05000302/LER-2008-001, Regarding Software Change Causes Inoperability of Redundant Core Subcooling Monitors for Longer than TS Allowable

From kanterella
(Redirected from 05000302/LER-2008-001)
Jump to navigation Jump to search
Regarding Software Change Causes Inoperability of Redundant Core Subcooling Monitors for Longer than TS Allowable
ML080870427
Person / Time
Site: Crystal River Duke Energy icon.png
Issue date: 03/20/2008
From: Annacone M
Progress Energy Florida
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
3F0308-02 LER 08-001-00
Download: ML080870427 (8)
v  d  e


LER-2008-001, Regarding Software Change Causes Inoperability of Redundant Core Subcooling Monitors for Longer than TS Allowable
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(i)
10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded
10 CFR 50.73(a)(2)(viii)(A)
10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
10 CFR 50.73(a)(2)(viii)(B)
10 CFR 50.73(a)(2)(iii)
10 CFR 50.73(a)(2)(ix)(A)
10 CFR 50.73(a)(2)(iv)(A), System Actuation
10 CFR 50.73(a)(2)(x)
10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor
10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat
10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown
10 CFR 50.73(a)(2)(v), Loss of Safety Function
3022008001R00 - NRC Website
v  d  e

text

a0 Progress Energy Crystal River Nuclear Plant Docket No. 50-302 Operating License No. DPR-72 Ref: 10 CFR 50.73 March 20, 2008 3F0308-02 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

Subject:

CRYSTAL RIVER UNIT 3 - LICENSEE EVENT REPORT 50-302/2008-001-00

Dear Sir:

Florida Power Corporation, currently doing business as Progress Energy Florida, Inc., hereby submits Licensee Event Report (LER) 50-302/2008-001-00. The LER discusses a condition which is prohibited by the Crystal River Unit 3 (CR-3) Improved Technical Specifications (ITS).

Specifically, an instrument channel was inoperable longer than allowed by ITS 3.3.17. This report is being submitted pursuant to 10 CFR 50.73(a)(2)(i)(B).

No regulatory commitments are made in this letter.

If you have any questions regarding this submittal, please contact Mr. Dennis Herrin, Acting Supervisor, Licensing and Regulatory Programs at (352) 563-4633.

Sincerel MichaOt"J. Annacone Plant General Manager Crystal River Nuclear Plant MJA/par Enclosure xc:

Regional Administrator, Region II Senior Resident Inspector NRR Project Manager Progress Energy Florida, Inc.

Crystal River Nuclear Plant 15760 W. Powerline Street Crystal River, FL 34428 J76J2~

MRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO. 3150-0104 EXPIRES: 08/31/2010 19-2007)

, the NRC may digits/characters for each block) not conduct or sponsor, and a person is not required to respond to, the information collection.

3. PAGE CRYSTAL RIVER UNIT 3 05000302 1 of 7
4. TITLE Software Change Causes Inoperability of Redundant Core Subcooling Monitors for Longer Than TS Allowable
5. EVENT DATE
6. LER NUMBER
7. REPORT DATE
8. OTHER FACILITIES INVOLVED MONTH DAY YEAR YEAR SEQUENTIAL REV MONTH FACLITY NAME DOCKET NUMBER NUMBER NO.

05000 FACILITY NAME DOCKET NUMBER 01 23 2008 2008 001 00 03 20 2008 05000

9. OPERATING MODE
11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR§: (Check all that apply)

El 20.2201(b)

El 20.2203(a)(3)(i)

El 50.73(a)(2)(i)(C)

E] 50.73(a)(2)(vii) 1 El 20.2201(d)

El 20.2203(a)(3)(ii)

E] 50.73(a)(2)(ii)(A)

El 50.73(a)(2)(viii)(A)

El 20.2203(a)(1)

[E 20.2203(a)(4)

[1 50.73(a)(2)(ii)(B)

El 50.73(a)(2)(viii)(B)

El 20.2203(a)(2)(i)

El 50.36(c)(1)(i)(A)

E) 50.73(a)(2)(iii)

El 50.73(a)(2)(ix)(A)

10. POWER LEVEL F] 20.2203(a)(2)(ii)

[E 50.36(c)(1)(ii)(A)

[] 50.73(a)(2)(iv)(A)

E] 50.73(a)(2)(x)

El 20.2203(a)(2)(iii)

El 50.36(c)(2)

El 50.73(a)(2)(v)(A)

El 73.71(a)(4)

El 20.2203(a)(2)(iv)

El 50.46(a)(3)(ii)

El 50.73(a)(2)(v)(B)

E] 73.71(a)(5) 100%

El 20.2203(a)(2)(v)

El 50.73(a)(2)(i)(A)

[E 50.73(a)(2)(v)(C)

[1 OTHER El 20.2203(a)(2)(vi)

[

50.73(a)(2)(i)(B)

El 50.73(a)(2)(v)(D)

Specify in Abstract below or in NRC Form 366A

12. LICENSEE CONTACT FOR THIS LER FACILITY NAME TELEPHONE NUMBER (Include Area Code)

Philip Rose - Engineer (Licensing and Regulatory Programs) 1 352-563-4883CAUSE COMPONENT FACUE REPORTABLE

CAUSE

COMPONENT MANU-REPORTABLE FACTURER TO EPIX FACTURER TO EPIX

14. SUPPLEMENTAL REPORT EXPECTED
15. EXPECTED MONTH DAY YEAR SUBMISSION El YES (If yes, complete 15. EXPECTED SUBMISSION DATE) 0 NO DATE ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines)

On January 23, 2008, while operating in MODE 1 (POWER OPERATION) at 100 percent RATED THERMAL POWER, at Progress Energy Florida, Inc. Crystal River Unit 3 (CR-3), during the performance of Surveillance Procedure SP-144C, "Core Exit Thermocouple Calibration," the Core Subcooling Monitors would indicate out of range above a simulated Core Exit Thermocouple (CET) input temperature of 1250 degrees Fahrenheit (F).

As part of the extent of condition investigation, SP-144C was performed for the Channel B recorder and the same failure mechanism was identified. At 1717 on January 25, 2008, both Core Subcooling Monitors were determined to be inoperable. These instruments are OPERABLE when accurately indicating between 0 to 2500 degrees F. Improved Technical Specification (ITS) 3.3.17, "Post Accident Monitoring (PAM) Instrumentation," Condition C, allows 7 days for restoration if one or more functions with two required channels inoperable. The condition was determined to have existed since the new Safety Parameter Display System (SPDS) multiplexer server Modbus driver was installed on August 13, 2007. This exceeded the ITS completion time and as such, this report is being submitted under 10 CFR 50.73(a)(2)(i)(B). The.cause for this condition was that the responsible engineer did not identify the impact of the software change to the system and require full range, post modification testing for this function following implementation of the Engineering Change. The condition was corrected on January 26, 2008 through a software change. This condition 'does not represent a reduction in the public health and safety. A previous similar occurrence has not been reported to the NRC.

NRC FORM 366 (9-2007)

PRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE YEAR ISEQUENTIAL I REVISION YEAR NUMBER NUMBER CRYSTAL RIVER UNIT 3 05000-302 2008 001 00 2

OF 7

EVENT DISCRIPTION At 1800 on January 23, 2008, Progress Energy Florida, Inc. Crystal River Unit 3 (CR-3) was operating in MODE 1 (POWER OPERATION) at 100 percent RATED THERMAL POWER.

During the performance of Surveillance Procedure SP-144C, "Core Exit Thermocouple Calibration," the actions of ITS 3.3.17, Condition A, Function 18a for Channel A were applicable when two thermocouples [IP] (IM-5G-TE and IM-3L-TE) were removed from service for calibration. There are 16 qualified thermocouples in the core, two per channel per quadrant.

Two Channel A thermocouples in the same core quadrants (IM-6C-TE and IM-60-TE) were already inoperable at this time, resulting in their respective quadrants being without an OPERABLE Channel A core exit thermocouple (CET) during the calibration activity.

During the performance of SP-144C, the "A" Safety Parameter Display System (SPDS) Core Subcooling Monitor [IP, Mon](EMCO-38) was considered inoperable. The actions of ITS 3.3.17, Condition A, Function 21 are applicable during the time this monitor is out of service.

During this calibration, it appeared that the output signal from the Channel A Chessel recorder [IP, TR] was being limited to the "A" SPDS and the plant computer [ID, CPU]. When the signal was increased above 1250 degrees F the computer point which is the input to the SPDS [IP, CPU] indicated out of range. However, the recorder display and trace both showed the full calibration injected signal. Additionally, the calibration demonstrated that for injected signals corresponding to CET temperatures below 1250 degrees F, the "A" SPDS and plant computer points appeared accurate. As part of the extent of condition investigation, SP-144C was performed for the Channel B recorder.

At 1717 on January 25, 2008, the same failure mechanism was identified on the "B" SPDS Core Subcooling Monitor (EMCO-39) and plant computer points when a simulated thermocouple signal was injected into the input of the Channel B recorder. ITS 3.3.17, Condition A remains applicable for EMCO-39 and EMCO-38, and ITS 3.3.17, Condition C became applicable due to both Core Subcooling Monitors being out of service at the same time. ITS 3.3.17, Condition A has a 30 day completion time while Condition C has a 7 day completion time.

The specific condition was identified as a failure of computer point R-266 during the performance of the surveillance test, SP-144C. The condition was discovered to have occurred during a software change to the plant computer that was implemented on August 13, 2007. All 8 qualified CETs in each channel (total of 16) were determined to have the same condition.

ITS 3.3.17, requires that Post Accident Monitoring instrumentation for each Function in Table 3.3.17-1 shall be OPERABLE in MODES 1, 2, and 3. Table 3.3.17-1, Line Item 21 requires two channels of Degrees of Subcooling [IP, CHA]. ITS 3.3.17, Condition C, states that with one or more Functions with two required channels inoperable, restore one channel to OPERABLE status within 7 days.

The ITS Bases for 3.3.17, Function 21 states that the CET inputs operate over a range of 0 to 2500 degrees F. The CR-3 Final Safety Analysis Report, Section 7.3.2.2.3.f, describes the input range of the SPDS subcooling margin calculation as 0 to 2500 degrees F.

This condition was determined to be reportable under 10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's Technical Specification since both Core Subcooling Monitors had been inoperable for greater than 7 days.PRINTED ON RECYCLED PAPERPRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE YEAR ISEQUENTIAL REVISION YEAR NUMBER NUMBER CRYSTAL RIVER UNIT 3 05000-302 2008 001 00 3

OF 7

SAFETY CONSEQUENCES

The Core Subcooling Monitors provide an indication to the operators of the amount of subcooling margin in the Reactor Coolant System (RCS) [AC] at any given moment, both for normal operations and abnormal conditions. Subcooling is defined as any temperature below saturation conditions. Saturation is the point where a change from liquid to steam occurs. This is important as the plant does not want to have bulk boiling in the reactor core. In a Pressurized Water Reactor, the RCS is pressurized to be able to get high temperature water without bulk boiling. Typical conditions in the CR-3 Reactor Pressure Vessel during normal plant operation are approximately 2155 pounds per square inch gauge (psig) and 610 degrees F (T-incore). These conditions provide approximately 5 degrees of subcooling in addition to the subcooling margin (margin that is added to account for worst case instrument uncertainties).

Degrees of Subcooling (Subcooling Margin) is displayed in degrees F on both SPDS monitors. The SPDS is the primary display of margin to saturation for each RCS loop. Multiple core exit temperatures are auctioneered with only the highest temperature being input to the monitor. The THot inputs to the SPDS Core Subcooling Monitors operate over a range of 120 to 920 degrees F. The core exit temperature inputs operate over a range of 0 to 2500 degrees F. RCS pressure inputs operate over a wide range of 0 to 2500 psig and low range of 0 to 600 psig.

The Core Subcooling Monitors are used to verify the existence of, or to take actions to ensure the restoration of subcooling margin. Specifically, a loss of adequate subcooling margin during a Loss of Coolant Accident requires the operator to trip the reactor coolant pumps (RCPs) [AC, P], to ensure high or low pressure injection, and raise the steam generator levels to the inadequate subcooling margin level. This variable is used by the operator to trip the RCPs within one minute of the loss of subcooling margin.

At 2600 pounds per square inch absolute (psia), which is greater than the maximum pressure that can be measured by the wide range pressure transmitters used for the subcooling margin calculator (2500 psig), the saturation temperature is 673.91 degrees F. To be able to indicate the Regulatory Guide (RG) 1.97, "Instrumentation for Light-Water-Cooled Nuclear power Plants to Assess Plant Conditions During and Following an Accident," Revision 2, specified 35 degrees of superheat, at this pressure the temperature would have to be 708.91 degrees F.

The condition caused the core subcooling indication to be out of range at CET temperatures above 1250 degrees F. The indication remained accurate below 1250 degrees F. Even with the degraded SPDS, there would still be 541 degrees F of additional valid indication. Therefore, the subcooling margin indication degradation was of low safety significance and the design function of the Core Subcooling Monitors was maintained.

A small break loss of coolant accident may be the most limiting for this condition as the RCS temperature could remain high while the RCS pressure slowly drops. This event would cause a loss of subcooling. However, the Core Subcooling Monitor would provide indication and alarms to permit plant staff to take the necessary actions to protect the core and the public.

Additionally, CR-3 has procedural guidance in the event of a loss of the SPDS. Administrative Instruction AI-505, "Conduct of Operations During Abnormal and Emergency Events," step 4.2.8.3 states that if SPDS is unavailable, subcooling margin is determined by plotting RCSPRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE SEQUENTIAL I REVISION YEAR NUMBER NUMBER CRYSTAL RIVER UNIT 3 105000-302 2008 001 00 4

OF 7

temperature and pressure on Enclosure 5 or 6 of this procedure or on the same figures of applicable Emergency Operating Procedures (EOPs).

EOP -03, "Inadequate Subcooling Margin,"

step 2.1, states that if RCPs were not stopped within one minute, then ensure one RCP remains running in each RCS loop to avoid core damage.

Based on the above discussion, Progress Energy Florida (PEF) concludes that the identified condition did not represent a reduction in the public health and safety.

The identified condition is not reportable under 10 CFR 50.73(a)(2)(v) and does not represent a condition that would have prevented the fulfillment of a safety function. Therefore, this event does not meet the Nuclear Energy Institute (NEI) definition of a Safety System Functional Failure (Reference NEI 99-02, Revision 5).

CAUSE

The cause for this condition was that the responsible engineer did not identify the impact of the software change to the system and require testing for the high, mid, and low data ranges for computer point R-266 after implementing Engineering Change (EC) 64476. The EC included a change to the drivers for the SPDS multiplexer server's Modbus and changed the way the Modbus interface converts the data from the Chessel recorders. The differences in the Modbus interface was not identified and as such the testing was not adequate to assure operability of the SPDS Core Subcooling Monitors.

The reason for the inaccurate indications above 1250 degrees F was found to be the treatment of the incoming 16-bit data words from the CET recorders as signed integers in the SPDS multiplexer server's Modbus driver. The CET recorders transmit the temperature data in an unsigned format. The new Modbus driver had been installed under EC 64476 as part of an Emergency Monitoring (EM) and Plant Computer (CP) system software update. For all values at or below midscale (1250 degrees F), the same data word represents the signed and unsigned version of the temperature. Inaccurate treatment of the input data occurred in the range above 1250 degrees F, where any value above 1250 appeared to exceed the maximum of 2500 degrees. When the input data type for CET data was changed to an unsigned integer on a process computer system simulator, the SPDS variables followed the input from the recorders for the full range (0 to 2500 degrees F). This confirmed the failure mode and the date that the condition began.

Corrective Actions

1.

The Core Subcooling Monitor over range condition at CET temperatures above 1250 degrees F was corrected through a revision to EC 64476 to implement Modbus driver changes for the EM and CP systems. This revision was implemented on January 26, 2008. Testing was performed to assure EM system OPERABILITY prior to turning the systems back to Operations.

2. Additional corrective actions are identified in Nuclear Condition Report 263310.PRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE YEAR SEQUENTIAL REVISION A

NUMBER NUMBER CRYSTAL RIVER UNIT 3 05000-302 2008 001 00 5

OF 7

PREVIOUS SIMILAR EVENTS

None.

Both trains of Core Subcooling Monitor indication being inoperable for longer than allowed by ITS 3.3.17, Condition C, completion time was previously reported to the NRC as LER 50-302/03-004-00. However, the cause was different than described in this LER.

A-TTACHMENTS - Abbreviations, Definitions, and Acronyms - List of CommitmentsPRINTED ON RECYCLED PAPERPRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE YEAR SEQUENTIAL I REVISION YA NUMBER NUMBER CRYSTAL RIVER UNIT 3 105000-302 2008 001 00 6

OF 7

Abbreviations, Definitions, and Acronyms AI Administrative Instruction CET Core Exit Thermocouple CFR Code of Federal Regulations CP Plant Computer CR-3 Crystal River Unit 3 EC Engineering Change EM Emergency Monitoring System EOP Emergency Operating Procedure F

Fahrenheit FSAR Final Safety Analysis Report ITS Improved Technical Specifications NEI Nuclear Energy Institute NRC Nuclear Regulatory Commission PEF Progress Energy Florida, Inc.

psia pounds per square inch absolute psig pounds per square inch gauge RCP Reactor Coolant Pump RCS Reactor Coolant System RG Regulatory Guide SP Surveillance Procedure SPDS Safety Parameter Display System NOTES:

Improved Technical Specification Defined terms appear capitalized in LER text

{e.g., MODE 1}.

Defined terms/acronyms/abbreviations appear in parenthesis when first used

{e.g., Reactor Building (RB)}.

EIIS codes appear in square brackets {e.g., reactor building penetration [NH, PEN]}PRINTED ON RECYCLED PAPERPRINTED ON RECYCLED PAPERU.S. NUCLEAR REGULATORY COMMISSION (9-2007)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME
2. DOCKET
6. LER NUMBER
3. PAGE YEAR SEQUENTIAL REVISIONI YEAR INUMBER NUMBER CRYSTAL RIVER UNIT 3 105000-302 2008 001 00 I

7 OF 7

LIST OF COMMITMENTS The following table identifies those actions committed by PEF in this document. Any other actions discussed in the submittal represent intended or planned actions by PEF.

They are described to the NRC for the NRC's information and are not regulatory

commitments

Please notify the Acting Supervisor, Licensing and Regulatory Programs of any questions regarding this document or any associated regulatory commitments.

RESPONSE

COMMITMENT

DUE DATE SECTION No regulatory commitments are being made in this submittal.PRINTED ON RECYCLED PAPERPRINTED ON RECYCLED PAPER

Retrieved from "https://kanterella.com/w/index.php?title=05000302/LER-2008-001,_Regarding_Software_Change_Causes_Inoperability_of_Redundant_Core_Subcooling_Monitors_for_Longer_than_TS_Allowable&oldid=5333335"