L-2002-009, Proposed License Amendments, Surveillance Requirement 4.8.1.1.2.g.7 Change to Perform the Emergency Diesel Generator 24-Hour Functional Testing During Power Operation

From kanterella
Revision as of 03:38, 28 March 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Proposed License Amendments, Surveillance Requirement 4.8.1.1.2.g.7 Change to Perform the Emergency Diesel Generator 24-Hour Functional Testing During Power Operation
ML020440225
Person / Time
Site: Turkey Point  NextEra Energy icon.png
Issue date: 01/16/2002
From: Mcelwain J
Florida Power & Light Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
L-2002-009
Download: ML020440225 (21)
v  d  e


Text

L-2002-009 FPL FPL" 10 CFR 50.90 U. S. Nuclear Regulatory Comfnission Attn: Document Control Desk Washington D. C. 20555-0001 Re: Turkey Point Units 3 and 4 Docket Nos. 50-250 and 50-251 Proposed License Amendments Surveillance Requirement 4.8.1.1.2.g.7 Change to Perform the Emergency Diesel Generator 24-Hour Functional Testing During POWER OPERATION Pursuant to 10 CFR 50.90, Florida Power & Light Company (FPL) requests to amend Facility Operating Licenses DPR-31 and DPR-41 for Turkey Point Units 3 and 4, respectively, by incorporating the attached Technical Specifications (TS) revision.

The proposed changes will add a footnote to Surveillance Requirement 4.8.1.1.2.g.7 regarding the 24-hour functional test of the emergency diesel generators (EDGs). The proposed amendments will permit functional testing of the EDGs to be performed during POWER OPERATION. The changes are based on an integrated review of deterministic design basis factors, and an evaluation of plant risk using probabilistic safety assessment (PSA) techniques.

Approval of these license amendments is expected to simplify and shorten the scheduling of the EDG testing and surveillance window during a refueling outage, resulting in a reduction of the outage time and significant cost savings. The risk of performing the proposed EDG functional test during POWER OPERATION has been determined to be not risk significant. These proposed amendments are similar to those submitted by LaSalle and Shearon Harris Nuclear Stations and approved by NRC on October 16, 2000 and October 3, 2001, respectively.

It is requested that the proposed amendments, if approved, be issued by April 1, 2002. is the evaluation of the proposed TS changes. FPL has determined that the proposed license amendments do not involve a significant hazard pursuant to 10 CFR 50.92. Attachment 2 is the "Determination of No Significant Hazards Consideration." Enclosure 1 contains the appropriate TS page marked-up to show the proposed changes.

an FPL Group company

Turkey Point Units 3 and 4 L-2002-009 Docket Nos. 50-250 and 50-251 Page 2 Proposed License Amendments Surveillance Requirement 4.8.1.1.2.g.7 Change to Perform the Emergency Diesel Generator 24-Hour Functional Testing During POWER OPERATION In accordance with 10 CFR 50.9 1(b), a copy of the proposed license amendments is being forwarded to the State Designee for the State of Florida.

The proposed license amendments have been reviewed by the Turkey Point Plant Nuclear Safety Committee and the FPL Company Nuclear Review Board.

Should there be any questions, please contact Olga Hanek at (305) 246-6607.

Very truly yours, ImnP. M~wi Vice President Turkey Point Plant SM Attachments, Enclosure cc: Regional Administrator, Region II, USNRC Senior Resident Inspector, USNRC, Turkey Point Plant Florida Department of Health

Turkey Point Units 3 and 4 L-2002-009 Docket Nos. 50-250 and 50-251 P age 3 Proposed License Amendments Surveillance Requirement 4.8.1.1.2.g.7 Change to Perform the Emergency Diesel Generator 24-Hour Functional Testing During POWER OPERATION STATE OF FLORIDA )

COUNTY OF MIAMI-DADE

)

John P. McElwain being first duly sworn, deposes and says:

That he is Vice President, Turkey Point Plant, of Florida Power and Light Company, the Licensee herein; That he has executed the foregoing document; that the statements made in this document are true and correct to the best of his knowledge, information and belief, and that he is authorized to execute the document on behalf of said Licensee.

i,/)john '. Mckwain Subscribed and sworn to before me this day of ,2002, Name of Notgry Public (Type or Print)

John P. McElwain is personally known to me.

ATTACHMENT 1 TABLE OF CONTENTS EVALUATION OF PROPOSED TECHNICAL SPECIFICATION CHANGES 1.0 Introduction

2.0 Background

2.1 Emergency Diesel Generator (EDG) 2.2 Starting Initiating Circuits 2.3 Trips and Interlocks 2.4 Load Shedding Circuits 2.5 Automatic Loading and Stripping of Buses 2.6 Current Technical Specification Requirements 3.0 Description of Proposed TS Changes 4.0 Justification for Proposed TS Changes 4.1 Deterministic Safety Assessment of the Proposed EDG 24-Hour Functional Testing During POWER OPERATION 4.2 Design Basis and Safety Analysis Impact 4.3 Probabilistic Safety Assessment (PSA) of the Proposed EDG 24-Hour Functional Testing During POWER OPERATION 5.0 Environmental Consideration (i)

L-2002-009, Attachment I Page 1 of 12 EVALUATION OF THE PROPOSED TECHNCIAL SPECIFICATION CHANGES 1.0 Introduction Pursuant to 10 CFR 50.90, Florida Power & Light Company (FPL) requests to amend Facility Operating Licenses DPR-31 and DPR-41 for Turkey Point Units 3 and 4, respectively, by incorporating the attached Technical Specifications (TS) revision. Presently, the TS Surveillance Requirement (SR) 4.8.1.1.2.g.7 requires that operability of each Emergency Diesel Generator (EDG) be determined every 18 months by performing a 24-hour endurance functional test during shutdown. The proposed changes will add a footnote to Surveillance Requirement 4.8.1.1.2.g.7 to permit the performance of the EDG 24-hour functional test during POWER OPERATION. The requested changes will remove the restriction on performing the testing only during shutdown. These changes are based on information provided herein which includes an integrated review and safety assessment of deterministic EDG design basis factors, and an evaluation of plant risk using probabilistic safety assessment (PSA) techniques.

Approval of these license amendments is expected to simplify and shorten the scheduling of the EDG testing and surveillance window during a refueling outage, resulting in a reduction of outage time and significant cost savings.

2.0 Background

2.1 Emergency Diesel Generator (EDG)

The original configuration of Turkey Point Units 3 and 4, as licensed by the NRC, utilized two EDGs currently labeled 3A and 3B that were shared between the units. In 1990-1991, as part of an upgrade of the Emergency Power System, two additional EDGs labeled EDGs 4A and 4B were added to the plant. These two new EDGs were designed to the latest standards while maintaining consistency with the existing Emergency Power System.

The onsite emergency AC power source consists of four EDG sets and their associated auxiliary systems, comprising the fuel oil, lube oil, cooling water, starting air, air intake and exhaust, and automatic control circuitry. Each EDG consists of a turbocharged, two-cycle engine directly coupled to a generator. The generator is a 4160 volt, 3 phase, 60 Hz, AC synchronous machine. Each of the diesel generator net output is rated at 2500 kW for Unit 3, and 2874 kW for Unit 4. Descriptions of the EDG design and operation are provided in the Updated Final Safety Analysis Report (UFSAR).

Each EDG is seismically qualified, safety related, and located in a separate room inside two separate structures located east (Unit 3) and northeast (Unit 4) of the turbine area. Each EDG is connected to a separate power train, two per unit. The EDGs supply onsite emergency AC power to those electrical loads needed to achieve safe shutdown of the plant or to mitigate the consequences of any safety injection event coincident with the loss of the normal AC power supply. With any credible single failure, the EDGs are capable of assuring a safe shutdown of both units with a Loss of Offsite Power (LOOP) concurrent with a Loss of Coolant Accident (LOCA) on one unit. Each EDG can supply power to its respective 4.16 kV bus. Under specific circumstances, each EDG can supply either of the opposite unit's vital 4.16 kV buses through the Station Blackout tie line. The 4.16 kV system has the capability via the crosstie

L-2002-009, Attachment 1 Page 2 of 12 and the swing switchgear to connect any EDG with either the "A" or "B" switchgear of the opposite unit. The design provides the capability to perform this function from within the Control Room. Both Turkey Point Units 3 and 4 can successfully withstand and recover from a loss of all offsite and onsite AC power in compliance with the Station Blackout rule, 10 CFR 50.63.

The EDG system description, which is provided in the following sections 2.2 through 2.5 of this submittal, reflects the information provided in Turkey Point Units 3 and 4 UFSAR Sections 8.2.2.1.1.1 and 8.2.2.1.1.2.

2.2 Starting Initiating Circuits Each EDG is started on the receipt of a Safety Injection Signal (SIS) in either unit or the loss of voltage on its associated 4.16 kV bus. Upon loss of voltage, the following automatic sequence starts:

1. The EDG for the respective bus is started.
2. All motor feeders and main supply breakers are tripped via the load sequencer.
3. EDG breaker closes.
4. All required emergency shutdown loads are sequenced onto the EDG via its load sequencer. To continue the shutdown of the unit on loss of power, all further operations are done manually by the operator.

Upon initiation of a Safety Injection Signal, the EDGs start and continue to operate in a no load condition (EDG breaker open) at normal operating speed unless an undervoltage signal is received or until they are stopped manually.

2.3 Trips and Interlocks Protective and alarm relays are provided for the generator of the EDGs which are bypassed under emergency operation with the exception of the generator differential. In addition to the generator differential relay, the other devices that will trip the EDG under emergency operation are a mechanical engine overspeed trip and the emergency stop button.

2.4 Load Shedding Circuits A loss of normal power supply is detected by undervoltage relays which initiate via the bus load sequencer the bus stripping action on the affected 4.16kv and associated 480 v load center bus by energizing bus stripping relays. The bus stripping relays open all required bus supply and feeder breakers.

2.5 Automatic Loading and Stripping of Buses The loading and stripping functions of the emergency power distribution system in response to undervoltage signals and/or SIS are controlled by the load sequencers. The four load sequencers (one per train/EDG) are qualified solid state type sequencers, which primarily perform two functions, "Bus Stripping/Clearing" and "Load Sequencing."

L-2002-009, Attachment 1 Page 3 of 12 The bus stripping function trips and blocks starting of electrical loads on 4.16 kV switchgear, 480V load centers or 480V MCCs; the bus clearing function verifies that the required 4.16 kV switchgear breakers have tripped. The EDGs are designed to obtain rated speed and voltage within 15 seconds following the receipt of a start signal. The EDG breaker closes once the EDG has reached rated speed and voltage and the appropriate buses have been stripped in accordance with the design. The control logic is such that no loads can be sequenced onto the bus following a loss of power on a 4.16 kV switchgear until the EDG breaker is closed. This in turn requires that all loads are previously stripped from the bus to permit EDG breaker closure. Upon initiation of stripping after detection of a LOOP condition (one-second), the sequencer starts loading automatically at 15.5 seconds. The timing contacts of the sequencer close the breakers or energize the contactors of the equipment required for the safe shutdown of the plant in a predetermined sequential order.

The stripping and loading of equipment are summarized below:

1. For a LOOP on a given unit all associated 4.16 kV and 480V loads will be stripped. Output relays that strip the essential loads are reset when power is restored. This enables the essential loads to be loaded by the sequencer onto the bus for safe shutdown. Output relays that strip non-essential loads are automatically reset only after offsite power is restored to the 4.16 kV bus.
2. If either unit experiences an SIS while offsite power is available, load shedding, bus stripping and EDG breaker closure signals will not be initiated by the sequencer. However, essential loads required for emergency reactor shutdown will be sequentially connected to the bus by the sequencer. This occurs without any timing delay for start of the EDGs. The SIS in this case, starts the EDGs but they are not connected to the plant distribution system unless a LOOP also occurs.
3. If a LOOP is experienced subsequent to the occurrence of an SIS, any train experiencing the loss of voltage will be stripped by the sequencer and, upon closure of the EDG breaker, the affected bus(es) will be sequentially loaded.
4. If an EDG is in the test mode and paralleled to offsite power and an SIS is initiated, the EDG breaker will trip, the EDG will continue to run and essential loads required for emergency shutdown will be sequentially loaded to the bus by the sequencer, with the power being supplied from the offsite power source.
5. If an SIS occurs subsequent to a LOOP, while the EDGs are providing emergency onsite power, the EDGs will continue to operate and the buses associated with the unit experiencing the SIS will be stripped. Next, the loads required for emergency shutdown will be loaded to the buses by the associated sequencer. The timing contacts of the sequencer will be reset to the zero time condition regardless of the state of progress of the EDG LOOP loading operation. Additionally, the buses associated with the non-SIS unit will be stripped and sequentially loaded for safe shutdown as well as starting both SI pumps associated with that unit. For both units the EDG breakers remain closed during these scenarios.

L-2002-009, Attachment 1 Page 4 of 12 2.6 Current Technical Specification Requirements

[Note: The Surveillance Requirement 4.8.1.1.2.g.7 is printed in two pages. There are two different footnotes denoted with a double asterisk (**). One is found on TS page 3/4 8-7 and the second on TS page 3/4 8-8.]

Surveillance Requirement 4.8.1.1.2.g.7 requires that each of the required EDGs shall be demonstrated operable at least once per 18 months during shutdown by performing the following:

(On TS Page 3/4 8-7) 7)* Verifying the diesel generator operates for at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. During the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of this test, the diesel generator shall be loaded to 2550-2750 kW (Unit 3),

2950-3150 kW (Unit 4)** and during the remaining 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> of this test, the diesel generator shall be loaded to 2300-2500 kW (Unit 3), 2650-2850 kW (Unit 4)**. The generator voltage and frequency shall be 4160 +/- 420 volts and 60 +/- 1.2 Hz within 15 seconds after the start signal; the steady-state generator voltage and frequency (On TS Page 3/4 8-8) shall be maintained within these limits during this test. Within 5 minutes after completing this 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> test, verify the diesel starts and accelerates to reach a generator voltage and frequency of 4160 +/- 420 volts and 60 +/- 1.2 Hz within 15 seconds after the start signal. **

The footnotes are as follows:

TS Page 3 /4 8-7

  • For the purpose of this test, warmup procedures, such as idling, gradual acceleration, and gradual loading as recommended by the manufacturer may be used.

TS Page 3 /4 8-7 ** Momentary transients outside these load bands do not invalidate this test.

TS Page 3 /4 8-8 **If verification of the diesel's ability to restart and accelerate to a generator voltage and frequency of 4160 +/- 420 volts and 60 + 1.2 Hz within 15 seconds following the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> operation test of Specification 4.8.1.1.2.g.7) is not satisfactorily completed, it is not necessary to repeat the 24-hour test. Instead, the diesel generator may be operated between 2300-2500 kW Unit 3, 2650-2850 kW (Unit 4) for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> or until operating temperature has stabilized (whichever is greater). Following the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />s/operating temperature stabilization run, the EDG is to be secured and restarted within 5 minutes to confirm its ability to achieve the required voltage and frequency within 15 seconds.

3.0 Description of Proposed TS Changes The proposed changes add a footnote denoted by "#" to the Surveillance Requirement for the 24-hour functional test of the EDGs, which will permit functional testing of the EDGs to be performed during POWER OPERATION.

The proposed footnote to Surveillance Requirement 4.8.1.1.2.g.7, is as follows:

  1. This test may be performed during POWER OPERATION.

L-2002-009, Attachment 1 Page 5 of 12 4.0 Justification for Proposed TS Chances 4.1 Deterministic Safety Assessment of the EDG 24-hour Functional Testing During POWER OPERATION The proposed changes to permit the performance of the EDG 24-hour functional test during POWER OPERATION, are acceptable based on the following:

" Turkey Point Units 3 and 4 EDGs are run monthly during POWER OPERATION to satisfy monthly TS requirements. The EDG is declared inoperable for the duration of the test. The EDG system lineup with the offsite power system, for the monthly test, is identical to the lineup for the 24-hour functional test. Thus, performing the 24-hour functional test, during POWER OPERATION, does not introduce a new mode of operation for the EDGs.

"* During the 24-hour functional test of an EDG, no other EDG is operated in parallel with the offsite power system. The testing does not affect the independent safe shutdown capabilities of the emergency buses. This restriction is controlled administratively.

" A non-emergency EDG trip will not prevent a running diesel from supplying power when operating in an emergency mode. The emergency signals, SI and bus stripping, will override all protective EDG trips with the exception of the engine overspeed and EDG differential.

"* The EDG 24-hour testing shall not be performed during known unstable grid conditions or during forecasted severe weather conditions. This restriction is controlled administratively.

" If an EDG is in the test mode and paralleled to offsite power, the starting of large motor loads on the associated electrical bus can subject the EDG to undesirable transients.

Manual starting of such large motor loads is prevented by administrative procedural control. The potential automatic start of large motor loads is administratively controlled by either ensuring the motor is running before the test is started or by racking out the associated motor breaker.

" If an EDG is in the test mode and paralleled to offsite power and an SI signal is initiated, the EDG breaker will trip, the EDG will continue to run and essential loads required for emergency shutdown will be sequentially loaded to the bus by the sequencer, with the power being supplied from the offsite power source.

" When the EDG is in the test mode and paralleled to the offsite power, protective trips are provided for the EDG breaker by the main generator (286/G3X, 286/G4X) and main generator transformer (86/G3X, 86/G4X) lockout relays (

Reference:

5613(4)-T-Ll, Sh.

9A6 (9A5). These lockout relays are actuated by any of the following conditions:

Directional power and main transformer fault pressure Switchyard string bus differential Generator neutral ground Generator differential

L-2002-009, Attachment 1 Page 6 of 12 Generator leads fault and voltage balance Generator over excitation Main transformer ground Auxiliary transformer differential Switchyard generator breaker backup lockout Generator exciter overcurrent Generator field loss of power supply Turbine Trip Turbine blade overheat protection Generator reverse power Generator voltage balance and ground Generator negative sequence Generator loss of field and voltage balance Auxiliary transformer breaker backup overcurrent Generator out of step Main transformer differential Auxiliary transformer fault pressure Volts per hertz low or high

" If a LOOP occurs due to the actuation of one of the above lockout relays when the EDG is in the test mode and paralleled to offsite power, the EDG breaker would trip open while the EDG continues to run in standby. The LOOP would then be detected by the undervoltage relays that initiate bus-stripping action via the sequencer as previously described. The bus stripping signal transfers the EDG to emergency operation (non-essential trips bypassed) and switches the EDG from droop mode to isochronous mode. Following bus stripping, a bus clear signal is generated that results in reclosing of the EDG breaker. The sequencer then loads equipment required for safe shutdown of the plant in a predetermined order.

(

Reference:

5613(4)-T-L1, Sh. 9A6 (9A5), 5610-T-Ll, Sh. 4A and 4B, 5613(4)-T-Ll, Sh.

9A, 12&13 series).

"* Although the above described protection is provided to the EDG for LOOP events that may occur during testing, the EDG is considered inoperable during testing since the protection is non-safety related. The failure of the lockout relay protection to trip the EDG breaker for LOOP events during testing would likely result in actuation of an EDG protective trip (likely generator voltage restrained overcurrent). Response to such an event would be recognized by the operators and is procedurally controlled.

4.2 Design Basis Requirements and Safety Analysis Impact The function of the EDGs is to provide a reliable source of AC power to the electric loads required for safe shutdown of the nuclear units in the event that the preferred power source is interrupted. The EDGs accomplish this function for the following shutdown conditions:

LOOP affecting one or both nuclear units, or LOCA on one unit concurrent with a LOOP that affects both units, or SBO conditions on the opposite unit.

L-2002-009, Attachment 1 Page 7 of 12 In each case, the EDGs are required to provide a continuous source of AC power while maintaining voltage and frequency stability. The condition that imposes the highest load demand on the EDGs is the LOOP-LOCA. Under these conditions, the EDGs must power the accident mitigation loads of one unit plus the safe shutdown loads of the non-accident unit. The EDGs are designed to supply the required power to both the accident and non accident unit, under the most limiting single failure condition. Two EDGs are required to satisfy the LOOP-LOCA design basis requirements. To ensure that two EDGs will be available under single active failure conditions, the plant Technical Specifications require three EDGs to be operable for each unit in Modes 1, 2, 3, and 4.

Removing one of the four EDG from service places the associated Unit in an Action Statement (but leaves the required three for the opposite Unit). The specified time to take action represents a temporary relaxation of the single failure criterion, which, consistent with overall system reliability considerations, provides a limited time period to repair, inspect, overhaul, or test equipment without impacting the plant operating mode.

Accordingly, from a design basis standpoint, the inoperable EDG effectively represents a single failure for the system during the performance of the EDG 24-hour functional testing.

Since the emergency power system can accommodate a single EDG failure, and recovery of a failed component is not credited in the plant safety analysis, i.e., the single failure remains in effect for the entire accident sequence, performing the EDG 24-hour functional test during POWER OPERATION has no impact on the system design basis or the plant safety analyses.

4.3 Probabilistic Safety Assessment (PSA) of the Proposed EDG 24-Hour Functional Testing During POWER OPERATION The risk assessment of the proposed EDG 24-hour functional testing on line for Turkey Point was generated using an updated version of the Individual Plant Examination (IPE) model developed in response to Generic Letter (GL) 88-20, Individual PlantExamination for Severe Accident Vulnerabilities, and associated supplements. Since submittal of the IPE, both the model and the reliability/unavailability databases for Turkey Point have been updated. The two units are sufficiently similar such that one model represents both units.

The updated model and databases were used to calculate the risk numbers to evaluate the EDG 24-hour functional testing on line. The model update process included a review of all plant design changes that were implemented since creation of the original models. A summary of the Turkey Point PSA changes since submittal of the IPE is included in Section 4.3.1.3 of this attachment.

FPL's evaluation of the risk associated with the proposed EDG 24-hour functional testing on line generally conforms to the three-tiered approach that is identified in Regulatory Position C.2.3 of USNRC Regulatory Guide 1.177, An Approachfor Plant-Specific,Risk-Informed Decisionmaking:Technical Specifications, August 1998. Tier 1 consists of the PSA capability and insights; Tier 2 identifies risk-significant plant configurations that should be avoided; and Tier 3 describes the implementation of a risk-informed configuration risk management program. At Turkey Point Units 3 and 4, a Tier 3 configuration risk management program is in place via the implementation of Section (a)(4) of the Maintenance Rule.

L-2002-009, Attachment 1 Page 8 of 12 4.3.1 Tier 1, Analysis of Risk Impact and Calculated Results Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in Core Damage Frequency (CDF), the Incremental Conditional Change in Core Damage Probability (ICCDP), and when appropriate, the change in Large Early Release Frequency (LERF) and the Incremental Conditional Large Early Release Probability (ICLERP). The definitions of these risk measures are shown below:

ICCDP= [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] * (duration of subject equipment unavailability)

ICLERP= [(conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailabilities)] * (duration of subject equipment unavailability)

The LERF for Turkey Point was estimated as follows:

LERF = [(fraction of CDF leading to a large early release) * (Total CDF - SGTR CDF ISLOCA CDF)] + SGTR CDF + ISLOCA CDF where ISLOCA CDF is the CDF contribution from Interfacing System LOCAs, and SGTR CDF is the CDF contribution from Steam Generator Tube Ruptures The risk incurred by moving the performance of the EDG 24-hour run from shutdown to on-line conditions can be bounded by calculating the on-line risk of completely removing the EDG from service for the duration of the test. For this analysis, the EDG was assumed to be inoperable for 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> - 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for the actual run, and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for pre- and post test activities. The following results are based on removing both EDGs from service for a 30-hour period (at separate times):

Annualized Delta CDF = 4.4E-8 per year Annualized Delta LERF = 1.3E-10 per year ICCDP = 2.9E-8 ICLERP = 6.5E-1 1 These results fall below the Acceptance Guidelines for TS Changes contained in Regulatory Guides 1.174 and 1.177. Therefore, the risk of performing the EDG 24-hour run on-line has only a small quantitative impact on plant risk.

4.3.1.1 Quality of the Turkey Point PSA The models used for this application were generated using the IPE models developed in response to GL 88-20, Individual Plant Examinationfor Severe Accident Vulnerabilities, and associated supplements. The original

L-2002-009, Attachment 1 Page 9 of 12 development work was classified and performed as Quality Related under the FPL 10 CFR 50, Appendix B quality assurance (QA) program. The revision and applications of the probabilistic safety assessment (PSA) models and associated databases continue to be handled as Quality Related.

Administrative controls include written procedures and independent review of all model changes, data updates, and risk assessments performed using PSA methods and models.

Risk assessments are performed by a PSA engineer, independently reviewed by another PSA engineer, and approved by the Department Head or designee. The Reliability Risk Assessment Group (RRAG) is required to follow the FPL Nuclear Engineering Quality Instructions (QI) with written procedures derived from those QIs. Procedures, risk assessment documentation, and associated records are controlled and retained as QA records.

Since the approval of the IPE, the RRAG has maintained the PSA models consistent with the current plant configuration such that they are considered living models. The PSA models are updated for different reasons, including plant changes and modifications, procedure changes, accrual of new plant data, discovery of modeling errors, advances in PSA technology, and issuance of new industry PSA standards. The update process ensures that the applicable changes are implemented and documented in a timely manner so that risk analyses performed in support of plant operations reflect the current plant configuration, operating philosophy, and transient and component failure history. The PSA maintenance and update process is described in the RRAG Standard entitled, Probability Safety Assessment Update and Maintenance Procedure. This standard defines two types of periodic updates: 1) a data analysis update, and 2) a model update. The data analysis update is performed at least every five years. Model updates consist of either single or multiple PSA changes and are performed at a frequency dependent on the estimated impact of the accumulated changes. Guidelines to determine the need for a model update are provided in the standard.

4.3.1.2 PSA Software. All computer programs that process PSA model inputs are verified and validated as needed. The RRAG policy on verification and validation of QA controlled/procured software, as well as the verification and validation for software and computers when used for Quality Related applications are described in the RRAG Standard entitled, ProbabilitySafety Assessment Software ControlProcedure. This standard provides a list of all the software used by the RRAG and indicates whether the software is QA controlled/procured. Software verification is the process used to ensure the software meets the software requirement specifications. The PSA software that is procured with a QA option, and is developed under a 10 CFR 50, Appendix B, QA program, does not require further software verification by the RRAG. However, the PSA software, which is not procured with a QA option is verified by comparison of results to previously approved software.

Validation of software is performed for different conditions such as: 1) a new installation of software, 2) any new database or configuration file changes issued by the RRAG, 3) unreasonable results, 4) change in computer configuration (software, hardware), or 5) use of software for Quality Related applications for the first time. Validation requirements for

L-2002-009, Attachment 1 Page 10 of 12 each Quality Related PSA computer program are documented in a Software Verification/Validation Plan (SVVP) procedure. These requirements include the method of validation, the frequency of validation, the documentation required and the acceptance criteria. A SVVP procedure is submitted for each program. Actual validation benchmark problems can exercise more than one program, but a separate Software Verification/Validation Report (SVVR) must be submitted for each program. Each SVVP procedure and SVVR is independently reviewed and then approved by the RRAG supervisor. Software validation tests both the software and the hardware. Validation tests are also performed following any significant change in the hardware, operating system, or program, or if the validation period established in the SVVP procedure expires.

4.3.1.3 Model Changes Since Submittal of the IPE. Prior to performing the risk assessment for this proposed license amendment, all design changes implemented since the last PSA update were reviewed. Changes to the PSA were not required as a result of this review. A summary of significant model changes incorporated since the IPE submittal follows:

The replacement of one of the standby steam generator feedwater pumps with a diesel-driven pump, and the removal of the black-start diesel generators were incorporated into the model. Minor improvements were made in the modeling of instrument air, chemical and volume control, Heating Ventilation Air Condition (HVAC), AC power, component cooling water, and service water systems.

The success criteria for small LOCAs was modified to take credit for cooldown, depressurization, and use of the opposite unit's Refueling Water Storage Tank (RWST) inventory for injection. The Reactor Coolant Pump (RCP) seal LOCA treatment was modified to reflect the latest research in this area.

A complete data update was performed, including all plant-specific failure rates, test and maintenance unavailabilities, initiating event frequencies, and common-cause beta factors.

New Initiating Event (IE) frequencies were calculated for all LOCAs. Although the IE frequencies for the larger LOCA sizes decreased, the net impact was an increase in the total LOCA IE frequency of nearly 40%.

The process of adding recoveries is now automated using a recovery rule file. The rule file utilizes a manual recovery action process in that recovery actions are added to each cutset rather than being generated from the model, but the process is automated such that all the similar cutset scenarios are recovered automatically. This automatic feature ensures uniform and complete inclusion of recovery actions throughout all of the generated cutsets, and yields more realistic and consistent results. The methodology for crediting the recovery of offsite power was changed to a more realistic convolution analysis technique.

4.3.1.4 PSA Reviews. As discussed in the Turkey Point IPE submittal, multiple levels of review were used for the Turkey Point PSA. The first consisted of normal engineering quality assurance practices carried out by the organization performing the analysis. A qualified individual with knowledge of PSA methods and plant systems performed an independent review of the results for each task. This represents a detailed check of the input to the PSA

L-2002-009, Attachment 1 Page 11 of 12 model and provides a high degree of quality assurance.

The second level of review was performed by plant personnel not directly involved with the development of the PSA model. This review was performed by individuals from Operations, Technical Staff, Training, and the Independent Safety Engineering Group, who reviewed the system description notebooks and accident sequence description. This provided diverse expertise with plant design and operations knowledge to review the system descriptions for accuracy.

The third level of review was performed by PSA experts from ERIN Engineering. This review provided broad insights on techniques and results based on experience from other plant PSAs. The review team reviewed the PRA development procedures, as well as the output products.

Comments obtained from all the review sources were incorporated, as appropriate, into the work packages, and the final product. Following the Turkey Point IPE submittal to the NRC on June 25, 1991, it was reviewed extensively by the NRC and NRC contractors. In fact, the Turkey Point IPE was one of the few IPE submittals to receive a Step 1 and a Step 2 review by the NRC. The Step 2 review consisted of a team of NRC representatives and contractors visiting FPL to conduct a week-long, extensive review of the Turkey Point IPE.

Following these reviews, the Turkey Point IPE was revised in early 1992, and FPL received the NRC Safety Evaluation Report (SER) for the Turkey Point IPE on October 15, 1992.

The SER concluded that the Turkey Point IPE had met the intent of GL 88-20.

4.3.2 Tier 2, Avoidance of Risk-Sign.ificant Plant Configurations Tier 2 is an identification of potentially high risk configurations that could exist if equipment in addition to that associated with the TS change is taken inoperable concurrently, or other risk-significant operational factors such as concurrent system or equipment testing are involved. The objective of Tier 2 is to ensure that appropriate restrictions are placed on dominant risk-significant configurations that would be relevant to the proposed TS change. The Tier 2 restrictions are included in the administrative procedure for implementation of Section (a)(4) of the Maintenance Rule and, for high winds, are included in the administrative procedure for severe weather preparations.

Reference to the Tier 2 restrictions is also included as part of the On-line Risk Monitor.

The Tier 2 restrictions currently address the availability of the startup transformers, blackout crosstie, and offsite power with regard to EDG planned unavailability. These Tier 2 restrictions will apply for the EDG 24-hour functional test, since the EDG will be considered to be unavailable during the test. In addition to the pre-determined Tier 2 restrictions, assessments performed in accordance with the provisions of the Maintenance Rule (a)(4) will ensure that any other potentially risk significant configurations are identified prior to removing an EDG from service for the EDG 24-hour functional testing.

Similarly, the implementation of the Maintenance Rule configuration risk management program ensures that the risk significance of unexpected configurations resulting from unplanned maintenance or conditions while an EDG is OOS are properly evaluated.

L-2002-009, Attachment 1 Page 12 of 12 4.3.3 Tier 3, Configuration Risk Management Tier 3 is the development of a proceduralized program to ensure that the risk impact of out of-service equipment is appropriately evaluated prior to performing a maintenance activity.

The need for this third tier stems from the difficulty of identifying all possible risk-significant configurations under Tier 2 that will be encountered over extended periods of plant operation.

A Tier 3 configuration risk management program has been established at Turkey Point Units 3 and 4 via the recent implementation of Section (a)(4) of the Maintenance Rule, 10 CFR 50.65. The program consists of a proceduralized probabilistic risk assessment-informed process to ensure that the overall impact of plant maintenance on plant risk is properly evaluated. Implementation of Section (a)(4) of the Maintenance Rule via a plant administrative procedure enables appropriate actions to be taken or decisions to be made to control risk when performing on line maintenance with a risk-informed completion time.

5.0 Environmental Consideration The proposed license amendments change requirements with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20. The proposed amendments involve no significant increase in the amounts and no significant change in the types of any effluents that may be released offsite, and no significant increase in individual or cumulative occupational radiation exposure. FPL has concluded that the proposed amendments involve no significant hazards consideration and meet the criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) and that, pursuant to 10 CFR 51.22(b), an environmental impact statement or environmental assessment need not be prepared in connection with issuance of the amendments.

L-2002-009, Attachment 2 Page 1 of 2 ATTACHMENT 2 DETERMINATION OF NO SIGNIFICANT HAZARDS CONSIDERATION Pursuant to 10CFR50.92, a determination may be made that a proposed license amendment involves no significant hazards consideration if operation of the facility in accordance with the proposed amendment would not: (1) involve a significant increase in the probability or consequences of an accident previously evaluated; or (2) create the possibility of a new or different kind of accident from any accident previously evaluated; or (3) involve a significant reduction in a margin of safety. Each standard is discussed as follows:

(1) Operation of the facility in accordance with the proposed amendment would not involve a significant increase in the probability or consequences of an accident previously evaluated.

The function of the emergency diesel generators is to supply emergency power in the event of a LOOP. Operation of the EDGs is not a precursor to any accident. The EDGs provide assistance in accident mitigation. There are no technical changes related to the acceptance criteria of the surveillance requirement. The proposed change requesting that the scheduling aspects of the surveillance requirements be changed to accommodate improved planning capability for testing does not affect the accident analyses. The EDG that is being tested will be considered inoperable however, the remaining required EDGs would be operable during the test and they are capable of supporting the safe shutdown of the plant. The Probabilistic Safety Assessment (PSA) results fall below the Acceptance Guidelines for TS changes contained in Regulatory Guides 1.174 and 1.177; therefore, the risk of performing the EDG 24-hour run during POWER OPERATION has only a small quantitative impact on plant risk. Therefore, the proposed change to permit the 24-hour functional test of the EDGs to be performed during POWER OPERATION does not significantly increase the probability or consequences of an accident previously evaluated.

L-2002-009, Attachment 2 Page 2 of 2 (2) Operation of the facility in accordance with the proposed amendment would not create the possibility of a new or different kind of accident from any accident previously evaluated.

The proposed change does not include any physical changes to plant design or a change to current Surveillance Requirement acceptance criteria. Performance of the Surveillance Requirement during POWER OPERATION results in equipment out of service, inoperable EDG, which is addressed by current Technical Specification limiting condition for operation. Therefore, performance of the EDG 24-hour functional testing during POWER OPERATION does not create the possibility of a new or different kind of accident from any previously evaluated.

(3) Operation of the facility in accordance with the proposed amendment would not involve a significant reduction in a margin of safety.

The proposed changes are associated with surveillance requirements for the EDGs. The proposed changes allow the EDG 24-hour functional testing to be performed during POWER OPERATION.

Performing the functional test during POWER OPERATION will not impact the plant design bases or safety analyses because the affected EDG will be declared inoperable during the test.

During the time that the EDG in test is declared inoperable, the system is considered to be exempt from the single failure criterion such that adequate emergency power will remain available to support the system design bases.

From a design basis perspective, the inoperable EDG effectively represents a single failure for the system. Since the emergency power system is designed to accomplish its system safety functions with only two of the three EDGs in service, and recovery of a failed component is not credited in the plant safety analysis (i.e., the single failure remains in effect for the entire accident sequence),

removing an EDG from service to perform a 24-hour functional test during POWER OPERATION will not reduce the margin of safety assumed in the plant safety analyses.

The Probabilistic Safety Assessment (PSA) results fall below the Acceptance Guidelines for TS changes contained in Regulatory Guides 1.174 and 1.177. Therefore, the risk of performing the EDG 24-hour run during POWER OPERATION has only a small quantitative impact on plant risk.

An integrated assessment of the risk impact of performing the 24-hour functional test during POWER OPERATION for a single inoperable EDG has determined that the risk contribution is small and is within regulatory guidelines. Therefore, facility operation in accordance with the proposed amendments would not involve a significant reduction in a margin of safety.

Based on the discussion presented above, FPL has concluded that the proposed license amendments involve no significant hazards consideration.

Enclosure 1 to L-2002-009 TURKEY POINT UNITS 3 AND 4 MARKED-UP TECHNICAL SPECIFICATION PAGE Page 3/4 8-7 (marked-up)

Page 3/4 8-8 (provided for info only)

ELECTRICAL POWER SYSTEMS SURVViLLANCE REQUIREMENTS (Continued) connected loads within 15 seconds, energizes the auto connected shutdown loads through the load sequencer and operates for greater than or equal to 5 minutes while its generator is loaded with the auto-connected shutdown loads.

After automatic load sequencing, the steady-state voltage (

and frequency of the emergency busses shall be maintained at 4160 +/- 420 volts and 60 +/- 1.2 Hz during this test.

5) Verifying that on an ESF Actuation test signal, without loss-of offsite power, the diesel generator starts on the auto-start

(

signal and operates on standby for greater than or equal to 5 minutes. The generator voltage and frequency shall be 4160 +/-

420 volts and 60 +/- 1.2 Hz within 15 seconds after the auto-start signal; the steady-state generator voltage and frequency shall

(

be maintained within these limits during this test;

6) Simulating a loss-of-offsite power in conjunction with an ESF Actuation test signal, and: (

a) b)

Verifying deenergization of the emergency busses and load shedding from the emergency busses; Verifying the diesel starts on the auto-start signal, energizes the emergency busses with any permanently

(

connected loads within 15 seconds, energizes the auto-connected emergency (accident) loads through the load sequencer and operates for greater than or equal to 5 minutes while its generator is loaded with the K

emergency loads. After automatic load sequencing, the steady-state voltage and frequency of the emergency busses shall be maintained at 4160 +/- 420 volts and 60 +/- 1.2 Hz during this test; and

)

c) Verifying that diesel generator trips that are made operable during the test mode of diesel operation are 7)*

inoperable.

Verifying the diesel generator operates for at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. ()

During the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of this test, the diesel generator 4 shall be loaded to 2550-2750 kW (Unit 3), 2950-3150 kW (Unit 4)** (

and during the remaining 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> of this test, the diesel )

generator shall be loaded to 2300-2500 kW (Unit 3), 2650-2850 (

kW (Unit 4)**. The generator voltage and frequency shall be 4160 +/- 420 volts and 60 +/- 1.2 Hz within 15 seconds after the (

start signal; the steady-state generator voltage and frequency )

  • For the purpose of this test, warmup procedures, such as idling, gradual acceleration, and gradual loading as recommended by the manufacturer may be (

used.

"**Momentary transients outside these load bands do not invalidate this test.

AinT+ - 0T 0T3K TURKEY POINT - UNITS 3 & 4 (4W 3/4 8-rr 3/4 8-7 POW ONEMO ER D .

AMENDMENT NOS.

N 13 8AND 13 3 I

ELECTRICAL POWER SYSTEMS SURVEILLANCE REQUIREMENTS (Continued) shall be maintained within these limits during this test.

Within 5 minutes after completing this 24-hour test, verify the diesel starts and accelerates to reach a generator voltage and frequency of 4160 +/- 420 volts and 60 + 1.2 Hz within 15 seconds after the start signal.

8) Verifying that the auto-connected loads to each diesel generator do not exceed 2500 kW (Unit 3), 2874 kW (Unit 4);
9) Verifying the diesel generator's capability to:

a) Synchronize with the offsite power source while the generator is loaded with its emergency loads upon a simulated restoration of offsite power, b) Transfer its loads to the offsite power source, and c) Be restored to its standby status.

10) Verifying that the diesel generator operating in a test mode, connected to its bus, a simulated Safety Injection signal overrides the test mode by: (1) returning the diesel generator to standby operation, and (2) automatically energizing the emergency loads with offsite power;
11) Verifying that the fuel transfer pump transfers fuel from the fuel storage tank (Unit 3), fuel storage tanks (Unit 4) to the day tanks of each diesel associated with the unit via the installed cross-connection lines;
12) Verifying that the automatic load sequence timer is OPERABLE with the interval between each load block within + 10% of its design interval;
13) Verifying that the diesel generator lockout relay prevents the diesel generator from starting;
    • If verification of the diesel's ability to restart and accelerate to a generator voltage and frequency of 4160 +/- 420 volts and 60 +/- 1.2 Hz within 15 seconds following the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> operation test of Specification 4.8.1.1.2.g.7) is not satisfactorily completed, it is not necessary to repeat the 24-hour test. Instead, the diesel generator may be operated between 2300-2500 kW Unit 3, 2650-2850 kW (Unit 4) for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> or until operating temperature has stabilized (whichever is greater). Following the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />s/operating temperature stabilization run, the EDG is to be secured and restarted within 5 minutes to confirm its ability to achieve the required voltage and frequency within 15 seconds.

TURKEY POINT - UNITS 3 & 4 3/4 8-8 AMENDMENT NOS. 175 AND 169

Retrieved from "https://kanterella.com/w/index.php?title=L-2002-009,_Proposed_License_Amendments,_Surveillance_Requirement_4.8.1.1.2.g.7_Change_to_Perform_the_Emergency_Diesel_Generator_24-Hour_Functional_Testing_During_Power_Operation&oldid=2713320"