Regarding Discovery of Inadequacy in Surveillance Testing of Solid State Protection System

ML12363A038
Person / Time
Site:	McGuire, Mcguire
Issue date:	12/18/2012
From:	Capps S Duke Energy Corp, Duke Energy Carolinas
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
M-12-7530 LER 12-002-00
Download: ML12363A038 (8)
v • d • e

LER-2012-002, Regarding Discovery of Inadequacy in Surveillance Testing of Solid State Protection System

Event date:
Report date:
Reporting criterion:	10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
3692012002R00 - NRC Website
v • d • e

text

Duke STEVEN D CAPPS r

Energy Vice President McGuire Nuclear Station Duke Energy MGOO VP / 12700 Hagers Ferry Rd.

Huntersville, NC 28078 980-875-4805 980-875-4809 fax Steven. Capps@duke-energy.corni December 18, 2012 10 CFR 50.73 U.S. Nuclear Regulatory Commission ATTENTION: Document Control Desk Washington, D.C. 20555

Subject:

Duke Energy Carolinas, LLC McGuire Nuclear Station, Units 1 and 2 Docket Nos. 50-369 and 50-370 Licensee Event Report 369/2012-02, Revision 0 Problem Investigation Process Number M-12-7530 Pursuant to 10 CFR 50.73 Sections (a) (1) and (d), attached is Licensee Event Report (LER) 369/2012-02, Revision 0, regarding the discovery of an inadequacy in surveillance testing of the Solid State Protection System (SSPS).

This report is being submitted in accordance with 10 CFR 50.73(a)(2)(i)(B) for operation or condition prohibited by Technical Specification, and under 10 CFR 50.73(a)(2)(vii) for common cause inoperability of an independent train or channel.

This event is considered to be of no significance with respect to the health and safety of the public. There are no new regulatory commitments contained in this LER.

If questions arise regarding this LER, please contact Michael K. Leisure at 980-875-5171.

Sincerely, Steven D. Capps Attachment www. duke-energy. corn

U.S. Nuclear Regulatory Commission December 18, 2012 Page 2 cc:

V. M. McCree Administrator, Region II U.S. Nuclear Regulatory Commission Marquis One Tower 245 Peachtree Center Ave. NE, Suite 1200 Atlanta, Georgia 30303-1257 J. H. Thompson Project Manager (McGuire)

U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville, MD 20852-2738 Mail Stop 0-8 G9A J. Zeiler NRC Senior Resident Inspector McGuire Nuclear Station W. L. Cox Ill, Section Chief North Carolina Department of Environment and Natural Resources Division of Environmental Health Radiation Protection Section 1645 Mail Service Center Raleigh, NC 27699-1645

Abstract

At the time of the event, September 26, 2012, Unit 1 was in Mode 1 at 100% power and Unit 2 was in Mode 6.

It was discovered that the existing Solid State Protection System (SSPS) logic test (semi-automatic test) and Westinghouse "7300" series channel operational test (COT) surveillance procedures for the "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function may not provide sufficient overlap to confirm continuity for some of the SSPS jumpers used for channel multiplication. The inadequate surveillance testing constitutes a failure to meet the Limiting Condition for Operation, resulting in past operation prohibited by Technical Specifications, and common cause inoperability of an independent train or channel.

The cause of this event was a design deficiency by the vendor in the specific test circuitry used to verify the SSPS logic. Testing was conducted to verify continuity of the affected SSPS jumpers which provide overlap.

As corrective actions, the appropriate procedure changes were made and design changes will be implemented.

BACKGROUND The following information is provided to assist readers in understanding the event described in this Licensee Event Report (LER).

Applicable.

Energy Industry Identification [EIIS] system and component codes are enclosed within brackets.

McGuire unique system and component identifiers are contained within parentheses.

Engineered Safety Features Actuation System [JE] (ESFAS):

The Solid State Protection System (SSPS) equipment is used for the decision logic processing of outputs from the signal processing equipment bistables.

To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided.

The SSPS performs the decision logic for most Engineered Safety Features (ESF) equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients.

If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate function best serves to alleviate the condition and restore the unit to a safe condition.

SSPS will actuate as needed a reactor trip and the following safety functions via an ESFAS signal:

• Safety Injection [BQ] (NI),

including emergency diesel generator [EK] (DG) actuation

• Phase A and Phase B Containment Isolation Containment Ventilation Isolation Steam Line Isolation

• Main Feedwater Isolation

• Steam Dump Interlock

• Turbine Generator Trip

• Auxiliary Feedwater Automatic Start

" Automatic Switchover of Emergency Core Cooling Water to the Containment Sump

• Containment Air Return and Hydrogen Skimmer Fans Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.

When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed.

The testing device is semi-automatic to minimize testing time.

Safety Injection - Pressurizer Pressure Low-Low is one of the SSPS input signals.

This signal provides protection against the following accidents: inadvertent opening of a steam generator (SG) relief or safety valve; steam line break (SLB); inadvertent opening of a pressurizer relief or safety valve; loss of coolant accidents (LOCAs);

and SG tube rupture.

EVENT DESCRIPTION

On 9/26/12, site Engineering personnel were contacted by counterparts at the Catawba Nuclear Station and were made aware that the existing SSPS logic test (semi-automatic test) and 7300 channel operational test (COT) surveillance procedures for "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function may not provide sufficient overlap to confirm continuity for some of the SSPS jumpers used for channel multiplication.

This condition was subsequently confirmed by site Engineering personnel in consultation with the vendor (Westinghouse) SSPS Engineer.

The condition was determined to impact both SSPS trains of both Units for the specific function.

The SSPS design uses a combination of 2/3 and 2/2 SSPS logic cards to develop the 2/4 logic for Safety Injection on Low Pressurizer Pressure.

The arrangement uses external jumpers on the back planes of the cards to distribute some of the four input signals to the appropriate logic cards.

For this specific function and current design, positive verification of annunciator and/or status indications during the 7300 Pressurizer Pressure Low Low Channel COT's does not electrically validate some of the logic input jumper wiring paths to the logic cards.

Current SSPS logic testing, usincg the built in semi-automatic tester, verifies the correct logic from the logic

input to the appropriate logic outputs, but does not electrically validate the jumper wiring continuity.

Subsequent to the discovery of the condition, it was recognized that applicable surveillance requirements for Limiting Condition for Operation (LCO) 3.3.2, "Engineered Safety Features Actuation System Instrumentation," were not met for both Unit 1 SSPS trains, resulting in entry into LCO 3.0.3 at 1820 hours0.0211 days <br />0.506 hours <br />0.00301 weeks <br />6.9251e-4 months <br /> on 9/26/12.

Unit 2 was in Mode 6 at the time as part of scheduled outage 2EOC21; hence, LCO 3.3.2 was not applicable to Unit 2 at the time.

Following successful verification of the continuity of the affected Unit 1 train 1B SSPS jumpers, Unit 1 exited LCO 3.0.3 at 2322 hours0.0269 days <br />0.645 hours <br />0.00384 weeks <br />8.83521e-4 months <br /> on 9/26/12, prior to a power reduction being required.

Continuity of the Unit 1 train lA and the Unit 2 train 2A and 2B SSPS jumpers were verified by later testing.

In that the condition existed on both units prior to discovery, the inadequate surveillance testing constitutes a failure to meet LCO 3.3.2, and resulted in past operation prohibited by Technical Specifications, satisfying reporting criterion 10 CFR 50.73(a) (2) (i) (B).

The event is also reportable as a result of common cause inoperability of an independent train or channel (reporting criterion 10 CFR 50.73(a) (2) (vii).

The McGuire Nuclear Station SSPS design was reviewed for other cases where a similar issue exists, and none were found.

CAUSAL FACTORS It was determined that the jumper wiring of the "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function and the associated selector switch wiring inside the SSPS was an original design provided by Westinghouse during the construction of the plant.

During 1996-1997, Duke Energy performed an extensive review of logic schematics and surveillance procedures as required by Generic Letter (GL) 96-01, "Testing of Safety-Related Circuits."

However, the jumper issue for the Safety Injection Low Pressurizer Pressure function was not identified as creating a potential gap in the logic testing.

The cause of this event was a design deficiency by the vendor (Westinghouse) in the specific test circuitry used to verify the Pressurizer Low Pressure Safety Injection logic.

The Westinghouse Semi-Automatic Tester was designed

by Westinghouse and is considered as an integral function in the overall SSPS Design.

The failure of Duke Energy personnel to discover the condition during the original test procedure preparation/review and the much later GL 96-01 review are considered to be missed opportunities.

CORRECTIVE ACTIONS

Immediate Corrective Action:

1.

Conducted testing to verify continuity of SSPS jumpers on Unit 1.

(Train 1B was completed on 9/26/12 at 2130 hours0.0247 days <br />0.592 hours <br />0.00352 weeks <br />8.10465e-4 months <br />; Train lA was completed on 9/26/12 at 2322 hours0.0269 days <br />0.645 hours <br />0.00384 weeks <br />8.83521e-4 months <br />)

Subsequent Corrective Actions:

1.

Conducted testing to verify continuity of SSPS jumpers on Unit 2 prior to entry into Mode 4.

(Train 2A was completed on 10/11/12; Train 2B was completed on 10/12/12)

2.

Revised procedures to ensure logic testing for Unit 1 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure.

(Complete)

3.

Implemented design change to ensure comprehensive semi-automatic logic testing for Unit 2 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure.

(Complete)

Planned Corrective Action:

1.

Implement design change to ensure comprehensive semi-automatic logic testing for Unit 1 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure.

SAFETY ANALYSIS

The SSPS remained capable of performing its safety function, as demonstrated by subsequent continuity testing of the affected SSPS jumpers.

Therefore, this event had no impact on nuclear safety.

ADDITIONAL INFORMATION

To determine if this event is recurring, a search of the McGuire Nuclear Station Problem Identification Process (PIP) database was conducted for a time period covering five years prior to the event.

The PIP searches do not show any previous history or identification of inadequate testing pertaining to the specific issue identified at the McGuire Nuclear Station for Safety Injection Low Pressurizer Pressure logic testing.

Therefore, this event is not considered recurring.