
ACCESSION #:  9508080294

                       LICENSEE EVENT REPORT (LER)


DOCKET NUMBER:  05000250



EVENT DATE:  11/03/94   LER #:  94-005-02   REPORT DATE:  07/17/95





10 CFR 50.73(a)(2)(ii), (a)(2)(v), (a)(2)(vii), 10 CFR 21


NAME:  C. L. Mowrey, Licensing OEF          TELEPHONE:  (305) 246-6204







On November 3, 1994, Turkey Point Unit 3 was in Mode 1 at 100% power, and

Unit 4 was in Mode 5 during a refueling outage.  During the Unit 4

Integrated Safeguards Test, the 3A sequencer failed to respond to the

Unit 4 Safety Injection signal.  A defect was found in the sequencer

software logic which, for a limited period of time, could inhibit any or

all of the four sequencers from responding to specific valid signals.  The

defect only affects the sequencers during manual or automatic testing.

The sequencers were installed in late 1991.

Monthly manual testing of the sequencer has been resumed.  Front panel

visual examinations are being performed every 8 hours, and internal

visual examinations are being performed every 24 hours.  A permanent

repair to the software logic is being evaluated.  Independent consultants

performed an assessment of the existing sequencer design, software

design, and the Validation and Verification process.  Two other

conditions were discovered, one involving Containment Spray (CS) pump

autostart, and one involving the 480 Volt Load Center feeder breaker

autoclosure.  Both were determined to have minimal safety significance.

The CS system and the 480 Volt Load Centers remain operable.


TEXT                                                         PAGE 2 OF 23

Supplement 2 of this LER reports on (1) the original test logic defect

discovered last November, and reported in the original LER; (2) the

Containment Spray Autostart issue discovered in January as part of the

design review described in corrective action #9, and reported in

Supplement #1; and (3) an additional condition involving 480 Volt Load

Center feeder breaker autoclosure, discovered in June while preparing the

software modifications to fix the earlier two issues.  Where applicable,

each major section of the LER contains subsections appropriate to each of

the three issues listed.



On November 3, 1994, Turkey Point Unit 3 was operating in Mode 1 at 100%

power, and Unit 4 was in Mode 5 during a refueling outage.  During the

Unit 4 Integrated Safeguards Test, a failure of the 3A sequencer [JE:34]

to respond to the opposite unit's Safety Injection (SI) signal occurred.

Troubleshooting resulted in the discovery of a defect in the sequencer

software logic which, under certain conditions, could inhibit the

sequencer from responding to a valid emergency signal.  The defect

manifested itself in the failure of the 3A High Head Safety Injection

(HHSI) pump [BQ:p] to start.  Turkey Point has four HHSI pumps; one per

train, per unit.  Each HHSI pump is capable of providing 50 percent of

system requirements, therefore two of the four are required to mitigate

the consequences of accidents analyzed in the Updated Final Safety

Analysis Report (UFSAR).  In order to meet single failure criteria, each

sequencer signals its associated HHSI pump to start, and the opposite

unit's sequencers signal their associated HHSI pumps to start.  For

example, an SI signal on Unit 3, Train A, signals the 3A sequencer and

both of the Unit 4 sequencers.  With no equipment failures, all four HHSI

pumps will respond to an SI signal on either unit.

The software logic defect is limited to the test function, but the defect

is common to all four sequencers (one sequencer per train, per unit).  The

design intent of the sequencers is such that should a "real" emergency

signal occur while the sequencer is being tested, the test signal clears,

allowing actuation of the Engineered Safety Features controlled by the


Because the sequencers would not have responded properly to an SI signal

as designed, Turkey Point Units 3 and 4 have been operating outside their

design basis.  This condition was reported to the NRCOC at 1609 on

November 3, 1994, in accordance with 10CFR50.72(b)(ii)(B).


The detailed review of the sequencer software, described in Corrective

Action #6, resulted in the discovery of one other error in the software,

which is independent of the test mode.  A potential condition was

identified which, for a remote set of circumstances, would preclude the

automatic start of the Containment Spray (CS) pumps [BE:p].  The

condition identified occurs when the Hi-Hi Containment Pressure (HHCP)

signal is received by the sequencer during an approximate 60 millisecond

(ms) time window just prior to the end of sequencer load block 3 for Loss

of Coolant Accident (LOCA) or Loss of Offsite Power coincident with LOCA

(LOOP/LOCA) events.  The sequencer is designed to autostart the CS pumps

11 to 13 seconds after an SI


signal (without LOOP) if the HHCP signal is present or at or after 44

seconds under conditions where the HHCP signal occurs more than 13

seconds after receipt of the SI signal.  For a LOOP/LOCA, these times are

shifted by the bus stripping and Emergency Diesel Generator (EDG) [EK:dg]

start delay of approximately 16 seconds.  Thus the 60 ms window occurs

12.886 to 12.945 seconds after receipt of a LOCA signal, or 28.886 to

28.945 seconds after receipt of a LOOP/LOCA signal.

Although Turkey Point is licensed to accommodate a LOCA with or without a

concurrent LOOP, the sequencer was designed to accommodate non-concurrent

LOOP/LOCA sequences as well.  As a result, for certain non-concurrent

events, a Main Steam Line Break or a Small Break LOCA (but large enough

to cause a HHCP signal) can also create conditions under which this error

may manifest itself.

Automatic CS pump start actually involves two HHCP signals; one via the

sequencer logic as described above, and one directly from Engineered

Safety Features Actuation System (ESFAS) relay [JE:44].  Because of the

minimum pulse required to assure CS pump breaker [BE:bkr] closure, and a

potential relay race with a CS pump start permissive from ESFAS, the CS

pump breaker may not receive a close signal of sufficient duration to

assure breaker closure.  The identified condition is unique to the start

of the CS pump because the CS pump start signal duration decreases as the

postulated receipt of a HHCP signal approaches the end of load block 3.

All other sequenced equipment receives a start pulse of fixed duration,

either 2 or 5 seconds.  This condition was determined to be not

significant, in part because the manual start capability of the CS pump

is not affected (and is adequately proceduralized), and in part because

the probability of occurrence of the condition is lower than the

probability of a common-mode failure of both trains of containment spray.

The significance of the condition is discussed further in Section III.


During verification and validation of modifications associated with the

corrective actions for the original defect, an additional condition was

discovered wherein the 4.16 KV breakers [EA:52] which feed the safety-

related 480 Volt Load Centers [ED] may fail to automatically close during

certain unique events.

If an SI signal is received between 15.5 and 16 seconds after a LOOP, the

sequencer will provide a breaker close signal to the 4.16 KV breakers

which feed the 480 Volt Load Centers at the same time that a breaker

strip signal is present.  This will result in the Load Centers not being

automatically reloaded onto the bus.  The failure of the Load Centers to

automatically load can occur on all four sequencers if a simultaneous

undervoltage signal occurs for both units (complete LOOP) and signals

from both trains of SI are present.

When a LOOP event takes place, the sequencer initiates bus stripping

approximately 1 second after the undervoltage input.  Approximately 8

seconds later the EDG output breaker closes.  The first LOOP load block

is sequenced on at 16.5 seconds after the loss of offsite power.  The

design intended that if an SI signal is received prior to 16 seconds

after the LOOP, the LOOP/LOCA loads are automatically sequenced on

without re-stripping the bus.  If an SI signal is received after the EDG

output breaker is closed, then the LOOP loads are re-stripped from the

bus, the sequencer timers would reset and after a time delay, the

LOOP/LOCA loads would be sequenced on.  The sequencer pulse to strip the

bus is 1 second in duration.


If the Load Center breakers receive a close pulse when a strip pulse is

present, the breaker control logic prevents the breaker from responding

to the close signal.  This breaker control logic, commonly known as an

"anti-pumping" circuit, is designed as a protective feature for the

breaker.  The breaker will not respond unless the strip and close signals

are both removed and the close pulse is reapplied.  Since, under the

identified condition, the sequencer can provide a strip signal concurrent

with a close signal, followed by removal of the close signal (which is

not reapplied), the load center breakers would not automatically close.

This condition was determined to be one which alone could have prevented

the fulfillment of the safety function of a system needed to mitigate the

consequences of an accident.  It was reported to the NRCOC on June 19,

1995, in accordance with 10 CFR 50.72(b)(2)(iii).


Each of the four sequencers, 3C23A-1, 3C23B-1, 4C23A-1, and 4C23B-1, is

associated with a given train (3A, 3B, 4A, and 4B, respectively).  They

are designated Class 1E, Seismic Category I, since their operation is

required for safe shutdown of the reactor in the event of a LOOP and to

mitigate the consequences of a design basis accident.

The sequencers are Programmable Logic Controller (PLC)-based cabinets

using a PLC for bus stripping and load logic and control.  The signal

path structure of the PLC uses dedicated input modules, control logic,

and dedicated output modules.

LOOP Signal Only

On a LOOP in a given unit, both sequences associated with that unit will

respond accordingly to clear their associated buses, stripping all 4.16

KV loads and specified 480 Volt loads within one second after the LOOP

signal is generated.  The Emergency Diesel Generators (EDGs) [EK:dg] will

start, and within 15 seconds the EDG output breakers [EK:bkr] close, then

loads required for safe reactor shutdown are sequentially connected to

the corresponding bus; the first load block output signal is generated

16.5 seconds after the onset of the LOOP.  The first load block output

signal closes the 480 Volt Load Center feeder breakers.

LOCA Signal Only

If either unit experiences a LOCA, and preferred (offsite) power is

available, bus stripping signals and EDG breaker closure permissive

signals will not be initiated by the sequencers.  Vital loads will be

sequentially connected to the buses by the sequencers (including the

opposite unit's HHSI pumps).  If an EDG is already operating and

parallelled to offsite power, and either unit experiences a LOCA, the EDG

breaker will trip.  The EDG will continue to run in a standby condition.

On the LOCA unit, Engineered Safety Features (ESF) equipment will be

sequentially loaded onto the bus by the sequencer.  Following a LOCA, if

any given train experiences undervoltage, bus stripping, EDG breaker

closure, and sequential loading will be directed.



After a LOOP on both units, if one unit experiences a LOCA, the buses

associated with the LOCA unit will be stripped and ESF loads will be

loaded onto the bus.  On the non-LOCA unit, both buses are stripped

again, and reloaded with essential equipment; both HHSI pumps will also


Sequencer Testing

Each sequencer is provided with Manual test and Automatic Self-test

capability.  The test mode is determined by a three-position Test

Selector switch.  The three positions are AUTO (self-tests 15 steps or

scenarios in the automatic test sequence), MAN (each test is manually

initiated), and OFF (no test signals are generated).  In the automatic

test mode, the sequencer continuously tests the input cards, output

cards, and output relay coils, and exercises the program logic.  The

sequencer is designed to abort the manual and automatic test modes in

response to a valid input.  The automatic self-test function is normally

in operation, however it is not required to be in service for the

sequencer to perform its safety function.  The manual test, in addition

to testing all the conditions covered by the automatic test, actuates the

output relays.  However, blocking relays energize before the output

relays energize, and the output relays de-energize before the blocking

relays de-energize.

Placing the Test Selector switch in MAN stops automatic self-testing.

Manual testing involves five stripping/clearing scenarios (bus clearing,

480 Volt undervoltage with SI present, 480 Volt degraded voltage, 4.16 KV

undervoltage, and safety injection [LOCA] on an isolated bus).  Upon

completion of the stripping tests, sequencing scenarios are tested

manually by rotation of a Sequencing Mode Test Selector switch through

eleven steps or loading scenarios (LOOP; LOOP/LOCA same train; LOOP/LOCA

other unit; LOCA same train; LOCA other unit; LOOP/LOCA same train with

concurrent HHCP; LOOP/LOCA same train with HHCP before 13 seconds;

LOOP/LOCA same train with HHCP after 13 seconds; LOCA same train with

concurrent HHCP; LOCA same train with HHCP before 13 seconds; LOCA same

train with HHCP after 13 seconds).

Automatic self-testing cycles through 15 of the 16 test steps in the same

order (the bus clearing scenario is not tested in AUTO).  The test steps

start roughly an hour apart, and there is one hour in the automatic test

sequence in which no testing takes place, so a full cycle of automatic

self-testing takes approximately sixteen hours.  Then the cycle begins

again.  Should a valid process input signal be received during manual or

automatic testing, the testing stops, the test signal clears, and the

inhibit signal is supposed to clear if present, allowing the valid signal

to sequentially energize the output relays and their associated ESF





The 3A sequencer failed to respond as expected to an opposite unit SI

signal.  The 3A sequencer had dropped out of the Automatic Self-Test

without alarming, indicating that it had received a valid input signal.

During troubleshooting, the input LED for a 4A SI signal was found to be

lit, indicating the signal was still present.  The 3A sequencer response

should have been to start the 3A HHSI pump after a 3 second delay.

However, the pump failed to start because it did not receive a start

signal from the sequencer.

Following the failure of 3A HHSI pump to start in response to a 4A SI

input signal as described above, an analysis of the sequencer software

logic was performed to determine the root cause of the failure.  A

software design defect was discovered whereby the start signal for the 3A

HHSI pump remained inhibited during sequencer automatic test step 3

(LOOP/LOCA Other Unit) even though a valid process input was present.  In

parallel with the above analysis, this particular fault was duplicated on

the sequencer simulator which is identical to the 3C23A-1 (3A) sequencer.

This is in contrast to the original design bases of the sequencer

Automatic Self-Test and Manual Test functions.

The review was then expanded to include additional test modes, process

inputs, and required outputs.  It was found that the problem exists

during both manual and automatic testing, during sequencer test steps 2,

3, 6, 8, and 10.  These steps correspond to the following scenarios:

     Step 2    LOOP/LOCA

     Step 3    LOOP/LOCA Other Unit

     Step 6    LOOP/LOCA with concurrent High High Containment Pressure

     Step 8    LOOP/LOCA with High High Containment Pressure less than 13

               seconds later

     Step 10   LOOP/LOCA with High High Containment Pressure more than 13

               seconds later

Note that these are tested scenarios, not potential plant events.  Note

too that all five of the affected test step scenarios involve LOOP and


If a valid SI signal is received 15 seconds or later into one of the

above tests, the test signal clears as intended, but the inhibit signal

is maintained by means of latching logic.  This latching logic is

originally established by the test signal, but may be maintained by the

process input signal if it arrives prior to removal of the test signal.

Since the above condition is applicable to both the automatic self-test

and manual testing, the sequencer must be considered inoperable during

both testing modes.  Note, however, that this defect will not cause a

sequencer operating malfunction with the Test Selector switch in any

position for any design basis scenario which involves a loss of offsite



This software logic defect was introduced during the detailed logic

design phase of the software development.  The detailed logic designer

and the independent verifier failed to recognize the interaction between

some process logic inhibits and the test logic.  The defect in the

software logic was not detected during the Validation and Verification

process (V&V) because the response to valid inputs was not tested during

all stripping and loading sequences of the automatic and manual testing

logic.  FPL has evaluated the V&V for the sequencers and concluded that

the existing V&V adequately addresses operation of the sequencers with the

Test Selector switch in OFF.

This logic defect can occur when the sequencer is in either the manual or

automatic test mode, and the test sequence currently being executed is

loading sequence test 2, 3, 6, 8, or 10.  This was determined based on a

review of the sequencer logic drawings for the 15 steps in the automatic

test sequence, and design basis event signals.  The sequencer simulator

was used to confirm the results of the review.  The defect cannot affect

sequencer operation with the Test Selector switch OFF.

In loading sequence tests 2, 6, 8, or 10, the sequencer may be inhibited

from responding to a valid SI signal on the same train.  In loading

sequence test 3, the sequencer may be inhibited from responding to a

valid SI signal on the opposite unit.


For the 480 Volt Load Center feeder breaker autoclosure failure, the

design implementation failed to account for the duration of time between

closing of the EDG breaker, which is the permissive for re-stripping, and

the beginning of LOOP load sequencing at 16 seconds.  During this window

of time, if an SI signal is received an unnecessary strip pulse occurs.

For the most part, the unnecessary pulse is inconsequential since the bus

is already stripped.  However, if the strip pulse occurs between 1 second

and 0.5 seconds prior to the first LOOP load block (between 15.5 and 16

seconds after offsite power loss), the strip pulse overlaps the breaker

close pulse.  After 16 seconds, receipt of an SI signal resets the load

sequence timers and the overlap does not occur.

A test was conducted on the sequencer in the Training Building to confirm

that both stripping and sequencing signals to the Load Center feeder

breakers could be simultaneously generated by a LOOP followed by a LOCA

during an approximate half second window of Load Block 1.  The test was

performed using the EDG 3A sequencer logic in the training sequencer.

The PLC software was modified to simulate the timing for a valid SI same

train signal upon receipt of a valid LOOP (4.16 KV undervoltage input)

over the 15.5 to 16 second window.  The testing confirmed that the

overlapping strip/load signals could occur as described.
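
The strip/close overlap and the anti-pumping response described in the event narrative and confirmed by the training-sequencer test above, as an added timing simulation that is not part of the report or the plant logic. Times from the report: strip about 1 s after the LOOP input, 1 s strip pulse, EDG breaker closed about 8 s later, first LOOP load block at 16.5 s, timer reset for an SI after 16 s; the 0.1 s scan, 2 s close pulse and 16.5 s re-sequence delay are assumptions, and the `design_intent` variant suppresses the re-strip for an SI before 16 s, which the report says the design intended.

```python
"""Timing model of the 480 V load-center feeder-breaker autoclosure failure.

Constructed illustration (not the plant PLC or breaker control logic).
Times are seconds after the LOOP undervoltage input.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCAN_S = 0.1                  # assumed scan interval
STRIP_AT_S = 1.0              # report: stripping ~1 s after undervoltage
STRIP_PULSE_S = 1.0           # report: strip pulse is 1 s in duration
EDG_BREAKER_CLOSED_S = 9.0    # report: EDG output breaker closes ~8 s after the strip
LOAD_BLOCK1_S = 16.5          # report: first LOOP load block closes the feeder breakers
TIMER_RESET_AFTER_S = 16.0    # report: an SI after 16 s resets the load sequence timers
CLOSE_PULSE_S = 2.0           # assumed (report: sequenced start pulses are 2 or 5 s)
RESEQUENCE_DELAY_S = 16.5     # assumed delay before LOOP/LOCA loads are re-sequenced


def pulse(t: float, start: Optional[float], width: float) -> bool:
    """True while a pulse that began at `start` is still asserted at time t."""
    return start is not None and start <= t < start + width


def sequencer_signals(t: float, t_si: Optional[float],
                      design_intent: bool = False) -> Tuple[bool, bool]:
    """(strip, close) commands to the feeder breakers at time t.

    design_intent=False: installed logic, where EDG breaker closed is the
    re-strip permissive, so an SI between ~9 s and 16 s re-strips the bus
    while the load timers keep running.
    design_intent=True: no re-strip for an SI received before 16 s.
    """
    strip = pulse(t, STRIP_AT_S, STRIP_PULSE_S)
    close_at = LOAD_BLOCK1_S
    if t_si is not None:
        if t_si >= TIMER_RESET_AFTER_S:
            # Late SI: bus re-stripped, timers restart, loads re-sequenced later.
            strip = strip or pulse(t, t_si, STRIP_PULSE_S)
            close_at = t_si + RESEQUENCE_DELAY_S
        elif t_si >= EDG_BREAKER_CLOSED_S and not design_intent:
            # Defect: unnecessary 1 s strip pulse; the 16.5 s close pulse is unchanged.
            strip = strip or pulse(t, t_si, STRIP_PULSE_S)
    return strip, pulse(t, close_at, CLOSE_PULSE_S)


@dataclass
class AntiPumpBreaker:
    """Breaker whose anti-pumping circuit ignores a close that arrives with a trip."""
    closed: bool = False        # tracks reclosure after the LOOP strip
    blocked: bool = False       # close seen while strip present; both must drop first
    prev_close: bool = False

    def scan(self, strip: bool, close: bool) -> None:
        if strip:
            self.closed = False
            if close:
                self.blocked = True          # anti-pumping latches the close out
        if not strip and not close:
            self.blocked = False             # both removed: a reapplied close may act
        rising_close = close and not self.prev_close
        if rising_close and not strip and not self.blocked:
            self.closed = True
        self.prev_close = close


def simulate(t_si: Optional[float], design_intent: bool = False,
             horizon_s: float = 40.0) -> Optional[float]:
    """LOOP at t=0, SI at t_si (None = no SI); return the time the feeder
    breaker recloses, or None if it never does within the horizon."""
    bkr = AntiPumpBreaker()
    for i in range(int(round(horizon_s / SCAN_S)) + 1):
        t = round(i * SCAN_S, 3)
        bkr.scan(*sequencer_signals(t, t_si, design_intent))
        if bkr.closed:
            return t
    return None


def vulnerable_si_times(design_intent: bool = False, step: float = 0.1) -> List[float]:
    """SI arrival times between 9 s and 17 s for which the breaker never recloses."""
    n = int(round(8.0 / step))
    candidates = [round(EDG_BREAKER_CLOSED_S + k * step, 3) for k in range(n + 1)]
    return [t_si for t_si in candidates if simulate(t_si, design_intent) is None]


if __name__ == "__main__":
    for t_si in (None, 12.0, 15.8, 16.2):
        print(f"SI at {t_si}: feeder breaker recloses at {simulate(t_si)}")
    print("SI window with no autoclosure:", vulnerable_si_times())
    print("same window, design intent:   ", vulnerable_si_times(design_intent=True))
```

At 0.1 s resolution the installed logic leaves the breaker open for an SI at 15.6 to 15.9 s, matching the report's 15.5 to 16 s window; at 15.5 s the 1 s strip pulse ends exactly as the close pulse begins, so the boundary depends on the pulse-edge convention.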



As a result of the erroneous inhibit signals, the potential exists for

any sequencer output to be prevented from being generated when required.

Exactly which outputs are affected is determined by a combination of

factors, i.e., which test scenario is in progress, how long since the

test scenario was initiated, and which process input or inputs are

received.  In


general, for the approximate one-hour duration of each of the above test

steps (with the Test Selector switch in AUTO), the sequencer will not

respond correctly to a valid process input signal.

With the sequencer Test Selector switch in AUTO, the sequencer steps

sequentially through sixteen steps as described above; first the five bus

stripping/clearing steps, followed by the eleven LOOP and/or LOCA

scenarios.  Note that the five test steps affected by the software defect

are all in the loading sequence test steps, so the first affected step is

the seventh step in the total testing sequence.  During each of these

affected test steps, fifteen seconds after the initiation of the step,

the sequencer would not have responded properly to a valid process input

signal.  So the sequencer was inoperable for about five hours out of each

sixteen hour period as long as its Test Selector switch was in AUTO.  The

sequencer was also inoperable for the duration of any Manual test of the

five test steps listed above.  A complete manual test on one sequencer

takes about one hour.

The review of the sequencer logic determined that improper operation of

the sequencer could occur for only certain sequencer stripping/loading

scenarios in which an SI signal without LOOP occurs.  The sequencer logic

software defect does not affect any scenarios where a LOOP also occurs,

whether before, after, or concurrent with an SI signal.  A failure modes

and effects matrix identified the following four potential plant events

where the logic software defect could affect the operation of the

sequencer, depending upon which of the five affected test steps

(discussed above in CAUSE OF THE EVENT II.a) are being performed when the

SI signal is received by the sequencer:

     #1   LOCA Same Train

     #2   LOCA on other Unit

     #3   LOCA w/High High Containment Pressure (HHCP) < 13 seconds

     #4   LOCA w/HHCP > 13 seconds

Note that these are potential plant events, not test step scenarios.

Note too that in contrast to the list of affected test step scenarios

presented earlier, none of the potential plant events affected involve a


For each of these events, the sequencer could receive a valid SI signal

but the logic defect could inhibit the sequencer from starting equipment.

Events #1, #3, and #4 above each have four logic test steps out of a

total of sixteen which would inhibit the sequencer from providing a start

signal to the equipment it controls while event #2 is affected by only

one of the sixteen logic test steps.

The probability that an individual sequencer would not respond to a valid

same train SI signal is 4 hours/16 hours = 2.5E-1.  The probability that

an individual sequencer would not respond to a valid opposite unit SI

signal is 1 hour/16 hours = 6.25E-2.

The equipment affected due to the failure of a sequencer was identified

from plant drawings.  The equipment listed below is specific to the 3A

sequencer.  The equipment lists would be similar for the other three



For event #1, the following equipment would not be automatically loaded

by the sequencer:

     Residual Heat Removal Pump 3A [BP:p]

     HHSI Pump 3A

     Intake Cooling Water Pumps 3A (1) and 3C (1) [BI:p]

     Emergency Containment Cooler Fan 3B and 3C [BK:fan]

     Component Cooling Water Pumps 3A (1) and 3C (1) [CC:p]

     Emergency Containment Filter Fans 3B and 3C [BK:fan]

     Note (1): The equipment identified may already be in operation and

               may not require manual action to start.

For events #3 and #4 (LOCA w/HHCP < 13 sec; LOCA w/HHCP > 13 sec),

Containment Spray Pump 3A would be affected in addition to the equipment

identified above for event #1.

For event #2 (LOCA Other Unit), only the 3A HHSI Pump would not be

automatically started.

It should be noted that one of the initiating signals for Auxiliary

Feedwater (AFW) system [BA:p] is bus stripping, which is controlled by

the sequencer.  No credit is taken, however, for bus stripping in the

accident analyses for initiating AFW.  AFW is also initiated on low-low

steam generator level, SI, manual initiation and trip of all Main

Feedwater pumps [SJ:p].

Using the above information, the defect in the sequencer test logic

represents a potential concern for events where SI is required for

mitigation and no LOOP is experienced.


Using the Turkey Point baseline Probabilistic Safety Assessment (PSA)

model, the probability of dual train failure of the CS system if called

on to operate has been estimated to be approximately 2.6E-3.  This

estimate reflects CS system and support system component failure

probabilities not including either of the software errors reported here.

The failure to automatically start a CS pump due to this software error

can only occur under a very remote set of circumstances.  The 60 ms

window is on the same order as the tolerance on relay pick-up times and

the sequencer processing and timing tolerances.  Even with sophisticated

timing equipment, it is unlikely that the failure mode could be

demonstrated repeatedly.  The probability of receipt of a HHCP signal

during a 60 ms window of vulnerability compared to the range of timing

conditions for which the sequencer is designed is considerably smaller

than the overall system reliability identified above.  If it is assumed

that HHCP can occur at any time within approximately two minutes after

the SI signal (the earliest time at which SI is postulated to be reset),

then the probability of the evaluated condition occurring on one train


     0.060 sec/(2 min x 60 sec/min) = 5.0E-4

The estimate of the probability of a CS pump not starting automatically

in a LOCA or LOOP/LOCA due to the reported software error is therefore

approximately a factor of five below the estimated probability of both CS

trains failing during a design basis event.


The probability of the software error affecting both trains is

considerably lower, since it would require: 1) the initiating SI signals

to be at the sequencer inputs within 60 ms of each other; 2) the two

trains of HHCP both occurring within the 60 ms window of vulnerability;

3) the sequencer input processing times to be identical; and 4) the

timing of the two sequencers in synchronization.  The difference in the

cumulative delay time for relay actuations on the two trains of ESFAS and

differences in sequencer processing, in all likelihood would be

sufficient to preclude the condition on both trains.  This conclusion is

supported by a review of previous Integrated Safeguards Test data.

The difference between the train A and B CS pump recorded start times

during a simulated LOOP/LOCA has been between 90 and 500 ms.  Since some

timing differences between the trains can be expected, and timing

differences greater than 60 ms have been recorded during previous

safeguards tests, the probability that the specific error could affect

both trains of Containment Spray is therefore considerably less than the

single train probability.


The limiting components affected by loss of the load centers are the Unit

4 EDGs auxiliary equipment, including cooling fans.  The loss of the Unit

4 EDG auxiliaries means that the EDG will start to heat up in a short

period of time.  At full EDG loading, the EDG would exceed its

temperature ratings after about 8 minutes.  However, because the load

centers were not energized, the EDG would only be partly loaded.

Considering lower pump flows, Unit 4 EDG loading is estimated below:

     LOAD           KW

     SI Pump        220 KW

     RHR Pump       140 KW

     CS Pump        110 KW

     ICW Pump       265 KW

     CCW Pump       380 KW


     Total          1115 KW

Under these lower loading conditions, overheating of the Unit 4 EDGs is

not expected to occur for approximately 14 minutes.  Other loads lost as

a result of the loss of the load centers include motor operated valves

which must open to allow high and low head safety injection flow.  These

valves are significant primarily to analyzed accidents, specifically

Small Break LOCAs, as discussed below.

Effect on Analyzed Accidents


A review of the Turkey Point UFSAR Chapter 14 Accident Analyses was

performed to determine which accidents would be potentially affected by

the sequencer test software logic defect.  This review identified 7 of

the 22 accidents which may be affected.  Two of the seven, "Loss of

External Load" and "Loss of A.C. Power" were determined to be dependent

on the sequencer but not affected, since the inhibited sequencer failure

mode applies to LOCA scenarios only, i.e., no LOOP.


The five accidents which both require SI, and are affected by the

sequencer test software logic defect, are the following:

     1.   Large Break Loss-of-Coolant Accident (LBLOCA)

     2.   Small Break LOCA (SBLOCA)

     3.   Rupture of a Steam Pipe (Main Steam Line Break, or MSLB)

     4.   Steam Generator Tube Rupture (SGTR)

     5.   Rupture of a Control Rod Mechanism Housing

The effects of the sequencer test logic defect will be discussed below

for each of the five accidents.  In each case, the transient is described

and equipment necessary for mitigation of accidents is identified.  Each

transient is then evaluated assuming all four sequencers fail to operate

properly.  Credit is assumed for operator action to start HHSI pumps as

well as other ESF equipment within 10 minutes as described below.


A LOCA would result from a rupture of the Reactor Coolant System (RCS) or

any line connected to that system up to the first closed valve.  For a

postulated LBLOCA, a reactor trip is initiated by pressurizer low

pressure (1790 psig) while the SI signal is actuated by pressurizer low

pressure at 1636 psig.  The consequences of the LBLOCA are limited in two


     1.   Reactor trip and borated water injection supplement void

          formation in causing rapid reduction of nuclear power to a

          residual level corresponding to fission product decay.

     2.   Injection of borated water ensures sufficient flooding of the

          core to prevent excessive temperatures and provide long term


The reactor is designed to withstand the thermal effects caused by a

LBLOCA including the double ended severance of the largest RCS pipe.  The

reactor core and internals, together with the Emergency Core Cooling

System (ECCS), are designed so that the reactor can be safely shutdown

and the essential heat transfer geometry of the core will be preserved

following an accident.

The LBLOCA analysis presented in Section 14.3 of the UFSAR assumes that 2

of 4 HHSI pumps and 1 of 2 RHR pumps are automatically actuated during

the accident.  If all four sequences were inoperable because of the

simultaneous presence of the test logic defect, SI actuation would not

occur automatically.

The LBLOCA is a design basis event whose probability of occurrence is

extremely small.  A LBLOCA is considered to be a break with a total

cross-sectional area equal or greater than 1.0 ft**2.

LBLOCA sensitivity studies, performed in 1988 to assess the impact of

delaying SI, indicate that the maximum permissible SI delay is about 1

minute in order not to exceed the Peak Clad Temperature criteria of 10

CFR 50.46, and about 5 minutes to avoid exceeding fuel melt temperature,

for a generic Westinghouse four-loop PWR.  As a result of the test logic

defect, Turkey Point tested operator reaction times to manually start SI

in the absence of an automatic start (described below under MITIGATION OF

SEQUENCER FAILURE MODES).  The maximum time did not exceed 4 minutes.

This information was provided to Westinghouse, who then determined that

if SI is delayed 3 minutes and 15 seconds, the peak clad temperature for

the hot rod will not exceed 1922 degrees Fahrenheit.  If a conservative

adiabatic heat

up rate of six degrees per second is assumed for the fuel, SI may be

delayed until four minutes into the LOCA without exceeding 10 CFR 50.46

PCT criteria.  Therefore, if reasonable operator action is credited, no

core damage would be expected.

     Containment Response to a LBLOCA

A LBLOCA results in a significant mass and energy release into

containment that results in pressurization of the containment structure.

The UFSAR indicates that the pressurization event is limited by the size

of containment, by containment heat sinks, and by the operation of

containment cooling equipment (containment sprays and emergency

containment coolers).

The containment analysis for the LBLOCA was assessed using better

estimate techniques in 1989 by Westinghouse.  This analysis showed the

peak containment pressure for a Double Ended Pump Suction (DEPS) to be on

the order of 42 to 45 psig.  Using the mass and energy release values

developed for the design basis reconstitution work, Westinghouse

re-performed the Turkey Point containment analysis assuming no operation

of the containment spray pumps or the emergency containment coolers, for

ten minutes.  This reanalysis shows the peak pressure of the DEPS

LOCA to be approximately 44.3 psig.  Accordingly, since this peak

pressure is less than the design pressure of 55 psig and less than the

originally analyzed peak pressure of 49.9 psig, the results are

acceptable.  The ultimate strength of the Turkey Point containments is

estimated to be approximately 140 psig based on the Individual Plant

Examination (IPE) analysis work.

     Dose Consequences for a LBLOCA

The UFSAR contains an offsite dose evaluation that assumes a total core

release (100% noble gas, 50% halogens) occurring at time t = 0 with

results that remain within 10 CFR Part 100 guidelines.  The event under

review, however, is different from that evaluated in the UFSAR in that

engineered safety features are assumed to be delayed.  Using knowledge

learned from observation of accident phenomena and advanced light water

reactor development programs, it has been concluded that an instantaneous

core melt and release of fission products to containment is not credible.

Rather, significant release to the containment would not be expected to

occur during the first 10 minutes of an accident.  During this time,

credit is taken for operator action to start SI, containment sprays, etc.

Manual actuation of the containment sprays and emergency filters would

provide for fission product cleanup within containment.  While a

calculation has not been performed, it is expected that the offsite dose

consequences for this event will not exceed those stated in the UFSAR.

Operation of sprays and filters will provide radioactive material cleanup

prior to any significant fission product release from the containment.


SBLOCAs are slow transients which take longer to initiate SI and

therefore are less sensitive to delays in the actuation of the HHSI

pumps.  Containment response and dose consequences for the SBLOCA event,

for the original software defect involving Autotest, are bounded by

LBLOCA discussions above.

The 480 Volt Load Center condition involves the SBLOCA analyses, since a

specific size of small break would be required to generate the specific

event timing which leads to the condition (SI signal 15.5-16 seconds

after a LOOP).  The effect of that condition on the SBLOCA analyses is

discussed later.


The UFSAR analyzes two separate steam line break events; opening a relief

or safety valve, and main steam piping failure.  The piping failure

bounds the opening of the relief or safety valve.  Since the sequencer

issue is only a concern for the offsite power available case, only a main

steam piping failure with offsite power available will be addressed.  The

most limiting cooldown event occurs at zero power with no decay heat.  As

indicated in the UFSAR, credit is taken for a single HHSI pump to provide

borated water to return the core to a subcritical state.

Westinghouse re-performed the limiting MSLB accident with offsite power

available assuming SI was not available for 10 minutes.  The results of

this analysis indicate that the event can be accommodated without SI for

10 minutes with acceptable results.

A Main Steam Line Break inside containment also results in a containment

pressurization transient.  This event was rerun by Westinghouse assuming

no active containment pressure mitigating features (i.e.  no containment

sprays or containment coolers).  Assuming no safeguards actuation, peak

containment pressure for the MSLB was 48.8 psig occurring approximately

300 seconds (5 minutes) into the transient.  This is within the

containment design pressure of 55 psig and is therefore acceptable.


The event examined in the UFSAR is a complete tube break adjacent to the

tube sheet.  Each steam generator tube has a nominal diameter of 0.875

inches with a wall thickness of 0.050 inches.  Accordingly, the cross-

sectional break area of a double ended tube rupture is less than 1.0

square inches.  This very small break area shows that this event is

bounded by the SBLOCA in terms of assessing the potential for core damage

resulting from this event, and that dose releases for this event will not

increase as a result of delayed SI.


The event examined in the UFSAR is a failure of a control rod mechanism

pressure housing such that RCS pressure would eject the control rod and

drive shaft to a fully withdrawn position.  The consequence of this

mechanical failure is a rapid positive reactivity insertion together with

an adverse core power distribution.  The reactivity transient is

terminated by the Doppler reactivity effects of the increased fuel

temperature, and by subsequent reactor trip before conditions are reached

that can result in fuel melt.

Actions are included in the Emergency Operating Procedures (EOPs) to

address a SBLOCA that could be caused by a failed control rod mechanism

pressure housing.  Accident consequences of a SBLOCA in the reactor

vessel upper head are bounded by the design-basis SBLOCA.

Summary of Potential Accident Consequences

Of the five UFSAR accidents affected, four are bounded by the LBLOCA.

Consequences of a LBLOCA are acceptable if operator action to start ESF

equipment takes place within four minutes of the start of the accident.

Consequences of the SBLOCA, SGTR, and RCCA ejection are acceptable even

if no operator action is taken for 10 minutes.  The consequences of a

MSLB are acceptable without operator action for 10 minutes, since

containment pressure peaks, below the design pressure, 5 minutes into the



The UFSAR analyzed a spectrum of SBLOCAs, as provided below:

                                                   BREAK SIZE
                                    1.5-inch       2.0-inch       3.0-inch

     Break Initiation, sec.         0.0            0.0            0.0
     Reactor Trip Signal, sec.      67.3           35.2           15.0
     Safety Injection Signal, sec.  107.5          56.2           25.8
     Top of Core Uncovered, sec.    approximately
                                    3500           1562           700
     Accumulator Injection Begins   N/A            N/A            approximately

     Peak Clad Temp. Occurs, sec.   5034           2692           1305
     Top of Core Recovered, sec.    >5050          >4000          approximately



A LOOP is assumed to occur concurrent with a reactor trip.  Assuming an

instantaneous LOOP at reactor trip and extrapolating from the above

table, a break size of about 2.5 inch equivalent diameter would result in

the timing sequence of concern.
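To make the extrapolation from the table concrete, here is an added example (not part of the LER) that linearly interpolates the trip-to-SI delay over the UFSAR spectrum table above and returns the break sizes whose delay falls in the 15.5 to 16 second window after a LOOP concurrent with the trip. The linear-in-diameter interpolation and all function names are this example's own assumptions; the table values and the window are the LER's.

```python
"""Added example (not from the LER): interpolate the SBLOCA spectrum table to
find the break size whose trip-to-SI delay lands in the 480 Volt Load Center
window.  The table values and the 15.5-16 s window are the LER's; the linear
interpolation and every function name here are this example's own."""

# Event timings in seconds from the UFSAR SBLOCA spectrum table reproduced in
# the LER, keyed by equivalent break diameter in inches.
UFSAR_SBLOCA_TIMING = {
    1.5: {"reactor_trip": 67.3, "si_signal": 107.5},
    2.0: {"reactor_trip": 35.2, "si_signal": 56.2},
    3.0: {"reactor_trip": 15.0, "si_signal": 25.8},
}

# Window (seconds after the LOOP) in which the 480 V Load Center feeder breaker
# autoclosure condition can occur.  The LOOP is assumed concurrent with the
# reactor trip, so the window is measured from the reactor trip signal.
WINDOW_AFTER_LOOP = (15.5, 16.0)


def trip_to_si_delay(timing):
    """Seconds between the reactor trip signal and the SI signal."""
    return timing["si_signal"] - timing["reactor_trip"]


def delays_by_break_size(table=UFSAR_SBLOCA_TIMING):
    """[(diameter_in, delay_s), ...] in ascending diameter; the delay shrinks
    with break size because a larger break depressurizes faster."""
    return sorted((d, trip_to_si_delay(t)) for d, t in table.items())


def break_size_for_delay(target_delay, table=UFSAR_SBLOCA_TIMING):
    """Break diameter (inches) giving target_delay seconds between trip and SI,
    by linear interpolation between the two bracketing table columns.
    Returns None when the target lies outside the tabulated range: the LER's
    'about 2.5 inch' is an interpolation, and extrapolating past 1.5 or 3.0
    inches is not supported by the table."""
    points = delays_by_break_size(table)
    for (d0, t0), (d1, t1) in zip(points, points[1:]):
        if min(t0, t1) <= target_delay <= max(t0, t1):
            frac = (t0 - target_delay) / (t0 - t1)
            return d0 + frac * (d1 - d0)
    return None


def break_sizes_of_concern(window=WINDOW_AFTER_LOOP, table=UFSAR_SBLOCA_TIMING):
    """(smallest, largest) break diameter whose trip-to-SI delay falls inside
    the window.  The upper edge of the window (16.0 s) maps to the smaller
    break, since a smaller break takes longer to reach the SI setpoint."""
    smallest = break_size_for_delay(window[1], table)
    largest = break_size_for_delay(window[0], table)
    return smallest, largest


if __name__ == "__main__":
    for d, delay in delays_by_break_size():
        print(f"{d:.1f} inch break: trip-to-SI delay {delay:.1f} s")
    lo, hi = break_sizes_of_concern()
    print(f"break sizes reaching SI {WINDOW_AFTER_LOOP[0]}-{WINDOW_AFTER_LOOP[1]} s "
          f"after trip: {lo:.2f} to {hi:.2f} inch equivalent diameter")
```

Both ends of the window land near 2.5 inches, which is the figure the LER quotes; the 2.3 inch break Westinghouse iterated to with NOTRUMP is a code result rather than this table interpolation.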

The credibility of the occurrence of the UFSAR analyzed scenario creating

the conditions necessary to cause the loss of the 480 Volt Load Center

feeder breaker automatic function has been evaluated.  The two major

mechanistic possibilities for such a loss would be either: (1) a failure

of the transfer of both buses from the auxiliary to start-up transformers

(fast bus transfer); or (2) the loss of the switchyard or transmission

system due to the loss of a Turkey Point unit.

For a LOOP caused by the failure of the fast bus transfer, it is

improbable that it would occur simultaneously with the reactor trip

because of the delay time designed into the reactor trip/turbine

trip/generator lockout logic sequences.

A reactor trip caused by low pressurizer pressure initiates a turbine

trip.  Provided there are no other events and/or failures which would

cause a direct generator lockout signal, there is a designed 30 second

time delay between turbine trip and generator lockout.  At the end of the

30 second time delay, a generator lockout signal will be generated.  The

generator lockout signal will trip the generator field breaker, the

generator mid and

east switchyard breakers, the auxiliary transformer breakers and will

close the startup transformer breakers (fast bus transfer).  Failure of

the fast bus transfer would cause a LOOP, pickup of the undervoltage

relays, strip the 4.16 KV buses, start the EDGs and sequence the

emergency loads on the EDGs.  Therefore, on the failure of both the A bus

and B bus fast transfer, the LOOP would be expected to be initiated 30+

seconds after a reactor trip without an SI.

If at any time during this 30 second time delay an SI signal is

generated, the auxiliary transformer breaker will open and fast bus

transfer to the start-up transformer will be initiated.  Should the fast

bus transfer fail, a LOOP would be generated and the sequence above would

not occur.  The resultant event is essentially a "simultaneous" LOOP/LOCA

and the sequencer would operate as designed.  Therefore, the break would

have to be of a specific size which would generate the conditions

necessary to initiate SI at approximately 46 seconds after

reactor/turbine trip occurs and the operators do not manually initiate

the SI signal.

The other mechanistic scenario, loss of the transmission system due to

loss of a single unit is also very unlikely since the grid is operated in

such a manner as to remain stable in any single contingency situation

such as loss of a unit or a large transmission line.

As part of the original safety review performed in November 1994 for the

sequencer auto-test issue, FPL evaluated the impact of delaying safety

injection for 10 minutes for a spectrum of SBLOCAs.  Using the EPRI MAAP

code, small breaks of 2 and 6 inch equivalent diameter were examined.

For the 6 inch break, the accumulator would not deplete for more than 20

minutes and core melt would not be expected for more than 50 minutes.

For the 2 inch break, the accumulator did not deplete and core melt was

not expected to occur.  It was judged that provided the accumulator had

not depleted and SI was restored, core damage would not occur (i.e.  peak

clad temperature would not exceed 2200 degrees F).  Westinghouse has

subsequently performed a SBLOCA analysis using NOTRUMP, which is an NRC

approved code, for a 2.3 inch equivalent diameter break (the break size

was iterated on to obtain the proper delay between LOOP and SI) assuming

safety injection is restored 10 minutes into the event.  For this event,

a peak clad temperature of 954 degrees F occurred at 1818 seconds

(approx.  30 minutes) into the event.  Based on this event sequence,

additional time would be available to the operator beyond 10 minutes to

restore safety injection.


Because the presence of an SI signal during sequencer testing (automatic

or manual mode) may render the sequencer inoperative, the dependence on

SI was the primary consideration for determining the five affected

accidents.  For each of the affected accidents, the EOPs were reviewed to

determine what mitigating actions would be taken by the operator.  The

effectiveness of the mitigating actions was also assessed based on its

sequence within the procedures.

Upon initiation of any of the five affected accidents discussed above,

the reactor would trip placing the operators in procedure 3/4-EOP-E-0,

"Reactor Trip or Safety Injection." At Step 4 in EOP-E-0, the operator

verifies whether SI is actuated or is required.  If an SI is required,

the operator verifies that HHSI and RHR pumps have started, or he is

required to manually start these pumps in Step 8.  These two steps are

part of the immediate actions to be taken by an operator following a

reactor trip.

In addition, the foldout pages for EOP-E-0 contains specific reactor trip

and SI actuation criteria which require operators to start the HHSI

pumps.  Therefore FPL concludes that for these five accidents, there is a

high probability that timely mitigating actions would have been taken by

the operators to activate safeguards equipment even if the sequencer had


To assess the operators' ability to accommodate sequencer test software

logic defects, the Turkey Point Training Department constructed three

different scenarios involving design basis accidents with failed

sequences.  The failure mode modeled was a failure of the sequencer to

load safeguards equipment.  These scenario runs were completed on

November 5, 1994.  The three scenarios were:

     1.   A LOOP/LBLOCA with Unit 3 sequences failed.

     2.   A LBLOCA with no LOOP, with Unit 3 sequences failed.

     3.   A SBLOCA with no LOOP, with Unit 3 sequences failed, Unit 4

          HHSI pump breakers racked out, and the Unit 3 HHSI pump control

          switches in PULL TO LOCK on the Unit 4 control board.

Six control room crews ran each of the three scenarios, for a total of 18

simulator exercises.  The Training Department was primarily interested in

determining how long it took the control room crew to successfully

energize all available safeguards equipment.  A summary of the control

room crew response times follows:


                    INITIATION (IN MIN.SEC)

      CREW     SCENARIO 1   SCENARIO 2   SCENARIO 3
      A          2:40         2:30         2:45
      B          2:00         2:10         1:40
      C          2:50         1:30         1:30
      D          8:00         1:30         1:55
      E          4:40         3:15         1:05
      F          2:50         1:32         1:20


The simulator training coordinator stated that the longest time required

to initiate SI flow was during Crew D's 8 minute LOOP/LOCA scenario; it

took them approximately 4 minutes.  However, the sequencer defect is not

present for LOOP scenarios.  The longest non-LOOP response time was 3

minutes and 15 seconds.  The longest time to energize all available ESF

loads, even with a LOOP, was 8 minutes, which applies to the Containment

Spray issue and the 480 Volt Load Center issue.  An assumed operator

response time of 10 minutes is therefore conservative.

In addition to the scenario exercises described above, a review of

earlier observations of operating crews in simulator training during July

and August 1994 was made.  These observations illustrated that it took

each crew 4 to 5 minutes from event initiation to complete alignment of

the required safeguards equipment associated with a full sequencer


Operator verification of SI, and HHSI pump flow, is performed within the

immediate action steps (Steps 4 and 8 respectively) of EOP-E-0.  The

first 14 steps are memorized by the control room crew.  In addition,

immediate action steps are required to be re-verified by the operators.

Therefore FPL concludes that the control room crew would be successful in

timely initiation of HHSI pump flow in the event of a sequencer




A probabilistic safety assessment was performed to estimate the safety

impact of inhibited emergency sequencer operation due to a logic error in

the software associated with the test feature.  The assessment is based

on the Turkey Point IPE Submittal and subsequent updates, and includes

the effect of the failure of all four sequences.  The recovery actions

are added to the model for different scenarios, e.g., recovery for LBLOCA

vs. SBLOCA.  These operator actions are calculated based on the time

available to do the actions (NUREG/CR-4550, Vol. 3, Rev. 1, Part 1), and

the time it takes the operators to perform the actions obtained from a

review of 3/4-EOPs-0 and from simulator scenario runs.

The probabilistic safety assessment determined that the estimated change

in the Core Damage Frequency (CDF) under the above conditions, with all

four sequences inoperable, is 6.3E-6/yr.  However, all four sequences

were not inoperable at all times.  Each sequencer is inoperable during 5

of the 16 tests.  In order for all sequences to fail simultaneously, all

sequences would have to be in an affected test.  This would happen most

often if all four sequencer test cycles were synchronized.  Even if all

four sequences were synchronized on the same test cycle, the sequences

would all be inoperable during only 5 of the 16 tests.  Therefore, all

four sequences would be inoperable approximately one-third of the time.

This results in an estimated change in CDF of 2.1E-6/yr.  This change in

core damage frequency increases the baseline CDF by 3.2%.  The PSA

calculation considers an average probability over a one year period.

The 3.2% increase in the CDF is a conservative estimate for this

situation.  This increase in CDF is not safety significant, based on the

acceptance criteria stipulated in the draft EPRI PSA Application Guide.

The estimated risk impact of loss of sequences for LBLOCAs is relatively

low due to the low initiating event frequency of LBLOCAs, and recovery

actions described in the early steps of the EOP E-0 for reactor trip and

SI.  Although SBLOCAs have a higher initiating event frequency the risk

is relatively low because the operator has more time available to perform

recovery actions.


An estimate of the potential risk impact of the failure of the CS pumps

to automatically start was performed.  The scenario is assumed to occur

for a certain size LOCA or MSLB such that the HHCP signal is generated at

the 12.9 to 13.0 second window during which the sequences may not actuate

CS pumps automatically.  A further assumption is that failure of all

containment spray with a medium LOCA leads directly to core damage.  The

core damage frequency increase is thus estimated to be:

     CDF =     (frequency of event [medium and small LOCAs, MSLB]) times

               (probability of "right size" break to cause the event)

               times (probability of failure of manual starting of CS


          =    (1.0E-4 + 1.0E-3 + 1.0E-4) x (5.0E-4) x (6.0E-3)

          =    3.6 E-9/year

Note that the frequency of the event is conservatively estimated to be

that of the medium LOCA (6-13.5 inches), the small LOCA (2-6 inches) or a

MSLB.  Since a specifically-timed LOOP would be required for either the

small LOCA or the MSLB to be of concern, the CDF is actually lower.

An estimated increase in the CDF of 3.6E-9/yr is insignificant compared to

the baseline CDF of 6.63E-5/yr.


To provide a bounding estimate of the probability of such an event over

the half second interval of interest, the following expression is used:

Probability of a certain size LOCA * Conditional probability of induced

LOOP which coincides with the LOCA that satisfies the certain half second


     1.26E-3/Yr * 1.0E-3  * .5/60 = 1.05E-8/Yr


1.26E-3/Yr =   the frequency of a small-small LOCA, plus stuck open Power

               Operated Relief Valve (PORV) (not recoverable)

1.0E-3     =   the probability of LOOP given a reactor trip

.5/60      =   the exact timing fraction for the certain break size that

               results in scenario of interest (see below)

This calculation includes all the LOCA scenarios that can generate an SI

signal between 15.5 and 75.5 seconds after the reactor trip (the LOOP is

postulated to occur from 0 to 60 seconds after the reactor trip).

Considering the timing between the trip and SI actuation, FPL concluded

that there are two scenarios that can cause such events: (1) a

small-small LOCA (between 3/8" and 2.5" breaks); or (2) a PORV sticks

open and hardware or operators fail to isolate the leak.  For the case of

a small-small LOCA, the initiating event frequency is 1.0E-3/Yr.  For

the case of one PORV sticking open, the initiating event frequency is

2.6E-2/Yr.  Normally the PORVs close if the pressure drops below 2000

psi; if they fail to close, the operator can block the leak by using

block valves.  A recovery action failure probability of .01 can be

conservatively assumed for controlling the PORV opening.  Therefore, the

overall non-recoverable PORV sticking open initiating event frequency may

be estimated as 2.6E-4/Yr (2.6E-2 * .01 = 2.6E-4).

Based on a study performed by the Federal Power Commission, the

probability that offsite power would be lost as a result of the generator

trip caused by a LOCA is estimated to be 1.0E-3.  For the specific break

size to coincide in a certain half second interval the fraction of LOOP

then SI event timing may be estimated as .5/60.  This estimate assumes a

uniform distribution for the coincident LOOP and SI signals within a 60

second interval.

Note that the above estimates are conservative in several aspects.

First, all SI events may not present the same degree of challenge to the

plant safety systems.  Secondly, no operator actions are credited for

mitigating the core damage scenarios.  Thus the scenarios initiated by a

LOCA followed by a LOOP and subsequent actuation of SI contribute at most

1.05E-8/Yr to the CDF.  These scenarios are not considered safety

significant.  If operator recovery action is considered, the core damage

frequency would be expected to drop one to two orders of magnitude.

Comparing this event to NRC stated safety criteria for the industry shows

that this event is several orders of magnitude less severe than that

which would require NRC action.  Comparison to industry developed PSA

criteria shows that this scenario is several orders of magnitude below

that which would require action.
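As an added example (not part of the LER), the three risk estimates above, reproduced from the frequencies and probabilities the LER quotes: the auto-test defect change in CDF and its percentage of baseline, the CS pump autostart estimate, and the 480 Volt Load Center bounding estimate. The function names are this example's own; the numbers are the LER's, and the 5-of-16 synchronized test fraction is rounded up to one-third as the LER does.

```python
"""Added example (not from the LER): the three risk estimates reproduced from
the frequencies and probabilities the LER quotes.  Function names are this
example's own; the numbers are the LER's."""

BASELINE_CDF = 6.63e-5   # per year; Turkey Point baseline CDF quoted in the LER


def synchronized_inoperable_fraction(affected_tests=5, tests_per_cycle=16):
    """Fraction of time all four sequencers are inoperable together if their
    test cycles are synchronized: 5 of the 16 tests in a cycle (0.3125).
    The LER rounds this up to one-third."""
    return affected_tests / tests_per_cycle


def autotest_defect_delta_cdf(delta_if_always_failed=6.3e-6,
                              inoperable_fraction=1.0 / 3.0):
    """Change in CDF from the auto-test logic defect.  The PSA gives
    6.3E-6/yr with all four sequencers failed at all times; scaling by the
    fraction of time they are actually inoperable gives the LER's 2.1E-6/yr."""
    return delta_if_always_failed * inoperable_fraction


def percent_of_baseline(delta_cdf, baseline=BASELINE_CDF):
    """Increase over the baseline CDF, in percent (3.2% for the defect)."""
    return 100.0 * delta_cdf / baseline


def cs_autostart_delta_cdf(medium_loca=1.0e-4, small_loca=1.0e-3, mslb=1.0e-4,
                           p_right_size_break=5.0e-4,
                           p_manual_start_fails=6.0e-3):
    """CDF increase from the CS pump autostart error:
    (initiating event frequency) x P(break of the 'right' size to put the
    HHCP signal in the 12.9-13.0 s window) x P(manual CS start fails)."""
    return (medium_loca + small_loca + mslb) * p_right_size_break * p_manual_start_fails


def load_center_delta_cdf(small_small_loca=1.0e-3, porv_stuck_open=2.6e-2,
                          p_porv_recovery_fails=0.01, p_loop_given_trip=1.0e-3,
                          window_s=0.5, loop_spread_s=60.0):
    """Bounding frequency of the 480 Volt Load Center feeder breaker scenario:
    (small-small LOCA + non-recoverable stuck-open PORV) x P(LOOP | trip)
    x fraction of a uniform 0-60 s LOOP-to-SI timing that hits the half-second
    window.  No operator recovery is credited, as in the LER."""
    initiator = small_small_loca + porv_stuck_open * p_porv_recovery_fails  # 1.26E-3
    timing_fraction = window_s / loop_spread_s                               # .5/60
    return initiator * p_loop_given_trip * timing_fraction


def summary():
    """All three estimates next to the baseline, as a dict."""
    defect = autotest_defect_delta_cdf()
    return {
        "autotest_defect_delta_cdf": defect,
        "autotest_defect_percent_of_baseline": percent_of_baseline(defect),
        "cs_autostart_delta_cdf": cs_autostart_delta_cdf(),
        "load_center_delta_cdf": load_center_delta_cdf(),
        "baseline_cdf": BASELINE_CDF,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:40s} {value:.3g}")
```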



The periodic inoperability of all four sequences, as described above, has

existed since the sequences were installed during the dual unit outage in

1990/1991.  The sequences were accepted as operational in September and

October, 1991, for Units 3 and 4, respectively.  From early December,

1991, until November, 1992 (Unit 3) and May, 1993 (Unit 4) the sequences'

Test Selector switches were in OFF except for monthly manual tests, as

described in LER 251/91-007.

Since then, there have been four challenges to the bus sequences (between

the two units).  LER 251/92-004 reported an inadvertent Safety Injection

on Unit 4; all plant equipment responded as designed, including the Unit

3 HHSI pumps.  LERs 250/92-009 and 250/92-013 reported a LOOP (due to

hurricane Andrew), and an inadvertent 3A bus stripping.  In these three

instances the sequences' Test Selector switches were not in AUTO, and they

performed as designed.

LER 250/94-002 reported an inadvertent ESF actuation on Unit 3, in which

all equipment responded as designed, except the 4A HHSI pump.  At that time

the failure of the 4A HHSI pump was attributed to an intermittent

failure, which could not be reproduced.  As a result of the discovery of

the defect reported herein, that earlier event can now be reproduced at

will on the sequencer simulator.  FPL believes that the 4A HHSI pump

failed to start because of the same defect that caused the 3A HHSI pump

failure to start, reported in this LER.  Since there have been no actual

events requiring Engineered Safety Features actuation to protect the

plant, the health and safety of the public has not been affected by the

periodic inoperability of the sequences.

This event is reportable under the requirements of 10 CFR 50.73

(a)(2)(i)(B), (a)(ii)(A), (a)(ii)(B), (a)(v), (a)(vii), and 10 CFR 21.


Regarding the second software error involving the CS pump autostart, FPL

has concluded that the CS system remains OPERABLE because, in the highly

unlikely event that the condition were to occur, simple operator action

to start the CS pumps, in accordance with the plant's emergency operating

procedures, would ensure compliance with the system specified functions.

The ability to manually start the CS pumps as much as 10 minutes into the

event and maintain required cooling is supported by analysis, procedures,

and training.  In addition the safety significance of the evaluated

condition is extremely low because the probability of the evaluated

condition is lower than the probability of a common mode failure of both

CS trains, as discussed earlier under Possible Accident Consequences for

Sequencer Failure Modes.  In any case, the contribution to CDF of this

software error is negligible.


Similar arguments obtain for the condition involving the 480 Volt Load

Center feeder breaker autoclosure failure.  The probability of occurrence

of the specific scenario is very low.  The contribution to CDF is

similarly very low, neglecting any mitigating operator action.

Nevertheless, should the scenario occur, simple operator action, again as

much as 10 minutes into the event, drops the CDF by one to two orders of


In accordance with Generic Letter 91-18, a licensee cannot replace

automatic action with manual action if the automatic action is needed to

avoid exceeding a "Safety Limit." Safety limit is defined in 10CFR50.36,

as is limiting safety system setting.  "Where a limiting safety system

setting is specified for a variable on which a safety limit has been

placed, the setting must be so chosen that automatic protective action

will correct the abnormal situation before a safety limit is exceeded."

Turkey Point's safety limits and limiting safety system settings are

defined in Technical Specifications.  The limiting safety system settings

are reactor trip setpoints.  There is no reactor trip setpoint on 480

Volt Load Centers.  The only two safety limits are reactor pressure, and

a graph combining pressure, T sub avg, and reactor power.  Neither of

these are challenged by the loss of the automatic re-energization of the

480 Volt Load Centers.

Therefore manual action can be credited to determine the operability of

the 480 Volt Load Centers, if it can be shown that such action (1) is

proceduralized, and (2) is not heroic.  Emergency Operating Procedures

3/4-EOP-E-0, Reactor Trip or Safety injection, direct the reactor

operators to verify ECCS flow, and provide guidance to get flow in the

Response Not Obtained column.  The actions are taken from the control

board, are part of the standard training of reactor operators, and

involve no hazard.  Indeed, when the scenario in question was imposed on

several crews on the simulator, their delay in re-energizing the load

centers was in waiting for the sequencer to finish sequencing.  Thus the

actions (1) are proceduralized, and (2) are not heroic.  Therefore, FPL

concludes that the 480 Volt Load Centers remain operable.


1.   The Test Selector switches on all four sequences were placed in OFF.

     Tags have been hung on each switch to require specific permission

     from the Nuclear Plant Supervisor to change the position of the

     switch.  With the sequencer test mode switch in the OFF position,

     the automatic test logic is disabled.  The sequencer is fully

     functional and will respond properly to input signals.  The

     automatic test function is not a requirement for periodic

     surveillance of the sequencer.

2.   With the Test Selector switch in OFF, additional visual inspections

     are being performed on an eight hour basis as described below:

     a.   The local reflash annunciator points are verified not in


     b.   The I/O power, PLC Power, and ANN Power switches are verified

          in the ON position and the Processor Power white indicating

          light is verified illuminated.

     c.   The Test Selector switch is verified in the OFF position; the

          Stripping Clearing Test Selector and Sequencing Mode Test

          Selector Switches are verified in the OFF position.

     d.   The 2 green test reset indicating lights and the sequencing

          reset green indicating lights are verified illuminated.

     e.   The other indicating lights are verified not to be illuminated

          (except the ground fault indicating lights are supposed to be

          dimly lit).

     f.   Every 24 hours, the sequencer door is opened, the Processor

          Indicator LED is verified to be a solid green and the 9

          indicator I/O cards "ACTIVE" LED are verified to be a solid


3.   A detailed review of the original Validation and Verification

     process was performed; it has been concluded that an oversight

     occurred because not all sequencer functions were validated during

     all modes of automatic and manual testing.  The existing

     verification and validation sufficiently covers the sequencer safety

     functions if the Test Selector switch remains OFF.

4.   Functional testing on the sequencer simulator of design basis inputs

     has been repeated with the Test Selector switch OFF, with acceptable


5.   A safety evaluation has been issued demonstrating sequencer

     operability with the test selector switch in the OFF position.  This

     safety evaluation was approved by the Plant Nuclear Safety Committee

     on November 4, 1994.

6.   Independent consultants were retained to perform an assessment of

     the existing sequencer design, software design and V&V.  This

     "Independent Assessment Team" (IAT) concluded that operation of the

     sequences with the Test Selector switch in OFF represented a safe

     condition and that FPL's evaluation of the condition was


     The second phase of the IAT's assignment was to provide a detailed

     review of the software documentation.  Some drawing discrepancies

     were identified and have been evaluated.  In general the


     dealt with the inclusion of additional information on the logic
     diagrams not reflected in the ladder diagrams, to aid in
     understanding the logic diagrams.  One other software error was
     identified involving autostart of the CS pumps, and has been
     discussed earlier in the LER.  The drawing discrepancies will be
     corrected when the software is modified (see Corrective Action #9

     The IAT confirmed that the V&V was not comprehensive enough to test
     certain aspects of the logic.  "The plan was weak in that it relied
     almost completely on testing as the V&V methodology.  More emphasis
     on the analysis of the requirements and design would have increased
     the likelihood of discovering the design flaw."  A revision to the
     V&V documentation will be made coincident with the design
     modifications described in Corrective Action #9 below.

7.   The original software vendor, United Controls, Inc., has been
     notified of this defect and its significance.

8.   In order to eliminate issues related to the use of one-of-a-kind or
     first-of-a-kind equipment, FPL implemented Nuclear Policy NP-905,
     Equipment Selection, in October of 1991.  This policy states in part
     that, "FPL's nuclear engineering department shall select only
     specific models of equipment with proven records of reliable
     performance for use in FPL nuclear facilities.  Verification of the
     equipment reliability must be established through contact with
     NPRDS, nuclear station managers, or other appropriate sources.  If
     no prior operating experience is available, appropriate prototype
     testing, under equivalent plant operating conditions, must be
     undertaken to establish its reliability before it is placed in
     service at FPL nuclear facilities."  The Engineering Quality
     Instructions contain the Nuclear Policy requirements for design


9.   Design modifications to eliminate the identified problems will be
     implemented during the next refueling outages of each unit.

10.  Other safety-related process computer suppliers were notified of the
     event on November 14, 1994.  These suppliers responded that similar
     software errors do not exist in other safety-related process


11.  An FPL Nuclear Engineering standard will be developed on the use of
     PLCs, prior to the procurement of any additional PLC-based


12.  Manual testing of the sequencers was resumed on January 11, 1995.

13.  Emergency Operating Procedures 3/4-EOP-E-0, Reactor Trip or Safety
     Injection, have been revised to require the operator to verify that
     the Load Centers associated with the energized 4.16 kV bus(es) are



     EIIS Codes are shown in the format [EIIS SYSTEM: IEEE component
     function identifier, second component function identifier (if

     The Programmable Logic Controllers used in the sequencers are made by
     Allen-Bradley; the sequencers are assembled by United Controls, Inc.
     (UCI).  According to UCI, Florida Power & Light Company is the only
     utility to which UCI supplied this sequencer.

TEXT                                                        PAGE 23 OF 23

     The condition wherein the 480 Volt Load Center feeder breakers may
     not close automatically may have generic implications not associated
     with digital load sequencers.  It appears that any time such a
     breaker is presented with conflicting simultaneous close and trip
     signals, if that breaker has an "anti-pumping" circuit like the one
     described in this report, that breaker will not close.  FPL is not
     able to determine if such conflicting signals may be generated by an
     analog or "relay-based" load sequencer system.
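     The conflicting-signal behaviour described above, as an added illustration that is not part of this report: a constructed scan-by-scan model of a feeder breaker with a 52Y anti-pump relay (a generic anti-pumping arrangement, not the specific circuit described earlier in the LER), run against a held CLOSE plus TRIP, a normal sequential close, and a pumping attempt.  The names Breaker, scan, run and the scenario lists are assumptions of this example.

```python
"""Constructed model of a breaker with a 52Y anti-pump relay (not the LER's circuit)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Breaker:
    """Breaker state: main contacts (52a) plus the 52Y anti-pump relay."""
    closed: bool = False      # True when the main contacts are closed
    anti_pump: bool = False   # True while the 52Y relay is sealed in

    def scan(self, close_cmd: bool, trip_cmd: bool) -> bool:
        """Apply one scan of CLOSE/TRIP control inputs; return the closed state."""
        # 52Y drops out only when the CLOSE command is removed.
        if not close_cmd:
            self.anti_pump = False
        # Close coil path: CLOSE present, breaker open (52b), 52Y not picked up.
        close_coil = close_cmd and not self.closed and not self.anti_pump
        if close_coil:
            self.closed = True
            # The closing stroke picks up 52Y while CLOSE is still present,
            # and 52Y then seals in through the maintained CLOSE command.
            self.anti_pump = True
        # Trip-free mechanism: a TRIP present in the same scan opens the breaker.
        if trip_cmd and self.closed:
            self.closed = False
        return self.closed


def run(inputs: List[Tuple[bool, bool]]) -> List[bool]:
    """Feed (close_cmd, trip_cmd) pairs scan by scan; return the state trace."""
    brk = Breaker()
    return [brk.scan(c, t) for c, t in inputs]


# Constructed scenarios (assumed inputs, not plant data).
CONFLICTING = [(True, True)] * 4                       # CLOSE and TRIP held together
SEQUENTIAL = [(False, True), (False, False), (True, False), (True, False)]
PUMP_ATTEMPT = [(True, False), (True, True), (True, False),
                (False, False), (True, False)]         # CLOSE held through a TRIP

if __name__ == "__main__":
    print("conflicting :", run(CONFLICTING))    # [False, False, False, False]
    print("sequential  :", run(SEQUENTIAL))     # [False, False, True, True]
    print("pump attempt:", run(PUMP_ATTEMPT))   # [True, False, False, False, True]
```

     In the conflicting case the breaker closes and trips within the same scan, 52Y seals in on the maintained CLOSE command, and the breaker stays open for as long as the conflicting signals persist.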


Page Last Reviewed/Updated Monday, March 30, 2020