ML17352A887

| Person / Time | |
|---|---|
| Site: | Turkey Point |
| Issue date: | 11/10/1994 |
| From: | Mowrey C, Plunkett T, FLORIDA POWER & LIGHT CO. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References: | L-94-287, LER-94-005-03, LER-94-5-3, NUDOCS 9411170102 |
| Download: | ML17352A887 (19) |
Text
REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)
ACCESSION NBR: 9411170102   DOC.DATE: 94/11/10   NOTARIZED: NO   DOCKET #
FACIL: 50-250 Turkey Point Plant, Unit 3, Florida Power and Light Co.   05000250
AUTH.NAME / AUTHOR AFFILIATION: MOWREY,C.L., Florida Power & Light Co.; PLUNKETT,T.F., Florida Power & Light Co.
RECIP.NAME / RECIPIENT AFFILIATION:
SUBJECT: LER 94-005-00: on 941103, design defect in safeguards bus sequencer test logic places both units outside design basis. Caused by 3A sequencer failed to respond as expected to opposite unit SI signal. W/941110 ltr.
DISTRIBUTION CODE: IE22T   COPIES RECEIVED: LTR ENCL   SIZE:
TITLE: 50.73/50.9 Licensee Event Report (LER), Incident Rpt, etc.
NOV 10 1994
L-94-287
10 CFR 50.73

U. S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, D. C. 20555

Gentlemen:

Re: Turkey Point Units 3 and 4
Docket No. 50-250, 50-251
Reportable Event: 94-005-00
Design Flaw in Safeguards Bus Sequencer Logic Timing Places Both Units Outside the Design Basis

The attached Licensee Event Report 250/94-005-00 is being provided in accordance with 10 CFR 50.73(a)(2)(ii), (a)(2)(v), (a)(2)(vii), and 10 CFR 21.

If there are any questions, please contact us.

Very truly yours,

T. F. Plunkett
Vice President
Turkey Point Plant

TFP/CLM/cm
enclosure

cc: Stewart D. Ebneter, Regional Administrator, Region II, USNRC
    Thomas P. Johnson, Senior Resident Inspector, Turkey Point Plant, USNRC
LICENSEE EVENT REPORT (LER)

FACILITY NAME (1): TURKEY POINT UNITS 3 AND 4
DOCKET NUMBER (2): 05000250
PAGE (3): 1 OF 14
TITLE (4): DESIGN DEFECT IN SAFEGUARDS BUS SEQUENCER TEST LOGIC PLACES BOTH UNITS OUTSIDE THE DESIGN BASIS
EVENT DATE (5): 11 / 03 / 94
LER NUMBER (6): 94 - 005 - 00
REPORT DATE (7): 11 / 10 / 94
OTHER FACILITIES INVOLVED (8): TURKEY POINT UNIT 4, DOCKET 05000251
OPERATING MODE (9): 1/5
POWER LEVEL (10): 100/0
THIS REPORT IS SUBMITTED PURSUANT TO (11): 10 CFR 50.73(a)(2)(ii), (a)(2)(v), (a)(2)(vii); 10 CFR 21
LICENSEE CONTACT FOR THIS LER (12): C. L. Mowrey, Licensing OEF Engineer/Analyst, telephone 305-246-6204
COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13): CAUSE: (none given)  SYSTEM: JE  COMPONENT: 34  MANUFACTURER: A160  REPORTABLE TO NPRDS: (none given)
SUPPLEMENTAL REPORT EXPECTED (14): NO [X]  YES [ ]
EXPECTED SUBMISSION DATE (15): (If yes, complete EXPECTED SUBMISSION DATE)

ABSTRACT (16)
On November 3, 1994, Turkey Point Unit 3 was in Mode 1 at 100% power, and Unit 4 was in Mode 5 during a refueling outage. During the Unit 4 Integrated Safeguards Test, the 3A sequencer failed to respond to the Unit 4 Safety Injection signal. A defect was found in the sequencer software logic which, for a limited period of time, could inhibit any or all of the four sequencers from responding to specific valid signals. The defect only affects the sequencers during manual or automatic testing. The sequencers were installed in late 1991.
The sequencer Test Selector switches are tagged to OFF. Front panel visual examinations are being performed every 8 hours, and internal visual examinations are being performed every 24 hours. A permanent repair to the software logic is being evaluated. Independent consultants are performing an assessment of the existing sequencer design, software design, and the software control process.
LICENSEE EVENT REPORT (LER) TEXT CONTINUATION
FACILITY NAME: TURKEY POINT UNIT 3   DOCKET NUMBER: 05000250   LER NUMBER: 94-005-00

I. DESCRIPTION OF THE EVENT

On November 3, 1994, Turkey Point Unit 3 was operating in Mode 1 at 100% power, and Unit 4 was in Mode 5 during a refueling outage. During the Unit 4 Integrated Safeguards Test, a failure of the 3A sequencer [JE:34] to respond to the opposite unit's Safety Injection (SI) signal occurred. Troubleshooting resulted in the discovery of a defect in the sequencer software logic which, under certain conditions, could inhibit the sequencer from responding to a valid emergency signal. The defect manifested itself in the failure of the 3A High Head Safety Injection (HHSI) pump [BQ:p] to start. Turkey Point has four HHSI pumps; one per train, per unit. Each HHSI pump is capable of providing 50 percent of system requirements, therefore two of the four are required to mitigate the consequences of accidents analyzed in the Updated Final Safety Analysis Report (UFSAR). In order to meet single failure criteria, each sequencer signals its associated HHSI pump, and both of the opposite unit's HHSI pumps via the opposite unit's sequencers, to start. With no equipment failures, all four HHSI pumps will respond to an SI signal on either unit.
The software logic defect is limited to the test function, but the defect is common to all four sequencers (one sequencer per train, per unit). The design intent of the sequencers is such that should a "real" emergency signal occur while the sequencer is being tested, the test signal clears, allowing actuation of the Engineered Safety Features controlled by the sequencer.
Because the sequencers would not have responded properly to an SI signal as designed, Turkey Point Units 3 and 4 have been operating outside their design basis. This condition was reported to the NRC OC at 1609 on November 3, 1994, in accordance with 10 CFR 50.72(b)(ii)(B).

SEQUENCER DESIGN BASIS AND FUNCTIONAL REQUIREMENTS

Each of the four sequencers, 3C23A-1, 3C23B-1, 4C23A-1, and 4C23B-1, is associated with a given train (3A, 3B, 4A, and 4B, respectively). They are designated Class 1E, Seismic Category I, since their operation is required for safe shutdown of the reactor in the event of a Loss of Offsite Power (LOOP) and to mitigate the consequences of a design basis accident.
The sequencers are Programmable Logic Controller (PLC)-based cabinets using a PLC for bus stripping and load logic and control. The signal path structure of the PLC uses dedicated input modules, control logic, and dedicated output modules.
LOOP Signal Only

On a LOOP in a given unit, both sequencers associated with that unit will respond accordingly to clear their associated buses, stripping all 4.16KV loads and specified 480V loads within one second after the LOOP signal is generated.
The Emergency Diesel Generators (EDGs) [EK:dg] will start and within 15 seconds the EDG output breakers [EK:bkr] close, and loads required for safe reactor shutdown are sequentially connected to the corresponding bus; the first load block output signal is generated 16.5 seconds after the onset of the LOOP.
LOCA Signal Only

If either unit experiences a Loss of Coolant Accident (LOCA) and preferred (offsite) power is available, bus stripping signals and EDG breaker closure permissive signals will not be initiated by the sequencers. Vital loads will be sequentially connected to the buses by the sequencers (including the opposite unit's HHSI pumps). If an EDG is already operating and paralleled to offsite power, and either unit experiences a LOCA, the EDG breaker will trip. The EDG will continue to run in a standby condition. On the LOCA unit, Engineered Safety Feature (ESF) equipment will be sequentially loaded onto the bus by the sequencer. Following a LOCA, if any given train experiences undervoltage, bus stripping, EDG breaker closure, and sequential loading will be directed.

LOOP/LOCA

After a LOOP on both units, if one unit experiences a LOCA, the buses associated with the LOCA unit will be stripped and ESF loads will be loaded onto the bus. On the non-LOCA unit, both buses are stripped again, and reloaded with essential equipment; both HHSI pumps will also start.

Sequencer Testing

Each sequencer is provided with Manual test and Automatic Self-test capability.
The test mode is determined by a three-position Test Selector switch. The three positions are AUTO (self-tests 16 steps or scenarios in the automatic test sequence), MAN (each test is manually initiated), and OFF (no test signals are generated). In the automatic test mode, the sequencer continuously tests the input cards, output cards, and output relay coils, and exercises the program logic. The sequencer is designed to abort the manual and automatic test modes in response to a valid input. The automatic self-test function is normally in operation, however it is not required to be in service for the sequencer to perform its safety function. The manual test, in addition to testing all the conditions covered by the automatic test, actuates the output relays. However, blocking relays energize before the output relays energize, and the output relays de-energize before the blocking relays de-energize.
Placing the Test Selector switch in MAN stops automatic self-testing.
Manual testing involves five stripping/clearing scenarios (bus clearing, 480V undervoltage with SI present, 480V degraded voltage, 4.16KV undervoltage, and safety injection [LOCA] on an isolated bus). Upon completion of the stripping tests, sequencing scenarios are tested manually by rotation of a Sequencing Mode Test Selector switch through eleven steps or loading scenarios (LOOP; LOOP/LOCA same train; LOOP/LOCA other unit; LOCA same train; LOCA other unit; LOOP/LOCA same train with concurrent HHCP [high high containment pressure]; LOOP/LOCA same train with HHCP before 13 seconds; LOOP/LOCA same train with HHCP after 13 seconds; LOCA same train with concurrent HHCP; LOCA same train with HHCP before 13 seconds; LOCA same train with HHCP after 13 seconds).
Automatic self-testing cycles through the same sixteen test steps in the same order. The test steps start roughly an hour apart, so a full cycle of automatic self-testing takes approximately sixteen hours. Then the cycle begins again. Should a valid process input signal be received during manual or automatic testing, the testing stops, the test signal clears, and the inhibit signal is supposed to clear if present, allowing the valid signal to sequentially energize the output relays and their associated ESF equipment.
II. CAUSE OF THE EVENT

The 3A sequencer failed to respond as expected to an opposite unit SI signal.
The 3A sequencer had dropped out of the Automatic Self-Test without alarming, indicating that it had received a valid input signal. During troubleshooting, the input LED for a 4A SI signal was found to be lit, indicating the signal was still present. The 3A sequencer response should have been to start the 3A HHSI pump after a 3 second delay. However, the pump failed to start because it did not receive a start signal from the sequencer.
Following the failure of 3A HHSI pump to start in response to a 4A SI input signal as described above, an analysis of the sequencer software logic was performed to determine the root cause of the failure. A software design defect was discovered whereby the start signal for the 3A HHSI pump remained inhibited during sequencer automatic test step 3 (LOOP/LOCA other Unit) even though a valid process input was present. In parallel with the above analysis, this particular fault was duplicated on the sequencer simulator which is identical to the 3C23A-1 (3A) sequencer. This is in contrast to the original design bases of the sequencer Automatic Self-Test and Manual Test functions.
The review was then expanded to include additional test modes, process inputs, and required outputs. It was found that the problem exists during both manual and automatic testing, during sequencer test steps 2, 3, 6, 8, and 10. These steps correspond to the following scenarios:
Step 2: LOOP/LOCA
Step 3: LOOP/LOCA other Unit
Step 6: LOOP/LOCA with concurrent High High Containment Pressure
Step 8: LOOP/LOCA with High High Containment Pressure less than 13 seconds later
Step 10: LOOP/LOCA with High High Containment Pressure more than 13 seconds later
Note that these are tested scenarios, not actual events. Note too that all five of the affected test step scenarios involve LOOP and LOCA.
If a valid SI signal is received 15 seconds or later into one of the above tests, the test signal clears as intended, but the inhibit signal is maintained by means of latching logic. This latching logic is originally established by the test signal, but may be maintained by the process input signal if it arrives prior to removal of the test signal.
Since the above condition is applicable to both the Automatic Self-Test and Manual Testing, the sequencer must be considered inoperable during both testing modes. Note, however, that any design basis scenario which involves a loss of offsite power will not cause a sequencer operating malfunction in either the automatic test mode, manual test mode, or test mode off.
This software logic defect was introduced during the detailed logic design phase of the software development. The detailed logic designer and the independent verifier failed to recognize the interaction between some process logic inhibits and the test logic. The defect in the software logic was not detected during the Validation and Verification (V&V) process because the response to valid inputs was not tested during all stripping and loading sequences of the automatic and manual testing logic. FPL has evaluated the V&V for the sequencers and concluded that the existing V&V adequately addresses operation of the sequencers with the Test Selector switch in OFF.
This logic defect can occur when the sequencer is in either the manual or automatic test mode, and the test sequence currently being executed is loading sequence test 2, 3, 6, 8, or 10. This was determined based on a review of the sequencer logic drawings for the 16 steps in the automatic test sequence, and design basis event signals. The sequencer simulator was used to confirm the results of the matrix. The defect cannot affect sequencer operation with the Test Selector switch OFF.
In loading sequence tests 2, 6, 8, or 10, the sequencer may be inhibited from responding to a valid SI signal on the same train. In loading sequence test 3, the sequencer may be inhibited from responding to a valid SI signal on the opposite unit.
III. ANALYSIS OF THE EVENT

As a result of the erroneous inhibit signals, the potential exists for any sequencer output to be prevented from operating when required. Exactly which output or outputs is (are) affected is determined by a combination of factors, i.e., which test scenario is in progress, how long since the test scenario was initiated, and which process input or inputs are received. In general, for the approximate one-hour duration of each of the above test steps (with the Test Selector switch in AUTO), the sequencer will not respond correctly to a valid process input signal.
With the sequencer Test Selector switch in AUTO, the sequencer steps sequentially through sixteen steps as described above; first the five bus stripping/clearing steps, followed by the eleven LOOP and/or LOCA scenarios.
Note that the five test steps affected by the software defect are all in the loading sequence test steps, so the first affected step is the seventh step in the total testing sequence. During each of these affected test steps, fifteen seconds after the initiation of the step, the sequencer would not have responded properly to a valid process input signal. So the sequencer was inoperable for about five hours out of each sixteen hour period as long as its Test Selector switch was in AUTO. The sequencer was also inoperable for the duration of any Manual test of the five test steps listed above. A complete manual test on one sequencer takes about one hour.
POTENTIAL ACCIDENT CONSEQUENCES FOR SEQUENCER FAILURE MODES

The review of the sequencer logic determined that improper operation of the sequencer could occur for only certain sequencer stripping/loading scenarios in which an SI signal without Loss of Offsite Power (LOOP) occurs. The sequencer logic software defect does not affect any scenarios where a LOOP also occurs, whether before, after, or concurrent with an SI signal. A failure modes and effects matrix identified the following four events where the logic software defect could affect the operation of the sequencer, depending upon which of the five affected test steps (discussed above in II. CAUSE OF THE EVENT) are being performed when the SI signal is received by the sequencer:
#1 LOCA Same Train
#2 LOCA on other Unit
#3 LOCA w/High High Containment Pressure (HHCP) < 13 seconds
#4 LOCA w/HHCP > 13 seconds
Note that these are actual events, not test step scenarios. Note too that in contrast to the list of affected test step scenarios presented earlier, none of the actual events affected involve a LOOP.
For each of these events, the sequencer could receive a valid SI signal but the logic defect could inhibit the sequencer from starting equipment. Events #1, #3, and #4 above each have four logic test steps out of a total of sixteen which would inhibit the sequencer from providing a start signal to the equipment it controls, while event #2 is affected by only one of the sixteen logic test steps.
The probability that a sequencer would not respond to a valid same train SI signal is 4 hours/16 hours = 25%. The probability that a sequencer would not respond to a valid opposite unit SI signal is 1 hour/16 hours = 6.25%.
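The interaction the report describes between the test-signal inhibit latch and a valid process input, and the 4/16 and 1/16 exposure figures derived from the affected test steps, can be made concrete with a small state model. The following is an added example written for this page; it is not the sequencer's actual PLC logic or any FPL code. It models only the behaviour the LER states (five stripping steps, eleven loading steps, affected loading tests 2, 3, 6, 8 and 10, inhibit established 15 seconds into an affected step, latch held by a matching process input that arrives before the test signal is removed). The `fixed_logic` branch, which drops the inhibit unconditionally when a valid input arrives, is a hypothetical correction used to contrast the two behaviours; the LER says only that a permanent repair was being evaluated.

```python
"""Toy model of the sequencer test-logic inhibit defect described in LER 94-005-00.

Constructed for illustration; not the plant's PLC logic. Times are in seconds.
"""
from dataclasses import dataclass
from typing import List, Optional

# Automatic/manual test structure from the LER: five bus stripping/clearing steps
# followed by eleven LOOP and/or LOCA loading-sequence steps, roughly an hour each.
STRIPPING_STEPS = 5
LOADING_STEPS = 11
CYCLE_STEPS = STRIPPING_STEPS + LOADING_STEPS  # 16

# Affected loading-sequence tests and the valid SI source each one can inhibit.
AFFECTED_LOADING_TESTS = {
    2: "same_train",      # LOOP/LOCA
    3: "opposite_unit",   # LOOP/LOCA other unit
    6: "same_train",      # LOOP/LOCA with concurrent HHCP
    8: "same_train",      # LOOP/LOCA with HHCP < 13 s later
    10: "same_train",     # LOOP/LOCA with HHCP > 13 s later
}
INHIBIT_ONSET_S = 15  # the test signal establishes the inhibit latch 15 s into a step


@dataclass
class Sequencer:
    """One sequencer's test signal, inhibit latch, and HHSI start output."""
    fixed_logic: bool = False           # True = hypothetical corrected logic
    test_selector: str = "OFF"          # OFF, AUTO or MAN
    loading_test: Optional[int] = None  # loading-sequence test in progress (1..11)
    elapsed_s: int = 0                  # seconds since the current step began
    test_signal: bool = False
    inhibit_latched: bool = False
    start_output: bool = False

    def begin_loading_test(self, loading_test: int, selector: str = "AUTO") -> None:
        """Start a loading-sequence test step with the Test Selector in AUTO or MAN."""
        if selector == "OFF":
            raise ValueError("no test signals are generated with the selector in OFF")
        self.test_selector = selector
        self.loading_test = loading_test
        self.elapsed_s = 0
        self.test_signal = True
        self.inhibit_latched = False
        self.start_output = False

    def advance(self, seconds: int) -> None:
        """Let the step run; in an affected step the latch is set after 15 s."""
        self.elapsed_s += seconds
        if (self.test_signal and self.loading_test in AFFECTED_LOADING_TESTS
                and self.elapsed_s >= INHIBIT_ONSET_S):
            self.inhibit_latched = True

    def receive_si(self, source: str) -> bool:
        """Deliver a valid SI input ("same_train" or "opposite_unit").

        Returns True if the sequencer issues its HHSI pump start signal.
        """
        inhibited = AFFECTED_LOADING_TESTS.get(self.loading_test) if self.test_signal else None
        held_by_input = self.inhibit_latched and inhibited == source
        self.test_signal = False  # a valid input aborts testing, as designed
        if self.fixed_logic:
            self.inhibit_latched = False  # corrected: valid input drops the inhibit too
        else:
            # Defect: the process input arrived before the test signal was removed,
            # so it keeps the latch the test signal established.
            self.inhibit_latched = held_by_input
        self.start_output = not self.inhibit_latched
        return self.start_output


def affected_tests_for(source: str) -> List[int]:
    return sorted(t for t, s in AFFECTED_LOADING_TESTS.items() if s == source)


def exposure_fraction(source: str) -> float:
    """Fraction of a 16-step automatic cycle in which SI from `source` can be inhibited."""
    return len(affected_tests_for(source)) / CYCLE_STEPS


def inoperable_hours_per_cycle() -> int:
    """Affected steps per cycle; at about an hour per step, this is hours per 16 hours."""
    return len(AFFECTED_LOADING_TESTS)


def affected_cycle_positions() -> List[int]:
    """Position (1..16) of each affected step in the full automatic test cycle."""
    return [STRIPPING_STEPS + t for t in sorted(AFFECTED_LOADING_TESTS)]


def replay_event(fixed_logic: bool, seconds_into_step: int = 1800) -> bool:
    """Replay the 3 Nov 1994 event: a sequencer in automatic test step 3 (LOOP/LOCA
    other unit) receives the opposite unit's SI signal part-way through the step."""
    seq = Sequencer(fixed_logic=fixed_logic)
    seq.begin_loading_test(3, "AUTO")
    seq.advance(seconds_into_step)
    return seq.receive_si("opposite_unit")


if __name__ == "__main__":
    print("defective logic, 30 min into step 3:", replay_event(False))   # False
    print("corrected logic, 30 min into step 3:", replay_event(True))    # True
    print("same-train exposure:", exposure_fraction("same_train"))       # 0.25
    print("opposite-unit exposure:", exposure_fraction("opposite_unit")) # 0.0625
    print("affected positions in cycle:", affected_cycle_positions())    # [7, 8, 11, 13, 15]
```

The model reproduces the report's figures: the first affected step is the seventh of sixteen, five of the sixteen hourly steps are affected, same-train SI is exposed in four of them (25%) and opposite-unit SI in one (6.25%). It also shows the V&V gap the report names: a test suite that only checks each test step in isolation, or only checks valid inputs with the Test Selector in OFF, never exercises `receive_si` during an affected step and so never sees `start_output` stay False.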
The equipment affected due to the failure of a sequencer was identified from plant drawings. The equipment listed is specific to the 3A sequencer. The equipment lists would be similar for the other three sequencers.
For event #1, the following equipment would not be automatically loaded by the sequencer:
- RHR Pump 3A [BP:p]
- HHSI Pump 3A
- Intake Cooling Water Pumps 3A (1) and 3C (1) [BI:p]
- Emergency Containment Cooler Fans 3B and 3C [BK:fan]
- Component Cooling Water Pumps 3A (1) and 3C (1) [CC:p]
- Emergency Containment Filter Fans 3B and 3C [BK:fan]
Note (1): The equipment identified may already be in operation and may not require manual action to start.
For events #3 and #4 (LOCA w/HHCP < 13 sec; LOCA w/HHCP > 13 sec), Containment Spray Pump 3A would be affected in addition to the equipment identified for event #1.
For event #2 (LOCA other Unit), only the 3A HHSI Pump is not automatically started.
It should be noted that one of the initiating signals for the Auxiliary Feedwater (AFW) system [BA:p] is bus stripping, which is controlled by the sequencer. No credit is taken, however, for bus stripping in the accident analyses for initiating AFW. AFW is also initiated on low-low steam generator level, SI, manual initiation and trip of all main feedwater pumps [SJ:p].
Using the above information, the defect in the sequencer test logic represents a potential concern for events where SI is required for mitigation and no LOOP is experienced.
Effect on Analyzed Accidents

A review of the Turkey Point UFSAR Chapter 14 Accident Analyses was performed to determine which accidents would be potentially affected by the sequencer test software logic defect. This review identified 7 of the 22 accidents which may be affected. Two of the seven, "Loss of External Load" and "Loss of A.C. Power", were determined to be dependent on the sequencer but not affected, since the inhibited sequencer failure mode applies to loss of coolant accident (LOCA) scenarios only, i.e., no LOOP.
The five accidents both requiring SI and affected by the sequencer test software logic defect are the following:
- 1. Large Break Loss-of-Coolant Accident (LBLOCA)
- 2. Small Break Loss-of-Coolant Accident (SBLOCA)
- 3. Rupture of a Steam Pipe (Main Steam Line Break, or MSLB)
- 4. Steam Generator Tube Rupture (SGTR)
- 5. Rupture of a Control Rod Mechanism Housing
The effects of the sequencer test logic defect will be discussed below for each of the five accidents. In each case, the transient is described and equipment necessary for mitigation of accidents is identified. Each transient is then evaluated assuming all four sequencers fail to operate properly. Credit is assumed for operator action to start HHSI pumps as well as other ESF equipment within 10 minutes as described below.
LARGE BREAK LOSS OF COOLANT ACCIDENT

A LOCA would result from a rupture of the Reactor Coolant System (RCS) or any line connected to that system up to the first closed low valve. For a postulated LBLOCA, a reactor trip is initiated by pressurizer pressure (1790 psig) while the SI signal is actuated by pressurizer low pressure at 1636 psig. The consequences of the LBLOCA are limited in two ways:
1. Reactor trip and borated water injection supplement void formation in causing rapid reduction of nuclear power to a residual level corresponding to fission product decay.
2. Injection of borated water ensures sufficient flooding of the core to prevent excessive temperatures and provide long term cooling.
The reactor is designed to withstand the thermal effects caused by a LBLOCA including the double ended severance of the largest RCS pipe. The reactor core and internals, together with the Emergency Core Cooling System (ECCS), are designed so that the reactor can be safely shut down and the essential heat transfer geometry of the core will be preserved following an accident.
The LBLOCA analysis presented in Section 14.3 of the UFSAR assumes that 2 of 4 HHSI pumps and 1 of 2 RHR pumps are automatically actuated during the accident. If all four sequencers are inoperable because of the simultaneous presence of the test logic defect, SI actuation will not occur automatically.
The LBLOCA is a design basis event whose probability of occurrence is extremely small. A LBLOCA is considered to be a break with a total cross-sectional area equal to or greater than 1.0 ft².
LBLOCA sensitivity studies, performed to assess the impact of delaying SI, indicate that the maximum permissible SI delay is about 1 minute in order not to exceed the Peak Centerline Temperature criteria of 10 CFR 50.46, and about 5 minutes to avoid exceeding fuel melt temperature. Turkey Point tested operator reaction times to manually start SI in the absence of an automatic start (described below under MITIGATION OF SEQUENCER FAILURE MODES). The maximum time did not exceed 4 minutes. Based on the difference between the time of predicted core melt and the operator reaction time to manually start SI, FPL concludes that a coolable core geometry is maintained.

Containment Response to a LBLOCA

A LBLOCA results in a significant mass and energy release into containment that results in pressurization of the containment structure. The UFSAR indicates that the pressurization event is limited by the size of containment, by containment heat sinks, and by the operation of containment cooling equipment (containment sprays and emergency containment coolers).
The containment analysis for the LBLOCA was assessed using better estimate techniques in 1989 by Westinghouse. This analysis showed the peak containment pressure for a Double Ended Pump Suction (DEPS) LOCA to be on the order of 42 to 45 psig. Using the mass and energy release values developed for the design basis reconstitution work, Westinghouse re-performed the Turkey Point containment analysis assuming no operation of the containment spray pumps or the emergency containment coolers. This reanalysis shows the peak pressure of the DEPS LOCA to be approximately 48.4 psig. Accordingly, since this peak pressure is less than the design pressure of 55 psig and less than the originally analyzed peak pressure of 49.9 psig, the results are acceptable. The ultimate strength of the Turkey Point containments is estimated to be 140 psig based on the IPE analysis work.
Dose Consequences for a LBLOCA

The UFSAR contains an offsite dose evaluation that assumes a total core release (100% noble gas, 50% halogens) occurring at time t = 0 with results that remain within 10 CFR 100 guidelines. The event under review, however, is different than that evaluated in the UFSAR in that engineered safety features are assumed to be delayed. Using knowledge learned from observation of accident phenomena, it has been concluded that an instantaneous core melt and release of fission products to containment is not credible.
Rather, significant release to the containment would not be expected to occur during the first ten minutes of an accident. At this time, credit is taken for operator action to start SI, containment sprays, etc. Manual actuation of the containment sprays and emergency filters would provide for fission product cleanup within containment. While a calculation has not been performed for this event, it is expected that the offsite dose consequences will not exceed those stated in the UFSAR. Operation of sprays and filters will provide radioactive material cleanup prior to any significant fission product release from the containment.

SMALL BREAK LOSS OF COOLANT ACCIDENT (SBLOCA)

SBLOCAs are slow transients which take longer to initiate SI and therefore are less sensitive to delays in the actuation of the HHSI pumps. Containment response and dose consequences for the SBLOCA event are bounded by the LBLOCA discussions above.

MAIN STEAM LINE BREAK

The UFSAR analyzes two separate steam line break events: opening a relief or safety valve, and main steam piping failure. The piping failure bounds the opening of the relief or safety valve. Since the sequencer issue is only a concern for the offsite power available case, only a main steam piping failure with offsite power available will be addressed. The most limiting cooldown event occurs at zero power with no decay heat. As indicated in the UFSAR, credit is taken for a single HHSI pump to provide borated water to return the core to a subcritical state.
Westinghouse re-performed the limiting MSLB accident with offsite power available assuming SI was not available for ten minutes. The results of this analysis indicate that the event can be accommodated without SI for ten minutes with acceptable results.
Containment Response to an MSLB

A Main Steam Line Break inside containment also results in a containment pressurization transient. This event was rerun by Westinghouse assuming no active containment pressure mitigating features (i.e. no sprays or containment coolers). Assuming no safeguards, peak containment pressure for the MSLB was 48.8 psig occurring approximately 300 seconds (5 minutes) into the transient.
This is within the containment design pressure of 55 psig and is therefore acceptable.
STEAM GENERATOR TUBE RUPTURE

The event examined in the UFSAR is a complete tube break adjacent to the tube sheet. Each steam generator tube has a nominal diameter of 0.875 inches with a wall thickness of 0.050 inches. Accordingly, the cross-sectional break area of a double ended tube rupture is less than 1.0 square inches. This small break area shows that this event is bounded by the SBLOCA in terms of assessing the potential for core damage resulting from this event, and that dose releases for this event will not increase as a result of delayed SI.

RCCA EJECTION (RUPTURE OF A CONTROL ROD MECHANISM HOUSING)

The event examined in the UFSAR is a failure of a control rod mechanism pressure housing such that RCS pressure would eject the control rod and drive shaft to a fully withdrawn position. The consequence of this mechanical failure is a rapid positive reactivity insertion together with an adverse core power distribution. The reactivity transient is terminated by the Doppler reactivity effects of the increased fuel temperature, and by subsequent reactor trip before conditions are reached that can result in fuel melt.
Actions are included in the Emergency Operating Procedures (EOPs) to address a SBLOCA that could be caused by a failed control rod mechanism pressure housing. Accident consequences of a SBLOCA in the reactor vessel upper head are bounded by the design-basis SBLOCA in the cold leg.
Summary of Potential Accident Consequences

Of the five UFSAR accidents affected, four are bounded by the LBLOCA.
Consequences of a LBLOCA are acceptable if operator action to start ESF equipment takes place within ten minutes of the start of the accident. The consequences of a MSLB are acceptable without operator action, since containment pressure peaks, below the design pressure, five minutes into the accident.
MITIGATION OF SEQUENCER FAILURE MODES

Because the presence of an SI signal during sequencer testing (automatic or manual mode) may render the sequencer inoperative, the dependence on SI was the primary consideration for determining the five affected accidents. For each of the affected accidents, the EOPs were reviewed to determine what mitigating actions would be taken by the operator. The effectiveness of the mitigating actions was also assessed based on its sequence within the procedures.
Upon initiation of any of the five affected accidents discussed above, the reactor would trip, placing the operators in procedure 3/4-EOP-E-0, "Reactor Trip or Safety Injection." At Step 4 in EOP-E-0, the operator verifies whether SI is actuated or is required. If SI is required, the operator verifies that the HHSI and RHR pumps have started, or is required to manually start these pumps, in Step 8. These two steps are part of the immediate actions to be taken by an operator following a reactor trip.
In addition, the foldout pages for EOP-E-0 contain specific reactor trip and SI actuation criteria which require operators to initiate the start of safety injection pumps. Therefore FPL concludes that for these five accidents there is a high probability that timely mitigating actions would have been taken by the operators to activate safeguards equipment even if the sequencer had failed.
LICENSEE EVENT REPORT (LER) TEXT CONTINUATION
FACILITY NAME: TURKEY POINT UNIT 3   DOCKET NUMBER: 05000250   LER NUMBER: 94-005-00   PAGE 11 OF 14
To assess the operators' ability to accommodate sequencer test software logic defects, the Turkey Point Training Department constructed three different scenarios involving design basis accidents with failed sequencers. The failure mode modeled was a failure of the sequencer to load safeguards equipment.
These scenario runs were completed on November 5, 1994. The three scenarios were:
- 1. A LOOP/LBLOCA with Unit 3 sequencers failed. In addition, Unit 4 HHSI pump flow was initially blocked because the MOV lost power due to the LOOP.
- 2. A LBLOCA with no LOOP, with Unit 3 sequencers failed (e.g., the Unit 4 HHSI pumps were available to inject water).
- 3. A SBLOCA with no LOOP, with Unit 3 sequencers failed, Unit 4 HHSI pump breakers racked out, and the Unit 3 HHSI pump control switches in PULL TO LOCK on the Unit 4 control board.
Six control room crews ran each of the three scenarios, for a total of 18 simulator exercises. The Training Department was primarily interested in determining how long it took the control room crew to successfully energize all available safeguards equipment. A summary of the control room crew response times follows:
RESPONSE TIMES FOR FULL SAFEGUARDS INITIATION (IN MIN:SEC)
Columns: LOOP/LOCA SCENARIO, LBLOCA SCENARIO, SBLOCA SCENARIO
Crew times (row and column assignment not recoverable from the scan; crew labels C and D partially legible): 2:40 2:30 2:45 2:10 1:40 C 2:50 1:30 1:30 D 1:30 1:55 4:40 3:15 1:05 2:50 1:32 1:20
The simulator training coordinator stated that the longest time required to initiate SI flow was during Crew D's 8 minute LOOP/LOCA scenario; it took them approximately 4 minutes. However, the sequencer defect is not present for LOOP scenarios. Therefore, the longest non-LOOP response time was 3 minutes and 15 seconds. An assumed operator response time of 10 minutes is therefore conservative.
In addition to the scenario exercises described above, a review of earlier observations of operating crews in simulator training during July and August 1994 was made. These observations illustrated that it took each crew 4 to 5 minutes from event initiation to complete alignment of the required safeguards equipment associated with a full sequencer failure.
Operator verification of SI, and HHSI pump flow, is performed within the immediate action steps (Steps 4 and 8 respectively) of EOP-E-0. The first 14 steps are memorized by the control room crew. In addition, immediate action steps are required to be re-verified by the operators. Therefore FPL concludes that the control room crew would be successful in timely initiation of HHSI pump flow in the event of a sequencer malfunction.
PROBABILISTIC SAFETY ASSESSMENT
A probabilistic safety assessment was performed to estimate the safety impact of inhibited emergency sequencer operation due to a logic error in the software associated with the test feature. The assessment is based on the Turkey Point IPE Submittal and subsequent updates, and includes the effect of the failure of all four sequencers. The recovery actions are added to the model for different scenarios, e.g., recovery for LBLOCA vs. SBLOCA. These operator actions are calculated based on the time available to do the actions (NUREG/CR-4550, Vol. 3, Rev. 1, Part 1), and the time it takes the operators to perform the actions, obtained from a review of 3/4-EOP-E-0 and from simulator scenario runs.
The probabilistic safety assessment determined that the estimated change in the Core Damage Frequency (CDF) under the above conditions, with all four sequencers inoperable, is 6.3E-6/yr. However, all four sequencers were not inoperable at all times. Each sequencer is inoperable during 5 of the 16 tests. In order for all sequencers to fail simultaneously, all sequencers would have to be in an affected test. This would happen most often if all four sequencer test cycles were synchronized. Even if all four sequencers were synchronized on the same test cycle, the sequencers would all be inoperable during only 5 of the 16 tests. Therefore, all four sequencers would be inoperable approximately one-third of the time. This results in an estimated change in CDF of 2.1E-6/yr. This change in core damage frequency increases the baseline CDF by 3.2%. The PRA calculation considers an average probability over a one year period.
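As an added illustration of the exposure argument above (example code, not FPL's or the LER's), this Python model scales the all-four-inoperable CDF change by the fraction of the test cycle during which every sequencer is simultaneously in an affected test, and compares the synchronized worst case with independently phased cycles. Which 5 of the 16 tests are affected is not stated in the LER, so a contiguous block of 5 steps is assumed.

```python
"""Added model of the LER's sequencer exposure argument (not FPL's code).
Each sequencer is inoperable during 5 of 16 tests per cycle; all four are
inoperable only when every sequencer is at an affected test at once."""
from itertools import product

CYCLE_LEN = 16                   # tests per automatic test cycle (LER)
AFFECTED = frozenset(range(5))   # assumed (constructed): steps 0-4 are the 5 affected tests
DELTA_CDF_ALL_FAILED = 6.3e-6    # /yr, CDF change with all four always inoperable (LER)
EXPOSURE_USED_IN_LER = 1 / 3     # LER rounds 5/16 up to "approximately one-third"
DELTA_CDF_REPORTED = 2.1e-6      # /yr, resulting CDF change reported in the LER
PERCENT_INCREASE_REPORTED = 3.2  # percent increase over baseline CDF (LER)


def all_inoperable_fraction(offsets, affected=AFFECTED, cycle_len=CYCLE_LEN):
    """Fraction of cycle positions at which every sequencer is in an affected
    test; offsets[i] is sequencer i's phase within the cycle, in test steps."""
    hits = sum(
        1 for t in range(cycle_len)
        if all((t + off) % cycle_len in affected for off in offsets)
    )
    return hits / cycle_len


def mean_fraction_over_all_offsets(n_seq=4, affected=AFFECTED, cycle_len=CYCLE_LEN):
    """Average exposure if the four test cycles were independently phased,
    taking every combination of offsets as equally likely (exhaustive)."""
    fractions = [all_inoperable_fraction(offs, affected, cycle_len)
                 for offs in product(range(cycle_len), repeat=n_seq)]
    return sum(fractions) / len(fractions)


def delta_cdf(exposure_fraction, delta_if_always_failed=DELTA_CDF_ALL_FAILED):
    """Time-averaged CDF change: the all-failed delta scaled by the fraction
    of the year during which all four sequencers are inoperable."""
    return exposure_fraction * delta_if_always_failed


def implied_baseline_cdf(delta=DELTA_CDF_REPORTED, pct=PERCENT_INCREASE_REPORTED):
    """Baseline CDF implied by the LER's reported delta and percent increase."""
    return delta / (pct / 100.0)


if __name__ == "__main__":
    sync = all_inoperable_fraction([0, 0, 0, 0])  # worst case: cycles synchronized
    print(f"synchronized exposure  : {sync:.4f} (5/16)")
    print(f"independent-phase mean : {mean_fraction_over_all_offsets():.4f}")
    print(f"delta CDF at 5/16      : {delta_cdf(sync):.2e}/yr")
    print(f"delta CDF at 1/3 (LER) : {delta_cdf(EXPOSURE_USED_IN_LER):.2e}/yr")
    print(f"implied baseline CDF   : {implied_baseline_cdf():.2e}/yr")
```

The synchronized bound (5/16, rounded up to one-third in the LER) is about 33 times the exposure expected from independently phased cycles, which is why the LER's figure is described as conservative.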
The 3.2% increase in the CDF is a conservative estimate for this situation.
This increase in CDF is not safety significant, based on the acceptance criteria stipulated in the draft EPRI PSA Application Guide.
The estimated risk impact of loss of sequencers for LBLOCAs is relatively low due to the low initiating event frequency of LBLOCAs, and the recovery actions described in the early steps of EOP-E-0 for reactor trip and SI. Although SBLOCAs have a higher initiating event frequency, the risk is relatively low because the operator has more time available to perform recovery actions.
The periodic inoperability of all four sequencers, as described above, has existed since the sequencers were installed during the dual unit outage in 1990/1991. The sequencers were accepted as operational in September and October, 1991, for Units 3 and 4, respectively. From early December, 1991, until November, 1992 (Unit 3) and May, 1993 (Unit 4) the sequencers' Test Selector switches were in OFF except for monthly manual tests, as described in LER 251/91-007.
Since then, there have been four challenges to the bus sequencers (between the two units). LER 251/92-004 reported an inadvertent Safety Injection on Unit 4; all plant equipment responded as designed, including the Unit 3 HHSI pumps.
LERs 250/92-009 and 250/92-013 reported a LOOP (due to hurricane Andrew), and an inadvertent 3A bus stripping. In these three instances the sequencers' Test Selector switches were not in AUTO, and they performed as designed.
LER 250/94-002 reported an inadvertent ESF actuation on Unit 3, in which all equipment responded as designed, except the 4A HHSI pump. At that time the failure of the 4A HHSI pump was attributed to an intermittent failure, which could not be reproduced. As a result of the discovery of the defect reported herein, that earlier event can now be reproduced at will on the sequencer simulator. FPL believes that the 4A HHSI pump failed to start because of the same defect that caused the 3A HHSI pump failure to start, reported in this LER.
Since there have been no actual events requiring Engineered Safety Features actuation to protect the plant, the health and safety of the public has not been affected by the periodic inoperability of the sequencers.
This event is reportable under the requirements of 10 CFR 50.73(a)(2)(i)(B), (a)(ii)(A), (a)(ii)(B), (a)(v), (a)(vii), and 10 CFR 21.
IV. CORRECTIVE ACTIONS
- 1. The Test Selector switches on all four sequencers were placed in OFF.
Tags have been hung on each switch to require specific permission from the Nuclear Plant Supervisor to change the position of the switch. With the sequencer test mode switch in the OFF position, the automatic test logic is disabled. The sequencer is fully functional and will respond properly to input signals. The automatic test function is not a requirement for periodic surveillance of the sequencer.
- 2. With the Test Selector switch in OFF, additional visual inspections are being performed on an eight-hour basis as described below:
- a. The local reflash annunciator points are verified not in alarm.
- b. The I/O power, PLC Power, and ANN Power switches are verified in the ON position and the Processor Power white indicating light is verified illuminated.
- c. The Test Selector switch is verified in the OFF position; the Stripping Clearing Test Selector and Sequencing Mode Test Selector Switches are verified in the OFF position.
- d. The 2 green test reset indicating lights and the sequencing reset green indicating lights are verified illuminated.
- e. The other indicating lights are verified not to be illuminated (except the ground fault indicating lights, which are supposed to be dimly lit).
- f. Every 24 hours, the sequencer door is opened, the Processor Indicator LED is verified to be a solid green, and the "ACTIVE" LEDs on the 9 I/O indicator cards are verified to be a solid green.
- 3. A detailed review of the original Validation and Verification process was performed; it has been concluded that an oversight occurred because not all sequencer functions were validated during all modes of automatic and manual testing. The existing verification and validation sufficiently covers the sequencer safety functions if automatic testing remains off.
- 4. Functional testing on the sequencer simulator of design basis inputs has been repeated with the Test Selector switch OFF, with acceptable results.
- 5. A safety evaluation has been issued demonstrating sequencer operability with the test selector switch in the OFF position. This safety evaluation was approved by the Plant Nuclear Safety Committee on November 4, 1994.
- 6. Independent consultants have been retained to perform an assessment of the existing sequencer design, software design and V&V, and engineering software control procedures for process computers.
- 7. The original software vendor, United Controls, Inc. has been notified of this defect and its significance.
V. ADDITIONAL INFORMATION
EIIS Codes are shown in the format [EIIS SYSTEM: IEEE component function identifier, second component function identifier (if appropriate)].
The Programmable Logic Controllers used in the sequencers are made by Allen-Bradley; the sequencers are assembled by United Controls, Inc. (UCI).
According to UCI, Florida Power & Light Company is the only utility to which UCI supplied this sequencer.