ML17348B370
| ML17348B370 | |
|---|---|
| Site: | Turkey Point |
| Issue date: | 02/04/1992 |
| From: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML17348B369 |
| References: | NUDOCS 9202100399 |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
CONFIRMATORY AUDIT OF LOAD SEQUENCER IMPLEMENTATION AT TURKEY POINT PLANT UNITS 3 AND 4
FLORIDA POWER & LIGHT COMPANY
DOCKET NOS. 50-250 AND 50-251
1.0 INTRODUCTION
The NRR staff, with assistance from Region II staff, audited the licensee's implementation of the load sequencer hardware and software design.
The purpose of this audit was to confirm that the licensee:
1) Assessed the functional equivalence and improvement of the upgrade relative to the original design bases,
2) Assessed the vendor's design (functional requirements and specifications) and verification and validation processes,
3) Confirmed that the design functional requirements have been satisfactorily translated into the software configuration,
4) Assessed their own development of the design modification with respect to the design bases,
5) Implemented and followed their configuration management process for the new design,
6) Isolated the non-Class 1E systems from the Class 1E portion of the load sequencers,
7) Dedicated the load sequencer commercial-grade components for safety-related use,
8) Verified that the electromagnetic environment qualification at the plant is enveloped by the vendor's tests, and
9) Provided the control room operators with load sequencer bypass indications and inoperable state indications.
The staff's evaluation of the licensee's implementation of each of these items is addressed in this Safety Evaluation.
2.0 EVALUATION
2.1 Items 1 and 4 - Equivalence of New Design to Original Design Bases
The staff reviewed these items to confirm that the licensee has assessed the development of the design modifications with respect to the design bases.
The licensee, Florida Power and Light Company (FPL), requested that the plant vendor, Westinghouse, review and evaluate the proposed diesel loading scheme for potential impacts on the current design bases accident analyses.
The loading scheme changes were part of the Emergency Power System (EPS) Enhancement Project and affect the electrical system response to initial starting currents and associated voltage transients.
The scope of the Westinghouse 10 CFR 50.59 safety evaluation was limited to assessing the EPS changes for the FSAR Chapter 14 accident analyses and any impact on offsite thyroid doses as a result of a proposed delay in loading essential safety systems.
The Westinghouse safety evaluation is documented in the Diesel Loading Evaluation (SECL-90-365).
The Diesel Loading Evaluation concluded that the proposed emergency diesel generator load sequencer and loading scheme design is acceptable with respect to the accident analyses.
The vendor concluded the proposed load sequencer and loading scheme does not represent an unreviewed safety question.
The staff reviewed the implementation of the load sequencer hardware and software design, and concludes that the licensee properly assessed the design modification with respect to the design bases and design bases accident.
2.2 Items 2, 3 and 5 - Digital System Design Implementation
The purpose of this section is to discuss the adequacy of the licensee's and the vendor's digital system design implementation, as documented in the Verification and Validation (V&V) Program of the Turkey Point 3 and 4 load sequencer system.
The staff audited the V&V Program using guidelines provided in ANSI/IEEE Standard 1028-1988, "IEEE Standard for Software Reviews and Audits", Corrected Edition, June 30, 1989, to ensure the licensee's V&V Program conformed to ANSI/IEEE-ANS-7-4.3.2-1982, "American National Standard, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations."
ANSI/IEEE-ANS-7-4.3.2-1982 has been endorsed by the NRC in Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," November 1985.
The load sequencer system at Turkey Point Units 3 and 4 is a programmable logic controller (PLC) based system consisting of both hardware and software.
The implementation of this system at the Turkey Point 3 and 4 plants must conform to the original load sequencer licensing design basis.
To ensure the licensee has maintained adequate design control, the staff audited the formal V&V plan that governed the development of the load sequencer system.
In its initial review, the staff found the V&V plan submitted by the licensee to be acceptable.
The purpose of the staff's subsequent audit was to confirm that the licensee adequately implemented the V&V plan throughout the load sequencer system development effort.
The objective of the staff's functional audit was to verify that all load sequencer system requirements specified in the software requirements specification have been met.
To accomplish this objective, the staff reviewed test documentation and validated data to ensure that the tests sufficiently established load sequencer system performance.
The staff also evaluated performance parameters that could only be verified by using simulations or other analysis.
The staff performed the functional audit of the load sequencer system using the guidelines provided in IEEE 1028-1988.
This standard is not referenced in the Standard Review Plan; however, this standard provides a detailed list of audit objectives that can be used to assess the adequacy of a software system implementation.
The staff reviewed the licensee contractor's V&V report, "Verification and Validation Report for the Emergency Bus Load Sequencers for Florida Power & Light, Turkey Point - Unit 3 & 4, VVR-1262."
This report documents the entire load sequencer software development effort, and includes the following information:
1) Software requirements specifications,
2) Preliminary design review documentation,
3) Listing of the load sequencer program,
4) Current listing of waivers against specific configuration items,
5) Test documentation (for example, plans, specifications, procedures and reports), and
6) Listings of successfully accomplished functional testing.
The staff audited the formal test documentation against the test data.
The purpose of this audit was to check for adequacy and accuracy of the test program scope, and to determine whether the licensee documented system deficiencies.
The staff reviewed United Controls Incorporated (UCI) Test Procedure SATP3A2, "Software/Hardware Functional Test Procedure for the Emergency Bus Load Sequencer for Florida Power & Light Turkey Point Units 3 and 4," Revision 2, October 12, 1990.
The purpose of the tests covered by this procedure is to demonstrate that both the hardware and software of the load sequencer will perform according to the licensee's specifications.
The test procedure scope acceptably addresses the system response requirements.
The staff finds the test report to be acceptable.
The staff reviewed the licensee's startup test procedure, Preoperational Procedure 0804.121, "Unit 4 Train B Emergency Bus Load Sequencer 4C23B-1 Preoperational Test."
The licensee's test procedure was prepared by the licensee's startup group.
The startup group submitted the test procedure to the engineering group for approval.
The engineering group reviewed the startup procedures, documented discrepancies, and returned the procedures for
and the licensee's test procedure and found the scope of the licensee's test procedure to be acceptable.
The staff audited the software V&V reports to validate whether the reports are accurate and completely describe the testing effort.
This review was conducted to ensure the licensee or vendor incorporated and verified all approved system changes.
The staff finds the licensee's control of system changes to be well documented and acceptable.
The staff reviewed updates to the system documents to ensure the documents are accurate and the updates are consistent with the design objectives.
Revisions to the system documents are clearly indicated in an acceptable manner.
The staff reviewed design review documentation to validate whether design changes have been accurately incorporated and formally completed.
The staff finds the design review documentation to be acceptable.
The staff compared software listings with the software requirements in the specifications document to determine whether the software addresses the system requirements.
The staff finds the listings to be consistent with the documented requirements.
In summary, the staff finds the licensee's implementation of the V&V Program to be acceptable.
2.3 Item 6 - Isolation of the Non-Class 1E Systems From the Class 1E Portion of the Load Sequencers
The purpose of auditing this item was to confirm that the non-Class 1E systems are properly isolated from the Class 1E portion of the load sequencer.
The staff reviewed the electrical wiring diagrams to determine the non-Class 1E connections to the sequencers.
The only non-Class 1E signal is from the local sequencer annunciator to the main control room annunciator. This signal is isolated by relay contacts in the local sequencer annunciator.
All other signals and power to the new sequencers were taken from the "old" sequencer panels that were used before the EPS modifications.
Additionally, the staff conducted walkdown inspections of the "old" sequencer panels and the new sequencer panels to verify the wiring connecting the panels.
The staff found the isolation of the non-Class 1E systems from the Class 1E systems to be acceptable.
2.4 Item 7 - Evaluation of Commercial-Grade Item Dedication of Load Sequencers
The staff reviewed the implementation of the licensee's commercial-grade item (CGI) dedication of the load sequencer components used in Turkey Point Units 3 and 4.
This section provides NRC staff comments regarding the acceptability of the licensee's dedication of these CGIs for use in a safety-related system.
As part of the program to enhance the Emergency Power System at the Turkey Point Plant, Units 3 and 4, the licensee added a new load sequencing system that uses Allen-Bradley programmable logic controllers (PLCs).
The load sequencing system was provided as a CGI by UCI, through a contract with FPL.
The staff reviewed the licensee's selection of load sequencer critical characteristics as part of the staff's audit of the licensee's CGI dedication of the Allen-Bradley PLC.
The following critical characteristics, the manner by which the licensee reviewed each characteristic, and the NRC staff's acceptance of the licensee's actions are described below.
1) Operability - The load sequencer will operate in accordance with the load sequencer requirements, as defined in the load sequencer ladder logic diagrams.
During system development and after installation in the plant, the licensee tested the load sequencers to ensure proper operation for all bus stripping and loading sequencers.
Design deficiencies were detected, documented, and corrected during these development phases.
Based upon the quality of the licensee's test program, and the results of the NRC staff's audit of the licensee's V&V Program, the staff finds the licensee acceptably evaluated the operability of the load sequencing system.
2) General configuration - The load sequencer and subcomponent locations must match the drawing and design details.
The licensee and its contractor confirmed that the configuration of the load sequencer and associated software agree with the drawing and design details as part of the formal V&V Program.
Deficiencies and corrective actions were properly incorporated into the V&V documentation.
The licensee noted that items returned to Allen-Bradley for repairs are repaired to the same series as the original issue; however, Allen-Bradley incorporates all revisions that have occurred since the PLC was originally issued.
Consequently, the repaired PLC may not be the same as when it was sent to Allen-Bradley for repair.
The licensee will flag Allen-Bradley components in their material tracking system to ensure the design requirements of the PLCs have not been changed during the repair process.
Items returned from Allen-Bradley will be inspected at the site and rededicated for use prior to installation at the plant.
Additionally, the licensee will furnish Allen-Bradley with their name, title, and address to facilitate possible recalls.
The licensee and three of its contractors surveyed the Allen-Bradley engineering and manufacturing facilities to evaluate this vendor's quality assurance programs.
The licensee's survey evaluated the following areas:
1) Quality Assurance Program,
2) Design Control,
3) Control of Materials, Parts and Components,
4) Document Control,
5) Manufacturing,
6) Testing,
7) Software Development and Control,
8) Repair/Warranty Department Operations,
9) Purchasing Control, and
10) Reporting of Nonconformance
The licensee surveyed the testing procedures that Allen-Bradley uses to control the quality of the individual subcomponents in the manufacturing process.
The licensee found that Allen-Bradley subjects subcomponents to environmental and electromagnetic testing as part of its product acceptance procedures.
The licensee reviewed these procedures, and the degree to which Allen-Bradley follows the procedures, and found that Allen-Bradley performs testing in accordance with test procedures.
Additionally, Allen-Bradley burns-in and tests all modules, and emphasizes in-process inspections.
The licensee found all test equipment to be calibrated and controlled by formal procedures.
The licensee concluded that testing was a major strength in the quality control process.
The licensee noted that Allen-Bradley purchases all materials only from suppliers that have been approved by Allen-Bradley.
An approved supplier list is maintained by Allen-Bradley for this purpose.
A supplier can be placed on the Allen-Bradley suppliers list only after Allen-Bradley performs a supplier survey, a component/product evaluation, and after monitoring the component/product performance.
Additionally, Allen-Bradley conducts receipt inspections of all ordered components and parts using approved drawings.
The receipt inspections typically include sample inspections of the critical points of metal and plastic parts, and extensive inspections/tests of printed circuit boards, including cross-sectioning.
The licensee stated that changes in form, fit, or function by Allen-Bradley result in a series number change in the product.
Changes in the product will result in part number change.
All changes are controlled through Allen-Bradley's change control procedure, which requires approval of all affected functions.
The licensee and its load sequencer development contractor will be notified by Allen-Bradley whenever changes to a product result in a part number change.
Series number changes will be tracked through the licensee's material tracking system.
Allen-Bradley in-house manufacturing processes are controlled via inspection, special process controls, auditing, and process documentation.
Allen-Bradley inspects and tests finished items to ensure the product conforms to the published specifications.
The licensee noted that these tests and inspections are controlled by a formal set of procedures.
The staff finds the licensee's evaluation of Allen-Bradley's Quality Assurance Program to be acceptable.
3) Subcomponent model numbers - Each subcomponent in the load sequencer cabinet, including non-safety related items, has the model number that is identified in the Bill of Materials.
The licensee compared the documentation describing the load sequencer component model numbers with the components received from Allen-Bradley to confirm that the components received are the same as those listed in the Bill of Materials.
Additionally, each component item is cataloged in the Turkey Point materials tracking system to ensure continued configuration control is maintained throughout the life of the load sequencer.
The licensee noted that Allen-Bradley makes minor changes to their PLC design without making corresponding changes to the PLC revision number.
Consequently, PLCs with the same revision number may not have the same design.
To address this issue, the licensee will use unique identifiers for each spare component.
The material tracking system at Turkey Point Units 3 and 4 has the capability to flag items with cautionary notes regarding item-specific characteristics.
The Allen-Bradley PLCs and modules will be flagged accordingly.
The staff finds this to be acceptable.
The licensee will also purchase an additional three PLCs with all modules for use as spare components.
Given the long mean time to failure (MTTF) for the PLC modules (Allen-Bradley states that the minimum component MTTF is approximately 584,000 hours), the staff finds this number of spare PLCs to be acceptable.
Allen-Bradley states that the PLC modules have a minimum shelf life of 10 years.
Two of the modules (1771-P45 and 1772-LXPO) require powering every 1.5 years for a minimum of 2 hours.
This is required to prevent degradation of the dielectric material of the capacitors utilized on these modules.
Additionally, all of the spare parts are to be stored in accordance with ANSI N45.2.2 Level B in order to maintain their shelf life.
The staff finds this commitment to be acceptable.
The licensee concluded that Allen-Bradley follows acceptable material control procedures.
The NRC staff concurs with the licensee's conclusions.
4) Environmental qualification - The load sequencer items can survive environmental qualification tests without visible damage or deterioration, and the items will remain operable after the test.
The equipment is required to operate in a mild environment, as defined by 10 CFR 50.49 requirements.
The design maximum environmental conditions are:
Temperature: 120 deg. F
Humidity: 95% Relative Humidity
Pressure: Atmospheric
Radiation: Normal ambient
A load sequencer cabinet with all components in the same location and with the same model numbers as the four cabinets to be used in the plants was tested at environmental conditions exceeding the design conditions, then inspected for aging-related damage that could affect the equipment operability.
The only failures to occur were the elapsed time indicators, which failed in conditions above the maximum operating conditions.
Although aging/radiation testing is not required for equipment located in a mild environment, the licensee conducted a review of radiation tolerances of EPROM and CMOS chips.
The licensee's review revealed these components tolerate radiation environments greater than 10 R.
Electromagnetic Interference (EMI) testing has been performed by UCI (and witnessed by the licensee).
On-site verification of the electromagnetic environment was determined by testing.
The standards by which the test cabinet and components were tested for electromagnetic compatibility are SAMA PMC 33.1, Mil-Std-461C, Mil-Std-462, Mil-Std-463, and IEC Standard 801-3, Edition 1, 1984.
Additionally, a licensee contractor tested the electromagnetic environment in the switchgear rooms at the Turkey Point plant to ensure the laboratory test environment enveloped the environmental conditions at the plant site.
The tests indicate that the electromagnetic environment at the site is significantly less harsh than the test conditions.
The staff finds the licensee's on-site EMI tolerance verification to be acceptable.
5) Seismic integrity - The load sequencer can operate successfully during and after a seismic event.
The test cabinet described in the preceding paragraphs was also seismically tested by an independent testing laboratory.
The sequencer was operated both during the simulated design seismic events and following the events.
There were no failures in the operation of the equipment.
The staff finds the licensee's certification of equipment operability during design seismic conditions to be acceptable.
The staff finds acceptable the licensee's selection of critical characteristics, the licensee's evaluation of Allen-Bradley's test and inspection programs, and the manner in which the licensee verified these programs.
Based upon the results of the above evaluation, the staff finds the licensee's commercial-grade item dedication of the Allen-Bradley PLC-based load sequencer system hardware components to be acceptable.
2.5 Item 8 - Verification that the Electromagnetic Environment Qualification at the Plant is Enveloped by the Vendor's Tests
The purpose of this audit was to confirm that the licensee has verified that the electromagnetic environment qualification at the plant was enveloped by the vendor's tests.
The staff confirmed that the sequencer panels were tested for electromagnetic interference at the vendor's factory and at the plant.
In addition, the licensee monitored the power leads to the sequencers for disturbances, electrical noise transients, and surges created by inductive loads within the plant.
For the integrated safeguards load group separation preoperational test, the licensee installed power line analyzers on all four sequencers to continuously monitor and record all transients on both the 120 VAC and 125 VDC power leads.
Since voltage transients and surges (caused by switching inductive loads) are random events, continuous monitoring was necessary to supplement the EMI tests.
The types of transients monitored were voltage spikes, voltage dips, frequency shifts, and power surges for both voltage and frequency.
These power inputs were monitored to determine and identify the types of transients and their magnitude.
The types of transients were identified to determine whether they exceeded the specifications of the programmable controllers used in the sequencers.
The power leads were continuously monitored and recorded from July 23 to August 6, 1991.
The test results indicated that the power leads for all four sequencers experienced similar transients and disturbances.
Although a few high voltage spikes and surges occurred (up to 465 VAC and 526 VDC), none exceeded the surge transient susceptibility testing specifications for the PLCs.
A licensee contractor, National Technical Systems (NTS), performed EMI tests on the sequencers at the United Control Inc. site in Stone Mountain, Georgia, and at the Turkey Point site.
The tests at the UCI site were performed in October 1990 and September 1991.
The October 1990 visit is documented by NTS Test Report No. 28042-91N, Revision 1, dated January 14, 1991.
Preliminary tests at the Turkey Point site were performed from July 30 through August 2, 1991, and documented in NTS Test Report 28884-92N, dated August 9, 1991.
The tests were conducted in accordance with IEC Standard 801-3, Edition 1, which references SAMA Standard PCM 33.1-1978, and MIL-STD-461C.
The EMI tests performed at the factory on the sequencer panels are as follows:
1) CS01 Conducted Susceptibility, Power Leads, 30 Hz to 50 KHz,
2) CS02 Conducted Susceptibility, Power Leads, 50 KHz to 400 MHz,
3) CS06 Conducted Susceptibility, Power Leads, Spikes,
4) RS03 Radiated Susceptibility, Electric Field, 20 MHz to 1 GHz, and
5) SAMA Keying Test, Electric Field, 20 MHz to 1 GHz.
The EMI tests performed at the Turkey Point site in Switchgear Rooms 3A, 3B, and 4A were as follows:
1) CE01 Conducted Emissions, Power Leads, 30 Hz to 15 KHz, Room 3A,
2) CE02 Conducted Emissions, Power Leads, 15 KHz to 50 MHz, Rooms 3A and 3B,
3) CE07 Conducted Emissions, Power Leads, Spikes, Time Domain, Room 3B,
4) RE02 Radiated Emissions, Electric Field, 20 MHz to 1 GHz, Rooms 3A and 4A, and
5) RE02 Radiated Emissions, Electric Field, Hand Held Radio Profile, Rooms 3A, 3B, and 4A.
The EMI tests performed at the factory established the envelope within which the load sequencer equipment is qualified to operate.
The licensee performed EMI tests at the Turkey Point site to confirm that the electromagnetic environment at the site is less harsh than the test conditions at the factory.
The tests conducted at the site may not have been conducted under worst-case conditions because the 4.16 kV buses in the switchgear rooms were not fully loaded with operating reactor coolant pump motors and the main feedwater pump motors.
NTS returned to the site in September 1991, and completed the EMI testing with the 4.16 kV buses fully loaded.
These EMI tests were performed with the reactor coolant pump motors and the main feedwater pump motors running, but prior to Mode 1 plant operation.
The staff finds the results of these tests acceptably verify that the EMI environment at the Turkey Point site is enveloped by the EMI tests performed at the factory.
2.6 Item 9 - Provide the Control Room Operators with Load Sequencer Bypass Indications and Inoperable State Indications
The purpose of this audit item was to confirm that the licensee has provided the control room operators with load sequencer bypass indications and inoperable state indications.
In the main control room there are four annunciator alarms, one for each of the four sequencers.
Each sequencer panel has two local annunciators to identify potential failure modes.
The local alarms are combined into one alarm signal that is then sent to the main control room annunciator as "SEQUENCER 3A [3B, 4A, 4B] TROUBLE".
An auxiliary operator will be dispatched to the local sequencer panel to read the local annunciator to determine the specific failure mode.
The staff confirmed this installation by reviewing sequencer drawings, performing walkdown inspections of the sequencer panels and main control room indicators, and by demonstration that the local and control room annunciators will indicate the failure status of each sequencer.
Based on the results of this review, the staff finds this installation to be acceptable.
3.0 CONCLUSION
The staff reviewed the licensee's implementation of the load sequencer system at Turkey Point Units 3 and 4.
The licensee has acceptably closed the nine confirmatory items reviewed by the staff.
Date: February 4, 1992
Principal Contributors: Merle N. Miller, Michael E. Waterman