05000302/LER-2008-001
| Docket Number Sequential Revmonth Day Year Year Month Day Yearnumber No. 05000 | |
| Event date: | 01-23-2008 |
|---|---|
| Report date: | 03-20-2008 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v), Loss of Safety Function |
| 3022008001R00 - NRC Website | |
Calibration," the actions of ITS 3.3.17, Condition A, Function 18a for Channel A were applicable when two thermocouples [IP] (IM-5G-TE and IM-3L-TE) were removed from service for calibration. There are 16 qualified thermocouples in the core, two per channel per quad.rant.
Two Channel A thermocouples in the same core quadrants (IM-6C-TE and IM-60-TE) were already inoperable at this time, resulting in their respective quadrants being without an OPERABLE Channel A core exit thermocouple (CET) during the calibration activity. During the performance of SP-144C, the "A" Safety Parameter Display System (SPDS) Core Subcooling Monitor [IP, Mon](EMCO-38) was considered inoperable. The actions of ITS 3.3.17, Condition A, Function 21 are applicable during the time this monitor is out of service.
During this calibration, it appeared that the output signal from the Channel A Chessel recorder [IP, TR] was being limited to the "A" SPDS and the plant computer [ID, CPU]. When the signal was increased above 1250 degrees F the computer point which is the input to the SPDS [IP, CPU] indicated out of range. However, the recorder display and trace both showed the full calibration injected signal. Additionally, the calibration demonstrated that for injected signals corresponding to CET temperatures below 1250 degrees F, the "A" SPDS and plant computer points appeared accurate. As part of the extent of condition investigation, SP-144C was performed for the Channel B recorder.
At 1717 on January 25, 2008, the same failure mechanism was identified on the "B" SPDS Core Subcooling Monitor (EMCO-39) and plant computer points when a simulated thermocouple signal was injected into the input of the Channel B recorder. ITS 3.3.17, Condition A remains applicable for EMCO-39 and EMCO-38, and ITS 3.3.17, Condition C became applicable due to both Core Subcooling Monitors being out of service at the same time. ITS 3.3.17, Condition A has a 30 day completion time while Condition C has a 7 day completion time.
The specific condition was identified as a failure of computer point R-266 during the performance of the surveillance test, SP-144C. The condition was discovered to have occurred during a software change to the plant computer that was implemented on August 13, 2007. All 8 qualified CETs in each channel (total of 16) were determined to have the same condition.
ITS 3.3.17, requires that Post Accident Monitoring instrumentation for each Function in Table 3.3.17-1 shall be OPERABLE in MODES 1, 2, and 3. Table 3.3.17-1, Line Item 21 requires two channels of Degrees of Subcooling [IP, CHA]. ITS 3.3.17, Condition C, states that with one or more Functions with two required channels inoperable, restore one channel to OPERABLE status within 7 days.
The ITS Bases for 3.3.17, Function 21 states that the CET inputs operate over a range of 0 to 2500 degrees F. The CR-3 Final Safety Analysis Report, Section 7.3.2.2.3.f, describes the input range of the SPDS subcooling margin calculation as 0 to 2500 degrees F.
This condition was determined to be reportable under 10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's Technical Specification since both Core Subcooling Monitors had been inoperable for greater than 7 days.
� saturation conditions. Saturation is the point where a change from liquid to steam occurs. This is important as the plant does not want to have bulk boiling in the reactor core. In a Pressurized Water Reactor, the RCS is pressurized to be able to get high temperature water without bulk boiling. Typical conditions in the CR-3 Reactor Pressure Vessel during normal plant operation are approximately 2155 pounds per square inch gauge (psig) and 610 degrees F (T-incore). These conditions provide approximately 5 degrees of subcooling in addition to the subcooling margin (margin that is added to account for worst case instrument uncertainties).
Degrees of Subcooling (Subcooling Margin) is displayed in degrees F on both SPDS monitors. The SPDS is the primary display of margin to saturation for each RCS loop. Multiple core exit .
temperatures are auctioneered with only the highest temperature being input to the monitor. The THot inputs to the SPDS Core Subcooling Monitors operate over a range of 120 to 920 degrees F. The core exit temperature inputs operate over a range of 0 to 2500 degrees F. RCS pressure inputs operate over a wide range of 0 to 2500 psig and low range of 0 to 600 psig.
The Core Subcooling Monitors are used to verify the existence of, or to take actions to ensure the restoration of subcooling margin. Specifically, a loss of adequate subcooling margin during a Loss of Coolant Accident requires the operator to trip the reactor coolant pumps (RCPs) [AC, P], to ensure high or low pressure injection, and raise the steam generator levels to the inadequate subcooling margin level. This variable is used by the operator to trip the RCPs within one minute of the loss of subcooling margin.
At 2600 pounds per square inch absolute (psia), which is greater than the maximum pressure that can be measured by the wide range pressure transmitters used for the subcooling margin calculator (2500 psig), the saturation temperature is 673.91 degrees F. To be able to indicate the Regulatory Guide (RG) 1.97, "Instrumentation for Light-Water-Cooled Nuclear power Plants to Assess Plant Conditions During and Following an Accident," Revision 2, specified 35 degrees of superheat, at this pressure the temperature would have to be 708.91 degrees F.
The condition caused the core subcooling indication to be out of range at CET temperatures above 1250 degrees F. The indication remained accurate below 1250 degrees F. Even with the degraded SPDS, there would still be 541 degrees F of additional valid indication. Therefore, the subcooling margin indication degradation was of low safety significance and the design function of the Core Subcooling Monitors was maintained.
A small break loss of coolant accident may be the most limiting for this condition as the RCS temperature could remain high while the RCS pressure slowly drops. This event would cause a loss of subcooling. However, the Core Subcooling Monitor would provide indication and alarms to permit plant staff to take the necessary actions to protect the core and the public.
Additionally, CR-3 has procedural guidance in the event of a loss of the SPDS. Administrative Instruction AI-505, "Conduct of Operations During Abnormal and Emergency Events," step 4.2.8.3 states that if SPDS is unavailable, subcooling margin is determined by plotting RCS _NRC FORM 366A (9-2007) PRINTED ON RECYCLED PAPER 7 step 2.1, states that if RCPs were not stopped within one minute, then ensure one RCP remains running in each RCS loop to avoid core damage.
Based on the above discussion, Progress Energy Florida (PEF) concludes that the identified condition did not represent a reduction in the public health and safety.
The identified condition is not reportable under 10 CFR 50.73(a)(2)(v) and does not represent a condition that would have prevented the fulfillment of a safety function. Therefore, this event does not meet the Nuclear Energy Institute (NEI) definition of a Safety System Functional Failure (Reference NEI 99-02, Revision 5).
CAUSE
The cause for this condition was that the responsible engineer did not identify the impact of the software change to the system and require testing for the high, mid, and low data ranges for computer point R-266 after implementing Engineering Change (EC) 64476. The EC included a change to the drivers for the SPDS multiplexer server's Modbus and changed the way the Modbus interface converts the data from the Chessel recorders. The differences in the Modbus interface was not identified and as such the testing was not adequate to assure operability of the SPDS Core Subcooling Monitors.
The reason for the inaccurate indications above 1250 degrees F was found to be the treatment of the incoming 16-bit data words from the CET recorders as signed integers in the SPDS multiplexer server's Modbus driver. The CET recorders transmit the temperature data in an unsigned format. The new Modbus driver had been installed under EC 64476 as part of an Emergency Monitoring (EM) and Plant Computer (CP) system software update. For all values at or below midscale (1250 degrees F), the same data word represents the signed and unsigned version of the temperature. Inaccurate treatment of the input data occurred in the range above 1250 degrees F, where any value above 1250 appeared to exceed the maximum of 2500 degrees. When the input data type for CET data was changed to an unsigned integer on a process computer system simulator, the SPDS variables followed the input from the recorders for the full range (0 to 2500 degrees F). This confirmed the failure mode and the date that the condition began.
Corrective Actions
1. The Core Subcooling Monitor over range condition at CET temperatures above 1250 degrees F was corrected through a revision to EC 64476 to implement Modbus driver changes for the EM and CP systems. This revision was implemented on January 26, 2008. Testing was performed to assure EM system OPERABILITY prior to turning the systems back to Operations.
2. Additional corrective actions are identified in Nuclear Condition Report 263310.
�NRC FORM 366A (9-2007) PRINTED ON RECYCLED PAPER Both trains of Core Subcooling Monitor indication being inoperable for longer than allowed by ITS 3.3.17, Condition C, completion time was previously reported to the NRC as LER 50 302/03-004-00. However, the cause was different than described in this LER.
ATTACHMENTS
Attachment 1 — Abbreviations, Definitions, and Acronyms Attachment 2 — List of Commitments _NRC FORM 366A (9-2007) PRINTED ON RECYCLED PAPER PENJ} �NRC FORM 366A (9-2007) PRINTED ON RECYCLED PAPER