ML17352B211

| Field | Value |
|---|---|
| Site | Turkey Point |
| Issue date | 06/12/1995 |
| From | Croteau R, Office of Nuclear Reactor Regulation |
| To | Goldberg J, Florida Power & Light Co. |
| References | RTR-NUREG-CR-4674, NUDOCS 9506280252 |
| Download | ML17352B211 (14) |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 12, 1995

Mr. J. H. Goldberg
President, Nuclear Division
Florida Power and Light Company
P.O. Box 14000
Juno Beach, Florida 33408-0420
SUBJECT: TURKEY POINT UNITS 3 AND 4 - REVIEW OF PRELIMINARY ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF DESIGN DEFECT IN SAFEGUARDS BUS SEQUENCER TEST LOGIC
Dear Mr. Goldberg:
Enclosed for your review and comment is a copy of the preliminary Accident Sequence Precursor (ASP) analysis of an operational event which occurred at Turkey Point Units 3 and 4 on November 3, 1994 (Enclosure 1), and was reported in Licensee Event Report (LER) No. 94-005. This analysis was prepared by our contractor at the Oak Ridge National Laboratory (ORNL). The results of this preliminary analysis indicate that this event may be a precursor in the 1994 Annual Precursor Report.
In assessing operational events, an effort was made to make the ASP models as realistic as possible regarding the specific features and response of a given plant to various accident sequence initiators. We realize that licensees may have additional systems and emergency procedures, or other features at their plants that might affect the analysis. Therefore, we are providing you an opportunity to review and comment on the technical adequacy of the preliminary ASP analysis, including the depiction of plant equipment and equipment capabilities. Upon receipt and evaluation of your comments, we will revise the conditional core damage probability calculations where necessary to consider the specific information you have provided. The object of the review process is to provide as realistic an analysis of the significance of the event as possible.

In order to incorporate your comments and meet our schedule for issuance of the 1994 Precursor Report, you are requested to complete your review and to provide any comments within 30 days of receipt of this letter.

We have also enclosed several items to facilitate your review. Enclosure 2 contains specific guidance for performing the requested review, identifies the criteria which we will apply to determine whether any credit should be given in the analysis for the use of licensee-identified additional equipment or specific actions in recovering from the event, and describes the specific information that you should provide to support such a claim.
The final resolution of each licensee's comment on the preliminary ASP analyses will be documented in a separate appendix of the 1994 Precursor Report, NUREG/CR-4674. Florida Power and Light Company is on the distribution list for NUREG/CR-4674.
Please contact me at (301) 415-1475 if you have any questions regarding this request. This request is covered by the existing OMB clearance number (3150-0104) for NRC staff followup review of events documented in LERs. Your response to this request is voluntary and does not constitute a licensing requirement.

Sincerely,

Richard P. Croteau, Project Manager
Project Directorate II-1
Division of Reactor Projects I/II
Office of Nuclear Reactor Regulation

Docket Nos. 50-250 and 50-251

Enclosures: As stated

cc w/enclosures: See next page
Mr. J. H. Goldberg
Florida Power and Light Company
Turkey Point Plant

cc:
J. R. Newman, Esquire, Morgan, Lewis & Bockius, 1800 M Street, N.W., Washington, DC 20036
Jack Shreve, Public Counsel, Office of the Public Counsel, c/o The Florida Legislature, 111 West Madison Avenue, Room 812, Tallahassee, Florida 32399-1400
John T. Butler, Esquire, Steel, Hector and Davis, 4000 Southeast Financial Center, Miami, Florida 33131-2398
Mr. Thomas F. Plunkett, Site Vice President, Turkey Point Nuclear Plant, Florida Power and Light Company, P.O. Box 029100, Miami, Florida 33102
Joaquin Avino, County Manager of Metropolitan Dade County, 111 NW 1st Street, 29th Floor, Miami, Florida 33128
Senior Resident Inspector, Turkey Point Nuclear Generating Station, U.S. Nuclear Regulatory Commission, P.O. Box 1448, Homestead, Florida 33090
Mr. Bill Passetti, Office of Radiation Control, Department of Health and Rehabilitative Services, 1317 Winewood Blvd., Tallahassee, Florida 32399-0700
Mr. Joe Myers, Director, Division of Emergency Preparedness, Department of Community Affairs, 2740 Centerview Drive, Tallahassee, Florida 32399-2100
Regional Administrator, Region II, U.S. Nuclear Regulatory Commission, 101 Marietta Street, N.W., Suite 2900, Atlanta, Georgia 30323
Attorney General, Department of Legal Affairs, The Capitol, Tallahassee, Florida 32304
Plant Manager, Turkey Point Nuclear Plant, Florida Power and Light Company, P.O. Box 029100, Miami, Florida 33102
Mr. H. N. Paduano, Manager, Licensing & Special Programs, Florida Power and Light Company, P.O. Box 14000, Juno Beach, Florida 33408-0420
Mr. Edward J. Weinkam, Licensing Manager, Turkey Point Nuclear Plant, P.O. Box 4332, Princeton, Florida 33032-4332
ENCLOSURE 1

A.1 LER No. 250/94-005

Event Description: Load Sequencers Periodically Inoperable
Date of Event: November 3, 1994
Plant: Turkey Point 3 and Turkey Point 4

A.1.1 Summary

During a Unit 4 Integrated Safeguards Test, a failure of the 3A sequencer to respond to the opposite unit's safety actuation signal occurred. Troubleshooting resulted in the discovery of an error in the sequencer software logic that could prevent each of the four Turkey Point sequencers from responding to a safety actuation signal. As a result of the software error, each sequencer was unavailable one-fourth of the time to respond to automatic safety actuation signals from its own train and one-sixteenth of the time to respond to automatic signals from the other unit during both automatic self-testing and manual testing. Unavailability of each sequencer would prevent the automatic actuation of safety-related equipment associated with that train, including the high head safety injection (HHSI) and residual heat removal (RHR) pumps.

The conditional core damage probability estimated for this event is 3.1 x 10~. This value is applicable to each unit. The relative significance of the event compared to other postulated events at Turkey Point is shown in Figure A.1.1 (to be provided in the final report).
A.1.2 Event Description

On November 3, 1994, Turkey Point Unit 3 was operating at 100% power and Unit 4 was in Mode 5 during a refueling outage. During the Unit 4 Integrated Safeguards Test, a failure of the 3A sequencer to respond to the opposite unit's safety actuation signal occurred. Troubleshooting resulted in the discovery of an error in the sequencer software logic that could prevent each sequencer from responding to a safety actuation signal. The error impacted the Turkey Point 3 sequencers from November 1992 and the Turkey Point 4 sequencers from May 1993.
The Turkey Point design utilizes four sequencers, one for each train at each unit. The sequencers are programmable logic controller (PLC)-based cabinets that use a PLC for bus stripping and logic control. The sequencers are designed to respond to losses of offsite power (LOOP), loss of coolant accidents (LOCAs), and combined LOOP/LOCA events. The sequencers start the diesel generators, if required because of a LOOP, and sequentially load safety-related equipment required to respond to the initiating event. Each sequencer responds to safety actuation signals associated with its train plus signals from the opposite unit.

Each sequencer is provided with manual and automatic self-test capability. The automatic test mode is normally in operation. In the automatic test mode, the sequencer continually tests the input cards, output cards, and output relay coils and exercises the program logic. The automatic self-test cycles through 15 of 16 possible sequencer test steps. The test steps start roughly an hour apart and take about one hour to complete. There is one hour during which no testing takes place. The complete automatic test cycle, therefore, takes about 16 h and then begins again. The sequencer is designed to abort the manual and automatic test modes in response to a valid input. If a valid input signal is received during sequencer testing, the testing stops, the test signal clears, and the inhibit signal, if present, is supposed to clear. This will then allow the valid signal to sequentially energize the output relays for the associated safety-related equipment.
The 3A sequencer had dropped out of the automatic self-test without alarming, indicating that it had received a valid input signal. During troubleshooting, the input LED for the 4A safety actuation signal was found to be lit, indicating the signal was still present. The 3A sequencer response should have been to start the 3A HHSI pump. However, the pump failed to start because it did not receive a start signal from the sequencer. A software design error was discovered which inhibited the 3A HHSI pump start signal even though a valid input signal was present.

The design error was found to affect all sequencers during both manual and automatic testing in 5 of the 16 test steps. If a valid input signal was received 15 s or later into one of the hour-long test steps, the test signal cleared as intended, but the inhibit signal was maintained by means of latching logic. This latching logic is established by the test signal but could be maintained by the process input signal if it arrived prior to removal of the test signal. This software logic error was introduced during the detailed logic design phase of the software development. The error was not discovered during the Validation and Verification (V&V) process because the response to valid inputs was not tested during all test sequences of the testing logic. In four loading sequence tests, the error prevented the sequencer from responding to a valid safety actuation signal on the same train. In one other loading sequence test, the error prevented the sequencer from responding to a valid safety actuation signal on the opposite unit.

This software error did not impact response to LOOP; only safety actuation with offsite power available was affected. The logic error also did not affect sequencer operation with the test selector switch in the "off" position.
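The latching behaviour described above, as an added illustrative model (not the plant's PLC code): a one-second-scan simulation of a single sequencer in one test step, with the defective seal-in inhibit beside a variant that resets the inhibit when a valid input aborts the test. The hour-long step, the 15 s threshold and the 5-of-16 blocking steps come from the text; the seal-in wiring, the fixed variant, the step indices and the 1 s scan are assumptions.

```python
"""Illustrative model of the Turkey Point sequencer test-inhibit defect.

Added example, not the sequencer's actual PLC program. It models the LER's
description: an inhibit latch that the test signal establishes and that the
process (safety actuation) input can hold after the test signal has cleared.
"""

STEP_SECONDS = 3600               # each test step runs about an hour (from the text)
LATCH_ARM_SECONDS = 15            # inhibit becomes latched 15 s into a step (assumed)
BLOCKING_STEPS = {0, 1, 2, 3, 4}  # 5 of 16 steps use the inhibit (indices assumed)


def run_sequencer(step, input_time, fixed, horizon=STEP_SECONDS):
    """Simulate one sequencer through one test step with a 1 s scan.

    step       -- which of the 16 test steps is running (0..15)
    input_time -- scan at which a valid safety actuation signal arrives
    fixed      -- False reproduces the defect, True applies the assumed fix
    Returns the scan at which the pump start output is energised, or None.
    """
    test_signal = True            # the step's test signal is active from t = 0
    inhibit_latch = False
    process_input = False
    uses_inhibit = step in BLOCKING_STEPS

    for t in range(horizon):
        if t >= input_time:
            process_input = True
        if process_input and test_signal:
            # A valid input aborts testing: the test signal drops on this scan.
            test_signal = False
            if fixed:
                # Assumed fix: the abort also clears the inhibit latch.
                inhibit_latch = False
        if uses_inhibit:
            if test_signal and t >= LATCH_ARM_SECONDS:
                inhibit_latch = True          # latch established by the test
            elif not fixed:
                # Defect: seal-in path keeps the latch while the process input
                # is present, even though the test signal has already cleared.
                inhibit_latch = inhibit_latch and process_input
        if process_input and not inhibit_latch:
            return t                          # start relay energised
    return None


def response_matrix(fixed):
    """Map (step kind, input timing) -> whether the pump start was issued."""
    cases = {
        ("blocking", "early"): (0, 5),       # input 5 s into a blocking step
        ("blocking", "late"): (0, 20),       # input 20 s into a blocking step
        ("non-blocking", "late"): (9, 20),   # input 20 s into a non-blocking step
    }
    return {key: run_sequencer(step, when, fixed) is not None
            for key, (step, when) in cases.items()}


if __name__ == "__main__":
    for label, fixed in (("defective", False), ("fixed", True)):
        print(label, response_matrix(fixed))
```

Only the late input during a blocking step fails, which is the "15 s or later" condition the LER describes; the same model shows why a V&V plan that injects valid inputs at only one point in each step would miss it.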
A detailed review of the sequencer software resulted in the discovery of one other error in the software which was independent of the test mode.
A condition was identified that would have prevented the automatic start of the containment spray pumps.
The condition would occur when a hi-hi containment pressure signal is received by the sequencer during a 60-ms time window beginning 12.886 s after receipt of a LOCA signal or 28.886 s after receipt of a LOOP/LOCA signal.
This error does not impact core damage sequences and was not addressed in this analysis.
A.1.3 Additional Event-Related Information

For non-LOOP events, each sequencer sends start signals to the following equipment associated with its train: one RHR pump, one HHSI pump, two intake cooling water pumps, two emergency containment cooler fans, two component cooling water pumps, and two emergency containment filter fans. Some equipment may already be in operation and would not be affected by a sequencer failure.

Turkey Point has four HHSI pumps, one per train for each unit. All four trains are normally cross-connected at the discharge of the pumps. Each HHSI pump is capable of providing 50% of the required injection; two of the four pumps are, therefore, required for high-pressure injection success following a small-break LOCA. In order to meet single failure criteria for a safety actuation, each sequencer signals its associated HHSI pump to start, and the opposite unit's sequencers signal their associated HHSI pumps to start. For example, a safety actuation signal on Unit 3, Train A, signals the 3A sequencer and both of the Unit 4 sequencers. With no equipment failures, all four HHSI pumps will respond to a safety actuation signal on either unit. Other equipment provided for each unit, including the two RHR pumps, is only started by its associated sequencer.
A.1.4 Modeling Assumptions

This event was modeled as an unavailability of HHSI and RHR pump automatic actuation for LOCA-related sequences during a 1-year period. Assuming the units were at power 70% of the time, an unavailability of 6132 h is estimated.

The ASP program typically considers the potential for core damage following three postulated offsite-power-available PWR initiating events: transient, small-break LOCA, and steam generator tube rupture (SGTR). For each of these initiating events, unavailability of high-pressure injection, when required to make up inventory lost from the reactor coolant system, is assumed to result in core damage. Two additional initiating events also exist that are impacted by the unavailability of the HHSI and RHR pumps: medium- and large-break LOCA. For both of these initiating events, unavailability of low-pressure injection is assumed to result in core damage.

The significance of an unavailability such as this event is estimated in the ASP program in terms of the increase in core damage probability during the unavailability period. Since a nonrecoverable failure of multiple sequencers will fail high- and low-pressure injection, and since unavailability of high- and low-pressure injection following a LOCA proceeds to core damage, the significance of this event can be estimated directly from the change in high- and low-pressure injection failure probabilities due to the sequencer software error and the probability of a small-, medium-, and large-break LOCA in the 6132-hour unavailability period.
Small-break LOCA. Small-break LOCA initiating events, SGTRs, and transient-induced LOCAs (primarily stuck-open relief valves for non-LOOP transients) were considered small-break LOCAs in this analysis. The frequency of these three events, based on data used in the ASP models, is 2.6 x 10~/h. For the 6132-hour unavailability period, the probability of a small-break LOCA is 1.6 x 10-~.

For a small-break LOCA, two of four HHSI pumps provide injection success; failure of three of the four pumps will, therefore, fail high-pressure injection. Since the software error did not affect sequencer response to LOOPs, only single-unit initiating events are of concern in the analysis (if LOOP response was affected, then potential dual-unit events such as a severe weather-related LOOP would also have to be considered).

Assume the small-break LOCA occurs at Unit 3. The probability of the sequencers failing to actuate the four HHSI pumps is 0.25 for HHSI pumps 3A and 3B (the sequencers would not respond to a valid signal on the same train during 4 of the 16 loading sequence tests) and 0.0625 for HHSI pumps 4A and 4B (the sequencers would not respond to a valid signal from the opposite unit during one of the 16 loading sequence tests). The probability of three of the four pumps failing is estimated by considering the pump failure combinations that can result in injection failure:

p(3A) x p(3B) x p(4A) + p(3A) x p(3B) x p(4B) + p(3A) x p(4A) x p(4B) + p(3B) x p(4A) x p(4B) = 9.8 x 10~.

Consideration of the sequencer testing process indicates that an assumption that the sequencers fail independently is reasonable. If the testing of the two sequencers on each unit is synchronized, the increased HHSI failure probability is 6.3 x 10 z (if the testing of the four sequencers were somehow synchronized, the increased HHSI failure probability would be zero, since the test step that prevents response from the opposite unit is different from the steps that prevent response on the same train). The potential impact of synchronized testing of both sequencers on an individual unit was addressed as a sensitivity analysis.

For a small-break LOCA, manual initiation of safety injection (SI) within 30 min of the LOCA is assumed to result in injection success. Assuming 5 min to reach the procedure step to verify SI, 25 min would be available for operator action. The probability of failure to recover SI due to operator error was estimated by assuming the failure probability can be represented as a time-reliability correlation (TRC) as described in Human Reliability Analysis (E. M. Dougherty and J. R. Fragola, John Wiley and Sons, New York, 1988). Operator response was assumed to be rule-based and without hesitancy. For the 25-min time period, a failure probability of 1.8 x 10~ is estimated.

The increase in core damage probability for small-break LOCAs resulting from the sequencer software error is, therefore, 1.6 x 10~ (probability of a small-break LOCA in the 6132-hour period) x 9.8 x 10~ (probability of HHSI actuation failure due to the software error) x 1.8 x 10~ (probability that the operators fail to manually initiate SI prior to core damage) = 2.8 x 10~.
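The four-term combination sum above and the synchronized-testing remark, worked as an added example (not part of the ORNL analysis): an exact enumeration of which test step each of the four sequencers is in at the moment of a Unit 3 small-break LOCA, placed beside the page's own cut-set sum. Which step indices block same-train versus opposite-unit response is assumed; only their counts (4 and 1 of 16) and the two-of-four pump success criterion come from the text.

```python
"""Added example: HHSI actuation failure probability for the sequencer defect.

Reproduces the page's numbers from its stated assumptions. Each of the 16 test
steps is treated as equally likely to be in progress when a small-break LOCA
occurs on Unit 3. A sequencer in one of four steps ignores its own train's
signal (p = 4/16 = 0.25); in one further step it ignores the opposite unit's
signal (p = 1/16 = 0.0625). Step indices below are constructed, not the plant's.
"""
from itertools import product

N_STEPS = 16
SAME_TRAIN_BLOCK = frozenset({0, 1, 2, 3})   # four steps block same-train response
OPPOSITE_UNIT_BLOCK = frozenset({4})         # one step blocks opposite-unit response

# Each HHSI pump and how its sequencer sees a Unit 3 signal: as its own train
# (3A, 3B) or as the opposite unit's signal (4A, 4B).
PUMPS = {"3A": "same", "3B": "same", "4A": "opposite", "4B": "opposite"}


def pump_fails(step, relation):
    """True if a sequencer currently in `step` would not actuate its pump."""
    blocked = SAME_TRAIN_BLOCK if relation == "same" else OPPOSITE_UNIT_BLOCK
    return step in blocked


def exact_hhsi_failure(synchronized=False):
    """Exact P(at least 3 of 4 HHSI pumps not actuated), by enumeration.

    synchronized=False: the four sequencers' test steps are independent
    (16**4 equally likely combinations).
    synchronized=True: all four sequencers share the same step (16 cases).
    """
    names = list(PUMPS)
    if synchronized:
        combos = [(s, s, s, s) for s in range(N_STEPS)]
    else:
        combos = list(product(range(N_STEPS), repeat=4))
    failures = 0
    for steps in combos:
        failed = sum(pump_fails(s, PUMPS[n]) for s, n in zip(steps, names))
        if failed >= 3:                 # two of four pumps are needed
            failures += 1
    return failures / len(combos)


def cut_set_approximation():
    """The page's own sum over the four three-pump failure combinations."""
    p = {"3A": 0.25, "3B": 0.25, "4A": 0.0625, "4B": 0.0625}
    return (p["3A"] * p["3B"] * p["4A"] + p["3A"] * p["3B"] * p["4B"]
            + p["3A"] * p["4A"] * p["4B"] + p["3B"] * p["4A"] * p["4B"])


if __name__ == "__main__":
    print(f"cut-set sum (page):      {cut_set_approximation():.2e}")
    print(f"exact, independent:      {exact_hhsi_failure():.2e}")
    print(f"exact, all synchronized: {exact_hhsi_failure(True):.2e}")
```

The exact enumeration (9.0 x 10^-3) sits slightly below the page's cut-set sum (9.8 x 10^-3) because the four three-pump terms each also count the all-four-fail case; the fully synchronized case comes out exactly zero, as the text states.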
Medium- and large-break LOCAs. The analysis of postulated medium- and large-break LOCAs follows the same approach as a small-break LOCA. The frequency of a medium- and large-break LOCA is estimated to be 1 x 10~/year and 5 x 10~/year respectively (see Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Table 8.2-4). Mitigation of both medium- and large-break LOCAs requires low-pressure injection success. Two RHR pumps are available for injection, and one of two provides success. Since the two RHR pumps are actuated only by their same-train sequencers, an actuation failure probability of 0.25 x 0.25 = 0.0625 is estimated.

Assuming manual initiation of SI within 20 min of a medium-break LOCA provides injection success (this value is consistent with Analysis of Core Damage Frequency: Surry, Unit 1, Internal Events, NUREG/CR-4550, Vol. 3, Rev. 1, Part 1, Table 4.8-4), an operator failure probability of 2.2 x 10~ is estimated, using the same approach as described for small-break LOCAs. For a large-break LOCA, the required operator response is less than 5 min, resulting in an operator error probability estimate of 1.0. These estimates result in an increase in core damage probability of 1.4 x 10 7 for medium-break LOCAs and 3.1 x 10~ for large-break LOCAs.
A.1.5 Analysis Results

Combining the probability estimates for small-, medium-, and large-break LOCAs results in an overall conditional core damage probability estimate for the sequencer software error of 3.1 x 10~, contributed almost entirely by postulated large-break LOCAs. This value is applicable to each unit. The dominant core damage sequence for the event involves a postulated large-break LOCA and failure of low-pressure injection. This sequence is highlighted in Figure A.1.2.

If the sequencer testing was synchronized at each unit, the actuation failure probability for the HHSI pumps would increase to 6.3 x 10~, as described in the modeling assumptions. The failure probability for low-pressure injection actuation would also increase to 0.25. These failure probabilities were used in a sensitivity analysis to estimate the potential impact if the testing were synchronized. The resulting core damage probability estimate is 1.3 x 10~, again primarily from large-break LOCAs.
[Fig. A-1.1: Dominant core damage sequence for LER 250/94-005. Event tree headings: Large-Break LOCA, Accumulators, Low Pressure Injection, Low Pressure Recirc., Sequence No., End State (OK, CD, CD, CD).]
ENCLOSURE 2

GUIDANCE FOR LICENSEE REVIEW OF PRELIMINARY ASP ANALYSIS

Background

The preliminary precursor analysis of an operational event that occurred at your plant has been provided for your review. This analysis was performed as a part of the NRC's Accident Sequence Precursor (ASP) Program. The ASP Program uses probabilistic risk assessment techniques to provide estimates of operating event significance in terms of the potential for core damage. The types of events evaluated include actual initiating events such as a loss of off-site power (LOOP) or loss-of-coolant accident (LOCA), degradation of plant conditions, and safety equipment failures or unavailabilities that could increase the probability of core damage from postulated accident sequences. This preliminary analysis was conducted using the information contained in the plant-specific final safety analysis report (FSAR), individual plant examination (IPE), and the licensee event report (LER) for this event.

Modeling Techniques

The models used for the analysis of 1994 events were developed by the Idaho National Engineering Laboratory (INEL). The models were developed using the Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) software. The models are based on linked fault trees. Four initiating events are considered: (1) transients, (2) loss-of-coolant accidents (LOCAs), (3) loss of offsite power (LOOPs), and (4) steam generator tube ruptures (PWR only). Fault trees were developed for each top event on the event trees to a supercomponent level of detail. The only support system currently modeled is the electric power system.

The models may be modified to include additional detail for the systems/components of interest for a particular event. This may include additional equipment or mitigation strategies as outlined in the FSAR or IPE. Probabilities are modified to reflect the particular circumstances of the event being analyzed.
Guidance for Peer Review

Comments regarding the analysis should address:

- Does the "Event Description" section accurately describe the event as it occurred?
- Does the "Additional Event-Related Information" section provide accurate additional information concerning the configuration of the plant and the operation of and procedures associated with relevant systems?
- Does the "Modeling Assumptions" section accurately describe the modeling done for the event?
- Is the modeling of the event appropriate for the events that occurred or that had the potential to occur under the event conditions? This also includes assumptions regarding the likelihood of equipment recovery.

Appendix E of Reference 1 provides examples of comments and responses for previous ASP analyses.
Criteria for Evaluating Comments

Modifications to the event analysis may be made based on the comments that you provide. Specific documentation will be required to consider modifications to the event analysis. References should be made to portions of the LER, AIT, or other event documentation concerning the sequence of events. System and component capabilities should be supported by references to the FSAR, IPE, plant procedures, or analyses. Comments related to operator response times and capabilities should reference plant procedures, the FSAR, the IPE, or applicable operator response models. Assumptions used in determining failure probabilities should be clearly stated.
Criteria for Evaluating Additional Recovery Measures

Additional systems, equipment, or specific recovery actions may be considered for incorporation into the analysis. However, to assess the viability and effectiveness of the components and methods, the appropriate documentation must be included in your response. This includes: normal or emergency operating procedures, piping and instrumentation diagrams (P&IDs), electrical one-line diagrams, results of thermal-hydraulic analyses, and operator training (both procedures and simulator), etc. Systems, equipment, or specific recovery actions that were not in place at the time of the event will not be considered. Also, the documentation should address the impact (both positive and negative) of the use of the specific recovery measure on: the sequence of events, the timing of events, the probability of operator error in using the system or equipment, and other systems/processes already modeled in the analysis (including operator actions).

For example, Plant A (a PWR) experiences a reactor trip, and, during the subsequent recovery, it is discovered that one train of the auxiliary feedwater (AFW) system is unavailable. Absent any further information regarding this event, the ASP Program would analyze it as a reactor trip with one train of AFW unavailable. The AFW modeling would be patterned after information gathered either from the plant FSAR or the IPE. However, if information is received about the use of an additional system (such as a standby steam generator feedwater system) in recovering from this event, the transient would be modeled as a reactor trip with one train of AFW unavailable, but this unavailability would be mitigated by the use of the standby feedwater system. The mitigation effect for the standby feedwater system would be credited in the analysis provided that the following material was available:

- standby feedwater system characteristics are documented in the FSAR or accounted for in the IPE,
- procedures for using the system during recovery existed at the time of the event,
- the plant operators had been trained in the use of the system prior to the event,
- a clear diagram of the system is available (either in the FSAR, IPE, or supplied by the licensee),
- previous analyses have indicated that there would be sufficient time available to implement the procedure successfully under the circumstances of the event under analysis,
- Revision or practices at the time the event occurred,
- the effects of using the standby feedwater system have on the operation and recovery of systems or procedures that are already included in the event modeling. In this case, use of the standby feedwater system may reduce the likelihood of recovering failed AFW equipment or initiating feed-and-bleed due to time and personnel constraints.
Materials Provided for Review

The following materials have been provided in the package to facilitate your review of the preliminary analysis of the operational event.

- The specific LER, augmented inspection team (AIT) report, or other pertinent reports.
- A summary of the calculational results.
- An event tree with the dominant sequence(s) highlighted. Four tables in the analysis indicate (1) a summary of the relevant basic events including modifications to the probabilities to reflect the circumstances of the event, (2) the dominant core damage sequences, (3) the system names for the systems cited in the dominant core damage sequences, and (4) cut sets for the dominant core damage sequences.

Schedule

Please refer to the transmittal letter for schedules and procedures for submitting your comments.
References

1. L. N. Vanden Heuvel et al., Precursors to Potential Severe Core Damage Accidents: 1993, A Status Report, USNRC Report NUREG/CR-4674 (ORNL/NOAC-232, Volumes 19 and 20), Martin Marietta Energy Systems, Inc., Oak Ridge National Laboratory and Science Applications International Corp., September 1994.

Guidance revised March 9, 1995.