ML17354A406

LER 96-004-03:on 970107,identified Three Instances of Inadequate Surveillance Testing.Caused by Inadequate Surveillance Procedures.Surveillance Procedures Revised
Site: Turkey Point
Issue date: 02/03/1997
From: Mowrey C
FLORIDA POWER & LIGHT CO.
To:
Shared Package
ML17354A405 List:
References
GL-96-01, GL-96-1, LER-96-004, LER-96-4, NUDOCS 9702100495

LICENSEE EVENT REPORT (LER)

FACILITY NAME (1): TURKEY POINT UNIT 3
DOCKET NUMBER (2): 05000250
PAGE (3): 1 OF 18
TITLE (4): Technical Specification Surveillance Procedure Review Identification of Inadequate Surveillance Testing
EVENT DATE (5): 1/7/97
LER NUMBER (6): 96-004-03
REPORT DATE (7): 2/3/97
OTHER FACILITIES INVOLVED (8): TURKEY POINT UNIT 4, DOCKET NUMBER 05000251
OPERATING MODE (9):
10 CFR 50.73(a)(2)(v)
POWER LEVEL (10): 100
LICENSEE CONTACT FOR THIS LER (12): C.L. MOWREY, COMPLIANCE SPECIALIST, Telephone Number (305) 246-6204

COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13)

CAUSE, SYSTEM, COMPONENT, MANUFACTURER, NPRDS

SUPPLEMENTAL REPORT EXPECTED (14): NO YES (If yes, complete EXPECTED SUBMISSION DATE)
EXPECTED SUBMISSION DATE (15)

ABSTRACT (16)

During a review of circuits and surveillances in accordance with Generic Letter 96-01, Florida Power & Light Company has identified three instances of inadequate surveillance testing. The first two resulted in missed surveillances regarding an Auxiliary Feedwater Start signal, and the safety-related swing 4KV switchgear. These were reported in earlier versions of this LER. The third involved the main steam line isolation function; it did not result in a missed surveillance, but approved procedures would have allowed it.

Turkey Point has determined the root cause of the events to be inadequate surveillance procedures.

Corrective actions included, where applicable, entering Technical Specification Action Statements, testing of the required instrument functions to fulfill Technical Specification surveillance requirements, review of past procedure performances, and surveillance procedure revisions.


LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME DOCKET NUMBER LER NUMBER PAGE NO.

TURKEY POINT UNIT 3 05000250 96-004-03 2 OF 18

I. DESCRIPTION OF THE EVENTS

1. Inadequate Surveillance Testing of the Auxiliary Feedwater Actuation Circuitry

On February 20, 1996, during the performance of scoping and scheduling the effort required to respond to NRC Generic Letter 96-01, "Testing of Safety-Related Logic Circuits," Florida Power & Light Company (FPL) identified a potential Technical Specification non-compliance associated with surveillance testing of the AFW [AB] actuation circuitry on steam generator (SG) low-low water level. After review and evaluation of this issue, FPL concluded that the Technical Specification required testing for this circuitry was insufficient and the system was declared inoperable. The evaluation supporting this conclusion was completed at approximately 9:00 am on February 22, 1996.

The concern identified was that not all three (3) combinations of the 2/3 logic for the Low-Low Level SG Level Auxiliary Feedwater (AFW) start signal are verified in Plant Procedure 3/4-OSP-075.4, "Auxiliary Feedwater Auto-Start Test". In accordance with Table 4.3-2, Item 6.a and Section 1.2 of the Technical Specifications, "each possible interlock logic state" shall be tested when performing the "Actuation Logic Test". A review of other applicable Operations and Maintenance Plant Procedures determined that the required testing was not performed. Therefore, the subject surveillance requirement was not satisfied and Section 4.0.3 of the Technical Specifications was applicable. Technical Specification 4.0.3 allows 24 hours for completion of a missed surveillance. The test was completed successfully at approximately 10:15 pm on February 22, 1996, for both units.

Although AFW has four other auto-start signals [JE:RLY] (Loss of offsite power (LOOP), safety injection (SI), ATWS Mitigating System Actuation circuitry (AMSAC), SG Feedwater Pump Trip), credit is taken for Low-Low SG Level as the primary auto-start signal for several plant accident analyses.

2. Inadequate Surveillance of the 4KV D Bus Clearing

On May 24, 1996, during the continuing review of circuit designs in response to Generic Letter 96-01, FPL identified a potential Technical Specification non-compliance associated with surveillance testing of Emergency Diesel Generator (EDG) [EK:dg] verification of bus stripping and automatic closure of the EDG breaker [EK:bkr] within 15 seconds of the test signal. Four breaker contacts [EA:52b] per train, associated with the safety-related swing 4KV switchgear [EA:swgr], have not been tested as part of any periodic surveillance. Assuming all four of the untested contacts were in a failed condition, a single active failure could result in a failure of both EDGs to automatically load their respective safety busses during a loss-of-offsite power (LOOP).

The contacts in question are part of the bus clear permissive signal to allow the EDG output breaker to close. The contacts are redundant pairs which signal that the swing 4KV bus is being powered from the opposite train. For example, the contacts in the bus clear logic for the 3A EDG are closed when the swing 4KV bus is powered from Train B.

Periodic surveillances to verify that the busses strip and the EDG output breaker closes have been performed with the swing 4KV bus aligned to the train being tested, to verify that the swing bus loads will strip and provide a proper bus clear signal.

Surveillances have not been performed with the swing 4KV bus aligned to the train opposite that being tested.

3. Inadequate Surveillance Procedures for the Main Steam Line Isolation Function

During the continuing review of circuits and surveillances in accordance with Generic Letter 96-01, FPL discovered a combination of approved procedural steps which could have allowed inadequate surveillance testing of the main steam line isolation function on manual initiation or containment high-high pressure. Technical Specification Table 4.3-2, Item 4 (Steam Line Isolation) requires that a TRIP ACTUATING DEVICE OPERATIONAL TEST be performed each refueling outage for manual initiation (Item 4a), and for containment high pressure coincident with high-high pressure (Item 4c). A TRIP ACTUATING DEVICE OPERATIONAL TEST is defined in the Technical Specifications as follows:

"A TRIP ACTUATING DEVICE OPERATIONAL TEST shall consist of operating the Trip Actuating Device and verifying OPERABILITY of alarm, interlock and/or trip functions. The TRIP ACTUATING DEVICE OPERATIONAL TEST shall include adjustment, as necessary, of the Trip Actuating Device such that it actuates at the required setpoint within the required accuracy."

The steam line actuating relays [SB:rly] are MS1, MS2 and MS3 for Train A and MS11, MS12 and MS13 for Train B as shown on Drawing 5610-M-430-171, Sh. 6. The contacts from these relays actuate solenoid valves [SB:fsv] for closure of the Main Steam Isolation Valves (MSIVs) [SB:isv]. The function of the safeguards actuating relays required to support the design basis safety function needs to be verified to satisfy the trip actuating device operational test. The actuation circuitry is sufficiently redundant such that a failure of one actuating relay in conjunction with another single failure will not prevent closure of the required two out of three MSIVs.

Plant Procedures 3/4-OSP-072.1, "Manual Steam Line Isolation Test," are provided to satisfy the requirements of Technical Specification Table 4.3-2, Item 4a. These procedures operate the manual pushbutton for each MSIV and verify that the corresponding actuating relay for each train is energized and that the valve closes. Since the pushbutton provides an input contact to each train simultaneously, the procedure does not verify that both trains of solenoid valves operate. However, overlap testing is provided as described below.

Plant Procedures 3/4-OSP-203.1, "Train A Engineered Safeguards Integrated Test," and 3/4-OSP-203.2, "Train B Engineered Safeguards Integrated Test," are provided to satisfy the requirements of Technical Specification Table 4.3-2, Item 4c. These procedures are performed on a train independent basis. In Section 7.3 of each procedure, a containment pressure high coincident with high-high condition is simulated. In response to the simulated condition, each MSIV is verified to close and to remain closed following a SI reset signal. However, the procedure includes a NOTE that allows monitoring the status of the steam line isolation actuating relays if the MSIVs are unavailable. This NOTE does not provide for functional testing of the steam line isolation actuating relay contacts and solenoid valves.

A review of plant records indicated that procedures 4-OSP-203.1 and 4-OSP-203.2 were both revised on May 11, 1993, to include the NOTE described above. Procedures 3-OSP-203.1 and 3-OSP-203.2 were revised on August 10, 1993, to incorporate the same changes made to the Unit 4 test procedures. Prior to this revision, the procedures did not allow any exception for nonavailability of the MSIVs.

The last performances for each of these procedures for Units 3 and 4 were reviewed to determine if the MSIVs were available. It was determined that POV-4-2604 was not available when the Train A procedure was performed (4-OSP-203.1) on March 28, 1996. Procedure 4-OSP-072.1 was subsequently performed when the valve became available. As described above, this procedure provides verification that the steam line isolation actuation relays are energized but does not provide verification that both trains of solenoid valves operate. Therefore, operation of the Train A solenoid valve circuitry for MSIV POV-4-2604 is not assured based on this surveillance testing. Another procedure (4-OSP-072, "Main Steam Isolation Valve Closure Test") is performed each refueling to close each MSIV, and does independently verify that the closing solenoid valve for each MSIV actuates by use of the control room manual switch. This is accomplished by pulling the fuses for the opposite train solenoid valve circuit and verifying closure of the valve. However, the actuation (de-energizing) of the normally energized open solenoid valves is not verified since the fuses for the opposite train circuit are pulled.

Three years earlier POV-4-2605 was not available during Unit 4 Train A procedure testing; credit was taken for inspection of isolation actuating relay MS2 on May 16, 1993. Although Train A logic for this valve was not tested, Train A logic for POV-4-2604 and POV-4-2606 was tested satisfactorily. Subsequently, Train B logic for POV-4-2604, POV-4-2605 and POV-4-2606 was tested satisfactorily. During the subsequent Unit 4 outage in 1994, POV-4-2605 was satisfactorily tested during Train A safeguards testing.

As previously discussed, POV-4-2604 was identified as not being available for testing on March 28, 1996. Credit was taken for inspection of isolation actuating relay MS1. Although Train A logic for this valve was not tested, Train A logic for POV-4-2605 and POV-4-2606 was tested satisfactorily. Subsequently, Train B logic for POV-4-2604, POV-4-2605, and POV-4-2606 was tested satisfactorily.

On January 7, 1997, FPL determined that although this combination of procedures did not result in a missed surveillance or a condition prohibited by Technical Specifications, it nevertheless constituted a reportable condition. On January 15, 1997, FPL further determined that this condition alone could have prevented the fulfilment of a safety function needed to mitigate the consequences of an accident, and is therefore reportable under 10CFR50.72(b)(2)(iii).

II. CAUSE OF THE EVENTS

The root cause of the events was inadequate surveillance procedures.

III. ANALYSIS OF THE EVENTS

1. Inadequate Surveillance Testing of the Auxiliary Feedwater Actuation Circuitry

Design and Licensing Bases

Design Bases

The Turkey Point AFW System is a shared system between Units 3 and 4. It uses secondary steam to drive three AFW pump turbines which supply feedwater to the steam generators during transients when the normal feedwater source is not available. The system consists of two independent trains each capable of providing required flows to both units. Control and motive power to the AFW valves is provided by either Vital AC or DC. The required AFW flow of approximately 125 gpm/unit must be delivered within three minutes of the generation of an RPS/ESFAS signal for LOOP or Small Break LOCA. This time is an assumption for the analyses used to establish the minimum flow requirement.

The control logic governing AFW operation is such that a variation in specific plant parameters, beyond the setpoint limits, results in a signal to open the steam supply valves on the affected unit(s). As configured, the AFW system automatically initiates as a result of any one of the following:

1) SI actuation
2) 2 out of 3 Low-Low water level in any one of the three SGs
3) Loss of both steam generator feedwater pumps (SGFP)
4) Bus Stripping (Bus stripping from one bus opens two out of three AFW steam motor operated valves (MOVs))
5) ATWS Mitigating System Actuation circuitry

Licensing Bases

Technical Specifications

Surveillance requirements of the AFW System that apply to auxiliary feedwater actuation are provided in Technical Specification Section 4.7.1.2.1. as stated below:

"The required independent auxiliary feedwater trains shall be demonstrated OPERABLE:

a ~

b. At least once per 18 months by:
1) Verifying that each automatic valve in the flow path actuates to its correct position upon receipt of each Auxiliary Feedwater Actuation test signal, and
2) Verifying that each auxiliary feedwater pump receives a start signal as designed automatically upon receipt of each auxiliary Feedwater Actuation test signal."

Surveillance requirements for Engineered Safety Features Actuation System (ESFAS) Instrumentation that apply to auxiliary feedwater actuation are provided in Technical Specification Section 4.3.2.1 as stated below:

"Each ESFAS instrumentation channel and interlock and the automatic actuation logic and relays shall be demonstrated OPERABLE by performance of the ESFAS Instrumentation Surveillance Requirements specified in Table 4.3-2".

Item 6a of Technical Specification Table 4.3-2, requires that the automatic actuation logic and actuation relays of the auxiliary feedwater system have an ACTUATION LOGIC TEST performed each refueling outage.

The definition of an ACTUATION LOGIC TEST is provided in Technical Specification Section 1.2 as stated below:

"An ACTUATION LOGIC TEST shall be the application of various simulated input combinations in conjunction with each possible interlock logic state and verification of the required logic output. The ACTUATION LOGIC TEST shall include a continuity check, as a minimum, of the output device".

If a Technical Specification Surveillance Requirement is not performed, Surveillance Requirement 4.0.3 must be met. It states the following:

"Failure to perform a Surveillance Requirement within the allowed surveillance interval, defined by Specification 4.0.2, shall constitute noncompliance with the OPERABILITY requirements for a Limiting Condition for Operation. The time limits of the ACTION requirements are applicable at the time it is identified that a surveillance requirement has not been performed. The ACTION requirements may be delayed for up to 24 hours to permit the completion of the surveillance when the allowable outage time limits of the ACTION requirements are less than 24 hours. Surveillance requirements do not have to be performed on inoperable equipment".

Surveillance Requirement 4.0.2 that is referred to above states:

"Each Surveillance Requirement shall be performed within the specified time interval with a maximum allowable extension not to exceed 25% of the surveillance interval".

AFW Auto Start Logic Testing

The AFW automatic start logic consists of 5 actuation signals: Bus Stripping, SI, Trip of SGFPs, AMSAC, and Low-Low Level on any SG. In order to determine if Technical Specification surveillance requirements of the AFW actuation logic were being satisfied, schematic and logic diagrams of the logic circuitry were compared against the associated test procedures to ensure all logic and parallel signal paths were being tested properly. The following summarizes the results of this design versus testing review.

The logic associated with Bus Stripping and SI is verified by simulating the actual process signals (i.e. Loss of 4KV Voltage, Hi-Hi Containment Pressure) during Integrated Safeguards Testing procedures 3/4-OSP-203.1, 2. The Trip of SGFPs logic is satisfied when both pump breakers are open and either pump control switch has been placed in the start position and returned to mid position. Therefore, this logic actuates AFW when either/both SGFPs have tripped or one has tripped while the other has been manually stopped. The various combinations of switch positions are tested properly as well as independent actuation of each train of AFW circuitry by procedure 3/4-OSP-075.4.

The AMSAC auto start logic is not required to be tested by Technical Specifications. However, the AMSAC logic is tested via procedure 3/4-OSP-093.1 as directed by Operations or following design modifications or maintenance activities.

The Low-Low S/G Level logic for AFW start is derived from the same logic relays used in the Reactor Protection System (RPS) to initiate reactor trip. Operation of these logic relays' coils and contacts which generate a reactor trip are tested on a monthly basis by procedure 3/4-OSP-049.1. However, the relay contacts used for the AFW start logic are not verified since its test relay contacts are wired in series to block AFW actuation. As a result, the AFW start logic is tested separately (on an 18 month basis) by procedure 3/4-OSP-075.4 by placing the Low-Low Level instrument loop bistable switches in test in order to actuate the logic relays. However, only channels 1 & 2 bistables are actuated on each S/G to simulate the Low-Low S/G Level signal. In order to properly verify the 2/3 relay logic matrix, channels 1 & 3 and 2 & 3 bistables should also be actuated.
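The coverage gap described above can be checked mechanically. The following Python sketch is an added example, not part of the LER or of any FPL procedure; it assumes the 2/3 matrix is three parallel paths of two series contacts (one path per channel pair) and considers only a single latent open path at a time.

```python
from itertools import combinations

CHANNELS = (1, 2, 3)
# Assumed layout: one series contact pair per 2-of-3 combination,
# with the three pairs wired in parallel to the start signal.
PATHS = tuple(combinations(CHANNELS, 2))  # (1, 2), (1, 3), (2, 3)


def matrix_output(tripped, open_paths=frozenset()):
    """Return True if the matrix generates a start signal.

    tripped:    set of channels whose bistables are placed in test (tripped).
    open_paths: paths with a latent open contact, which can never conduct.
    """
    tripped = set(tripped)
    return any(
        path not in open_paths and set(path) <= tripped
        for path in PATHS
    )


def undetected_faults(test_vectors):
    """Return the single open-path faults that no test vector reveals.

    A vector reveals a fault when the healthy matrix and the faulted
    matrix give different outputs for that vector.
    """
    missed = []
    for path in PATHS:
        fault = frozenset([path])
        revealed = any(
            matrix_output(v) != matrix_output(v, fault) for v in test_vectors
        )
        if not revealed:
            missed.append(path)
    return missed


def coverage(test_vectors):
    """Fraction of single open-path faults that the test set reveals."""
    return (len(PATHS) - len(undetected_faults(test_vectors))) / len(PATHS)


# Test sets, constructed for this example.
AS_PERFORMED = [{1, 2}]                 # only channels 1 & 2 actuated
ALL_PAIRS = [set(p) for p in PATHS]     # 1 & 2, 1 & 3, 2 & 3 in turn
ALL_THREE = [{1, 2, 3}]                 # all channels tripped together

if __name__ == "__main__":
    for name, vectors in (
        ("channels 1 & 2 only", AS_PERFORMED),
        ("each pair in turn", ALL_PAIRS),
        ("all three at once", ALL_THREE),
    ):
        print(f"{name}: coverage {coverage(vectors):.0%}, "
              f"untested paths {undetected_faults(vectors)}")
```

Under these assumptions, tripping all three channels at once reveals nothing about any single path, because the two healthy paths mask the open one; each pair has to be applied on its own.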

ANALYSIS

The Updated Final Safety Analysis Report (UFSAR) Chapter 14 accident analysis credits AFW for mitigation of several events. The following AFW related transients were reviewed: 1) Loss of Normal Feedwater Flow, 2) Loss of Non Emergency AC to Plant Auxiliaries, 3) Steam Generator Tube Rupture (SGTR), 4) Main Steam Line Break, and 5) Small Break LOCA. None of these transients rely on AFW initiation from bus stripping. The analyses assume AFW System actuation on SI or Low-Low SG Water Level.

The Loss of Normal Feedwater Flow transient is analyzed in Section 14.1.11 of the UFSAR. A loss of normal feedwater results in a reduction in capacity of the secondary system to remove the heat generated in the reactor core. The analysis of the transient described in this section demonstrates that the AFW system is capable of removing the stored and residual heat, thus preventing either over pressurization of the Reactor Coolant System or loss of water from the reactor core, and returning the plant to safe condition.

The UFSAR analysis assumes that AFW flow is initiated three (3) minutes following a start signal on Low-Low SG level. This event specifically credits AFW initiation on Low-Low SG level. As a backup, the operator would also be expected to manually initiate AFW on a reactor trip at Step 7 of 3/4-EOP-E-O, which is one of the memorized immediate operator steps.

The Loss of Non-emergency A-C Power to Plant Auxiliaries is analyzed in Section 14.1.12 of the UFSAR. The accident of record assumes that AFW is initiated on Low-Low SG level. However, because this event also assumes a LOOP, both main feedwater pumps will trip on undervoltage and cause an AFW initiation on the main feed pump breakers opening. AFW will also be initiated on bus stripping for this event. Accordingly, the AFW Actuation System (AFAS) testing inadequacies did not affect plant response to this event.

The SGTR transient is analyzed in Section 14.2.4 of the UFSAR. AFW is initiated for the SGTR on a SI signal. Accordingly, the AFAS testing inadequacies did not affect plant response to this event.

The Main Steam Line Break transient is analyzed in Section 14.2.5 of the UFSAR. AFW is initiated for the steam line break on a SI signal. Accordingly, the AFAS testing inadequacies did not affect plant response to this event.

The Small Break LOCA is analyzed in Section 14.3.2.2 of the UFSAR. AFW is initiated for the small break LOCA on a SI signal. Accordingly, the AFAS testing inadequacies did not affect plant response to this event.

Based on the preceding, the only event where AFW automatic initiation is not demonstrated by the conduct of the surveillance testing is the Loss of Normal Feedwater event resulting in initiation on Low-Low SG level. Additionally, a normal reactor trip is expected to result in AFW initiation on Low-Low SG level.

This event is reportable under the requirements of 10 CFR 50.73(a)(2)(i)(B).

Safety Significance and Operability Assessment

As defined by 10 CFR 50.36, Limiting Conditions for Operation (LCO) are "the lowest functional capability or performance levels of equipment required for safe operation of the facility. When an LCO of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the Technical Specifications until the condition can be met."

Implicit in this definition is that the lowest functional capability or performance levels of equipment be maintained assuming any credible single failure. As such, the principal purpose of LCOs is to ensure the preservation of single failure criteria by requiring all redundant components of safety systems be operable. When the required redundancy is not maintained, either due to equipment failure, maintenance, or surveillance testing, action is required within a specified time to shutdown the plant and/or perform actions to ensure a safe condition. This LCO action time is a temporary short term relaxation of the single failure criteria which is consistent with the overall system reliability, probability of the equipment function being required (i.e. LOOP Design Basis Accident occurring) during the specified time, and the safety significance of the inoperable equipment/system.

Also, as defined by 10 CFR 50.36, "Surveillance Requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that the facility operation will be within safety limits, and that the limiting conditions of operation will be met". This states that Surveillance Requirements support meeting LCOs.

GL 91-18 provides guidance on actions to be taken when a Technical Specification Surveillance is missed. The GL refers to the Standard Technical Specifications version of Surveillance Requirement 4.0.3, which forms the basis for Surveillance Requirement 4.0.3 contained in the Turkey Point Technical Specifications. The GL version of 4.0.3 states in part that:

"Failure to perform a Surveillance Requirement within the specified time interval shall constitute a failure to meet the OPERABILITY requirements for a Limiting Condition of Operation...".

Surveillance Requirements and the "Action Logic Test" definition imply or intend that all signal/actuation paths be tested. The review of 3/4-OSP-075.4 showed that the signal/actuation paths for the steam generator low-low level AFW initiation signal were only tested for one of three paths on each steam generator. This is inconsistent with the Turkey Point Plant testing that is performed on similar logic for both the RPS and ESFAS. Based on this difference, the existing testing performed was not considered sufficient to meet the intent of the Technical Specification surveillance, and Technical Specification 4.0.3 was entered and the required actions met. Additional testing that ensured compliance with the Technical Specification surveillance requirements was implemented without a plant shutdown.

While GL 91-18 and the Technical Specifications provide specific criteria to be followed when a surveillance is not met, there is a strong case that demonstrates that operability of the AFW system and its actuation logic was maintained even though surveillance testing had some inadequacies. All active components (e.g., relays, bistables) have been shown by existing testing to remain operable and capable of changing state. By testing of the RPS, the subject relays and contacts for the RPS have been shown to be operable. The primary aspect of testing that had not been met was showing those contact points for AFW actuation for the remaining two out of three logic points are made up when required. These relays and their associated contacts are located in the Cable Spreading Room, which is a controlled environment. The contacts are open during normal operation, and are not subject to welding or other phenomena that would result in their degradation. It is considered highly improbable that one set of relay contacts would remain functional and another set would fail to function.

Accordingly, on this basis, there was a high level of confidence that the untested portions of the steam generator low-low level AFW actuation circuitry were functional and capable of performing their design functions.

Probabilistic Safety Assessment

An analysis was performed to determine the change in Core Damage Frequency (CDF) for failure of the AFW system to actuate in the event of a low-low level in the steam generators. The analysis increased the AFW pump common cause failure to start by a factor of one hundred to account for the actuation failure and assumed the probability of the operator's failure to turn on the AFW pumps while carrying out the Emergency Operating Procedure as 1.50E-02.

The calculated CDF change is 7.00E-07/yr. This is considered not risk significant based on the criterion of risk significance for permanent plant changes in the Electric Power Research Institute Probabilistic Safety Assessment Applications Guide.

2. Inadequate Surveillance of the 4KV D Bus Clearing

Design Bases

The Emergency Power System provides AC power to Turkey Point Units 3 and 4 station loads to assure the capability for a safe and orderly shutdown, as well as continued maintenance of the units in a safe condition under the following circumstances:
1) Normal operating modes of the units,
2) Loss of Offsite Power (LOOP),
3) Design basis accident on one unit requiring mitigation of accident conditions and subsequent safe shutdown of the unit, together with achieving and maintaining the non-accident unit in hot shutdown condition,
4) Postulated fires requiring shutdown of the units with or without availability of offsite power,
5) 10 CFR 50.63 Station Blackout events.

Four onsite EDGs are provided with two EDGs dedicated to each unit. The EDGs supply on-site power in the event of a LOOP. Although dedicated to a specific unit, each of the EDGs supplies loads which are common to both units (e.g., safety injection pumps [BQ:p] and vital DC battery chargers [EJ:byc]). The A EDGs feed the A 4KV busses and the B EDGs feed the B 4KV busses of their respective units. Also, the D 4KV bus of each unit is a swing bus, which can be powered by either of its respective A or B 4KV busses. To enable the EDG output breakers to automatically close on to the 4KV busses, all load breakers connected to the 4KV busses must be opened (bus stripping and clearing). Breakers supplying the required equipment can then be sequentially closed with sufficient time delay between breaker closures to prevent overloading the EDGs.

Technical Specifications

Surveillance requirements of the Electrical Power Systems that apply to the EDGs are provided in Technical Specifications Section 4.8.1.1.2. In the event of a loss-of-offsite power, the applicable surveillance requirements are provided in Technical Specification Sections 4.8.1.1.2.g.4.a and b, and 4.8.1.1.2.g.6.a and b, as discussed below:

Each diesel generator shall be demonstrated OPERABLE:

g. At least once per 18 months, during shutdown (applicable to only the two diesel generators associated with the unit):

4) Simulating a loss-of-offsite power by itself, and:

a) Verifying deenergization of the emergency busses and load shedding from the emergency busses, and
b) Verifying the diesel starts on the auto-start signal, energizes the emergency busses with any permanently connected loads within 15 seconds,....

6) Simulating a loss-of-offsite power in conjunction with an ESF Actuation test signal, and:

a) Verifying deenergization of the emergency busses and load shedding from the emergency busses;
b) Verifying the diesel starts on the auto-start signal, energizes the emergency busses with any permanently connected loads within 15 seconds,

If a Technical Specification Surveillance Requirement is not performed, Surveillance Requirement 4.0.3 must be met. It states the following:

"Failure to perform a Surveillance Requirement within the allowed surveillance interval, defined by Specification 4.0.2, shall constitute noncompliance with the OPERABILITY requirements for a Limiting Condition for Operation. The time limits of the ACTION requirements are applicable at the time it is identified that a surveillance requirement has not been performed. The ACTION requirements may be delayed for up to 24 hours to permit the completion of the surveillance when the allowable outage time limits of the ACTION requirements are less than 24 hours. Surveillance requirements do not have to be performed on inoperable equipment".

Surveillance Requirement 4.0.2, referred to above, states:

"Each Surveillance Requirement shall be performed within the specified time interval with a maximum allowable extension not to exceed 25% of the surveillance interval".

Bus Clearing Signal

The bus clearing signal is a required permissive for automatic closure of the diesel breaker in order to satisfy the above surveillance requirements. There are two redundant bus clearing relay circuits per train for reliability purposes. Only one of the two bus clearing relays is required to pick up as a permissive for diesel breaker closure. In addition, there is a contact for both the "D" 4KV bus supply and incoming breakers in parallel for each of the bus clearing relay circuits (see attached sketch).

Technical Specification surveillance requirements 4.8.1.1.2.g.4.b and 4.8.1.1.2.g.6.b are intended to be tested by procedures 3/4-OSP-203.1 (Train A) and 3/4-OSP-203.2 (Train B). Since Train A and B are tested independently, the D 4KV bus is aligned to the train being tested in order to satisfy the surveillance criteria with respect to stripping and loading of the intake cooling water (ICW) [BI:p] and component cooling water (CCW) pumps [CC:p] powered from the D 4KV bus. However, with the D 4KV bus aligned to the train under test, only one path in the bus clear relay circuit is tested. The two bus clearing relay circuit paths for the D 4KV bus aligned to the opposite train are not tested by the above plant procedures.

Safety Significance

Assuming that the contacts which are not tested are not operational, a single failure (e.g. CCW pump breaker or ICW pump breaker fails to trip) will result in a failure of both EDGs to automatically load their respective safety busses during a LOOP.

Note that there are two redundant bus clearing circuits per train for reliability purposes. Four contacts would have to fail for the non-tested circuit path not to function. In addition, the bus tie breakers are interlocked such that the supply breaker cannot be closed when the incoming breaker is open. Operating procedures require both the supply and incoming breaker be open for bus isolation. Therefore, the probability of concurrent failure of the four contacts is extremely low.

The two bus clearing relay circuit paths for the D 4KV bus aligned to the opposite train were tested successfully on May 24, 1996; therefore, the Technical Specification Sections 4.8.1.1.2.g.4 and 4.8.1.1.2.g.6 surveillance requirements were met.

3. Inadequate Surveillance Procedures for Main Steam Line Isolation Function

UFSAR Review

Main steam isolation and operation of the MSIVs is discussed in the UFSAR in Sections 10.2, 14.2.4, and 14.2.5. Section 10.2.2 of the UFSAR states in part:

"The Main Steam Isolation Valves (MSIVs) provide safety related isolation capability for the steam generators for Main Steam Line Breaks (MSLBs) and Steam Generator Tube Ruptures (SGTRs). The MSIVs are maintained closed by the Instrument Air System. On Unit 3, a safety related nitrogen supply subsystem functions as a backup to the Instrument Air System. On Unit 4, safety related air accumulators are provided to perform this backup function. The backup subsystems consist of independent pneumatic circuits, redundant electric control solenoid valves, and dedicated high pressure gas reserves (Unit 3) or dedicated air reserves (Unit 4). This ensures that each MSIV will close in 5 seconds or less under no steam flow conditions if the Instrument Air System and one 125 VDC power channel are unavailable. These backup systems also ensure that the MSIVs will remain closed for a minimum of one hour without the need for operator action, independent of the availability of Instrument Air."

Section 14.2.4 of the UFSAR deals with the SGTR event, which credits operator action to manually isolate the faulted steam generator 30 minutes into the tube rupture event. Since manual action is credited, operation of main steam line isolation safeguards circuitry is not required for this event.

Section 14.2.5 of the UFSAR deals with the MSLB event. Based on the design of the system, "...For any break, in any location, no more than one steam generator would experience an uncontrolled blowdown if one of the MSIVs fails to close."

Design Basis

If it is assumed that one Train A solenoid valve circuit is in a failed condition and a single failure is considered involving the Train B circuitry, one MSIV would fail to close on demand. The failure to close one MSIV is enveloped by the Updated Final Safety Analysis Report. The analysis assumes an uncontrolled steam release from one steam generator. Therefore, the present condition of the MSIVs is not outside of the design basis.

TECHNICAL SPECIFICATION COMPLIANCE/OPERABILITY

As provided in 10CFR50.36(c)(3), "Surveillance requirements are requirements relating to test, calibration or inspection to ensure that the necessary quality of systems and components is maintained, that the facility operation will be within safety limits, and that the limiting conditions of operation will be met." The surveillance testing that has been performed for the MSIVs ensures the necessary quality of the system. No single failure in conjunction with an assumed failure of the Train A valve circuit will result in more than one steam isolation valve failing to close. The failure of one MSIV to close is within the plant design basis and ensures operation within the safety limits.

The Technical Specifications require a TRIP ACTUATING DEVICE OPERATIONAL TEST for steam line isolation be performed. However, the specific logic paths are not delineated. The surveillance testing provided for the MSIVs provides assurance that the system will meet its specified safety function as is required for operability to support the limiting conditions of operation.

The Technical Specification Bases for the Engineered Safety Features Actuation System Instrumentation (Section 3/4.3.2) states that, "The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards." The design basis for this system is that no single failure result in more than one MSIV failing to close. The surveillance testing provided for the MSIVs provides assurance that the system will meet its specified safety function within the design basis of the plant. In addition, the surveillance testing provides a reasonable expectation that the system will meet its safety function and that it is reasonably reliable.

Based on the above, the subject surveillance requirements of Technical Specification Table 4.3-2, Item 4, have been satisfied and Operability has been demonstrated.

IV. CORRECTIVE ACTIONS

1. Inadequate Surveillance Testing of the Auxiliary Feedwater Actuation Circuitry

1. The untested portion of the Low-Low S/G Level AFW start logic was tested successfully on February 22, 1996.

2. Plant Procedures 3-OSP-075.4 and 4-OSP-075.4 will be revised to include all combinations of the 2/3 low-low steam generator level logic prior to the next performance of this surveillance.

2. Inadequate Surveillance of the 4D 4KV Bus Clearing

1. The two bus clearing relay circuit paths for the D 4KV bus aligned to the opposite train were tested successfully on May 24, 1996.

2. Plant procedures will be revised to test all possible paths of the bus clearing relay circuits prior to the next performance of this surveillance.

3. Inadequate Surveillance Procedures for Main Steam Line Isolation Function

1. Surveillances performed since the listed procedure steps were approved were reviewed. The review showed two instances in which the NOTE was invoked, each time for a single train on a single MSIV. At no time was the note invoked for more than one of the steam line actuating relays.

2. Procedures 3/4-OSP-072.1 will be revised to test each train of MSIVs separately.

3. Temporary Procedure 97-003 was generated to validate the MSIV logic on a per train basis. The procedure will be performed during the next Unit 4 Short Notice Outage of sufficient duration. If no such outage occurs, revised procedure 4-OSP-072.1 will be used to test the MSIV logic during the next Unit 4 refueling outage.

V. ADDITIONAL INFORMATION

EIIS Codes are shown in the format [EIIS SYSTEM: IEEE component function identifier, second component function identifier (if appropriate)].