a)(2)(ii)(B), (a)(2)(v), (a)(2)(vii), and
10 CFR 21.
III.j CONTAINMENT SPRAY AUTOSTART ISSUE
Regarding the second software error involving the CS pump autostart, FPL
has concluded that the CS system remains OPERABLE because, in the highly
unlikely event that the condition were to occur, simple operator action
to start the CS pumps, in accordance with the plant's emergency operating
procedures, would ensure compliance with the system specified functions.
The ability to manually start the CS pumps as much as 10 minutes into the
event and maintain required cooling is supported by analysis, procedures,
and training. In addition the safety significance of the evaluated
condition is extremely low because the probability of the evaluated
condition is lower than the probability of a common mode failure of both
CS trains, as discussed earlier under Possible Accident Consequences for
Sequencer Failure Modes. In any case, the contribution to CDF of this
software error is negligible.
III.k 480 VOLT LOAD CENTER ISSUE
Similar arguments obtain for the condition involving the 480 Volt Load
Center feeder breaker autoclosure failure. The probability of occurrence
of the specific scenario is very low. The contribution to CDF is
similarly very low, neglecting any mitigating operator action.
Nevertheless, should the scenario occur, simple operator action, again as
much as 10 minutes into the event, drops the CDF by one to two orders of
magnitude.
In accordance with Generic Letter 91-18, a licensee cannot replace
automatic action with manual action if the automatic action is needed to
avoid exceeding a "Safety Limit." Safety limit is defined in 10CFR50.36,
as is limiting safety system setting. "Where a limiting safety system
setting is specified for a variable on which a safety limit has been
placed, the setting must be so chosen that automatic protective action
will correct the abnormal situation before a safety limit is exceeded."
Turkey Point's safety limits and limiting safety system settings are
defined in Technical Specifications. The limiting safety system settings
are reactor trip setpoints. There is no reactor trip setpoint on 480
Volt Load Centers. The only two safety limits are reactor pressure, and
a graph combining pressure, T-avg, and reactor power. Neither of
these is challenged by the loss of the automatic re-energization of the
480 Volt Load Centers.
Therefore manual action can be credited to determine the operability of
the 480 Volt Load Centers, if it can be shown that such action (1) is
proceduralized, and (2) is not heroic. Emergency Operating Procedures
3/4-EOP-E-0, Reactor Trip or Safety Injection, direct the reactor
operators to verify ECCS flow, and provide guidance to get flow in the
Response Not Obtained column. The actions are taken from the control
board, are part of the standard training of reactor operators, and
involve no hazard. Indeed, when the scenario in question was imposed on
several crews on the simulator, their delay in re-energizing the load
centers was in waiting for the sequencer to finish sequencing. Thus the
actions (1) are proceduralized, and (2) are not heroic. Therefore, FPL
concludes that the 480 Volt Load Centers remain operable.
IV. CORRECTIVE ACTIONS
1. The Test Selector switches on all four sequences were placed in OFF.
Tags have been hung on each switch to require specific permission
from the Nuclear Plant Supervisor to change the position of the
switch. With the sequencer test mode switch in the OFF position,
the automatic test logic is disabled. The sequencer is fully
functional and will respond properly to input signals. The
automatic test function is not a requirement for periodic
surveillance of the sequencer.
2. With the Test Selector switch in OFF, additional visual inspections
are being performed on an eight hour basis as described below:
a. The local reflash annunciator points are verified not in
alarm.
b. The I/O power, PLC Power, and ANN Power switches are verified
in the ON position and the Processor Power white indicating
light is verified illuminated.
c. The Test Selector switch is verified in the OFF position; the
Stripping Clearing Test Selector and Sequencing Mode Test
Selector Switches are verified in the OFF position.
d. The 2 green test reset indicating lights and the sequencing
reset green indicating lights are verified illuminated.
e. The other indicating lights are verified not to be illuminated
(except the ground fault indicating lights are supposed to be
dimly lit).
f. Every 24 hours, the sequencer door is opened, the Processor
Indicator LED is verified to be solid green, and the "ACTIVE" LED on
each of the 9 I/O cards is verified to be solid green.
3. A detailed review of the original Validation and Verification
process was performed; it has been concluded that an oversight
occurred because not all sequencer functions were validated during
all modes of automatic and manual testing. The existing
verification and validation sufficiently covers the sequencer safety
functions if the Test Selector switch remains OFF.
4. Functional testing on the sequencer simulator of design basis inputs
has been repeated with the Test Selector switch OFF, with acceptable
results.
5. A safety evaluation has been issued demonstrating sequencer
operability with the test selector switch in the OFF position. This
safety evaluation was approved by the Plant Nuclear Safety Committee
on November 4, 1994.
6. Independent consultants were retained to perform an assessment of
the existing sequencer design, software design and V&V. This
"Independent Assessment Team" (IAT) concluded that operation of the
sequences with the Test Selector switch in OFF represented a safe
condition and that FPL's evaluation of the condition was
appropriate.
The second phase of the IAT's assignment was to provide a detailed
review of the software documentation. Some drawing discrepancies
were identified and have been evaluated. In general the
discrepancies
dealt with the inclusion of additional information on the logic
diagrams not reflected in the ladder diagrams, to aid in
understanding the logic diagrams. One other software error was
identified involving autostart of the CS pumps, and has been
discussed earlier in the LER. The drawing discrepancies will be
corrected when the software is modified (see Corrective Action #9
below).
The IAT confirmed that the V&V was not comprehensive enough to test
certain aspects of the logic. "The plan was weak in that it relied
almost completely on testing as the V&V methodology. More emphasis
on the analysis of the requirements and design would have increased
the likelihood of discovering the design flaw." A revision to the
V&V documentation will be made coincident with the design
modifications described on Corrective Action #9 below.
7. The original software vendor, United Controls, Inc. has been
notified of this defect and its significance.
8. In order to eliminate issues related to the use of one-of-a-kind or
first-of-a-kind equipment, FPL implemented Nuclear Policy NP-905,
Equipment Selection, in October of 1991. This policy states in part
that, "FPL's nuclear engineering department shall select only
specific models of equipment with proven records of reliable
performance for use in FPL nuclear facilities. Verification of the
equipment reliability must be established through contact with
NPRDS, nuclear station managers, or other appropriate sources. If
no prior operating experience is available, appropriate prototype
testing, under equivalent plant operating conditions, must be
undertaken to establish its reliability before it is placed in
service at FPL nuclear facilities." The Engineering Quality
Instructions contain the Nuclear Policy requirements for design
outputs.
9. Design modifications to eliminate the identified problems will be
implemented during the next refueling outages of each unit.
10. Other safety-related process computer suppliers were notified of the
event on November 14, 1994. These suppliers responded that similar
software errors do not exist in other safety-related process
computers.
11. An FPL Nuclear Engineering standard will be developed on the use of
PLCs, prior to the procurement of any additional PLC-based
equipment.
12. Manual testing of the sequences was resumed on January 11, 1995.
13. Emergency Operating Procedures 3/4-EOP-E-0, Reactor Trip or Safety
Injection, have been revised to require the operator to verify that
the Load Centers associated with the energized 4.16 KV bus(es) are
energized.
V. ADDITIONAL INFORMATION
EIIS Codes are shown in the format [EIIS SYSTEM: IEEE component
function identifier, second component function identifier (if
appropriate)].
The Programmable Logic Controllers used in the sequences are made by
Allen-Bradley; the sequences are assembled by United Controls, Inc.
(UCI). According to UCI, Florida Power & Light Company is the only
utility to which UCI supplied this sequencer.
The condition wherein the 480 Volt Load Center feeder breakers may
not close automatically may have generic implications not associated
with digital load sequences. It appears that any time such a
breaker is presented with conflicting simultaneous close and trip
signals, if that breaker has an "anti-pumping" circuit like the one
described in this report, that breaker will not close. FPL is not
able to determine if such conflicting signals may be generated by an
analog or "relay-based" load sequencer system.
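A small model of the conflicting-signal behaviour described above, added here as an illustration and not taken from the LER. It is a textbook seal-in anti-pump scheme (a relay that picks up when the close command is still present with the breaker closed and then blocks the close coil until the close command is released), not the actual wiring of the Turkey Point 480 Volt Load Center feeder breakers, which this report does not describe. The scan sequences at the bottom are constructed: an orderly trip-then-close, a close that arrives in the same scan as the trip and is then held, and a recovery in which the close is dropped and reissued, which is the manual action the corrective actions rely on.

```python
"""Generic anti-pump breaker model (assumed, not the plant's circuit).
Shows that a close command presented together with a trip, and then held,
leaves the breaker open until the close command is released and reissued."""
from dataclasses import dataclass, field


@dataclass
class AntiPumpBreaker:
    closed: bool = False
    anti_pump_sealed: bool = False        # 52Y-style seal-in relay
    log: list = field(default_factory=list)

    def scan(self, close_cmd, trip_cmd):
        """One control-logic scan with the commands present in it.
        Returns the breaker state after the scan."""
        if not close_cmd:
            # releasing the close command is the only thing that resets the seal-in
            self.anti_pump_sealed = False
        elif self.anti_pump_sealed:
            self.log.append("close blocked: anti-pump sealed in")
        elif not self.closed:
            self.closed = True
            self.log.append("close: breaker closed")
        if close_cmd and self.closed:
            # close still asserted with the breaker closed picks up the
            # anti-pump relay, which seals in for as long as close is held
            self.anti_pump_sealed = True
        if trip_cmd and self.closed:
            self.closed = False
            self.log.append("trip: breaker opened"
                            + (", close still held so anti-pump stays sealed"
                               if close_cmd else ""))
        return self.closed


def run(sequence):
    """Apply a list of (close_cmd, trip_cmd) scans; return (closed, log)."""
    brk = AntiPumpBreaker()
    for close_cmd, trip_cmd in sequence:
        brk.scan(close_cmd, trip_cmd)
    return brk.closed, brk.log


# Constructed scan sequences for illustration.
# 1. orderly: the trip clears before the sequencer issues the close.
ORDERLY = [(False, True), (False, False), (True, False), (False, False)]
# 2. conflicting: the close arrives in the scan in which the trip is still
#    present and is then held, as a sequencer output would be held.
CONFLICT = [(False, True), (True, True), (True, False), (True, False)]
# 3. recovery: the close is dropped and reissued once the trip is gone.
RECOVERY = CONFLICT + [(False, False), (True, False)]


if __name__ == "__main__":
    for name, seq in [("orderly", ORDERLY), ("conflict", CONFLICT),
                      ("recovery", RECOVERY)]:
        closed, log = run(seq)
        print(f"{name}: breaker {'CLOSED' if closed else 'OPEN'}")
        for line in log:
            print("   ", line)
```

In the conflicting case the breaker closes and trips within the same scan, the held close command seals in the anti-pump relay, and every later scan logs "close blocked" until the command is released; nothing in the model is broken, the circuit is doing exactly what it is designed to do, which is why the condition is invisible to a check that only confirms the close output was asserted.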
*** END OF DOCUMENT ***