Revised Diversity and Defense-In-Depth Evaluation (D3), Framatome Document No. 51-9324096-004

ML22235A027
Person / Time
Site:	Turkey Point
Issue date:	08/19/2022
From:	Strand D Florida Power & Light Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML22235A670	List: L-2022-142, Revised Diversity and Defense-In-Depth Evaluation (D3), Framatome Document No. 51-9324096-004
References
20004-026, L-2022-142 51-9348245-000, Rev 1
Download: ML22235A027 (188)
v • d • e

Text

Official use Only - Proprietary Information August 19, 2022 L-2022-142 10 CFR 50.90 Official use Only - Proprietary Information When Attachment 1 to this document is removed, this document is decontrolled.

Florida Power & Light Company 9760 SW 344th Street, Homestead, FL 33035 U. S. Nuclear Regulatory Commission Attn: Document Control Desk Washington D C 20555-0001 RE:

Turkey Point Units 3 and 4 Docket Nos. 50-250 and 50-251 Subsequent Renewed Facility Operating License DPR-31 and DPR-41 Revised Turkey Point Units 3 & 4 Diversity and Defense-In-Depth Evaluation (D3), Framatome Document No. 51-9324096-004

Reference:

1.

Florida Power and Light letter L-2022-073, Turkey Point Units 3 & 4, Diversity and Defense-In-Depth Evaluation (D3), Framatome Document No. 51-9324096-004, May 3, 2022 (ADAMS Accession No. ML22123A231)

2.

Florida Power and Light letter L-2022-073, License Amendment Request 274, Reactor Protection System, Engineered Safety Features Actuation System, and Nuclear Instrumentation System Replacement Project, July 30, 2022 (ADAMS Accession Nos. ML22211A001 and ML22213A045)

In References 1 and 2, Florida Power and Light (FPL) submitted the Turkey Point Units 3 & 4, Diversity and Defense-In-Depth (D3) evaluation in support of a license amendment request (LAR) to upgrade the Turkey Point reactor protection system, engineered safety features actuation system, and nuclear instrumentation systems to a digital-based platform. The D3 evaluation addresses potential common-cause failure vulnerabilities associated with the replacement project.

Included with the D3 submittals of References 1 and 2 were affidavits which supported, pursuant to 10 CFR 2.390(a)(4), the withholding from public disclosure information deemed proprietary to Framatome, Inc., the owner of the information. During a July 21, 2022 teleconference with the NRC project manager, the NRC requested and FPL/Framatome agreed to revise by August 19, 2022, selected proprietary markings of the D3 analysis.

to this letter provides Framatome Document No. 51-9324096-004, which is the proprietary version of the D3 Evaluation with revised proprietary markings. Attachment 2 contains the redacted (non-proprietary) version of Attachment 1 and is suitable for public dissemination. The Title pages of these documents identify that some information, previously identified as proprietary has been revised to be non-proprietary and that no technical information has changed. Attachment 3 contains an affidavit which is dated to reflect the date of this change in proprietary markings from Framatome, Inc., (Framatome), which supports a request for withholding from public disclosure pursuant to 10 CFR 2.390(a)(4). The affidavit sets forth the basis on which the information may be withheld from public disclosure by the Nuclear Regulatory Commission (Commission) and addresses with specificity the considerations listed in paragraph (b)(4) of Section 2.390 of the Commission's regulations. Accordingly, FPL requests that the information which is proprietary to Framatome be withheld from public disclosure pursuant to 10 CFR 2.390(a)(4).

Correspondence with respect to the proprietary aspects of this information or the supporting Framatome

Turkey Point Nuclear Plant Docket Nos. 50-250 and 50-251 Official use Only - Proprietary Information L-2022-142 Page2 of2 affidavit should be addressed to Mr. Phillip Opsal, Manager, Product Licensing for Framatome, 3315 Old Forest Road, Lynchburg, Virginia 24501.

This letter contains no regulatory commitments.

Should you have any questions regarding this submission, please contact Mr. Kenneth Mack, Fleet Licensing Manager, at 561-904-3635.

Dianne Strand General Manager, Regulatory Affairs cc:

USNRC Regional Administrator, Region II USNRC Project Manager, Turkey Point Nuclear Plant USNRC Senior Resident Inspector, Turkey Point Nuclear Plant Ms. Cindy Becker, Florida Department of Health (Attachments 2 and 3 only)

Attachments

1.

Florida Power and Light Turkey Point Unit 3 & 4 Diversity and Defense-In-Depth Evaluation (03),

Framatome Document No. 51-9324096-004, Revision 1 (Proprietary Version)

2.

Florida Power and Light Turkey Point Unit 3 & 4 Diversity and Defense-In-Depth Evaluation (03),

Framatome Document No. 51-9348245-000, Revision 1 (Non-Proprietary Version)

3.

Affidavit for Attachment 1: Florida Power and Light Turkey Point Unit 3 & 4 Diversity and Defense-In-Depth Evaluation (03), Framatome Document No. 51-9324096-004

ATTACHMENT 2 Florida Power and Light Turkey Point Unit 3 & 4 Diversity and Defense-In-Depth Evaluation (D3), Framatome Document No. 51-9324096-000 (Non-Proprietary Version)

20004-026 (08/12/2020)

Page 1 of 182 Framatome Inc.

ENGINEERING INFORMATION RECORD Document No.:

51 9348245 -

000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Framatome Inc.

This redacted version is Non-Proprietary.

Some information previously marked as proprietary has been reclassified to be non-proprietary. All previously identified non-proprietary information remains as non-proprietary. Proprietary information contained within brackets and proprietary markings have been removed. Other than addition of previously identified proprietary information, technical content was not changed as attested to by the following individuals:

Preparer: Ted Quinn Reviewer: Philip Opsal Approver: Brian Haynes Signature and Date Signature and Date Signature and Date gnature and Date reparer: Ted Quinn 08/18/2022 OPSAL Philip Digitally signed by OPSAL Philip Date: 2022.08.19 00:56:52 -04'00' HAYNES Brian Digitally signed by HAYNES Brian Date: 2022.08.18 22:24:44 -07'00'

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 2 of 182 Safety Related? YES NO Does this document establish design or technical requirements? YES NO Does this document contain assumptions requiring verification? YES NO Does this document contain Customer Required Format? YES NO Signature Block Name and Title/Discipline Signature P/LP, R/LR, M, A-CRF, A Date Pages/ s Prepared/Reviewed/

Approved or Comments Jerry Mauck Licensing Engineer LP All Ted Quinn Licensing Engineer P

All Taha AbdelNaeem Project Lead/Technical Lead LR All John DiBartolomeo Independent Design Review (Delegated to Ted Quinn per email)

R All Brian Haynes Licensing Manager A

All Georgia Dikeakos Engineering Manager A

All Note: P/LP designates Preparer (P), Lead Preparer (LP)

M designates Mentor (M)

R/LR designates Reviewer (R), Lead Reviewer (LR)

A-CRF designates Project Manager Approver of Customer Required Format (A-CRF)

A designates Approver/RTM - Verification of Reviewer Independence N/A if not applicable Project Manager Approval of Customer References (N/A if not applicable)

Name (printed or typed)

Title (printed or typed)

Signature Date Ron Jaworowski Project Manager J MAUCK 4/28/2022 T QUINN 4/28/2022 TI ABDELNAEEM 4/28/2022 T QUINN 4/28/2022 RO JAWOROWSKI 4/29/2022 G DIKEAKOS 4/29/2022 BM HAYNES 4/29/2022

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 3 of 182 Record of Revision Revision No.

Pages/Sections/

Paragraphs Changed Brief Description / Change Authorization 000 Entire document Non-Proprietary version of 51-9324096-004.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 4 of 182 Table of Contents 1

EXECUTIVE

SUMMARY

............................................................................................................ 8 2

TURKEY POINT UNIT 3&4 DIGITAL UPGRADE PROJECT.................................................... 10 2.1 Scope........................................................................................................................... 10 2.2 Objectives..................................................................................................................... 11 2.3 Regulatory Position....................................................................................................... 11 2.4 Block Selection............................................................................................................. 14 2.5

[

]..................................................................................... 15 3

OVERVIEW OF TURKEY POINT DIGITAL CONTROL SYSTEM ARCHITECTURE................ 15 3.1 Turkey Point Power Plant Digital Control System (DCS)............................................... 15 3.2 DAS Qualification Criteria............................................................................................. 16 3.3 Tricon Quality............................................................................................................... 17 3.4 Control System - Echelon 1......................................................................................... 20 3.5 Reactor Protection System - Echelon 2........................................................................ 21 3.5.1 Reactor Trip Functions................................................................................... 22 3.6 ESFAS - Echelon 3...................................................................................................... 23 3.6.1 Engineered Safeguard Actuation System Functions....................................... 24 3.7 Manual and Indication - Echelon 4............................................................................... 26 3.8

[

]........................................................................................................ 27 3.9 Digital Diversity Evaluation within the Turkey Point Unit 3&4 I&C Architecture.............. 29 3.9.1 Foxboro I/A Diversity...................................................................................... 30 3.9.2 Manual Operator Action................................................................................. 32 4

INTRODUCTION TO SAFETY ANALYSIS............................................................................... 34 4.1 UFSAR Chapter 14 Accidents and Events.................................................................... 35 4.1.1 (UFSAR 14.1.1) Uncontrolled RCCA Withdrawal from a Sub-Critical Condition........................................................................................................ 43 4.1.2 (UFSAR 14.1.2) Uncontrolled RCCA withdrawal at Power............................. 45 4.1.3 (UFSAR 14.1.3) Malpositioning of the Part Length Rods................................ 47 4.1.4 (UFSAR 14.1.4) Rod Cluster Control Assembly (RCCA) Drop....................... 47 4.1.5 (UFSAR 14.1.5) Chemical and Volume Control System Malfunction.............. 49 4.1.6 (UFSAR 14.1.6) Startup of an Inactive Reactor Coolant Loop........................ 53 4.1.7 (UFSAR 14.1.7) Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident............................................................................................ 53 4.1.8 (UFSAR 14.1.8) Excessive Load Increase Incident........................................ 55 4.1.9 (UFSAR 14.1.9) Loss of Reactor Coolant Flow.............................................. 56 4.1.10 (UFSAR 14.1.10) Loss of External Electrical Load......................................... 60 4.1.11 (UFSAR 14.1.11) Loss of Normal Feedwater Flow......................................... 62 4.1.12 (UFSAR 14.1.12) Loss of Non-Emergency A-C Power to Plant Auxiliaries....................................................................................................... 64

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 5 of 182 4.1.13 (UFSAR 14.1.14) Accidental Depressurization of the Reactor Coolant System........................................................................................................... 66 4.1.14 (UFSAR 14.1.15) Anticipated Transient Without Scram................................. 67 4.1.15 (UFSAR 14.2.4) Steam Generator Tube Rupture........................................... 69 4.1.16 (UFSAR 14.2.5) Rupture of a Steam Pipe...................................................... 75 4.1.17 (UFSAR 14.2.6) Rupture of a Control Rod Mechanism Housing - RCCA Ejection.......................................................................................................... 82 4.1.18 (UFSAR 14.2.7) Feedwater System Pipe Break............................................. 85 4.1.19 (UFSAR 14.3.2.1) Best-Estimate Large Break Loss of Coolant Accident (BE-LOCA) Analysis....................................................................................... 88 4.1.20 (UFSAR 14.3.2.2) Small Break LOCA (Small Ruptured Pipes or Cracks in Large Pipes) Which Actuate the Emergency Core Cooling System............ 91 4.1.21 Containment Functional Design - Containment Spray and Containment Isolation.......................................................................................................... 96 4.2 Diversity Among Echelons of Defense........................................................................ 107 4.3 Spurious RPS/ESFAS Actuations............................................................................... 110 4.4 Control System Response to Postulated Spurious Actuations as a Result of a SWCCF in RPS/ESFAS.............................................................................................. 131 4.4.1

[

]............................................... 140 5

DIVERSE ACTUATION SYSTEM (DAS)................................................................................ 146 5.1 Diverse Automatic Mitigating Functions...................................................................... 153 5.2 Diverse Automatic Mitigating Functions [

]........................... 154 5.3 System Level RPS and ESFAS Manual Controls........................................................ 154 5.4 Diverse Process Variable/Alarm Indications................................................................ 158 5.5 Passive Protection Functions Available...................................................................... 163 6

CONCLUSIONS..................................................................................................................... 163 7

ABBREVIATIONS AND ACRONYMS.................................................................................... 166 8

GLOSSARY OF TERMS........................................................................................................ 170 9

REFERENCES....................................................................................................................... 171 APPENDIX A:

GUIDELINE ON THE DETERMINATION OF DIVERSE ACTUATION SYSTEM SETPOINTS FOR TURKEY POINT UNIT 3&4....................................................................... 177

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 6 of 182 List of Tables Page Table 4-1: Signals, Protection, and Safeguards Actions Associated with Turkey Point Unit 3&4 UFSAR Chapter 14 Incidents and Events........................................................................... 36 Table 4-2: Rod Withdrawal from Subcritical Results........................................................................... 45 Table 4-3: Rod Withdrawal at Power Results...................................................................................... 47 Table 4-4: Main Steam Line Break Dose Results................................................................................ 82 Table 4-5: Hot Full Power Rod Ejection Results.................................................................................. 84 Table 4-6: Hot Zero Power Rod Ejection Results................................................................................ 84 Table 4-7: Small Break LOCA Dose Results....................................................................................... 95 Table 4-8: Diversity and Dependencies Among Echelons of Defense............................................... 108 Table 4-9: RPS Spurious Actuation Caused by SWCCF................................................................... 111 Table 4-10: Safety Injection Spurious Actuations Caused by SWCCF.............................................. 112 Table 4-11: Main Feedwater Isolation Spurious Actuation Caused by SWCCF................................. 117 Table 4-12: Steam Line Isolation Spurious Actuations Caused by SWCCF...................................... 119 Table 4-13: Containment Isolation Phase A Spurious Actuation Caused by SWCCF........................ 120 Table 4-14: Containment Isolation Phase B Spurious Actuations Caused by SWCCF...................... 122 Table 4-15: Containment Ventilation Isolation Spurious Actuations Caused by SWCCF................... 124 Table 4-16: Containment Spray Spurious Actuations Caused by SWCCF........................................ 126 Table 4-17: [

] Actuations Caused by SWCCF..................................................................... 130 Table 4-18: NSSS Control System Response to Postulated RPS/ESFAS Tricon SWCCF................ 133 Table 5-1: Chapter 14 Initiating Events, Diverse Indications, and Alternate Mitigation Functions...... 147 Table 5-2: System Level RPS and ESFAS Manual Controls............................................................. 155 Table 5-3: Diverse Process Variable/Alarm Indications..................................................................... 159 Table A-1: [

]........................................................................................................ 179 Table A-2: [

]........................................................................................................... 180 Table A-3: [

]........................................... 181 Table A-4: [

].............................................................................................................................. 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 7 of 182 List of Figures Page Figure 3-1: Overview of Reactor Protection System Architecture........................................................ 23 Figure 3-2: Overview of ESFAS Architecture...................................................................................... 26 Figure 3-3: [

]................................................................................. 28

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 8 of 182 1

EXECUTIVE

SUMMARY

The Turkey Point Nuclear Power Plant Unit 3&4 Reactor Protection System (RPS)/Engineered Safety Features Actuation System (ESFAS)/Nuclear Instrumentation System (NIS) upgrade project is currently being completed by Framatome and Florida Power and Light (FPL) under Contract [1]. The digital upgrade replicates the safety functions currently implemented on the analog equipment. The upgrade design and configuration are based on digital control products designed and manufactured by Framatome and its industry partners. However, the installation of digital-based RPS/ESFAS/NIS systems presents a concern that a postulated Software Common Cause Failure (SWCCF) of a common digital safety platform might propagate across multiple trains and channels such that it defeats the required safety functions. The Diversity and Defense-in-Depth (D3) assessment documented herein demonstrates that there will be sufficient defense-in-depth and diversity to cope with a postulated SWCCF to the Triconex PLC (Tricon) digital platform in the RPS/ESFAS/NIS systems. [

]

[

] The D3 evaluation requires the installation of a non-Tricon based Diverse Actuation System (DAS) that will automatically actuate reactor trip and engineered safety feature functions using a select group of input parameters appropriate for the specific safety function to be accomplished. The non-Tricon based DAS will perform the required actuations following a postulated SWCCF in the Tricon based digital RPS/ESFAS functions concurrent with a Postulated Initiating Event (PIE). Accordingly, the D3 evaluation provides for a D3 solution that is comprised of a DAS augmented by existing non-Tricon based plant equipment that credits: [

]

The Turkey Point D3 report evaluates each applicable Updated Final Safety Analysis Report (UFSAR) Chapter 14 [2] PIE in conjunction with a postulated SWCCF using the guidance provided in Branch Technical Position (BTP) 7-19, Revision 8 [3] and its referenced documents. Each initiating event (single events only) documented in Turkey Point UFSAR Chapter 14 [2] was evaluated by performing an assessment of the deterministic UFSAR results to provide a qualitative assessment of the impact of differences between best estimate conditions (as allowed by BTP 7-19 [3]) and the conservative conditions used in the safety analyses documented in the Turkey Point UFSAR. This approach is referred to as qualitative deterministic methods in this report. Evaluation results are presented in Section 4 and Section 5 for all initiating events analyzed. Table 5-1 provides a summary of results from the qualitative assessment. Several key events were analyzed quantitively and these results are also presented in Table 5-1.

The D3 evaluation concludes that, with the addition of a non-Tricon based DAS and crediting certain existing non-RPS/ESFAS Tricon based plant equipment, the D3 acceptance criteria presented in BTP 7-19 [3] will be met for all evaluated PIEs as discussed in this report. The acceptance of the designated manual actuation times will be determined by plant operators and engineers, as noted by the actions documented in Sections 5 and 6. Overall conclusions are presented in Section 6 of this report.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 9 of 182

[

] In addition, certain diverse, non-RPS/ESFAS Tricon based manual actions and automatic mitigating functions provide additional assistance in meeting the objectives of the D3 analysis. Furthermore, the software for the DAS will be qualified in accordance with the Standard Review Plan (SRP) [10], Section 7.8. These functions will be qualified in accordance with BTP 7-19 [3].

[

] The results of these assessments are described in Section 4.3 and 4.4.

In summary, this Turkey Point Unit 3&4 D3 assessment has followed the applicable guidance provided in BTP 7-19, Rev 8 [3]. Solutions for all transients and accidents when postulating a SWCCF to the RPS/ESFAS Tricon digital platform has been provided as discussed in Sections 4 and 5 of this report. The conclusion section (6) of this report reiterates these findings and provides more details regarding diversity and defense-in-depth.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 10 of 182 2

TURKEY POINT UNIT 3&4 DIGITAL UPGRADE PROJECT 2.1 Scope With the advent of digital technology being implemented as part of safety systems (e.g., the Reactor Protection System and Engineered Safeguard Features Actuation System) in both operating and plants under construction, a concern has been identified that a postulated SWCCF of these software-based safety platforms could propagate across multiple trains and channels in a manner that would defeat the required safety functions. The NRC regulatory guidance for this concern is detailed in BTP 7-19 [3]. FPL is implementing digital technology in the Turkey Point Unit 3&4 RPS and ESFAS. Therefore, Framatome conducted a D3 evaluation and provides documented results herein demonstrating that there will be sufficient defense-in-depth and diversity to cope with a postulated SWCCF to the RPS/ESFAS software based digital platforms.

The guidance within BTP 7-19 [3] is discussed below and demonstrates that, for the replacement digital system, the acceptance criteria of BTP 7-19 [3] are met. However, the D3 solution was accomplished with the addition of a DAS that automatically actuates the required functions using a select group of input parameters. The DAS performs the required actuations upon failure of associated digital RPS/ESFAS functions due to a postulated SWCCF. Furthermore, [

]

The BTP 7-19 [3] guidance and the assessment process are discussed in the following sections of this report. The Tricon based RPS/ESFAS and [

] are discussed from a system architecture level. Details of these architectures, except for [

] are provided in the approved System Architecture Drawing [5].

[

] are provided in FPL Logic Diagram 5613/4-T-L1 sheet 33A/B/C [51]. Diversity between digital platforms is discussed. [

] This is discussed in more detail later in this report to demonstrate consistency with the guidance provided in NUREG/CR-6303 [6].

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 11 of 182 The Diversity and Defense-in-Depth Evaluation is a SAFETY-RELATED document under the Framatome and Turkey Point Unit 3&4 Quality Programs.

2.2 Objectives The objective of the D3 assessment is to eliminate potential vulnerabilities of the RPS/ESFAS upgrade to a postulated RPS/ESFAS SWCCF within these systems by performing a systematic assessment of the proposed architecture. If design features required to mitigate the consequences of a Chapter 14 [2] safety analysis are identified as susceptible to SWCCFs, such vulnerabilities are addressed by one of the following options:

2.3 Regulatory Position The Turkey Point Unit 3&4 RPS/ESFAS upgrade project is being designed and implemented to meet current regulatory requirements and guidance. The portion of the plant that is outside the boundaries of this upgrade is allowed to maintain the pre-existing regulations and guidance requirements as previously approved by the NRC.

Therefore, the upgraded portion and the existing portion of the plant will have two regulatory bases for acceptance. When requirements such as the GDCs and guidance are referenced in this document, it is for the latest published or endorsed version. An early version, if applicable, would be denoted by the year of interest.

Based on experience in previous detailed reviews, the NRC staff has established acceptance guidelines for D3 assessments as described in BTP 7-19 [3]. Further guidance was established through the efforts of the Digital Instrumentation and Control (DI&C) Task Working Group No. 2 on D3 with the development of DI&C-ISG-02

[7], Task Working Group No. 2: Diversity and Defense-in-Depth Issues Interim Staff Guidance, Revision 2.

This interim staff guidance (ISG) was developed with extensive review of D3 issues including both internal review within the NRC and external input through public meetings with representatives from industry, vendors, and the public. In addition, NUREG/CR-6303 [6] was published to provide guidance on certain D3 concerns such as diversity. In summary, while the NRC considers a software common cause failure (SWCCF) in digital systems to be beyond design basis, nuclear Power Plants (NPPs) must be protected against the effects of PIEs with a concurrent SWCCF in the digital protection system.

The following Points 1, 2, 3, and 4 of the NRC position in SRM-SECY-93-087 [8] apply to digital system modifications within operating and new plants, and were used by NRC to develop the D3 assessment guidelines in BTP 719 [3]:

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 12 of 182

1. The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.

2. In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate methods. The vendor or applicant shall demonstrate adequate diversity within the design for each of these events.

3. If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions.

4. A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions.

The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.

Two types of manual initiation of protective functions may be necessary. To satisfy Institute of Electrical and Electronic Engineers (IEEE) Standard (Std) 603-1991 [9], Clauses 6.2 and 7.2, a safety-related means shall be provided in the control room to implement manual initiation of the automatically initiated protective actions at the division level. System level actuation of all divisions also may be used to meet the requirements of IEEE Std 603-1991 [9]. If a D3 analysis indicates that the safety-related manual initiation would be subject to the same potential SWCCF affecting the automatically initiated protective action, then under Point 4 of the BTP-19 NRC position on D3 [3], a diverse manual means of initiating protective action(s) would be needed (i.e., a second manual initiation means would be installed). This diverse manual means may be safety or non-safety. If the system/division level manual initiation required by IEEE Std 603-1991 [9] is sufficiently diverse, a diverse (second) manual system level or division level actuation would not be necessary for the automated protective actions; i.e., if the manual means of initiating protection functions is independent of the postulated SWCCF, a second means is not required.

The intent on requiring system level actuation was to assure that the actuation, however achieved, was possible using a minimum number of controls from within the control room without requiring plant operators to activate or control individual equipment at various locations within the plant. For cases where manual actuation is relied on for PIE mitigation, several documents provide guidance provisions to follow to achieve a safe shutdown condition with a postulated SWCCF to the Protection System concurrent with a Chapter 14 [2] single event. Among the documents containing these provisions are the following:

NUREG-0800, SRP Chapter 18, Revision 3 - December 2016 [10], indicates that responsible personnel should evaluate D3 submittals for compliance with the manual action criteria as shown in Section 3.9 of this report.

NUREG-0800, Appendix 18-A, Crediting Manual Operator Actions in Diversity and Defense-In-Depth Analyses, Final Revision 0, April 2014 [10], states a diversity and defense-in-depth analysis should include the justification of any operator actions that are credited for response to an AOO/PA concurrent with SWCCF as described in BTP 7-19, Revision 8 [3].

RG 1.62 [23] describes one method that is considered acceptable for use in complying with the NRCs regulations concerning the means for manual initiation of protective actions provided (1) by otherwise automatically initiated safety systems; or (2) as a method diverse from automatic initiation.

SECY-18-0090 [24] clarifies that either automatic or manual actuation within an acceptable time frame is a permissible diverse means of actuation. If the D3 assessment demonstrates that a possible SWCCF can be

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 13 of 182 reasonably mitigated by other means (e.g., using other installed systems), a diverse means that performs the same or a different function may not be needed.

American National Standards Institute (ANSI)/American Nuclear Society (ANS 58.8), Time Response Design Criteria for Safety-Related Operator Actions [12].

BTP 7-19 [3] states, when addressing point 3, FP&L may credit a manual operator action as a diverse means to accomplish the same or a different function credited in the D3 assessment or to mitigate spurious operation.

To be creditable, manual operator actions should be performed within a time frame adequate to effectively mitigate the event. In addition, a human factors evaluation process, such as the process outlined in SRP Chapter 18 [10], should show that the proposed manual operator action is both feasible and reliable.

The equipment necessary to perform these actions, including the supporting indications and controls, must be diverse (i.e., not vulnerable to the same sources of SWCCF as the equipment performing the same function within the safety related I&C system). [

]

Manual operator actions for the manual actuation scenarios are based upon, and ultimately included within, the Emergency Operating Procedures (EOPs) abnormal operating procedures, and alarm response procedures. To credit operator actions, an acceptable method is to demonstrate that the manual actions in response to a BTP 7-19

[3] SWCCF are both feasible and reliable, given the time available, and that the ability of operators to perform credited actions reliably will be maintained for as long as the manual actions are necessary to satisfy the defense-in-depth analysis.

What constitutes sufficient diversity is evaluated on a case-by-case basis, considering diversity attributes and attribute criteria that preclude or limit certain types of SWCCF, as documented in NUREG/CR-6303 [6].

Diversity attributes and associated attribute criteria, and a process for evaluating the application provide more objective guidance in answering the diversity question.

This D3 assessment demonstrates compliance, as discussed in BTP 7-19 [3], with the NRC position on D3. Since the acceptance criteria address confirmation that PIEs are mitigated in the presence of SWCCF, the focus of the D3 analyses is on the protection systems (RPS/ESFAS). [

]

The NRC identified four echelons of defense in NUREG/CR-6303 [6]:

Echelon 1

• Control System - The control system echelon usually consists of equipment that is not safety-related, that is used in the normal operation of an NPP, and routinely prevents operations in unsafe regimes of NPP operations.

Echelon 2

• Reactor Trip System - The Reactor Trip System (RTS) echelon consists of safety-related equipment designed to reduce reactivity rapidly in response to an uncontrolled excursion.

Echelon 3

• Engineered Safety Features Actuation System (ESFAS) - The ESFAS echelon consists of safety-related equipment that removes heat or otherwise assists in maintaining the integrity of the three physical barriers to radioactive release (cladding, vessel and reactor coolant system pressure boundary, and primary containment) and the logic components used to actuate this safety-related equipment, usually referred to as the ESF Actuation System (ESFAS), and controls.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 14 of 182 Echelon 4

• Monitoring and Indicator System - The monitoring and indicator system echelon consists of sensors, safety parameter displays, data communication systems, and independent manual controls relied upon by operators to respond to NPP operating events.

The application of defense-in-depth to the I&C system architecture at Turkey Point 3&4 is accomplished by incorporating four echelons of defense as noted above. The concept of the echelons of defense provides multiple systems with independent means to maintain desired operational conditions, prevent accidents, and ensure adequate protection during adverse events (e.g., failures). The original design goal was to maintain as much independence as possible between these four echelons with very little overlay.

The four echelons can be considered to act as one such that their systems can compensate with some overlapping capabilities that achieve the safety objectives of TP 3&4 if one or more of the systems or echelons fail. The means of accomplishing safety objectives for a specific echelon of defense can involve either avoidance of adverse conditions or mitigation of their effects. This echelon dependence is analyzed in Sections 3 and 4 of this report.

2.4 Block Selection

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 15 of 182 2.5 [

]

3 OVERVIEW OF TURKEY POINT DIGITAL CONTROL SYSTEM ARCHITECTURE 3.1 Turkey Point Power Plant Digital Control System (DCS)

To assist in performing a D3 evaluation, a discussion of the Turkey Point Unit 3&4 I&C architecture is provided below. [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 16 of 182 3.2 DAS Qualification Criteria NUREG-0800 Section 7.8 [10] describes the review process and acceptance criteria for the DAS and equipment provided for the purpose of protecting against potential common-cause failures of protection systems. This includes a diverse actuation system (DAS) that is provided solely for the purpose of meeting the NRC position on D3. Additional criteria are defined in BTP 7-19 [3].

Specific criteria that DAS will meet are:

Quality Environment Seismic Software Power Source Testing

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 17 of 182 EMI/RFI Qualification 3.3 Tricon Quality The Tricon is a mature commercial PLC that has demonstrated more than thirty years of safe and reliable operation in safety critical applications. High reliability and system availability are achieved through the triple-modular-redundant (TMR) architecture. The TMR design enables the Tricon system to be highly fault tolerant, to identify and annunciate faults, and to allow online replacement of faulty modules to prevent overall process failure. These features are desirable characteristics of a nuclear safety system, and hence there has been substantial interest in the industry in generic qualification of the Tricon PLC.

The Tricon equipment incorporates several design measures for error avoidance and fault tolerance that both prevent and minimize the consequences of a postulated Tricon software failure. [

] Moreover, the Tricon based control system minimizes the potential for spurious safety system actuation.

The Tricon system was designed as a safety-critical system, and all aspects of its design are based on a thorough engineering evaluation of potential failure modes, confirmed by substantial testing. All new or revised hardware designs are tested by physically injecting faults and verifying proper error detection. All new or revised software is also tested for backwards compatibility with prior versions of the Tricon system. Throughout its life cycle, a quality assurance program and documented development process has been in place to control the design, verification and validation, and configuration management of the system (including both hardware and software).

Demonstration of high quality, robust design, and accurate performance has been required from the first version of the Tricon system because of the safety-critical nature of the applications in which it is used. Qualification of the system for use in safety-critical systems has required evaluation by various safety certification agencies, including Factory Mutual and TÜV Rhineland. The Framatome commitment to support the nuclear power industry is a natural extension of corporate history.

EPRI Technical Report (TR)-107330 [16] guidance is intended for qualifying a Programmable Logic Controller (PLC) as a replacement for specific segments of safety systems at existing facilities (for example, using a PLC to perform reactor protection system functions). The envisioned application is to place one or more PLCs in the control logic portion of each channel, division, or train of existing safety actuation systems to perform control actions that are currently performed using electro-mechanical devices, analog circuitry, and loop controllers. In this type of application, the disruption of existing separation and isolation is minimal which, in turn, minimizes the impact of the replacement on the current licensing basis for these systems.

EPRI TR107330 [16] provides generic guidance for qualifying commercial PLCs for use in safety-related applications in nuclear facilities. It defines the essential technical characteristics (e.g., input and output point requirements, scan rates, software features, etc.) that must be included to cover the needs of facility safety applications. Process-oriented considerations, including system and software development and quality assurance, are addressed in this specification primarily by reference to published standards and guidelines. The process-oriented guidance is provided as a means of achieving adequate software and systems quality for safety-related applications. This guidance was followed and met by the Tricon design.

Note that the Tricon V10 PLC system is a successor to the Tricon V9 system, which was qualified and approved for nuclear safety-related use in nuclear facilities by the NRC in a 2001 Safety Evaluation Report [17]. The Tricon

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 18 of 182 V10 includes the enhanced Main Processor module (model 3008N), the Next Generation Differential Analog Input (NGAID) module, the next generation Digital Output (NGDO) module, SMT (Surface Mount Technology) versions of previously qualified I/O modules, and the Tricon Communication Module (TCM). Also included are power supplies with new DC-DC converters and external termination assemblies (ETAs) with Electromagnetic Compatibility (EMC) enhancements. The new modules were evaluated in the SER for the approved Triconex Topical Report 7286-545-1 Rev 4 [18].

The Tricon V10 has been qualified on a generic basis to provide utilities and other users with a platform that has been shown to comply with the applicable requirements for digital safety systems. Compliance with the applicable requirements is defined in terms of a qualification envelope. This envelope defines the range of conditions within which the Tricon V10 meets the acceptance criteria. In applying the Tricon V10 to a specific safety-related application, the user must confirm that the qualification envelope bounds the facility-specific requirements. Additional guidance on use of the Tricon system in safety-related applications is provided in the Tricon Application Guide, Appendix B [19]. A comparison of the Tricon V10 qualification to the EPRI TR-107330 [16] requirements is documented in Appendix A [20].

The generic qualification of the Tricon V10 encompasses both the hardware and the software used in the system.

The Tricon system was described in Triconex Topical Report Document No. 7286-545, Revision 4 [21]. The description included termination assemblies, chassis, power supplies, main processor modules, communication modules, input/output modules, signal conditioners, and interconnecting cabling. The specific Tricon modules selected for qualification are defined in the Master Configuration List [22]. These modules provide the functionality that is typically required for safety-related control and protection systems in nuclear facilities. The Tricon software that has been qualified includes the embedded real time operating system and its associated communication and input/output modules, and the PC-based system configuration software, TriStation 1131. The process of qualifying the Tricon V10 has involved technical evaluations and qualification tests as type tests.

The Tricon Nuclear Qualification Project was initiated to qualify the Tricon V10 in accordance with EPRI TR-107330 [16] guidance. Quality assurance requirements and special procedures that were unique to the Tricon V10 Nuclear Qualification Project are described in Triconex Topical Report (Document No. 7286-545-1, Page: 8 of 113, Revision 4, 12/20/10 [21]), documented in the Framatome Turkey Point Unit 3&4 [

]

Replacement Project Quality Plan [25]. The major activities completed as part of this project include the following:

Identifying the specific PLC modules and supporting devices to be qualified. This hardware was integrated in a complete test system that was intended to demonstrate capabilities typical of various nuclear safety systems.

Developing an application program to support the required testing. The Test Specimen Application Program (TSAP) was developed to simulate operation of the Tricon in typical nuclear facility applications.

Development, including verification and validation (V&V) of the TSAP, was done in accordance with the Quality Assurance (QA) QSPDS program and a project-specific Software QA Plan.

Specifying the set of qualification tests to be performed on the test specimen, including defining a set of operability tests to be performed at suitable times in the qualification process. Operability tests are required to determine the baseline system performance and to demonstrate satisfactory system operation under the stresses applied during qualification testing.

Performing the qualification tests and documenting the results. Results of these tests define the qualification envelope and form the basis for the application guidance.

The design for the application software for Tricon follows the same NRC approved process as the operating system software. This process follows the NRC software development guidance described in the Standard Review Plan (SRP), NUREG-0800 Chapter 7 [10], and associated Regulatory Guides and standards, as addressed below.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 19 of 182 Framatome will perform other technical evaluations as needed to demonstrate compliance with regulatory requirements and other technical guidance in EPRI TR-107330 [16]. Evaluation of the embedded operating system and programming software is documented in the Turkey Point Unit 3&4 [

] Project Quality Plan [25], the Invensys Operations Management Software Qualification Report [97], and all associated project plans as follows:

Framatome Doc. No. 102-9321586, Rev. 003 [74], Turkey Point Unit 3&4 [

] Project Management Plan (PMP)

Framatome Doc. No.158-9324081, Rev. 002, [75], Turkey Point Unit 3&4 [

] Software Development Plan (SDP)

Framatome Doc. No. 09-9321605, Rev. 000 [76], Turkey Point Unit 3&4 Software Quality Assurance Plan (SQAP)

Framatome Doc. No. 136-9321606, Rev. 001 [77], Turkey Point Unit 3&4 Software Verification and Validation Plan (VVP)

Framatome Doc. No. 158-9321019, Rev. 000 [78], Turkey Point Unit 3&4 [

] Software Configuration Management Plan (SCMP)

Evaluation of the embedded operating system and programming software is documented in the Invensys Operations Management Software Qualification Report [97]. A failure modes and effects analysis evaluating the effects of component failures on Tricon operation is provided in Reference 26. Reference 27 documents an analysis of Tricon system reliability. Reference 28 provides a summary of the accuracy specifications for the Tricon system for use in calculating instrument measurement uncertainties and establishing critical control setpoints.

In summary, the Tricon digital platform offers the following factors that illustrate its proven quality:

Adherence to appropriate software standards including IEEE 1012 [43], which institutes independent V&V.

High quality software development practices and ensuing assurance of high quality.

Fault detection capability.

Failure management techniques.

Internal triplicated redundancy.

Diagnostic capabilities.

Maturity of the Tricon with significant operating history without operational software failure.

Formal review by NRC resulting in Tricon platform approval.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 20 of 182 3.4 Control System - Echelon 1 The control echelon includes control systems that are responsible for maintaining plant process variables within the limits assumed in the Turkey Point UFSAR Chapter 14 [2] safety analyses. A reliable control system is the best approach to plant safety because these systems limit the plant excursions before safety system action is necessary, which is proven at Turkey Point Unit 3&4 after many years of operation. The main function of these non-safety control systems is to actuate the automatic control and monitoring task when the power plant is in normal operation. Additionally, the non-safety control and monitoring systems also actuate the control and monitoring equipment after an accident to aid in achieving a safe shutdown condition (hot shutdown and an eventual cold shutdown condition). [

]

UFSAR Section 7.5 [2] provides examples of control systems (non-safety) placed in Block 2 and available for mitigation purposes using the BTP 7-19 best estimate criteria.

Generally, the operator conducts monitoring and control on the system using the non-safety information and control systems. When the non-safety control system is not available, the operator will monitor functions on the emergency control panel and can initiate reactor trip and ESFAS actuations by using system level manual controls on the MCB.

An evaluation was performed to determine the plant responses due to the above control system failures resulting from their dependencies on the RPS/ESFAS Tricon software upon a SWCCF. The impact of the SWCCF of these control signals is analyzed in Section 4.4.1.1 for the Fail-As-Is category, Section 4.4.1.2 for the Fail Low category, and Section 4.4.1.3 for the Fail High category.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 21 of 182 3.5 Reactor Protection System - Echelon 2 Section 7.2 of the Turkey Point Unit 3&4 UFSAR [2] describes the automatic RPS functions including the manual actuation functions associated with the RPS. The Reactor Protection Systems, including the logic functions, are being replaced with Tricon PLCs as indicated earlier in this report.

The following Turkey Point Unit 3&4 variables are required to be monitored to provide plant protection:

Pressures Flow Level Temperature Flux RCP Electrical

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 22 of 182 3.5.1 Reactor Trip Functions By monitoring the variables noted above, the RPS will consist of the following Reactor Protection System trip functions, which are Tricon based except for the manual trip per UFSAR Table 7.2-1 [2]:

The high-level architecture for RPS is shown in Figure 3-1 below. The figure shows the RPS portion of the Tricon Protection Logic and Voting Logic in the [

] digital replacement architecture.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 23 of 182 Figure 3-1: Overview of Reactor Protection System Architecture 3.6 ESFAS - Echelon 3 ESFAS is Echelon 3 as discussed in the D3 guidance. Chapter 7 of the Turkey Point Unit 3&4 UFSAR [2]

describes the ESFAS and its vital support systems.

The following generating station conditions require the actuation of engineered safeguards systems:

1. Loss of normal feedwater

2. Loss of AC power (station blackout)

3. Steam line break

4. Rod Control Cluster Assembly (RCCA) ejection

5. Loss of coolant accident (LOCA)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 24 of 182

6. Steam generator tube rupture

7. Feedwater Line Break

8. Accidental Depressurization of RCS Upon automatic actuation of engineered safety features, the following variables are required to be monitored for mitigating the plant condition:

1. Ruptures in primary system piping including reactor coolant pipes:

a. Pressurizer pressure

b. Containment pressure

2. Steam generator tube rupture:

a. Pressurizer pressure

3. Secondary system steam piping breaks:

a. Pressurizer pressure

b. Steam Generator pressure

c. Steam line differential pressure

d. Steam line flow

e. Containment pressure

f. RCS loop hot and cold leg temperatures (wide range)

4. Secondary system feedwater piping breaks:

a. Steam generator water level

b. Pressurizer pressure

c. Containment pressure 3.6.1 Engineered Safeguard Actuation System Functions The ESFAS logic functions are being replaced with Tricon PLCs as indicated earlier in this report. The ESFAS automatic actuation functions are as follows:

1. Low Pressurizer Pressure Safety Injection (SI) Actuation

2. High Steam line Differential Pressure SI Actuation

3. High Steam line Flow Coincident with (Low Steam Generator Pressure OR Low Tavg) SI Actuation

4. High Containment Pressure SI Actuation

5. High Containment Pressure AND High-High Containment Pressure Containment Isolation Phase B and Containment Spray Actuation

6. Containment Isolation Phase A on SI Actuation

7. Containment Ventilation Isolation on SI Actuation or High Containment Radiation

8. Steam Line Isolation on High Containment Pressure AND High-High Containment Pressure

9. Steam Line Isolation on High Steam Line Flow AND (Low Steam Generator Pressure OR Low Tavg)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 25 of 182

10. Main Feedwater Isolation on High-High Steam Generator Level

11. Main Feedwater Isolation on SI Actuation These ESFAS echelon functions include those protection functions that actuate the ESFAS that assist in maintaining the integrity of the fission-product barriers (cladding, reactor coolant system boundary, and primary containment boundary). The ESFAS functions and actuation signals including isolation (and the corresponding process instrument variable inputs) are listed in UFSAR Table 7.2.1 and 7.2-2 [2]. [

]

The manual ESFAS system-level controls include the following:

1. Manual SI Actuation (2 controls)

Note: SI manual actuation controls are routed through the Emergency Bus Load Sequencer.

2. Manual Steam Line Isolation (one per loop)

3. Manual Containment Isolation Phase A (2 controls)

4. Manual Containment Isolation Phase B (2 controls)

The following systems are ESFAS support systems:

1. Component Cooling Water System

2. Intake Cooling Water (ICW) Supply System

3. Electrical Power Distribution Systems (part)

4. Essential HVAC Systems (safety-related)

While not classified as ESFAS, the following systems are safety shutdown systems or other necessary systems which are also part of Echelon 3 and are discussed in various sections in the Turkey Point Unit 3&4 UFSAR [2].

They are listed below with their respective Sections.

1. Chemical and Volume Control (Section 9.2)

2. Residual Heat Removal (Section 6.2)

3. Auxiliary Feedwater (Section 9.4)

4. Emergency Diesel Generator Unit (Section 8.2)

5. Atmospheric Steam Discharge (ASD) Valve (Section 14.1.11)

The high-level architecture that depicts the ESFAS is shown in Figure 3-2, below. This figure shows the ESFAS portion of the Tricon Protection Logic and Voting Logic in the [

] digital replacement architecture.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 26 of 182 Figure 3-2: Overview of ESFAS Architecture 3.7 Manual and Indication - Echelon 4

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 27 of 182 The Turkey Point Unit 3&4 upgraded I&C design processes monitoring information through the RPS/ESFAS platform input modules and to the control board indicators through digital-to-analog (D/A) converters. The manual control and monitoring information required for meeting the BTP 7-19 guidelines is established during each event analysis as discussed in the following sections of this report. [

]

Turkey Point Unit 3&4 UFSAR [2] Section 7.5 (individual system discussions are in UFSAR Sections 7.2, 7.3, 7.4, 7.6, 7.7, and 7.8) discusses the monitoring and indication echelon in more detail. [

] Manual control is discussed throughout Turkey Point Unit 3&4 UFSAR Chapter 7.

This D3 evaluation encompasses all systems described above [

]. The purpose of this D3 qualitative and quantitative evaluation performed in Section 4 is to demonstrate that, for the proposed Turkey Point Unit 3&4 upgrade I&C architecture, adequate diversity and defense-in-depth is provided in the design approach to satisfy the regulatory requirements and guidance established by the NRC. If concerns are identified during this evaluation, additional evaluations/analyses are performed to determine the required diverse functions such that BTP 7-19 guidance is met.

3.8 [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 28 of 182 Figure 3-3: [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 29 of 182 3.9 Digital Diversity Evaluation within the Turkey Point Unit 3&4 I&C Architecture When a SWCCF is postulated to occur in the Tricon platform in RPS, and ESFAS, which most likely would affect both the primary and backup functions, it may fail to operate properly. [

]

The six different forms of diversity as discussed in NUREG/CR-6303 [6] and below are as follows:

1. Design Diversity

2. Equipment Diversity

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 30 of 182

3. Software Diversity

4. Functional Diversity

5. Signal Diversity

6. Human Diversity

[

] If an analysis identifies the need for diversity to address a potential SWCCF in safety systems, the applicant addresses the SWCCF vulnerability

[

] A fundamental acceptance criterion recognized in NUREG/CR-6303 [6] and BTP 7-19 [3] is the inclusion of a DAS for actuating safety functions where necessary.

3.9.1 Foxboro I/A Diversity NUREG/CR-6303 [6] states that where equipment diversity is limited, then software diversity coupled with either functional diversity or signal diversity be used to demonstrate that the systems being analyzed are diverse

[NUREG/CR-6303, Section 3.2.7 [6)). Therefore, we will describe the significant design diversity, equipment diversity, functional diversity, signal diversity, human diversity, and software diversity that provide the basis for our evaluation that the RPS/ESFAS Tricon and Foxboro I/A are diverse and functionally independent in meeting the criteria of NUREG/CR-6303 [6]. Each attribute is evaluated below.

1. Design diversity criteria are as follows:

a. Different technologies

b. Different approaches within a technology

c. Different architecture The Tricon and Foxboro I/A platforms meet the design diversity requirements, based on the following:

a. The Tricon technology was developed for highly critical oil and gas applications by a different firm (TRICONEX) which was later absorbed by Invensys, Inc., Schneider Electric Systems, and finally Framatome. The Foxboro I/A technology was developed internally by Invensys as an evolutionary development from their SPEC 200 and SPEC 200 MICRO equipment lines. Schneider is now the owner and manufacturer for the Foxboro I/A line of equipment. The design of the Tricon and Foxboro I/A are radically different based on their evolution and process applications.

b. As discussed above, two different companies developed the Tricon, and Foxboro I/A based on their internal needs assessment on approach to the industry. Additionally, in the late 1990s a major effort was begun to qualify the Tricon to nuclear safety-related standards with application to the NRC for certification as a Class 1E certified platform. This effort was not undertaken for the much more commercially available Foxboro I/A.

c. The architecture of the Tricon, as a triple-redundant microprocessor based on IEC 1131 [34] function block logic, is significantly different from the Foxboro I/A logic and equipment. Additionally, the Tricon was successfully put through the qualification process for NRC certification and was approved in December 2001 [35]. The V10 Tricon was approved in SER ML12146A010 [18] in 2012.

2. Equipment diversity criteria are as follows:

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 31 of 182

a. Different manufacturers of fundamentally different designs

b. Same manufacturer of fundamentally different designs

c. Different manufacturers making the same design

d. Different versions of the same design The Tricon and Foxboro I/A platforms meet the equipment diversity requirements.

As described above, the Tricon and Foxboro I/A were developed by two separate companies and reached mature commercialization with widespread use in industry. In addition, the Tricon was qualified to meet NRC certification in accordance with EPRI TR-107330 [16] in December 2001. Even after the merger of TRICONEX with Invensys, Inc, separate divisions oversaw the development and implementation of the Tricon and the Foxboro I/A. The two product lines are now owned by two different companies as discussed earlier. As a result, the two designs clearly meet the equipment diversity requirements.

3. Software Diversity criteria are as follows:

a. Different algorithms, logic, and program architecture

b. Different timing, order of execution

c. Different operating system

d. Different computer language The Tricon and Foxboro I/A platforms meet the software diversity requirements. For software diversity, each of these digital systems have different algorithms, logic, and program architecture as well as different timing, order of execution, and a different operating system. The Tricon uses a C+ language incorporated into a TriStation 1131 programming tool. The Foxboro I/A uses a Unix-based operating system using Foxview and Foxdraw software configuration tools to configure blocks for the needed purpose. Totally different development processes were incorporated by the two separate companies in developing and commercializing these products.

4. Functional diversity criteria are as follows:

a. Different underlying mechanism (e.g., rod insertion versus boron poisoning)

b. Different purpose, function, control logic, or actuation means

c. Different response time scale There is diversity between the operational functions associated with the Tricon based systems and the Foxboro I/A based control systems. The operation characteristic and the underlying mechanism of the Foxboro I/A based control systems are quite different when compared to the Tricon based systems. This is also true for the purpose, the function, the logic, and the actuation means for the systems associated with these two platforms, as defined by the criteria in NUREG/CR-6303 [6].

5. Signal diversity criteria are as follows:

a. Different reactor or process parameters sensed by different physical effects

b. Different reactor or process parameters sensed by the same physical effect

c. Same reactor or process parameters sensed by a redundant set of similar sensors NUREG/CR-6303 [6] also states that the standard for independence between the safety and control systems is that they must differ significantly in parameters, dynamics, and logic. The actuation logic for

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 32 of 182 the Foxboro I/A based control systems is significantly different than the actuation logic for the Tricon based safety systems. There is ample diversity in this area for functions between the Tricon based systems and the Foxboro I/A based systems. With diversity credit given for the other criteria, there remains ample diversity between Tricon and Foxboro I/A even if signal diversity for all cases is not available.

6. Human diversity criteria are as follows:

a. Different design organizations

b. Different engineering management team within the same company

c. Different designers, engineers, or programmers

d. Different testers, installers, or certification personnel The design diversity discussed above also applies to human diversity when the actual application of the systems is analyzed. Adequate human diversity is evident between the Tricon based systems and the Foxboro I/A based systems. As discussed above, two separate companies developed the Tricon architecture and the Foxboro I/A architecture. The functional structure of development, implementation, and delivery of these two separate products have remained largely independent with the highly skilled technical staff that matured with each design type staying with that design type (Tricon or Foxboro I/A).

NUREG/CR-6303 [6] states in part that two digital systems with different computer equipment (equipment diversity) made by different manufacturers (human diversity) would be considered diverse provided there is some functional diversity and signal diversity or some software diversity. There is complete equipment diversity since the two systems are so dissimilar, and human diversity since the manufacturers of the two systems are different, although within the same overall company structure at one time (Invensys Inc.). Now, two different companies own these two product lines. Of course, there is also design diversity in that the two systems have completely different software and hardware architectures. However, the design approach taken for both are similar since both designs are digital based. For software diversity, the two digital systems have different algorithms, logic, and program architecture as well as different timing, order of execution, and a different operating system.

3.9.2 Manual Operator Action

[

] For cases where manual actuation is relied on for event mitigation, several documents provide guidance provisions to follow to gain a safe shutdown condition given a SWCCF to the [

] concurrent with a single Chapter 14 [3] PIE. These documents were delineated in Section 2.3 of this report.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 33 of 182 Manual operator actions for these scenarios will be based upon, and ultimately included within, the Emergency Operating Procedures (EOPs) and executed from the main control room (MCR). To credit operator actions, an acceptable method would be to demonstrate that the manual actions in response to a BTP 7-19 SWCCF are both feasible and reliable, given the time available, and that the ability of operators to perform credited actions reliably will be maintained for as long as the manual actions are necessary to satisfy the defense-in-depth analysis.

The time available for manual actions is based upon the methods and criteria prescribed in BTP 7-19. The time required for operator action is estimated and validated using the guidance of SRP Chapter 18 [10]. To demonstrate that the manual actions are both feasible and reliable, and that the ability to perform the actions reliably within the time available is maintained, Framatome and FPL must follow a process of analysis, validation, and long-term monitoring consistent with SRP Chapter 18 [10].

SRP Chapter 18, Appendix A, Section 1A [10] states in part:

The basis for the specific time margin used in the analysis should be justified and documented.

Insights from the HFE program, especially the OER and Human Reliability Analysis, should be used. The identification of potential errors, error detection methods, and error recovery paths in event trees may be used to provide estimates of how much margin should be added to the operator response time estimates.

For complex situations and for actions with limited margin, such as less than 30 minutes between time available and time required, a more focused staff review will be performed.

Credited manual operator actions and their associated interfaces (controls, displays, and alarms) must be specifically addressed in the Turkey Point Unit 3&4 HFE Program. FPL will include the proposed defense-in-depth coping actions in an HFE Program consistent with that described in NUREG-0711, Human Factors Engineering Program Review Model, [11] and to provide the results of the HFE Program to the NRC prior to implementation of the proposed action(s).

For these cases, FP&L must demonstrate through a suitable human factors engineering (HFE) analysis that manual operator actions that can be performed inside the control room are acceptable in lieu of automated backup functions. SRP Chapter 18, Revision 3 - December 2016 [10], shows that the responsible personnel will evaluate D3 submittals for compliance with the following manual action criteria:

Acceptable methods for deriving analysis time estimates for individual task components include but are not limited to:

Operator interviews and surveys Operating experience reviews Software models of human behavior, such as task network modeling Use of control/display mockups

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 34 of 182 Expert panel elicitation American National Standards Institute (ANSI)/American Nuclear Society (ANS 58.8), Time Response Design Criteria for Safety-Related Operator Actions [12]

4 INTRODUCTION TO SAFETY ANALYSIS Event classification and acceptance criteria for the Turkey Point UFSAR safety analyses is based on ANS-51.1/N18.2-1973 [42]. Alignment between the acceptance defined in Reference 42 and BTP 7-19 [3] is defined below.

If a postulated SWCCF can disable a safety function, BTP 7-19 [3] of the Standard Review Plan requires a diverse means, not subject to the same SWCCF, to perform the same function or a different function. It specifies credit may be taken for any diverse system that performs the safety function or operator action; however, sufficient time must be available for the operator to diagnose the event and initiate action to protect the safety function. Therefore, the Turkey Point UFSAR Chapter 14 [2] safety analyses must be evaluated with respect to a potential SWCCF and the need to provide diverse means to protect the health and safety of the public. Section B.3.3 of BTP 7-19 specifically identifies the following acceptance criteria applicable to the plants accident analyses:

If the acceptance criteria below are met, the reviewer should conclude that the application shows that the consequences of potential CCFs of the proposed system or of portions of the proposed system are acceptable.

The acceptance criteria are as follows:

a. For those postulated spurious operations that have not been fully mitigated or eliminated from further consideration, the consequences of spurious operation of safety-related or NSR components are bounded by the acceptance criteria defined in the UFSAR or the LAR.

b. For each AOO in the design basis that occurs concurrently with the CCF, the plant response, calculated using realistic or conservative assumptions, does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values, or in violation of the integrity of the primary coolant pressure boundary.

c. For each PA in the design basis that occurs concurrently with each single postulated CCF, the plant response, calculated using realistic or conservative assumptions, does not result in radiation release exceeding the applicable siting dose guideline values, in violation of the integrity of the primary coolant pressure boundary, or in violation of the integrity of the containment.

Postulated Spurious Operations that have not been Fully Mitigated (Item a)

Item a is not applicable to this D3 report because all spurious operations have been fully mitigated or eliminated from further consideration.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 35 of 182 Anticipated Operational Occurrences (Item b)/ANS Condition II Events Reactor Coolant System Overpressure: The primary reactor coolant system must not exceed a pressure of 3215 psia, consistent with the ASME Boiler and Pressure Vessel Code Service Level C stress limit criterion

[37] and the Turkey Point UFSAR Section 14.1.15 [2] ATWS analysis criterion.

Radiological Dose: Demonstration that fuel failure is precluded through the application of a minimum Departure from Nucleate Boiling ratio (mDNBR) criterion and subsequently ensures that the Regulatory Guide 1.183 [91] limits are not exceeded.

The mDNBR must be maintained above the correlation limit value associated with the fuel product implemented in the Turkey Point plant, which may be demonstrated through evaluation concluding that the UFSAR [2] result remains bounding.

Postulated Accidents (Item c)/ANS Condition III & IV Events Reactor Coolant System Overpressure: The primary reactor coolant system must not exceed a pressure of 3215 psia, consistent with the ASME Boiler and Pressure Vessel Code Service Level C stress limit criterion

[37] and the Turkey Point Unit 3&4 UFSAR Section 14.1.15 [2] ATWS analysis criterion.

Radiological Dose: Demonstration that the fuel failure rate associated with the supporting dose analysis is not exceeded based on best estimate analysis ensures that the radiological consequences of the current licensing basis are not exceeded and subsequently ensures that the Regulatory Guide 1.183 [91] limits are not exceeded.

For Chapter 14 Postulated Accidents in which the licensing basis analysis does not result in fuel failure, the results of the analysis must be demonstrated to be bounded by the licensing basis results. Alternately, for events relying on a mass release, such as main steam line break, the resultant dose analysis must be maintained within the Regulatory Guide 1.183 limits.

4.1 UFSAR Chapter 14 Accidents and Events Table 4-1 presents Turkey Point Units 3&4 Transients and Accidents showing primary protection and secondary protection for each transient and accident. Credited systems that are Tricon based have been described in Section

3.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 36 of 182 Table 4-1: Signals, Protection, and Safeguards Actions Associated with Turkey Point Unit 3&4 UFSAR Chapter 14 Incidents and Events UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.1.1 Uncontrolled RCCA Withdrawal from a Sub-Critical Condition II

• Manual Action

• Reactor Trip

• Source Range High Neutron Flux

• Intermediate Range High Neutron Flux

• Power Range High Neutron Flux (Low and High Setting) 14.1.2 Uncontrolled RCCA withdrawal at Power II

• Manual Action

• Reactor Trip

• PSVs

• MSSVs

• Power Range Neutron Flux

• Overtemperature T

• Overpower T

• High Pressurizer Pressure

• High Pressurizer Water Level 14.1.3 Malpositioning of the Part Length Rods (not part of Licensing Basis)

N/A N/A N/A 14.1.4 Rod Cluster Control Assembly Drop II

• Manual Action

• Reactor Trip

• PSVs

• MSSVs

• Low Pressurizer Pressure

• Overtemperature T

• Power range neutron flux reactor trip, low and high setpoints (modes 1 and 2)

• Source range reactor trip (mode 2) 1 The protective signals reflected in Table 4-1 represent the protective functions typically credited in the safety analyses. Additional protective features may be implemented in the plant and discussed in each respective description of accident protection available for each event discussed in the subsections of Section 4.1.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 37 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.1.5 Chemical and Volume Control System Malfunction II

• Manual Action

• Reactor Trip

• Indication of the boric acid and blended flow rates (All Modes)

• CVCS pump status lights (All Modes)

• High flux at shutdown alarm (Modes 3-6)

• Indicated/audible increase in source range neutron flux count rate (Modes 3-6)

• Source range reactor trip (Mode 2)

• Axial flux difference alarm (mode 1)

• Control rod insertion limit low and low-low alarms (Modes 1 & 2)

• Overtemperature T alarm, turbine runback and reactor trip (Mode 1)

• Power range neutron flux, low and high setpoints (Modes 1 & 2) 14.1.6 Startup of an Inactive Reactor Coolant Loop (not part of Licensing Basis)

N/A N/A N/A 14.1.7 Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident II

• Manual Action

• Feedwater Isolation

• Safety Injection

• Reactor Trip

• High-High Steam Generator Level

• Low Pressurizer Pressure

• Power range neutron flux

• Overpower T

• Overtemperature T 14.1.8 Excessive Load Increase Incident II

• Reactor Trip

• Overtemperature T

• Power range high neutron flux

• Low pressurizer pressure

• Overpower T

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 38 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.1.9 Loss of Reactor Coolant Flow 14.1.9 Partial Loss of Forced Reactor Coolant Flow II

• Manual Action

• Reactor Trip

• Low primary coolant loop flow

• RCP undervoltage

• RCP underfrequency

• RCP circuit breaker opening 14.1.9 Complete Loss of Forced Reactor Coolant Flow III

• Manual Action

• Reactor Trip

• Low primary coolant loop flow

• RCP undervoltage

• RCP underfrequency

• RCP circuit breaker opening 14.1.9 Locked Rotor Accident IV

• Manual Action

• Reactor Trip

• Low primary coolant loop flow 14.1.10 Loss of External Electrical Load II

• Manual Action

• Reactor Trip

• PSVs

• MSSVs

• AFW

• High pressurizer pressure

• Overtemperature T

• High pressurizer water level

• Low-low steam generator water level 14.1.11 Loss of Normal Feedwater Flow II

• Manual Action

• Reactor Trip

• PSVs

• MSSVs

• AFW

• High pressurizer pressure

• Overtemperature T

• High pressurizer water level

• Low-low steam generator water level

• Any safety injection signal

• Trip of all main feedwater pumps on either unit.

• AMSAC Actuation

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 39 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.1.12 Loss of Non-Emergency A-C Power to Plant Auxiliaries II

• Manual Action

• Reactor Trip

• PSVs

• MSSVs

• AFW

• Safety Injection

• Low-low steam generator water Level

• Any safety injection signal

• Trip of all main feedwater pumps on either unit.

• AMSAC Actuation

• Manual Actuations 14.1.13 Turbine Generator Design Analysis NA NA NA 14.1.14 Accidental Depressurization of the Reactor Coolant System II

• Manual Action

• Reactor Trip

• Safety Injection

• Overtemperature T

• Low pressurizer pressure 14.1.15 Anticipated Transient Without SCRAM Beyond Design Basis

• Manual Action

• AMSAC Rx Trip

• AMSAC AFW

• PSVs

• MSSVs

• AMSAC Low Steam Generator Water Level 14.2.4 Steam Generator Tube Rupture III

• Manual Action

• Reactor Trip

• Safety Injection

• AFW

• Feedwater Isolation

• Steam Line Isolation

• Overtemperature T

• Low pressurizer pressure

• Low-low steam generator water Level

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 40 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.2.5 Rupture of a Steam Pipe 14.2.5.1 Inadvertent Opening of a Steam Generator Relief or Safety Valve II

• Manual Action

• Reactor Trip

• Safety Injection

• Accumulators

• Feedwater Isolation

• Steam Line Isolation

• Low pressurizer pressure

• Low-low steam generator water Level 14.2.5.2 Steam System Piping Failure at Hot Zero Power IV

• Manual Action

• Safety Injection

• AFW

• Feedwater Isolation

• Steam Line Isolation

• Low pressurizer pressure

• Low steam generator water Level

• High steam flow w/ low steam pressure

• High steam flow w/ low average reactor coolant temperature

• High Containment Pressure

• High Containment Rad Monitor 14.2.5.2 Steam System Piping Failure at Full Power IV

• Manual Action

• Reactor Trip

• Safety Injection

• AFW

• Feedwater Isolation

• Steam Line Isolation

• Overtemperature T

• Overpower T

• Power range high neutron flux

• Low pressurizer pressure

• High steam flow w/ low steam pressure

• High steam flow w/ low average reactor coolant temperature

• High Containment Pressure

• High Containment Rad Monitor 14.2.6 Rupture of a Control Rod Mechanism Housing -RCCA Ejection IV

• Reactor Trip

• PSVs

• MSSVs Power range high neutron flux

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 41 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.2.7 Feedwater System Pipe Break IV

• Manual Actions

• Reactor Trip

• Safety Injection

• AFW

• Feedwater Isolation

• Steam Line Isolation

• High pressurizer pressure

• High pressurizer water level

• Overtemperature T

• Low-low steam generator water Level

• Low pressurizer pressure

• High steam flow w/ low steam pressure

• High steam flow w/ low average reactor coolant temperature

• Steam flow/feedwater flow mismatch coincident with low SG water level

• High Containment Pressure 14.3.2 Loss of Coolant Accident 14.3.2.1 Best-Estimate Large Break Loss of Coolant Accident (BE-LOCA)

Analysis IV

• Manual Action

• Safety Injection

• Accumulators

• AFW

• Feedwater Isolation

• Steam Line Isolation

• Containment Isolation

• Containment Spray

• Fan Coolers

• Low pressurizer pressure

• Low-low steam generator water Level

• High containment pressure

• High containment rad monitors

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 42 of 182 UFSAR Section Event ANS Condition RTS and ESFAS Actuations Protective Signals1 14.3.2.2 Small Break LOCA (Small Ruptured Pipes or Cracks in Large Pipes) Which Actuate the Emergency Core Cooling System IV

• Manual Action

• Reactor Trip

• Safety Injection

• MSSVs

• AFW

• Feedwater Isolation

• Steam Line Isolation

• Containment Isolation

• Low pressurizer pressure

• Low-low steam generator water Level

• High containment pressure

• High containment rad monitors

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 43 of 182 4.1.1 (UFSAR 14.1.1) Uncontrolled RCCA Withdrawal from a Sub-Critical Condition Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.1, Uncontrolled RCCA Withdrawal from a Subcritical Condition.

The event is defined as an uncontrolled addition of reactivity to the reactor core caused by withdrawal of one or more RCCA banks, resulting in a power excursion. Such a transient could be caused by a malfunction of the reactor control rod drive systems or due to operator error. This could occur when the reactor is either subcritical, at hot zero power, or at power. The "at-power" case is addressed in Section 4.1.2.

Should a continuous rod cluster control assembly bank withdrawal accident occur, the transient will be terminated by the following automatic features:

Source Range High Neutron Flux Intermediate Range High Neutron Flux Power Range High Neutron Flux (Low and High Setting)

In addition, control rod stops on high intermediate range flux level and high-power range flux level serve to discontinue rod withdrawal and prevent the need to actuate the intermediate range flux trip and the power range flux trip, respectively.

An uncontrolled rod cluster control assembly bank withdrawal from subcritical in Mode 3, 4, or 5 with two or more RCP in operation would be bounded by the analysis as performed in Mode 2. This conclusion is based upon the analysis assumption that reactor trip does not occur until the power range high neutron flux (low setting) setpoint is reached, and that two banks are withdrawn sequentially at maximum speed. These conservative assumptions result in the core returning to critical and generating some power prior to trip. Therefore, the primary system flow rate becomes an important consideration in the departure from nucleate boiling (DNB) evaluation.

Note that, in Mode 3, the Technical Specifications require three RCP to be in operation whenever the reactor trip breakers are closed.

In Modes 3, 4, and 5, the source range high neutron flux trip will be available to terminate the event, by tripping any withdrawn and withdrawing rods, before any significant power level could be attained. Therefore, DNB and primary system flow rate need not be considered. Also, the reactivity insertion rate would be slower when in any of the subcritical modes since a single failure in the rod control system could cause the withdrawal of only one bank. Its withdrawal rate would be expected to be slower than the maximum rod speed, which is possible when in automatic rod control as assumed in the Mode 2 analysis. Section 7.2.1 of the UFSAR [2] notes that the automatic rod withdrawal by the reactor control system has been permanently disabled. Therefore, this event can only occur due to human error.

Unless the transient response due to an uncontrolled rod cluster control assembly bank withdrawal from subcritical event is terminated by manual or automatic action, the resultant reactor coolant temperature rise, and RCS pressure rise could eventually result in DNB and/or a challenge to the integrity of the Reactor Coolant Pressure Boundary. To avert the possible damage that might otherwise result from this event, the RPS is designed to automatically terminate any such transient before the DNBR falls below the safety analysis limit value and before the peak pressures exceed the values at which the integrity of the pressure boundaries would be jeopardized.

Based on its frequency of occurrence, the Uncontrolled RCCA Bank Withdrawal from a Sub-Critical Condition event is considered a Condition II event as defined in UFSAR Section 14.1 [2] and specifically demonstrates that the plants DNB and overpressure acceptance criteria are met.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 44 of 182 Safety Functions The analysis of this accident assumes a reactor trip initiated by the Power Range High Neutron Flux (low setting, two-of-four power channels). Other RPS functions available to terminate this event include:

Source Range High Neutron Flux trip in Modes 3, 4, and 5 with the control rods latched Intermediate Range High Neutron Flux in Modes 1 and 2 Power Range Flux Level Trip (high setting)

However, credit is not taken for these trips. This is a conservatism that delays the reactor trip which increases the calculated power level.

The actuation of any of the above reactor protection functions results in the plant coming to a stabilized condition.

The plant can then be controlled to the design-basis shutdown condition of hot standby.

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

Control Functions Event-Specific Operator Action Requirements There are no event-specific operator actions required to safely terminate the uncontrolled RCCA bank withdrawal from subcritical event.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 45 of 182 Table 4-2: Rod Withdrawal from Subcritical Results 4.1.2 (UFSAR 14.1.2) Uncontrolled RCCA withdrawal at Power Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.2, Uncontrolled RCCA withdrawal at Power.

The event is defined as the inadvertent addition of reactivity to the core caused by the withdrawal of RCCA bank(s) while at power, as opposed to the condition of zero power or subcritical, which is addressed in Section 4.1.1. The reactivity insertion resulting from the bank (or banks) withdrawal will cause an increase in core nuclear power and subsequent increase in core heat flux. Section 7.2.1 of the UFSAR [2] notes that the automatic rod withdrawal by the reactor control system has been permanently disabled. Therefore, this event can only occur due to human error.

To avoid the core damage that might otherwise result from this event, the reactor protection system is designed to automatically terminate any such event before the departure from nucleate boiling ratio (DNBR) falls below the limit value, the fuel rod linear heat generation rate (kW/ft) limit is reached, the peak pressures exceed the values at which the pressure boundaries would be jeopardized, or the pressurizer fills. Depending on the initial power level and the rate of reactivity insertion, the reactor may be tripped and the RCCA withdrawal terminated by any of the following trip signals:

Power range neutron flux Overtemperature t Overpower t High pressurizer pressure High pressurizer water level Based on its frequency of occurrence, the uncontrolled RCCA bank withdrawal at power event is considered a Condition II event as defined in UFSAR Section 14.1 [2] and specifically demonstrates that the plants DNB and overpressure acceptance criteria are met.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 46 of 182 Safety Functions In the DNB and MSS over pressurization (MSS OP) analysis for an uncontrolled RCCA bank withdrawal at power event, depending on the reactivity insertion rate and initial conditions, the RPS provides an automatic reactor trip on power range high neutron flux or overtemperature T signal. A power range high neutron flux reactor trip signal is actuated if two-out-of-three channels exceed an overpower setpoint. An overtemperature T reactor trip signal is actuated when the trip setpoint is reached in two-out-of-three loops.

In the DNBR analysis in UFSAR [2] Section 14.1.2, only the reactor trips on high neutron flux and the overtemperature T were credited.

In the analysis of RCS OP, in addition to the trips identified above for the DNB analysis, the RPS provides an automatic reactor trip on high pressurizer pressure that is actuated when the trip setpoint is exceeded in two-out-of-four channels.

The actuation of any of these reactor protection functions results in the plant coming to a stabilized condition. The plant can then be controlled to the design-basis shutdown condition of hot standby.

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

Control Functions Control systems are assumed to function only if their operation results in more-severe accident results. In the DNB and MSS OP analysis for the uncontrolled RCCA bank withdrawal at power event, the following features are assumed to function.

Pressurizer spray Opening of the pressurizer power-operated relief valves The operation of these control systems tends to reduce the primary system pressure, which minimizes the calculated DNBR values.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 47 of 182 Table 4-3: Rod Withdrawal at Power Results 4.1.3 (UFSAR 14.1.3) Malpositioning of the Part Length Rods This Section was deleted in UFSAR [2] Rev. 0, therefore no SWCCF evaluation is necessary.

4.1.4 (UFSAR 14.1.4) Rod Cluster Control Assembly (RCCA) Drop Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.4, Rod Cluster Control Assembly (RCCA)

Drop.

The Turkey Point design-basis Rod Cluster Control Assembly (RCCA) mis-operation events are categorized as events which could be initiated by the movement or displacement of one or more RCCA(s) from normal or allowed RCCA bank positions resulting in reactivity and power distribution anomalies. The scenarios include:

Dropped RCCA(s)

One or more RCCA within the same group (the multiple drop configurations occur because they are connected via electrical circuitry)

A dropped RCCA bank Because FP&L has disconnected and removed all circuitry associated with an automatic rod withdrawal, the possibility of an automatic rod withdrawal due to a power mismatch arising from a dropped RCCA has been eliminated. Reactivity feedback will cause the core power to eventually rise to a level that corresponds to the steam flow rate and the plant will establish a new equilibrium condition. Thus, because of the disconnection of the

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 48 of 182 automatic rod withdrawal circuitry, the possibility of power overshoot is eliminated and a monotonic equilibrium process result.

Without manual or automatic protective actions, the core power following a dropped RCCA(s) event will inherently seek a level bounded by the steam load demand. However, the actuation of a reactor trip may terminate core power generation. The following RPS trip signals may be generated during a dropped RCCA(s) event due to a localized power reduction.

Low pressurizer pressure Overtemperature T Power range neutron flux reactor trip, low and high setpoints (modes 1 and 2)

Source range reactor trip (mode 2)

Due to the elimination of the automatic rod withdrawal function in the rod control system, an overpower condition will not result. With or without RPS trip actuation, it is required that the dropped RCCA(s) event not result in fuel cladding damage.

Based on its frequency of occurrence, the RCCA drop events are considered a Condition II event as defined in UFSAR Section 14.1 [2] and analyzed to demonstrate that the plants DNB design basis is met.

Safety Functions For the licensing-basis dropped RCCA(s) event analysis, the RPS provides an automatic reactor trip on low pressurizer pressure which is actuated by two-out-of-three low pressurizer pressure signals concurrent with being above the P-7 permissive setpoint (10% rated thermal power). For many dropped RCCA(s) scenarios, no RPS automatic trip is generated.

The actuation of the above reactor protection function will result in the plant coming to a stabilized condition. The plant can then be controlled to the design-basis shutdown condition of hot standby. No damage to the plant will result from the event.

Control Functions Control systems are assumed to function only if their operation results in more severe accident results. Because the rod drop automatic turbine runback has been disabled for Turkey Point Units 3 and 4, the licensing-basis dropped RCCA(s) event analysis does not take credit for the automatic actuation of turbine runback initiated by a rod drop signal from any rod position indication channel or from one or more of the four power range channels.

Because FP&L has disconnected and removed all circuitry associated with an automatic rod withdrawal, the possibility of an automatic rod withdrawal when a power mismatch is detected because of a dropped RCCA has been eliminated. Consequently, although automatic rod control is more limiting due to the potential for power spiking, rod control is assumed to be in the manual mode of operation for the Turkey Point Units 3 and 4 dropped RCCA(s) event.

The control system features assumed to function in the dropped RCCA(s) event analysis are the pressurizer spray and the pressurizer power-operated relief valves (PORVs). Assuming the functionality of these control system features provides for a more limiting DNB evaluation by minimizing the reactor coolant system pressure following a dropped RCCA(s) event.

See Table 4-1 for the Signals, Protection and Safeguards Actions associated with this event.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 49 of 182 Impact of Postulated SWCCF 4.1.5 (UFSAR 14.1.5) Chemical and Volume Control System Malfunction Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.5, Chemical and Volume Control System Malfunction.

An inadvertent dilution of the reactor coolant system (RCS) boron concentration can be caused by a Chemical and Volume Control System (CVCS) malfunction or faulty operator action. The limiting scenario is the inadvertent opening of the primary water makeup control valve and failure of the blend system, either by controller or mechanical failure. The addition of unborated water to the RCS results in a positive reactivity insertion and erosion of the available plant shutdown margin. Should the event proceed without mitigation, core criticality may occur with subsequent nuclear power generation. Progression and mitigation of the event depends on the plant operating mode.

The alarms and indications that would alert the operator to the occurrence of a boron dilution event are the following:

Indication of the boric acid and blended flow rates (all modes)

CVCS pump status lights (all modes)

High flux at shutdown alarm (modes 3-6)

Indicated/audible increase in source range neutron flux count rate (modes 3-6)

Source range reactor trip (mode 2)

Intermediate range reactor trip (mode 2)

Axial flux difference alarm (mode 1)

Control rod insertion limit low and low-low alarms (modes 1 and 2)

Overtemperature T alarm, turbine runback, and reactor trip (mode 1)

Power range neutron flux reactor trip, low and high setpoints (modes 1 and 2)

Based on its frequency of occurrence, the Chemical and Volume Control System Malfunction resulting in an inadvertent dilution in boron concentration is considered a Condition II event as defined in UFSAR Section 14.1

[2] and is performed to demonstrate that there is sufficient time for the operators to identify and mitigate the boron dilution source before excessive shutdown margin is lost.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 50 of 182 Safety Functions Various alarms alert the Operator to the conditions of an inadvertent boron dilution event. In Mode 1 manual rod control, the power range neutron flux - high or low setpoint reactor trip or the overtemperature T reactor trip serves as the alarm as well as initiating RCCA insertion. The overtemperature T signal is actuated when the trip setpoint is reached in two-out-of-three channels. The power range neutron flux - high setpoint signal is actuated when the trip setpoint is reached in two-out-of-four channels. In Mode 1, automatic rod control, the power and temperature increase from the boron dilution results in insertion of the control rods and a decrease in the available shutdown margin. The rod insertion limit alarms (low and low-low settings) alert the operator that a dilution event is in progress. In Mode 2, the source range neutron flux reactor trip serves as the alarm as well as initiates RCCA insertion. This signal is actuated when the trip setpoint is reached in one-out-of-two channels. For the source range neutron flux reactor trip to be an alarm in Mode 2 requires that it not be blocked by operators after reaching the intermediate range neutron flux reactor trip interlock (P-6) setpoint. During Mode 2, rod control is in manual, and all normal actions required to change power level, either up or down, require operator initiation. For a normal approach to criticality, a process that takes several hours, the operator manually initiates a limited dilution and then manually withdraws the control rods. The Technical Specifications require that the operator determine the estimated critical position of the control rods prior to approaching criticality, thus assuring that the reactor does not go critical with the control rods below the insertion limits. Once critical, the power escalation must be sufficiently slow to allow the operator time to manually block the source range neutron flux reactor trip after reaching the P-6 setpoint. Failure to perform this manual action results in a reactor trip and immediate shutdown of the reactor. For Mode 2, it is assumed that the RCS boron concentration at time of trip corresponds to the predicted critical boron concentration for rods at the insertion limits, which minimizes the available shutdown margin. In the event of inadvertent boron dilution initiating after the source range neutron flux reactor trip is blocked in Mode 2, the plant will slowly escalate in power until the power range high neutron flux low setpoint is reached and a reactor trip occurs, or the operator initiates a manual reactor trip. No other functions available in these modes are taken credit for in providing a signal or alarm to the plant operator.

The actuation of the above reactor protection functions or the extended range neutron flux alarm followed by the operator action to isolate the dilution flow path and initiate a borated water flow to the RCS will terminate the boron dilution. No damage to the plant will result from the event.

Florida Power and Light received the Turkey Point Units 3 and 4 UFSAR Safety Evaluation Reports (SERs) prior to the issuance of Regulatory Guide 1.70 Revs. 2 and 3. Consequently, under the requirements of Regulatory Guide 1.70 Rev. 1 [52], the analysis of the boron dilution event was only performed in Modes 1, 2, and 6 (plant modes of full-power operation, plant startup, and refueling, respectively, as defined in Table 1.2 of the Turkey Point Technical Specifications [38]). However, Modes 3, 4, and 5 (hot standby, hot shutdown, and cold shutdown) are now also analyzed. The required operator action times to terminate the event are:

Mode 1: 15 minutes from time of dilution Mode 2: 15 minutes from time of dilution Mode 3: 15 minutes from time of dilution Mode 4: 15 minutes from time of dilution Mode 5: 15 minutes from time of dilution Mode 6: 30 minutes from time of dilution See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 51 of 182 Control Functions Control systems are assumed to function only if their operation results in more severe accident results. For the analysis of the inadvertent boron dilution event in Mode 1, the plant is assumed to be operating under both automatic and manual reactor control. A separate analysis is performed for each case since the assumed time of alarm is dependent upon whether there is automatic or manual rod control.

The initiating event could be caused by the failure of the primary water makeup control valve and the blend system to function as intended.

Event-Specific Operator Action Requirements The inadvertent boron dilution event is the only Condition II licensing-basis accident that fully relies on operator action for mitigation purposes. The operator action needed for this event is to determine the cause of the dilution and isolate the unborated water source, thereby terminating the dilution flow prior to the loss of plant shutdown margin. As noted in Section 14.1.5 of the UFSAR [2], following termination of the dilution flow, the reactor will be in a stable condition. The operator can then initiate a re-boration of the RCS to recover the shutdown margin lost due to the dilution event.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 52 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 53 of 182 4.1.6 (UFSAR 14.1.6) Startup of an Inactive Reactor Coolant Loop Event Description This event is described in Turkey Point UFSAR Section 14.1.6, Start-Up of an Inactive Reactor Coolant Loop

[2].

The current Turkey Point Technical Specifications [38] preclude plant operation with one or more reactor coolant loops inactive. The startup of an inactive reactor loop event was originally included in the UFSAR when the potential for operation with a loop out of service was allowed under plant technical specifications. Based on the current plant technical specifications, which prohibit plant startup and power operation (Modes 1 and 2) with one or more loops out of service, this event was removed from the Turkey Point licensing basis as part of the plant thermal uprate evaluation.

Impact of Postulated SWCCF Since this event is not part of the Turkey Point Unit 3&4 licensing basis, there is no need to consider its mitigation in the event of Tricon SWCCF.

4.1.7 (UFSAR 14.1.7) Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.7, Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident. The increase in feedwater flow or reduction in feedwater temperature will result in an increase in the heat transfer rate from primary to secondary in the steam generators and a consequential reduction in primary system temperature and pressure. The negative moderator and fuel temperature reactivity coefficients, which are characteristic of the Turkey Point design, cause core reactivity to rise as primary coolant temperature drops. If no automatic or manual action is taken, the core power will rise. The increase in core power coupled with a decrease in reactor coolant system (RCS) pressure could potentially violate the core thermal limits.

Based on its frequency of occurrence, the Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident is considered a Condition II event as defined in UFSAR Section 14.1 [2] and specifically demonstrates that the plants DNB acceptance criterion is met and that the event does not progress to a more serious event classification.

Safety Functions For a feedwater malfunction event resulting in excessive feedwater flow in Mode 1, reactor protection is automatically provided by the first primary-side protection function reached, initiating a reactor trip if the core thermal limits (DNB protection) or the RCS pressure (low) limit is approached. Alternatively, if no primary-side trip signal is actuated (overpower T, overtemperature T, or high neutron flux), a high-high steam generator water level signal will initiate a turbine trip and, with the power greater than the P-7 setpoint, a reactor trip.

Although not safety grade (turbine building is not seismically qualified), reactor protection is provided by a reactor trip on turbine trip. The high-high steam generator water level signal will also close the feedwater isolation valves and trip the main feedwater pumps.

For an excessive feedwater flow malfunction event in Mode 2, reactor trip would be provided by a high neutron flux signal. Similar to the Mode 1 event, the high-high steam generator water level signal will close the feedwater isolation valves and trip the main feedwater pumps.

The feedwater temperature reduction event does not typically require protection. The increased thermal load due to the opening of the low-pressure heater bypass valve would result in a transient very similar (but of reduced

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 54 of 182 magnitude) to the Excessive Load Increase incident presented in UFSAR [2] Section 14.1.8. The results of this event are bounded by the Excessive Load Increase event.

Control Functions Control systems are assumed to function only if the operation results in more-severe accident results. For the analysis of a feedwater malfunction event, cases are analyzed with the reactor in both manual and automatic rod control. Automatic rod control maintains the average RCS temperature possibly leading to a more DNB limiting RCS condition than the manual rod control case. Although the Turkey Point Units 3 and 4 automatic rod withdrawal has been disabled and rod withdrawal can only be manually accomplished, the automatic rod control case has been presented for completeness. Also, the following features are assumed to function because they make the predicted event response worse:

Pressurizer spray Opening of the pressurizer power-operated relief valves The operation of these control functions tends to reduce the primary system pressure, which minimizes the calculated DNBR values.

Event-Specific Operator Action Requirements There are no event-specific operator actions required to mitigate the effects of a feedwater system malfunction event.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 55 of 182 4.1.8 (UFSAR 14.1.8) Excessive Load Increase Incident Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.8 Excessive Load Increase Incident.

An excessive load increase incident is defined as a rapid increase in steam generator steam flow causing a power mismatch between the reactor core power and the steam generator load demand. The Turkey Point reactor control system is designed to accommodate a 10 percent step load increase and a 5 percent per minute ramp load increase without a reactor trip in the range of 15 to 100 percent full power. Any loading rate in excess of these values may cause a reactor trip actuated by the protection system. If the load increase exceeds the capability of the reactor control system, the transient is terminated in sufficient time to prevent DNBR from going below the limit value since the core is protected by a combination of the power range neutron flux - high, the overpower-T, and overtemperature-T trips. An excessive load increase incident could result from either an administrative violation such as excessive loading by the operator or an equipment malfunction such as steam bypass control or turbine speed control. The load demand is limited to 100% load by the turbine load limiting feature in the turbine control system.

For the Beginning of Life (BOL) minimum moderator feedback case, there is a slight power increase, and the average core temperature shows a decrease. This results in a departure from DNBR that increases (after a slight decrease) above its initial value. For the End of Life (EOL) maximum moderator feedback, manually controlled case, there is a larger increase in reactor power due to the moderator feedback. A reduction in DNBR is experienced, but DNBR remains above the limit value.

The analysis demonstrated that for a 10-percent step load increase, the DNBR remains above the limit value. The plant rapidly reaches a stabilized, equilibrium condition following the load increase. During power operation, steam bypass to the condenser is controlled by signals of reactor coolant conditions, i.e., abnormally high reactor coolant temperature indicates a need for steam bypass. A single controller malfunction does not cause steam bypass because an interlock is provided which blocks the control signal to the valves unless a sudden large turbine load decrease has occurred. In addition, the reference temperature and loss of load signals are developed by independent sensors. Regardless of the rate of load increase, the reactor protection system will trip the reactor in time to prevent DNBR from going below the limit value. Increases in steam load to more than design flow is analyzed as steam line ruptures in UFSAR [2] Section 14.2.5. Based on its frequency of occurrence, the Excessive

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 56 of 182 Load Increase event is classified as a Condition II event in UFSAR Section 14.1 [2] and specifically demonstrates that the plants DNB acceptance criterion is met.

Safety Functions Protection against an excessive load increase accident is provided by the following reactor protection system signals:

Overtemperature T Power range neutron flux - high Low pressurizer pressure Overpower T In the Turkey Point UFSAR [2] Chapter 14.1.8 incident analysis, normal reactor control systems and engineered safety systems are not required to function. The reactor protection system is assumed to be operable; however, reactor trip was not encountered for the cases analyzed. No single active failure will prevent the reactor protection system from performing its intended function.

This type of event results in an increase in core power due to a direct increase in the secondary system steam load.

Based on the Turkey Point UFSAR Chapter 14.1.8 discussion of this event, the safety analysis demonstrates that the event results in the plant reaching a new steady state condition without actuation of the reactor trip system.

Table 4-1 summarizes the safety protection and safeguard functions applied to the UFSAR Section 14.1.8 events.

Control Functions Control systems are assumed to function only if the operation results in more-severe accident results. For the excessive load increase analysis, cases are analyzed with the reactor operating with the rod control system in automatic. Although the Turkey Point Units 3 and 4 automatic rod withdrawal has been disabled and rod withdrawal can only be manually accomplished, the two automatic rod control cases have been presented for completeness. Also, the following features are assumed to function because they make the predicted event response worse:

Pressurizer spray Opening of the pressurizer power-operated relief valves The operation of these control functions tends to reduce the primary system pressure, which minimizes the calculated DNBR values.

Impact of Postulated SWCCF 4.1.9 (UFSAR 14.1.9) Loss of Reactor Coolant Flow The following loss of flow coastdown accident cases are analyzed:

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 57 of 182

1. Loss of two RCPs (Partial Loss of Flow)

2. Loss of all three RCPs (Complete Loss of Flow)

3. Locked Rotor Accident 4.1.9.1 Partial/Complete Loss of Forced Reactor Coolant Flow Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.9, Loss of Reactor Coolant Flow.

The design-basis partial loss of forced reactor coolant flow (PLOF) event is defined as a reduction in reactor coolant flow caused by the loss of two-out-of-three RCPs at full power. A PLOF can result from a mechanical or electrical failure in an RCP, or from a fault in the power supply to the pump supplied by the RCP motor buses.

Since normal power for the RCPs is supplied through two buses connected to the generator, only the loss of two RCPs is considered for this event. (A total loss of forced reactor coolant flow, based on a complete loss of power to all three RCPs, is considered below.)

The design-basis complete loss of forced reactor coolant flow (CLOF) event is defined in UFSAR Section 14.1.9 as a reduction in reactor coolant flow caused by the simultaneous loss of electrical power to all three RCPs at full power. A CLOF can result from electrical failure in the RCPs from a simultaneous loss of electrical power (undervoltage or UV) to all RCPs or from a reduction in the motor supply frequency (underfrequency or UF) to all three RCPs due to a frequency disturbance on the power grid.

Protection from a PLOF event is provided by a reactor trip on low primary coolant flow, which is actuated by two-out-of-three low flow signals in any single reactor coolant loop. Above the P-8 permissive (approximately 45% of rated thermal power (RTP), per Tech Spec 2.2.1), [38] low flow in any single loop will result in a reactor trip. Between the P-7 permissive (10% of RTP, per Tech Spec 2.2.1) and the P-8 permissive, low flow in any two loops will actuate a reactor trip. Below the P-7 permissive, natural RCS circulation flow provides adequate core cooling.

A reactor trip from pump breaker position is provided as a backup to the low flow signal. Similar to the low flow trip, above P-8, a breaker open signal from any pump will actuate a reactor trip, and between P-7 and P-8, a breaker open signal from any two pumps will actuate a reactor trip. Reactor trip on RCP breaker open is blocked below Permissive 7.

For a CLOF event, protection is provided by a reactor trip on RCP undervoltage (UV), RCP underfrequency (UF)

(via RCP Breaker position), or low primary coolant flow which is generated by two-out-of-three low flow signals per reactor coolant loop. The RCP UV trip function is blocked below the P-7 permissive. Permissives affecting the low flow trip function, previously described for the PLOF event, similarly apply here.

The reactor may be tripped by any of the following RPS trip signals:

Low primary coolant loop flow RCP undervoltage RCP underfrequency (via RCP breaker opening)

RCP circuit breaker opening Based on its frequency of occurrence, the Partial Loss of Flow event is classified as a Condition II event and the Complete Loss of Flow is classified as a Condition III event in UFSAR Section 14.1 [2] and specifically demonstrates that the plants DNB and overpressure acceptance criteria are met.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 58 of 182 Safety Functions For a PLOF event, the RPS provides an automatic reactor trip on low primary coolant flow which is actuated by two-out-of-three low flow signals in any single reactor coolant loop. Above approximately 45% RTP, the setpoint of the P-8 permissive, low flow in any single loop will result in a reactor trip. Between 10% RTP, the setpoint of the P-7 permissive, and 45% RTP, low flow in any two loops will actuate a reactor trip. Below 10% RTP, natural RCS circulation flow provides adequate core cooling.

Core protection for a CLOF event is provided by an automatic reactor trip on RCP UV, RCP UF (via RCP breaker position), or low primary coolant flow (produced by two-out-of-three low flow signals per reactor coolant loop).

The RCP UV trip function is blocked below 10% RTP; however, natural circulation flow in the RCS provides adequate core cooling under these conditions. Permissives affecting the low flow trip function, described in the previous paragraph, also apply here.

The trip signals generated by the RPS in response to a loss of forced reactor coolant flow result in the safety limits identified in the UFSAR [2] being met. Additionally, the reactor trip results in the plant coming to a stabilized condition from which a controlled cooldown to shutdown condition can be initiated.

Control Functions The power-operated pressurizer relief valves, pressurizer heaters and sprays, and the automatic reactor rod control are assumed to not be credited. The operability of pressurizer pressure control systems is not assumed, as no credit is taken for the increase in RCS pressure which would result in a DNBR benefit.

Impact of Postulated SWCCF Partial Loss of Coolant Flow Complete Loss of Coolant Flow

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 59 of 182 4.1.9.2 Locked Rotor Accident Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.9, Locked Rotor Accident.

The design-basis RCP shaft seizure event is defined as an instantaneous seizure of a single RCP rotor which results in a rapid reduction in reactor coolant loop flow from full power. The locked rotor event is hypothesized based on the RCP impeller severely rubbing a stationary member.

Protection from a locked rotor event is provided by a reactor trip on low primary coolant flow, which is actuated by two-out-of-three low flow signals in the affected reactor coolant loop. Above the P-8 permissive (approximately 45% of rated thermal power (RTP)), low flow in any single loop will result in a reactor trip.

Below the P-8 permissive, the RPS trip logic changes to low flow in any two loops actuating a reactor trip. At this power level, sufficient margin to the safety limits exists such that reactor protection is not required for this event below the P-8 permissive.

Based on its frequency of occurrence, the Locked Rotor accident is classified as a Condition IV event as defined in UFSAR Section 14.1 [2] but specifically demonstrates that the plants Condition II DNB and overpressure acceptance criteria are met.

Safety Functions For an RCP locked rotor event, the RPS provides an automatic reactor trip on low primary coolant flow which is actuated by two-out-of-three low flow signals in any single reactor coolant loop. Above approximately 45% RTP, the setpoint of the P-8 permissive, low flow in any single loop will result in a reactor trip.

The trip signal generated by the RPS in response to the design-basis locked rotor event results in the safety limits being met.

Control Functions Control systems are assumed to function only if the operation results in more severe accident results. For the design-basis locked rotor hot spot cases, no credit is taken for automatic reactor rod control, pressurizer sprays or heaters, pressurizer power-operated relief valves, steam dump, or main steam system (MSS) power-operated relief valves since these control functions would mitigate the temperature and pressure effects and lessen the consequences of the event. The design-basis locked rotor rods-in-DNB analysis uses the same control function assumptions.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 60 of 182 4.1.10 (UFSAR 14.1.10) Loss of External Electrical Load Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.10, Loss of External Electrical Load.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 61 of 182 The loss of external electrical load and/or turbine trip event is defined as a complete loss of steam load from full power without a direct reactor trip, or a turbine trip with a direct reactor trip. The station is designed to accept a 50% step loss of load without actuating a reactor trip with all NSSS control systems in automatic (reactor control system, pressurizer pressure and level, steam generator water level control, and steam dumps). The automatic steam dump system, together with the reactor control system, can accommodate the load rejection. Reactor power is reduced to a new equilibrium value consistent with the capability of the rod control system. The pressurizer power-operated relief valves may be actuated but the pressurizer safety valves and the steam generator safety valves do not lift for the 50% load rejection with steam dump.

For a turbine trip, the reactor would be tripped directly from a signal derived from the turbine EHC header pressure (a two-out-of-three signal).

Based on its frequency of occurrence, the Loss of External Load event is classified as a Condition II event as defined in UFSAR Section 14.1 [2]. However, for the purposes of the SWCCF case, the event results in an ATWS, which has been specifically analyzed by Westinghouse to demonstrate the RCS is maintained within the ASME Service Level C pressure limits.

Safety Functions For a loss of load/turbine trip, the reactor would be tripped directly from a signal derived from the turbine EHC header pressure (a two-out-of-three signal). In the event the steam dump valves fail to open following a large loss of load, the steam generator safety valves will lift, and the reactor may be tripped by the high pressurizer pressure signal, the high pressurizer water level signal, the overtemperature T signal, or the low-low steam generator water level signal.

The actuation of any of these reactor protection functions, and steam relief would result in the plant coming to a stabilized condition from which a controlled cooldown to the shutdown condition can be initiated.

In the UFSAR analysis (Section 14.1.10) [2], only the overtemperature T and high pressurizer pressure reactor trips are assumed operable. No credit is taken for a reactor trip on high pressurizer level, the direct reactor trip on turbine trip, or the low-low steam generator water level reactor trip.

Control Functions Control systems are assumed to function only if their operation results in more severe accident results. For the loss of load and/or turbine trip analysis, cases are analyzed both with and without automatic pressure control to assure that the reactor is protected for either operation. The cases with automatic pressure control are those which result in more DNB-limiting transients than those with no automatic pressure control; in contrast, the cases without automatic pressure control are those which result in the RCS pressure-limiting transients.

For the cases with automatic pressure control, the following features are assumed to function:

Pressurizer spray Opening of the pressurizer power-operated relief valves Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 62 of 182 4.1.11 (UFSAR 14.1.11) Loss of Normal Feedwater Flow Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.11, Loss of Normal Feedwater Flow.

The loss of normal feedwater flow event is defined as a reduction in the capability of the secondary system to remove heat generated in the reactor core which could result in core damage and reactor coolant system (RCS) over pressurization. If an alternate supply of feedwater was not supplied to the plant, core residual heat following reactor trip would heat the coolant in the RCS to the point where water relief from the pressurizer would occur, resulting in a loss of coolant inventory from the RCS. The event is analyzed with and without offsite AC power.

The Loss of Normal Feedwater (LONF) event is analyzed to demonstrate that following a loss of feedwater, the auxiliary feedwater system can remove the stored and residual heat. Additionally, the LONF event is analyzed to determine the acceptability of the low-low steam generator water level reactor trip setpoint.

The reactor may be tripped by any of the following RPS trip signals:

Low-low steam generator water level Overtemperature T High pressurizer pressure High pressurizer water level Three turbine-driven auxiliary feedwater (AFW) pumps shared by Turkey Point Units 3 and 4 are initiated by the following signals:

Low-low water level in any steam generator Any safety injection signal Trip of all main feedwater pumps in either unit Manual actuation AMSAC actuation Bus stripping Based on its frequency of occurrence, the Loss of Normal Feedwater Flow event is classified as a Condition II event as defined in UFSAR Section 14.1 [2] and demonstrates that the RCS pressure limits are met and that sufficient auxiliary feedwater can be provided to remove decay heat such that the pressurizer does not overfill due to thermal expansion.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 63 of 182 Safety Functions The reactor protection system performs a safety function to limit the consequences of Condition II events by, at most, a shutdown of the reactor and turbine and actuation of the engineered safety features with the plant capable of returning to operation after corrective action. The reactor protection system features impose a limiting boundary region to plant operation, which ensures that the reactor safety limits, and RCS pressure limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions.

If a primary side protection system limit is approached for this event, reactor trip would be provided by the high pressurizer pressure, the high pressurizer water level, or the overtemperature T signal. In the instance of a coincident LOOP, the reactor trip would be provided by the RCP underfrequency and 4kv Bus undervoltage signals. If no primary side protection system limit is reached, the reactor would be tripped by the low-low steam generator water level signal. For the loss of normal feedwater flow analysis, no credit is taken for any primary side RPS signals, and the transient is thereby delayed to the point of receipt of a low-low steam generator water level signal in any steam generator. This results in a limiting transient produced by the elevated temperatures in the RCS and the main steam system and the reduced heat sink inventory in all steam generators. Actuation of the auxiliary feedwater system is also performed upon receipt of a low-low steam generator water level signal in any steam generator. This is the first and only ESFAS signal produced for the loss of normal feedwater flow event.

The elevated temperatures in the RCS and the main steam system and the reduced heat sink inventory in the steam generators provide a limiting set of conditions against which the AFW must function to mitigate the consequences of the loss of normal feedwater flow event.

Long-term steam relief on the secondary side is provided by the steam generator safety valves to limit the pressure increase due to decay heat generation.

The actuation of any of these reactor protection functions, and steam relief would result in the plant coming to a stabilized condition from which a controlled cooldown to the shutdown condition can be initiated.

Control Functions Control systems are assumed to function only if their operation results in more severe accident results. For the loss of normal feedwater flow analysis, both cases, with and without loss of offsite power, assume functioning of the following features:

Pressurizer spray Pressurizer heaters (proportional and backup on pressure effect only)

The loss of normal feedwater analysis assumes these features represent a more-limiting transient with respect to filling of the pressurizer. Power operated relief valves (PORVs) were considered for both cases to determine the limiting condition. The loss of normal feedwater flow with offsite power available case was more limiting with PORVs available, and the loss of offsite power case was more limiting with PORVs unavailable.

Automatic rod control is not assumed for the loss of normal feedwater flow event. Assuming the reactor is in manual rod control allows for greater RCS heatup prior to the reactor trip signal and maximizes the temperatures in both the RCS and the main steam system.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 64 of 182 4.1.12 (UFSAR 14.1.12) Loss of Non-Emergency A-C Power to Plant Auxiliaries Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.12, Loss of Non-Emergency A-C Power to Plant Auxiliaries.

A complete loss of non-emergency AC power may result in the loss of all power to the plant auxiliaries, i.e., the RCPs, condensate pumps, etc. The loss of power may be caused by a complete loss of the offsite grid accompanied by a turbine generator trip at the station, or by a loss of the onsite AC distribution system.

Following a loss of AC power with turbine and reactor trips, the following sequence of events will occur:

1. Plant vital instruments are supplied from emergency DC power sources.

2. As the steam system pressure rises following the trip, the atmospheric dump valves can be opened to the atmosphere. The condenser is assumed not to be available for steam dump. If the steam flow rate through the dump valves is not available, the main steam safety valves may lift to dissipate the sensible heat of the fuel and coolant plus the residual decay heat produced in the reactor.

3. As the no-load temperature is approached, the atmospheric dump valves (or safety valves, if the dump valves are not available) are used to dissipate the residual decay heat and to maintain the plant at the hot shutdown condition.

4. Following a Loss of Offsite Power to the Vital 4kv Buses, the Emergency Bus Load Sequencers perform Bus Stripping, which opens the normal bus feeder breakers, opens all load breakers on the associated 4kv buses, starts both Emergency Diesel Generators, and initiates AFW. After the 4kv Buses are cleared of all feeder and load breakers, the Bus Clearing circuit allows for the EDG breakers to close onto the 4kv Buses to commence load sequencing. For a Loss of Offsite Power, the Emergency Bus Load Sequencers load the Vital 480-volt Load Centers, Intake Cooling Water pumps, and Component Cooling water pumps. Additional loads will be manually loaded as required by Emergency Operating procedures.

Based on its frequency of occurrence, the Loss of Non-Emergency A-C Power to Plant Auxiliaries event is classified as a Condition II event as defined in UFSAR Section 14.1 [2] and is analyzed to demonstrate the adequacy of auxiliary feedwater to remove decay heat and prevent the event from progressing to a more serious classification of event, given a loss of main feedwater with a concurrent loss of flow due to a loss of AC power.

The DNB acceptance criterion is not directly addressed for this event, as the loss of normal feedwater event is bounding.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 65 of 182 Safety Functions If a primary side protection system limit is approached for this event, reactor trip would be provided by the high pressurizer pressure, the high pressurizer water level, or the overtemperature T signal. In the instance of a coincident LOOP, the reactor trip could also be provided by the RCP undervoltage signal. If no primary side protection system limit is reached, the reactor would be tripped by the low-low steam generator water level signal.

Three turbine-driven auxiliary feedwater pumps (shared by Units 3 and 4) are started on any of the following:

Low-low water level in any steam generator Any safety injection signal Trip of all main feedwater pumps on either unit Manual actuation AMSAC actuation Bus Stripping The auxiliary feedwater turbine utilizes steam from the main steam line to drive the auxiliary feedwater pump to deliver water to the steam generators. The pumps take suction directly from the condensate storage tanks for delivery to the steam generators.

If a primary side protection system limit is approached for this event, reactor trip would be provided by the high pressurizer pressure, the high pressurizer water level, or the overtemperature T signal. In the instance of a coincident LOOP, the reactor trip would be provided by the RCP underfrequency and 4kv Bust undervoltage signals. If no primary side protection system limit is reached, the reactor would be tripped by the low-low steam generator water level signal.

The safety features credited in the UFSAR [2] analysis are Reactor trip and AFW start on low-low steam generator water level.

Control Systems The analysis includes modeling of the following features:

Pressurizer spray Pressurizer heaters (proportional and backup on pressure effect only)

The loss of offsite power case was more limiting with PORVs unavailable.

Assuming the reactor is in manual rod control allows for a greater RCS heatup prior to the reactor trip signal and maximizes the temperatures in both the RCS and the main steam system.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 66 of 182 4.1.13 (UFSAR 14.1.14) Accidental Depressurization of the Reactor Coolant System Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.14, Accidental Depressurization of the Reactor Coolant System.

An accidental depressurization of the Reactor Coolant System (RCS) could occur as a result of an inadvertent opening of a pressurizer PORV, pressurizer safety valve (PSV), or pressurizer spray valve. The depressurization resulting from the opening of a PORV or PSV is much more rapid than that which would occur from the accidental opening of a pressurizer spray valve. Since a PSV is sized to relieve approximately twice the steam flow rate of a PORV, the most severe core conditions resulting from an accidental depressurization of the RCS are those associated with an inadvertent opening of a pressurizer safety valve.

Initially, the event results in a rapidly decreasing RCS pressure, which could reach the hot leg saturation pressure without reactor protection system intervention. If saturated conditions were to be reached, the rate of depressurization would be slowed considerably. However, the pressure continues to decrease throughout the event. The power remains essentially constant throughout the initial stages of the transient.

Based on its frequency of occurrence, the RCS Depressurization event is classified as a Condition II event as defined in UFSAR Section 14.1 [2] and is analyzed to demonstrate that the DNB design basis is satisfied.

Additionally, a condition II event should not generate a postulated accident without other faults occurring independently.

Safety Functions The reactor may be tripped by the following reactor protection system signals:

Overtemperature T Pressurizer low pressure See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

Control Functions Normal reactor control systems are not required to function unless their function makes the results of the licensing basis analysis worse. Although automatic rod withdrawal has been disabled, the event was conservatively analyzed assuming automatic rod withdrawal. Operation of the rod control system attempts to maintain the full power Tavg, which delays reactor trip, thereby resulting in a limiting analysis.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 67 of 182 4.1.14 (UFSAR 14.1.15) Anticipated Transient Without Scram Event Description This event is described in Turkey Point UFSAR [2] Section 14.1.15, Anticipated Transient Without Scram.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 68 of 182 An Anticipated Transient Without scram (ATWS) event is defined as an AOO followed by the failure of the reactor trip portion of the protection system specified in GDC-20 [90]. For Westinghouse pressurized water reactors (PWR), 10 CFR 50.62(c)(l) [31] requires that each plant must have equipment that is diverse from the reactor trip system to automatically initiate the Auxiliary Feedwater (AFW) system and initiate a turbine trip under conditions indicative of an ATWS event. This equipment must perform its function in a reliable manner and be independent of the existing reactor trip system.

An ATWS event is an operational transient such as a loss of normal feedwater, loss of load/turbine trip, loss of offsite power, accidental Reactor Coolant System (RCS) depressurization, uncontrolled rod bank withdrawal at power, followed by a failure of the RPS to shut down the reactor. This requirement has been satisfied by the addition of the AMSAC, which, in addition to the 10 CFR 50.62 requirements for automatically initiating a turbine trip and the AFW system, initiates a reactor trip by opening the Control Rod Motor Generator (MG) Set output breakers. AMSAC serves as a non-safety-related backup protective system to RPS by preventing over pressurization of the RCS, providing for conservation of steam generator inventory, and assuring insertion of the control rods following an ATWS event.

The ATWS Rule 10 CFR 50.62(c)(l) [31] and AMSAC design are based on WCAP-10858-NP, AMSAC Generic Design Package [33]. The basis for this rule and the AMSAC design are supported by Westinghouse generic analyses. These analyses were performed based on guidelines published in NUREG-0460 [50]. WCAP-8330-NP [32] and subsequent related documents, which formed the initial Westinghouse submittal to the NRC for ATWS, addressed five Condition II ATWS events including loss of load/turbine trip, loss of normal feedwater, loss of offsite power, stuck open pressurizer safety valve, and uncontrolled rod withdrawal at power. Inputs varied with the reference plant designs noting that 3-loop reference plants used AFW full flow of 1400 gpm and a 40%

steam dump capacity while the analyses for all plants assumed a conservative delay of 60 seconds in AFW flow following AMSAC initiation. This delay generically included time for emergency diesel generator (EDG) start and load sequencing (for plants with electric motor driven AFW pumps) and pump acceleration. The ATWS analysis assumed full AFW flow was reached 36 seconds after the actuation signal occurred. The time to purge the feedwater piping of hot water was also considered in the analysis as an additional delay in the delivery of cool AFW flow to the steam generators.

The NRC approved the Westinghouse Owners Group (WOG) generic design modification with its issuance of a SER on August 10, 1983. The NRC issued a plant specific SER for GL 83-28 Item 4.3 on December 3, 1984, and the required AMSAC design modifications were installed at Turkey Point in July 1985 for Unit 3 and in June 1986 for unit 4.

For operation at EPU conditions, the two most limiting RCS overpressure ATWS transients from the Westinghouse generic ATWS analyses, Loss of Normal Feedwater (LONF) and Loss of Load (LOL), were analyzed.

The results of the ATWS analyses at the EPU conditions show that the peak RCS pressure obtained in the LONF and LOL ATWS events, 3174.5 psia and 2960.2 psia, respectively, did not exceed the B&PV code, Service Level C stress limit criterion of 3215 psia (3200 psig). As such, the analytical basis for the ATWS Rule continues to be met for operation at EPU conditions. The updated EPU analyses place no restrictions on the existing AMSAC setpoint.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 69 of 182 4.1.15 (UFSAR 14.2.4) Steam Generator Tube Rupture Event Description This event is described in Turkey Point UFSAR [2] Section 14.2.4, Steam Generator Tube Rupture.

The steam generator tubes represent the pressure boundary between the reactor coolant system (RCS) and the secondary side of the steam generators. Failure of a steam generator tube results in a loss of reactor coolant into the secondary side of the affected steam generator. A design basis steam generator tube rupture (SGTR) is defined as a double-ended rupture of a single steam generator tube in one steam generator.

The RPS will produce a reactor trip on a low pressurizer pressure or overtemperature-T signal (OTT). The reactor trip will result in a turbine trip, and if offsite power is available, the steam dump valves will open, permitting steam dump to the condenser. However, the assumption of a loss-of-offsite power coincident with reactor trip indicates that the steam dump valves remain closed to protect the condenser. Therefore, following

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 70 of 182 reactor and turbine trip, the steam generator pressure increases rapidly, resulting in steam discharge to the atmosphere through the steam generator ADVs and/or MSSVs. The normal feedwater flow to the steam generators will be automatically terminated and auxiliary feedwater flow will be initiated because of the reactor trip and assumed loss-of-offsite power.

A safety injection (SI) signal will be subsequently generated by low pressurizer pressure due to the continued loss of reactor coolant. The RCS pressure will then trend toward the equilibrium value where the SI flow rate equals the break flow rate. The primary-to-secondary break flow and the steam releases from the ruptured steam generator to the atmosphere will continue until operator actions are performed to terminate the break flow and cool the plant down using the intact steam generators.

The operator actions for the recovery from an SGTR with reactor trip are provided in the plant operating procedures, which are based on the Westinghouse Owners Group Emergency Response Guidelines. The operators must first diagnose the event as a steam generator tube rupture and then perform the required recovery actions.

The major SGTR recovery actions include isolation of the ruptured steam generator, RCS cooldown to ensure adequate subcooling, RCS depressurization to restore coolant inventory, and termination of safety injection to stop the break flow. After these actions are completed, the RCS and ruptured steam generator pressures will equalize, and the break flow will be terminated.

Based on its frequency of occurrence, the Steam Generator Tube Rupture accident is classified as a Condition III event as defined in UFSAR Section 14.2 [2] and analyzed to demonstrate that the radiological dose limits of Regulatory Guide 1.183 [91] are met and to demonstrate that the ruptured steam generator does not overfill.

Safety Functions/Control Systems The RPS provides for shutdown of the reactor and turbine to prevent the reactor safety limits from being exceeded. For a steam generator tube rupture, the RPS provides an automatic reactor trip on a low pressurizer pressure or overtemperature T signal. The emergency core cooling system (ECCS) is actuated on a low pressurizer pressure signal and provides pumped safety injection flow into the RCS to make up for the loss of reactor coolant inventory due to the tube rupture. The main feedwater flow is terminated, and the auxiliary feedwater system is actuated to provide make up to the steam generators to facilitate the removal of core decay heat. After reactor trip and initiation of safety injection, the RCS pressure tends to stabilize at the point where the incoming safety injection flow rate is equal to the tube rupture break flow rate. The core decay heat is removed through heat absorption by the safety injection water, and through heat transfer to the steam generators due to heat absorption by the auxiliary feedwater and release of steam to the atmosphere via the steam generator ADVs or MSSVs.

After the automatic protective actions have occurred and plant conditions have stabilized, operator actions are necessary to terminate the primary-to-secondary break flow and the steam release from the steam generators to mitigate the offsite radiation doses. The major operator actions required include identification and isolation of the ruptured steam generator, RCS cooldown to ensure adequate subcooling, RCS depressurization to restore coolant inventory, and termination of safety injection to stop the break flow.

The ruptured steam generator is identified by the asymmetric level changes when compared to the intact steam generators using the steam generator narrow range level instrumentation. The secondary radiation monitors may also provide information which can be used to identify the ruptured steam generator. Isolation of the ruptured steam generator is accomplished by closing the associated main steam line isolation valve (MSIV) and isolating any other steam flow paths between the MSIV and the steam generator and isolating the auxiliary feedwater flow to the steam generator. RCS cooldown is performed by dumping steam to the atmosphere using the atmospheric dump valves on the intact steam generators. Depressurization of the RCS is performed by using the pressurizer power-operated relief valves or the auxiliary pressurizer spray system. After the RCS depressurization is

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 71 of 182 completed, the safety injection system is isolated, and the charging system can be used as required to maintain RCS coolant inventory. After these actions are completed, the RCS and ruptured steam generator pressures will equalize, and break flow will be terminated.

Two cases are considered in the UFSAR [2], one case addresses the dose consequences and the second addresses steam generator overfill. The need for manual operator intervention and the manual actions taken are similar between both cases, with the primary goal being to depressurize the primary RCS to the ruptured steam generator pressure and subsequently isolate the break flow.

Event Specific Operator Action Requirements Operator actions are required to mitigate the consequences of a steam generator tube rupture accident. The major operator actions include the identification and isolation of the ruptured steam generator, RCS cooldown, RCS depressurization, and termination of the safety injection flow. These operator actions are not explicitly modeled in the steam generator tube rupture analysis, but it is assumed that these actions are completed to terminate the break flow. At this point, the plant will be in a stable condition and the immediate concerns associated with the steam generator tube rupture will have been addressed. After this, the operators will perform the actions to cooldown and depressurize the plant to cold shutdown conditions. The plant cooldown will be performed using the intact steam generators until the temperature for operation of the RHR system is reached. At this time, the ruptured steam generator pressure and the RCS pressure will be simultaneously reduced to the RHR operating pressure.

After the RHR operating conditions are reached, cooldown to cold shutdown can be performed using the RHR system and the RCS depressurization can be completed.

The NRC has raised licensing issues with the SGTR event including specific justification of the operator action times assumed in the analysis. The justification of the operator action response times is included in the Turkey Point critical operator action procedure.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 72 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 73 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 74 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 75 of 182 4.1.16 (UFSAR 14.2.5) Rupture of a Steam Pipe A rupture of a steam pipe is assumed in Turkey Point UFSAR [2] Section 14.2.5 to include any accident which results in an uncontrolled steam release from a steam generator. The analyses performed assuming a rupture of a main steam line are given in UFSAR Section 14.2.5, relevant sections of which are summarized as noted below:

Inadvertent Opening of a Steam Generator Relief or Safety Valve (this document Section 4.1.16.1)

Steam System Piping Failure at Hot Zero Power (this document Section 4.1.16.2)

Steam System Piping Failure at Full Power (this document Section 4.1.16.3) 4.1.16.1 Inadvertent Opening of a Steam Generator Relief or Safety Valve Event Description This event is described in Turkey Point UFSAR [2] Section 14.2.5.1 as an inadvertent opening of a single turbine bypass valve, atmospheric steam dump valve, or main steam safety valve (MSSV).

The inadvertent opening of a steam generator relief or safety valve is designated as a main steam system depressurization event and could include any steam system valve (e.g., power-operated relief valve, main steam safety valve, or steam dump valve). However, Turkey Point does not have a boron injection tank (BIT) and therefore does not have an acceptance criterion for precluding a return-to-criticality during the depressurization cases. Instead, the primary acceptance criterion for the depressurization case is that the minimum calculated DNBR should not violate the DNBR safety analysis limit. This is the same primary acceptance criterion for the main steam line rupture case (which is a Condition IV event but is conservatively analyzed to Condition II acceptance criteria) which models a double-ended rupture of the main steam line. The break flow is much higher

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 76 of 182 than for the depressurization case causing a more severe reactor coolant system cooldown and subsequent return to power. As such, the minimum DNBR is more limiting for the hypothetical break cases.

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

Based on its frequency of occurrence, the Inadvertent Opening of a Steam Generator Relief or Safety Valve event is classified as a Condition II event as defined in UFSAR Section 14.2 [2] and primarily analyzed to demonstrate that the DNB design basis is met.

Impact of Postulated SWCCF 4.1.16.2 Steam System Piping Failure at Hot Zero Power Event Description As discussed in UFSAR [2] Section 14.2.5.2, steam system piping failures (e.g., rupture) permit steam to be discharged from the steam generators. This escaping steam is seen by the reactor coolant system as an increase in steam flow which results in an increase in the heat extraction rate and a consequential reduction in primary system temperature and pressure. The negative moderator and fuel temperature reactivity coefficients, which are characteristic of the Turkey Point Unit 3 and 4 core design, cause core reactivity to rise as primary coolant temperature drops. This reactivity/temperature negative correlation is weak at the beginning of the fuel cycle and becomes stronger as the end of the fuel cycle is approached. If no automatic or manual actions are taken, the core power will eventually rise to a level that corresponds to the increased steam flow rate.

Uncontrolled steam releases could also result from the inadvertent opening of a steam generator relief or safety valve (UFSAR 14.2.5.1). Such occurrences are less limiting than the double-ended rupture of a main steam line presented in this section.

The event definition includes an assumption that the most-reactive RCCA is stuck in its fully withdrawn position.

This assumption increases the likelihood that the cooldown-induced reactivity excursion will reach criticality, despite the insertion of all other RCCAs, and increases the radial peaking factors that must be considered when evaluating core-related consequences (i.e., the likelihood of DNB and the extent of potential fuel/clad damage).

Additional conservatisms in the analysis include the assumption of maximum reactivity feedback (achieved by mixing BOL and EOL parameters to create a worst-case condition), feedwater flow increases to the full power value at break initiation until terminated by an isolation signal, maximum auxiliary feedwater is supplied throughout the event, and initial condition uncertainties are assumed in the most adverse direction.

The major core-related hazard/challenge posed by the main steam system piping failure is fuel clad damage. Other hazards/challenges that may be raised by steam system piping failures include reactor coolant system integrity (including steam generator tube integrity), equipment qualification concerns due to elevated containment pressures and temperatures, and damage from hydraulic forces.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 77 of 182 Based on its frequency of occurrence, the Hot Zero Power Main Steam Line Break accident is classified as a Condition IV event as defined in UFSAR Section 14.2 [2], however, it is analyzed to Condition II acceptance Criteria and demonstrates that the DNB design basis is met and to ensure that the resultant dose is maintained within Regulatory Guide 1.183 [91] limits.

Event Mitigation Since the Mode 2 analysis for this transient is initiated at zero power with the shutdown banks inserted, no credit is taken for the Reactor Trip System. The ESFAS is available to limit the consequences of steam system piping failures by terminating or limiting uncontrolled steam releases and by supplying negative reactivity by the introduction of borated water into the core. However, the Reactor Trip System is available during the Mode 1 analysis discussed in Section 4.1.16.3.

During a steam line break event, the safety injection system can be actuated by any of the following ESFAS signals:

Low pressurizer pressure High steam flow coincident with either:

o Low steam line pressure, or o Low reactor coolant system average temperature High containment pressure High differential pressure between any steam line and the main steam header The engineered safety features can terminate or limit the uncontrolled steam releases resulting from a steam line break event by automatically isolating the steam lines. Steam line isolation can be actuated by any of the following ESFAS signals:

High steam flow coincident with either:

o Low steam line pressure, or o Low reactor coolant system average temperature high-high containment pressure coincident with high containment pressure signals The engineered safety features will also automatically isolate main feedwater and initiate auxiliary feedwater flow whenever a safety injection signal is received from the ESFAS. In the safety analysis of the steam system piping failures, protective actions are triggered by some of the available signals listed above.

See Table 4-1 for the Signals, Protection and Safeguards Actions associated with this event.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 78 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 79 of 182 4.1.16.3 Steam System Piping Failure at Full Power Event Description As discussed in UFSAR [2] Section 14.2.5.2, steam system piping failures (e.g., rupture) will permit steam to be discharged from the steam generators. This escaping steam is seen by the reactor coolant system as an increase in steam flow, which results in an increase in the heat extraction rate and a consequential reduction in primary system temperature and pressure. The negative moderator and fuel temperature reactivity coefficients, which are characteristic of the Turkey Point Unit 3 and 4 core designs, cause core reactivity to rise as primary coolant temperature drops. This reactivity/temperature negative correlation is weak at the beginning of the fuel cycle and becomes stronger as the end of the fuel cycle is approached. If no automatic or manual actions are taken, the core power will eventually rise to a level that corresponds to the increased steam flow rate. Conservatisms in the analysis include the assumption of maximum reactivity feedback (achieved by mixing BOL and EOL parameters to create a worst-case condition) and feedwater flow is set equal to steam flow until terminated by an isolation signal. Because the event is initiated at hot full power conditions, the Westinghouse revised thermal design procedure is applied and the analysis assumes that the initial power, pressure, flowrate, and temperature are at nominal conditions. Because concurrent events are not required to be analyzed per BTP 7-19, the full power main steam line break event does not consider a concurrent loss of offsite power. The event is analyzed over a spectrum of break sizes to demonstrate the protective nature of the reactor protection system.

The major core-related hazard/challenge posed by the Steam System Piping Failure at Full Power is fuel cladding damage and a peak linear heat generation rate (expressed in kW/ft) that would cause fuel centerline melt.

Based on its frequency of occurrence, the Hot Full Power Main Steam Line Break accident is classified as a Condition IV event as defined in UFSAR Section 14.2 [2], however, it is analyzed to Condition II acceptance criteria and demonstrates that the DNB design basis is met and that the resultant dose is maintained within Regulatory Guide 1.183 [91] limits.

Safety Functions/Control Systems The analysis of the Steam System Piping Failure event traditionally assumes initial operation in Mode 2. The greatest cooldown, and therefore the greatest reactivity excursion, would occur from a Mode 2 condition where the decay heat level is low and the steam generator shell-side inventory and pressure is high. However, uprated full-power conditions at Turkey Point Units 3 and 4 may challenge the ability of the overpower T protection function to protect against the nuclear fuel overpower limit; therefore, the analysis is also performed at full power to demonstrate that a reactor trip is demanded by the Reactor Protection System and is executed in time to provide adequate protection to preclude fuel cladding damage and a peak linear heat generation rate (expressed in kW/ft) that would cause fuel centerline melt in order to ensure safe shutdown during Mode 1 operation. Once the reactor is tripped, the potential for fuel and cladding damage during the remainder of the transient would be bounded by the Hot Zero Power analyses described in the previous section of this report (Section 0).

During a steam line break event, reactor trips can be generated by any of the following RTS signals:

Overpower T Overtemperature T

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 80 of 182 High neutron flux (power range)

Low pressurizer pressure High steam flow with low steam pressure High steam flow with low average reactor coolant temperature In the safety analysis of the Steam System Piping Failure at Full Power, reactor trip is provided by one of the available signals listed above.

The UFSAR [2] Section 14.2.5.2 analysis assumes that the most reactive rod cluster control assembly (RCCA) is stuck in its fully withdrawn position after reactor trip, which reduces the scram reactivity worth and minimizes the resulting shutdown margin. In the presence of a negative moderator temperature coefficient, the cooldown results in a reduction of core shutdown margin due to a positive reactivity insertion from the negative MTC. The cooldown is attenuated by feedwater isolation initiated through automatic means or by operator action. An automatic steam line isolation signal will either terminate the cooldown if the break occurs downstream of the main steam line isolation valve (MSIV) or limit the blowdown to one steam generator if the break is between the steam generator and the MSIV. In the event that the break occurs between the steam line exit nozzle and the MSIV, the steam release will eventually be terminated due to the equalization of the pressure in the faulted steam generator and containment or due to the depletion of the coolant inventory in the faulted steam generator.

The RTS and ESFAS both function to limit the consequences of a steam line rupture event by:

Actuation of reactor and turbine trips The safety injection system Feedwater isolation Steam line isolation High steam flow with low steam pressure High steam flow with low average reactor coolant temperature Additionally, the passive accumulators provide the capability to add coolant inventory and boron to the reactor coolant system if steam line rupture results in a large cooldown and depressurization of the reactor coolant system. Due to the assumed SWCCF, the automatic RTS and ESFAS are not available to mitigate the steam line rupture event. However, with respect to the best-estimate evaluation, the conservative safety analysis assumptions such as a stuck RCCA, conservative reactivity feedback effects, the worst single failure, or minimum safety injection pump performance do not have to be considered to address the postulated SWCCF. This lessens the concern of achieving an overpower condition at full power.

Should the reactor be in Mode 1 at the time of a steam line break, the reactor will be tripped by the normal overpower protection system when power level reaches a trip point. Following a trip at power, the reactor coolant system contains more stored energy than at no-load, the average coolant temperature is higher than at no-load, and there is appreciable energy stored in the fuel. Thus, the additional stored energy is removed via the cool down caused by the steam release before the no-load conditions of RCS temperature and shutdown margin assumed in the analyses are reached. After the additional stored energy has been removed, the cool down and reactivity insertions proceed in the same manner as in the analysis which assumes no-load condition at time zero.

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 81 of 182 Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 82 of 182 Table 4-4: Main Steam Line Break Dose Results 4.1.17 (UFSAR 14.2.6) Rupture of a Control Rod Mechanism Housing - RCCA Ejection Event Description This event is described in Turkey Point UFSAR [2] Section 14.2.6, Control Rod Mechanism (CRDM) Housing -

RCCA Ejection.

The event is defined by an assumed failure of a control rod mechanism pressure housing such that the Reactor Coolant System (RCS) pressure would eject the control rod and drive shaft to the fully withdrawn position. The consequence of this mechanical failure is a rapid positive reactivity insertion together with an adverse core power distribution, possibly leading to localized fuel rod damage.

The position of all control rods is continuously indicated in the control room. An alarm will occur if one rod assembly deviates from its bank. There are low and low-low RCCA insertion monitors with visual and audio signals. Operating instructions require boration with the low position alarm and emergency boration with the low-low position alarm. Therefore, should a rod ejection occur from its normal position during power operation, only a minor reactivity excursion would be expected. The alarm functions ensure that the accident will not be worse than the cases analyzed.

Reactor protection will be provided by the power range high neutron flux reactor trip (high and low settings). At low power levels, the intermediate and source range neutron flux reactor trips are also available to provide protection.

Based on its frequency of occurrence, the Rupture of a Control Rod Mechanism Housing accident is classified as a Condition IV event as defined in UFSAR Section 14.2 [2] and analyzed to demonstrate that average fuel pellet enthalpy at the hot spot must be maintained below 225 cal/gm for unirradiated and 200 cal/gm for irradiated fuel, peak reactor coolant pressure must be less than that which could cause RCS stresses to exceed the faulted-condition stress limits, and fuel melting is limited to less than 10 percent of the fuel volume at the hot spot.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 83 of 182 Safety Functions The rod ejection analysis assumes automatic initiation by two-out-of-four Power Range High Neutron Flux channels. The Power Range High Neutron Flux setpoint used in the zero-power cases is the low setting (plus uncertainties) while the high setting (plus uncertainties) is assumed in the full-power cases.

The Intermediate Range Neutron Flux and the Source Range Neutron Flux reactor trips are not explicitly assumed in the rod ejection event analysis. The Intermediate Range Neutron Flux reactor trip provides backup protection to the Power Range Neutron Flux (low setting) and the Source Range Neutron Flux reactor trip provides primary protection for lower modes of operation where the Power Range Neutron Flux channel may not be operable.

Control Functions Control systems are assumed to function only if their operation results in more severe accident results. No control systems are assumed to function in the rod ejection event because the transient is faster than the expected effects of control system operation.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 84 of 182 Table 4-5: Hot Full Power Rod Ejection Results Table 4-6: Hot Zero Power Rod Ejection Results

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 85 of 182 4.1.18 (UFSAR 14.2.7) Feedwater System Pipe Break Event Description This event is described in Turkey Point UFSAR [2] Section 14.2.7, Feedwater System Pipe Break. The feedwater line break event was not part of the original Turkey Point licensing basis and not considered to be a typical design basis safety analysis. Rather, the analysis originally performed to support the extended power uprate project was intended to provide reasonable assurance that the event consequences would not present a safety concern.

The event is defined as a break in a feedwater pipe large enough to prevent the addition of sufficient feedwater to maintain shell-side fluid inventory in the steam generators (SGs). Based on the size of the break and the plant operating conditions at the time the break occurs, a FWLB could cause either a cooldown via excessive energy discharge through the break, or a heatup of the reactor coolant system (RCS). As the consequences of an RCS cooldown resulting from a FWLB are bounded by the cooldown consequences of a Steam System Piping Failure, the FWLB event is analyzed only with respect to RCS heatup. The FWLB event is analyzed to demonstrate the ability of the auxiliary feedwater (AFW) system to adequately remove long-term decay heat and prevent excessive heatup of the RCS that would cause the core to become uncovered with water.

Unless the effects of the FWLB and subsequent SG water level reduction are counteracted by manual or automatic action, the rise in reactor coolant temperature could eventually result in a loss of subcooled margin in the RCS hot or cold legs and/or a challenge to the integrity of the RCS and MSS pressure boundaries.

Note that the low feedwater line pressure resulting from a FWLB can deprive the unfaulted loop SGs of some of the available AFW flow. Therefore, operator action may be needed to isolate the AFW flow from the break and redirect that flow to the unfaulted loops.

UFSAR [2] Section 14.2.7.2, Analysis of Effects and Consequences, provides a large number of conservative assumptions in the analysis. Although safety injection is modeled, the shutoff head for the safety injection system, 1400 psig, is well below the minimum reactor coolant system pressure during a FWLB transient, and thus no safety injection flow occurs. Additionally, flow from only one auxiliary feedwater pump is modeled based on the single failure assumption in the UFSAR safety analysis and the trip setpoint is modeled at 0% narrow range level for both the reactor trip and auxiliary feedwater initiation. Further, the steam generator atmospheric relief valves were not available and the initial conditions were skewed to very limiting conditions. Finally, the low-low steam generator level reactor trip was set to zero-percent span to conservatively address the potential for the

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 86 of 182 instrumentation being impacted by an adverse environment inside containment. Additionally, the UFSAR analysis assumes a manual operator action to isolate auxiliary feedwater flow to the faulted steam generator 10 minutes following receipt of the auxiliary feedwater actuation signal. As such, the safety analysis presented in UFSAR Section 14.2.7 provides an extremely conservative basis for the feedwater line break accident.

Based on its frequency of occurrence, the Feedwater Line Break accident is classified as a Condition IV event as defined in UFSAR Section 14.2 [2] and is analyzed to demonstrate that auxiliary feedwater flow is adequate to remove core residual and decay heat by demonstrating that there is no bulk boiling in the hot legs.

Safety Functions The Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) both function to limit the consequences of an FWLB event by actuating a reactor trip, a turbine trip, and the AFW system. The primary RTS and ESFAS safety functions credited in the FWLB licensing basis analysis are reactor trip and AFW pump startup, both of which are actuated when the SG level decreases to the low-low setpoint in two-out-of-three level channels in any SG. Other RTS functions available that could be actuated following an FWLB include high pressurizer pressure, high pressurizer water level, overtemperature T, SI signal, low pressurizer pressure, and steam flow/feedwater flow mismatch coincident with low SG water level in any SG. A case in which the reactor trips on an SI signal due to high containment pressure was considered to cover the possibility that the low-low SG water level reactor trip function fails due to a harsh environment.

The following functions provide the necessary protection in the event of an FWLB:

The reactor can be tripped on any of the following reactor trip signals:

o High pressurizer pressure o High pressurizer water level o Overtemperature T o Low-low SG water level o Low pressurizer pressure o Steam flow/feedwater flow mismatch coincident with low SG water level in any SG o High steam flow with low steam pressure o High steam flow with low average reactor coolant temperature o Safety injection (SI) signal. For an FWLB, an SI signal may actuate due to any of the following:

High containment pressure Low pressurizer pressure High differential pressure between the steam line header and any steam line High steam line flow coincident with either low SG pressure or low Tavg (vessel average temperature)

Three turbine-driven AFW pumps shared by Units 3 and 4 are started on any of the following:

o Low-low water level in any steam generator o SI signal o Bus stripping o AMSAC o Trip of all main feedwater pump breakers in either unit

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 87 of 182 o Manual actuation Other equipment credited with providing a safety function following an FWLB event are the self-actuated MSSVs, which provide an additional heat sink and protection against secondary-side overpressure. Note that steam relief would normally be provided by the steam generator atmospheric relief valves or condenser dump valves for most FWLB events. However, these valves were conservatively assumed to be unavailable.

Also credited in the FWLB licensing basis analysis is operator action to isolate the portion of the total AFW flow lost through the break and redirect some of that flow to the two unfaulted steam generators. With this AFW flow redirection, the AFW flow rate to each unfaulted steam generator is increased. The analyzed auxiliary feedwater flowrate is consistent with supplying feedwater to both units at the Turkey Point site from one auxiliary feedwater pump, as the second pump is assumed to be lost as the limiting single failure.

Although SI was modeled as being available in the licensing basis analysis, the shutoff head for the SI system, 1400 psig, is well below the minimum RCS pressure expected during an FWLB transient, and thus no SI flow is expected.

Actuation of the above-described safety functions would result in the plant transitioning to a stabilized condition.

The plant could then, in a controlled manner, be placed in a safe shutdown condition.

Control Functions Control systems are assumed to function only if their operation results in more severe accident results. For the FWLB analysis, the pressurizer PORVs were assumed to be available and were modeled as being operable for maintaining RCS pressure, which is conservative for the primary concern of bulk boiling in the RCS. The pressurizer sprays and heaters were not modeled. Also, the rod control system was assumed to be in manual control mode, which allows for a greater RCS heatup prior to reactor trip, compared to having rod control in automatic mode, and maximizes the temperatures in both the RCS and MSS. With automatic rod control, the control rods would insert in an attempt to maintain Tavg at the nominal value.

Operator Action Requirements Credited in the FWLB licensing basis analysis is operator action to isolate the portion of the total AFW flow lost through the break and to redirect some of that flow to the two unfaulted steam generators within 10 minutes from the receipt of the auxiliary feedwater actuation signal. The benefit of this action for the FWLB analysis is an increase in the AFW flow rate to each unfaulted steam generator from 96 gpm to 124 gpm.

Note that after the event turnaround, the plant operators are expected to take action to bring the plant to a stable condition, but these actions are not considered in the analysis because they are not required to demonstrate acceptable results.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 88 of 182 4.1.19 (UFSAR 14.3.2.1) Best-Estimate Large Break Loss of Coolant Accident (BE-LOCA)

Analysis Event Description This event is described in Turkey Point UFSAR [2] Section 14.3.2.1, Best-Estimate Large Break Loss of Coolant Accident (BE-LOCA) Analysis.

Loss-of-coolant accidents (LOCA) are defined as hypothetical accidents that would result from the loss of reactor coolant, at a rate in excess of the capability of the reactor coolant makeup system, from breaks in pipes in the reactor coolant pressure boundary up to and including a break equivalent in size to the double-ended rupture of the largest pipe in the reactor coolant system.

Large break LOCA transients are characterized by a rapid depressurization, virtually complete depletion of liquid in the reactor vessel, a large containment pressure and temperature increase, and distinct blowdown and vessel refilling phases. LOCA transients that demonstrate behavior which more closely parallels these characteristic phenomena than the distinctly different characteristic phenomena of a small break LOCA (discussed in Section 4.1.20 of this report) are considered large breaks. The flexibility in this definition, along with the recognition that some LOCA break sizes will include phenomena associated with both small and large break LOCA characteristic behavior, has led to differing large break definitions within the industry. The Westinghouse definition for a large break is a break in the reactor coolant pressure boundary having a cross-sectional area greater than or equal to 1.0 ft2.

Prior to the break, the RCS is assumed to be at normal full power operating conditions. The instantaneous opening of a large break in the RCS cold leg leads to a rapid system depressurization. Offsite power is conservatively assumed such that RCPs continue to run throughout the transient. Steam line and main feedwater isolation are assumed to occur coincidentally with break initiation.

Although not explicitly modeled, depressurization to the low pressurizer pressure setpoint produces a reactor trip signal. No credit is taken for control rod insertion in the initial phase of the large break LOCA analysis. Power

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 89 of 182 generation in the core is shut down on the negative reactivity added due to voiding in the core. Control rods are assumed to be inserted at the time of the hot leg switchover during the recovery phase from a cold leg large break LOCA. This assumption only applies to cold leg large break LOCA, not to hot leg large break LOCA for which the control rods are ignored for the entire duration of the accident.

Further depressurization to the pressurizer low pressure safety injection (SI) setpoint initiates pumped SI after a delay consistent with the assumption of offsite power available. For standard Appendix K [40] analyses, an SI signal would typically be generated earlier on the containment high pressure setpoint.

Based on its frequency of occurrence, the Large Break LOCA is classified as a Condition IV event as defined in UFSAR Section 14.3 [2] and analyzed to ensure that ECCS limits cladding temperature to 2200 °F, metal-water reaction is limited to less than 1% of the available Zircaloy, and cladding oxidation is limited to less than 17% of the cladding thickness. Additionally, the event must demonstrate that the resultant dose remains within Regulatory Guide 1.183 [91] limits.

Event Mitigation Numerous systems, subsystems, and components would contribute to the mitigation of the consequences of a LOCA. However, this section will focus on those systems which contribute to ensuring that the consequences conform to the Acceptance Criteria of 10 CFR 50.46 [41]. These criteria have been established to gauge the adequacy of the cooling capability of the ECCS, being the primary mitigation system for a LOCA. Other systems and components which significantly contribute to the mitigation of large break LOCA consequences include the protection system, the containment pressure-reducing equipment, and the Emergency Power System (emergency diesel generators, Emergency Bus Load Sequencer, etc.). Other systems such as the component cooling water (CCW) system and service water systems provide secondary contributions.

The electrical equipment assumed to be available for the mitigation of a LOCA must be qualified Class 1E. The following sections describe the significant systems, components, and structures which contribute to the mitigation of large break LOCA consequences.

The primary safety signals that provide protection in the event of a Large Break LOCA include:

Low pressurizer pressure Low-low steam generator water level High containment pressure High containment rad monitors Engineered Safety Features Based on plant measurements, the Engineered Safety Features (ESF) actuate equipment and systems important to safety. For a large break LOCA, the RCS depressurizes rapidly to the low pressurizer pressure safety injection trip setpoint. The ESFAS generates a signal which then causes certain Class 1E electrical equipment to be loaded onto emergency power buses in the event of a loss of offsite power. As a result, the safety injection pumps, containment isolation, and active containment heat removal systems are available to mitigate the consequences of a LOCA. In actual plant operation, because of a reactor trip and safety injection signals (turbine trip, MFW isolation, etc.), other systems and equipment are actuated in the plant. However, for a large break LOCA analysis, the operability of these systems is conservatively modeled such that the realistic availability may not be credited in the analysis.

Emergency Core Cooling System The consequences of a large break LOCA are mitigated by the ECCS. The most important function is supplying borated water from the accumulators and delivering safety injection from the Refueling Water Storage Tank

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 90 of 182 (RWST) to the RCS to provide short-term core cooling. Pumped ECCS is assumed to initiate following receipt of the low pressurizer pressure SI signal. The pumped ECCS flow from the low head and high head safety injection (LHSI and HHSI) pumps and the passive accumulator injection provide subcooled liquid to the reactor vessel to replace inventory lost through the break.

Emergency Power System The limiting conditions for the design basis LBLOCA include the assumption of offsite power available. The availability of offsite power (no-LOOP vs. LOOP) is analyzed in the confirmatory study. The LOCA uncertainty analysis uses the more limiting no-LOOP configuration.

Operator Action No operator actions are assumed, or required, to mitigate the short-term consequences of a large break LOCA.

Capability is provided for the operator to initiate containment isolation and steam line isolation as well as other mitigative measures such as safety injection and reactor trip.

Control Functions Only safety Class 1E equipment and systems are assumed to function in the event of a LOCA.

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 91 of 182 4.1.20 (UFSAR 14.3.2.2) Small Break LOCA (Small Ruptured Pipes or Cracks in Large Pipes)

Which Actuate the Emergency Core Cooling System Event Description This event is described in Turkey Point UFSAR [2] Section 14.3.2.2, Small Break LOCA (Small Ruptured Pipes or Cracks in Large Pipes) Which Actuate the Emergency Core Cooling System.

Small breaks are defined as having cross-sectional areas less than 1 ft². The value of 1 ft² was chosen to be the boundary between large and small break LOCAs for Peak Cladding Temperature (PCT) calculations.

Westinghouse has developed specific ECCS Evaluation Models (EM) for both large and small breaks. Therefore, for the purpose of calculating the PCT, the small break size range is between a very small break approximately equal to a circular 3/8-inch diameter rupture (below which break flow can be made up using normal plant charging flow) and a 1 ft² rupture of the main reactor coolant pressure boundary. Furthermore, a review of the primary RCS branch lines indicates that there are no lines greater than 4 inches (Small Break) and less than 10 inches (Large Break).

A Loss-of-Coolant Accident results in a loss of the core cooling function, a release of mass and energy into the containment, and consequently, the development of potentially adverse radiological consequences. The requirement for the analysis of loss-of-coolant accidents is identified in 10 CFR 50.46 [41]. Small break LOCAs are typically less limiting than large break LOCAs; they are analyzed due to the unique phenomena associated with the small break LOCA (SBLOCA) transient. The SBLOCA transient limiting conditions assume a break in the reactor cold leg, loss of offsite power (LOOP), a single failure of Emergency Core Cooling System (ECCS) equipment, and minimum safeguards ECCS capability as discussed in the following sections.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 92 of 182 A small break LOCA causes a gradual depressurization of the RCS to a pressure slightly above that of the steam generator secondary side main steam safety valves (MSSV). The MSSV provide a significant path for RCS energy release until steam venting through the break occurs (referred to as loop seal clearing). The primary pressure and the duration of time that the primary pressure remains above the secondary side pressure is governed by the rate of decay energy removal through the break and the amount of heat transferred to the steam generator secondary. The transient is considered terminated once safety injection exceeds or is in equilibrium with the break flow, the mixture level in the core is continuing to increase, and the calculated cladding temperature is decreasing.

Additionally, any delay or reduction in safety injection due to the switchover from RWST injection phase to cold leg recirculation phase is taken into account as part of the termination criteria. Accumulator injection is dependent upon break size and is not required for smaller breaks in which the PCT is calculated before the RCS pressure decreases to the accumulator injection pressure.

The RCS is initially at 100% licensed core power. Following break initiation, depressurization to the pressurizer low pressure reactor trip setpoint initiates control rod insertion, RCP trip and coastdown, and main steam line isolation. Safety injection is initiated when the modeled low pressurizer pressure setpoint is reached as the RCS continues to depressurize. The SI signal initiates pumped ECCS actuation, auxiliary feedwater (AFW) system actuation, and main feedwater (MFW) isolation.

In a realistic scenario such as Tricon SWCCF, a loss of offsite power does not need to be assumed. Hence the RCPs would not be tripped at the beginning of the accident; the operator would trip them when the appropriate setpoint (subcooling margin) is reached as dictated by the EOPs.

For the break sizes where the RCS depressurizes to approximately 575 psig, the passive accumulators begin to inject borated water into the reactor coolant loops.

In the Turkey Point UFSAR [2] Section 14.3.2.2 analysis of this event, the onset of safety injection flow, assumed to start below the shutoff head value of 1400 psia, from two high head safety injection pumps was assumed to be delayed 45 seconds following the occurrence of the injection signal to account for emergency diesel generator startup and emergency power bus loading in the case of a loss-of-offsite-power coincident with a LOCA.

Based on its frequency of occurrence, the Small Break LOCA is classified as an ANS Condition IV event as defined in UFSAR Section 14.3 [2] and is analyzed to show that the available flow from the ECCS and the accumulators is sufficient to maintain RCS inventory and core heat removal, such that the peak cladding temperature is less than 2200°F, the maximum local oxidation is less than 17 percent, the core wide hydrogen generation is less than 1 percent, the core geometry remains in a coolable geometry, and the dose remains within the Regulatory Guide 1.183 [91] limits.

Safety Functions The various automatic Reactor Protection Systems (RPS) and Engineering Safety Features (ESF) which are available to mitigate the consequences of a small break LOCA are discussed in the following sections and include:

Low pressurizer pressure Low-low steam generator water level High containment pressure High containment rad monitors Reactor Protection System Based on plant measurements, the reactor protection system provides and processes signals which actuate equipment and systems important to safety. For a small break LOCA, the system depressurizes rapidly to the low

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 93 of 182 pressurizer pressure reactor trip setpoint. At 9.5 seconds after the break, the pressure decreases to the low pressurizer pressure reactor trip setpoint of 1805 psia (UFSAR [2] Section 14.3.2.2). The protection system generates a reactor trip signal which results in the insertion of the shutdown control banks, reducing the heat generation in the core to the decay levels required by 10 CFR 50, Appendix K [40]. Further depressurization to the low pressurizer pressure safety injection setpoint generates an S-signal which actuates the safety injection system, generates a Containment Phase A isolation signal and a control room isolation signal. Other systems and equipment are also actuated because of the generation of the reactor trip and safety injection signals.

Emergency Core Cooling System (ECCS)

The ECCS performs many functions in mitigating the consequences of a small break LOCA. The most important function is supplying borated water from the Refueling Water Storage Tank (RWST) to the RCS to provide short-term core cooling. At 19.1 seconds, the pressure decreases to the assumed low pressurizer pressure safety injection setpoint of 1615 psia. Pumped ECCS flow is assumed to initiate following receipt of the low pressurizer pressure S-signal. There is a delay in SI delivery due to signal processing, EDG startup (for LOOP), sequencing, SI pump startup and speed up, valve alignment, etc.

The pumped ECCS flow from the high head safety injection (HHSI) pumps provides subcooled liquid to the reactor vessel to replace inventory lost through the break. For some larger small break LOCAs, the system may depressurize sufficiently to permit passive injection from the cold leg accumulators. This flow would supplement HHSI in providing additional liquid mass for recovering any uncovered portion of the core in the short-term. The automatic operation of the residual heat removal (RHR) or low head safety injection (LHSI) pumps is not considered for the small break LOCA analysis.

Auxiliary Feedwater (AFW)

Main Feedwater (MFW) isolation is modeled to occur following an S-signal during a small break LOCA. Upon receipt of the safety injection signal, the MFW isolation and AFW flow is initiated. The MFW isolation is completed after a signal processing delay time followed by a pump coastdown time. There is a delay between the time of the S-signal and the time that AFW flow is provided to the SG due to signal processing, equipment sequencing (for LOOP), pump start-up, valve alignment, etc. Under the limiting small break LOCA condition (LOOP, loss of a train), the AFW system is assumed to provide flow to each steam generator from one turbine driven AFW pump. During portions of the small break LOCA transient, core heat removal is achieved via primary-to-secondary heat transfer across the SG tubes. The AFW system provides the SG shell side liquid which is the heat sink for this heat removal mechanism.

Main Steam Safety Valves (MSSVs)

The conservative assumptions associated with a small break LOCA lead to the isolation of steam flow from the SG through the main steam line. Following the break, the pressure in the steam generator rises due to the continued heat removal from the primary side via generation of steam in the SG secondary side. The pressure stabilizes when the pressure is high enough to lift one or more of the MSSVs. This provides a path for the release of energy (heat) from the combined primary/secondary system.

Emergency Power System The limiting conditions for the design basis small break LOCA include the assumption of the loss of offsite power (LOOP). With the LOOP, the EDGs, emergency buses, and sequencing equipment of the Emergency Power System are required to supply power to the necessary safety-related (AC-powered) equipment. The delays associated with the startup of EDGs, sequencing/loading of equipment on the emergency buses, etc., are included in the delay times assumed for the important safety systems (SI delay, etc.).

See Table 4-1 for the Signals, Protection, and Safeguards Actions associated with this event.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 94 of 182 Impact of Postulated SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 95 of 182 Table 4-7: Small Break LOCA Dose Results

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 96 of 182 4.1.21 Containment Functional Design - Containment Spray and Containment Isolation Event Description This event is described in UFSAR [2] Section 14.3.4.3, Containment Response. The UFSAR analysis of LBLOCA and MSLB events credit automatic initiation of the emergency containment cooling fans, containment isolation, and containment spray.

Safety Systems Actuated by Containment Pressure Signals The purpose of the containment high-pressure and high-high-pressure safety system actuations is to prevent or minimize the release of radioactive fission products to the environment. Events that could result in the release of mass and energy from the RCS to the containment building include large and small break LOCAs (including rod-ejection) and large steam line breaks inside containment. The Rod Ejection analysis is discussed in Section 4.1.17 and shows the SBLOCA is bounding. The safety systems actuated to limit the release to containment caused by these accidents are SI (and subsequent reactor trip), feedwater isolation, auxiliary feedwater startup, containment ventilation isolation, and containment isolation phase A. On high-high containment pressure, containment spray actuation limits the pressure rise inside containment while containment cooling limits the temperature.

Containment isolation phase B actuation limits the release of radiological nuclides.

High containment pressure signals in two out of three channels actuate the Safety Injection System (SIS), which subsequently trips the reactor. These signals also actuate main feedwater isolation, auxiliary feedwater flow, containment isolation phase A, containment ventilation isolation, and control room/technical support center ventilation isolation.

High-high containment pressure signals in two out of three channels, coincident with high containment pressure in two out of three channels, actuates containment spray and containment isolation phase B, and actuates steam line isolation by closing the main steam line stop valves and steam line bypass valves.

UFSAR Section 14.3.4 [2] credits these functions:

Emergency Containment Cooling Fans are actuated on a high containment pressure signal.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 97 of 182 Containment spray is actuated on the High-High containment pressure setpoint in coincidence with High containment pressure.

Control Room and Technical Support Center HVAC isolation on containment high radiation, Safety Injection, Containment Isolation Phase A & B (Manual) - not required for D3 due to MCR dose. MCR rad monitor is independent from Tricon and generates an independent isolation/MCR vent signal.

Event-Specific Operator Action Requirements During the injection phase (pumped safety injection from the RWST) of a LOCA, the phase prior to realignment of the ECCS to sump recirculation, no credit is taken for operator action with respect to operation of the ESF.

During this period, the operator is not required to take any mitigating actions. The operator should be verifying equipment operation and containment isolation and preparing for sump recirculation.

Impact of Postulated SWCCF 4.1.21.1 Defensive Measures

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 98 of 182 Coolant Line Leakage

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 99 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 100 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 101 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 102 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 103 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 104 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 105 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 106 of 182 Conclusions

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 107 of 182 4.2 Diversity Among Echelons of Defense Table 4-8 identifies the diversity and dependency that exists among the four echelons of defense as identified in BTP 7-19 [3]:

1. Control Systems [

]

2. RPS

3. ESFAS

4. Monitoring and Indication

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 108 of 182 Table 4-8: Diversity and Dependencies Among Echelons of Defense Reactor Trip System (RTS)

ESF Actuation System (ESFAS)

Feature Control Systems Process Voting Logic Process Voting Logic Safety Controls and Indication Sensors (direct)

Sensors terminated on process protection controller and isolated outputs hardwired to external devices or systems Calculated values computed in protection process controller and isolated outputs hardwired to control

[

]

Input sensors powered from process rack RCP bus undervoltage/

underfrequency, RCP breaker status contacts, turbine auto stop oil pressure switches, and stop valve position switches -

otherwise no direct sensor inputs.

Sensors, A/D conversion, Engineering Unit conversion, and signal compensation shared with RPS Containment pressure switches -

otherwise no direct sensor inputs Sensors terminated in process racks and output to converter/isolation devices for control room displays Hardware Various vendors including Tricon, Foxboro I/A, AECL, and Yokogawa Tricon Tricon Tricon Tricon Diverse manual controls for ESFAS and for RTS. Diverse indications routed independently from Tricon

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 109 of 182 Reactor Trip System (RTS)

ESF Actuation System (ESFAS)

Feature Control Systems Process Voting Logic Process Voting Logic Safety Controls and Indication Software Various vendors Tricon Tricon Tricon Tricon Diverse manual controls not dependent on software.

Diverse indications routed independent from Tricon software Assumptions

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 110 of 182 4.3 Spurious RPS/ESFAS Actuations NUREG-800, Chapter 7, BTP 7-19, [3] states the following concerning postulated spurious actuations caused by a SWCCF:

The evaluation of potential spurious operations is an important part of the overall D3 assessment for a proposed DI&C system to ensure that spurious operations do not lead to events with unacceptable consequences. Although a spurious operation is not always anticipated, it can be detected because this type of failure is normally self-announcing through instrumentation on the actuated system. However, in some circumstances a spurious operation may not occur until a particular signal or set of signals is present. In these cases, rather than occurring immediately upon system startup, the spurious operation would occur only under certain plant conditions. Such a spurious operation is still self-announcing (by the actuated system), even if failure did not occur on initial test

[

]

[

] The results of the evaluation are provided in the following tables:

1. Table 4-9: RPS Spurious Actuation Caused by SWCCF

2. Table 4-10: Safety Injection Spurious Actuations Caused by SWCCF

3. Table 4-11: Main Feedwater Isolation Spurious Actuation Caused by SWCCF

4. Table 4-12: Steam Line Isolation Spurious Actuations Caused by SWCCF

5. Table 4-13: Containment Isolation Phase A Spurious Actuation Caused by SWCCF

6. Table 4-14: Containment Isolation Phase B Spurious Actuations Caused by SWCCF

7. Table 4-15: Containment Ventilation Isolation Spurious Actuations Caused by SWCCF

8. Table 4-16: Containment Spray Spurious Actuations Caused by SWCCF

9. Table 4-17: [ AMSAC ] Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 111 of 182 Table 4-9: RPS Spurious Actuation Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 112 of 182 Table 4-10: Safety Injection Spurious Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 113 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 114 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 115 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 116 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 117 of 182 Table 4-11: Main Feedwater Isolation Spurious Actuation Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 118 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 119 of 182 Table 4-12: Steam Line Isolation Spurious Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 120 of 182 Table 4-13: Containment Isolation Phase A Spurious Actuation Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 121 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 122 of 182 Table 4-14: Containment Isolation Phase B Spurious Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 123 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 124 of 182 Table 4-15: Containment Ventilation Isolation Spurious Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 125 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 126 of 182 Table 4-16: Containment Spray Spurious Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 127 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 128 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 129 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 130 of 182 Table 4-17: [

] Actuations Caused by SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 131 of 182 4.4 Control System Response to Postulated Spurious Actuations as a Result of a SWCCF in RPS/ESFAS The following ground rules as provided in the guidance of BTP 7-19 (Refer to reference 3 section 3) and the FMEA report (Refer to reference 26 section 4) are [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 132 of 182 The following definitions are derived from the guidance of BTP 7-19 (Refer to reference 3 section 3) and the FMEA report (Refer to reference 26 section 4). [

]

The results of the evaluation are provided in Table 4-18 which provides the following information:

a. NSSS control systems

b. Signal inputs to each control system.

c. Consequences of the RPS/ESFAS/NIS input signals to the NSSS control systems [

]

d. Consequences of the RPS/ESFAS/NIS input signals to the NSSS control systems [

]

e. Consequences of the RPS/ESFAS/NIS input signals to the NSSS control systems [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 133 of 182 Table 4-18: NSSS Control System Response to Postulated RPS/ESFAS Tricon SWCCF

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 134 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 135 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 136 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 137 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 138 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 139 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 140 of 182 4.4.1 [

]

4.4.1.1

[

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 141 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 142 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 143 of 182 4.4.1.2

[

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 144 of 182 4.4.1.3

[

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 145 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 146 of 182 5

DIVERSE ACTUATION SYSTEM (DAS)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 147 of 182 Table 5-1: Chapter 14 Initiating Events, Diverse Indications, and Alternate Mitigation Functions UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.1.1 Uncontrolled RCCA Withdrawal from a Sub-Critical Condition (ANS-II)

None

• Power Range Neutron Flux

• Intermediate Range Neutron Flux

• Source Range Neutron Flux

• (Only Power Range necessary)

Category A Event reaches new steady state condition without requiring reactor protection

• None required 14.1.2 Uncontrolled RCCA withdrawal at Power (ANSII)

None

• Power Range Neutron Flux

• Rod Position Category A Event reaches new steady state condition without requiring reactor protection

• None Required 14.1.4 Rod Cluster Control Assembly (RCCA) Drop (ANS-II)

None

• Rod Position

• Power Range Neutron Flux Category A Event reaches new steady state condition without requiring reactor protection

• None Required

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 148 of 182 UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.1.5 Chemical and Volume Control System Malfunction (ANS-II)

Yes. The required operator action times to terminate the event are:

Mode 1: 15 minutes from time of dilution Mode 2: 15 minutes from time of dilution Mode 3: 15 minutes from time of dilution Mode 4: 15 minutes from time of dilution Mode 5: 15 minutes from time of dilution Mode 6: 30 minutes from time of dilution

• Gamma Metrics Wide Range Flux

• Power Range Neutron Flux Mode 1 & 2 - Category B Terminated by manual operator action

• Manual Action Mode 3,4,5 & 6 -

Category A

• Manual Action 14.1.7 Excess Feedwater Flow and Reduction in Feedwater Enthalpy Incident (ANS-II)

None

• Power Range Neutron Flux

• Pressurizer Pressure Category C Bounded by 14.2.5 Steam Line Break

• Manual Action

• Diverse High Neutron Flux (Rod Ejection)

• Diverse Low Pressurizer Pressure Rx Trip (SBLOCA)

Category B Steam Generator Overfill terminated by DAS

• Diverse Main Feedwater Isolation (Excess Feedwater) 14.1.8 Excessive Load Increase Incident (ANS-II)

None

• Power Range Neutron Flux

• Pressurizer Pressure Category A Event reaches new steady state condition without requiring reactor protection

• None Required

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 149 of 182 UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.1.9 Partial Loss of Forced Reactor Coolant Flow (ANS-II)

None

• Reactor Coolant Flow Category C Bounded by 14.1.9 Complete Loss of Flow

• MSSVs

• PSVs 14.1.9 Complete Loss of Forced Reactor Coolant Flow (ANS-III)

None

• Reactor Coolant Flow

• SG NR Level

• Pressurizer Pressure

• Pressurizer Level Category C Bounded by 14.1.9 Locked Rotor

• MSSVS

• PSVs 14.1.9 Locked Rotor Accident (ANS-IV)

None

• Reactor Coolant Flow

• RCS WR Pressure Category A Event reaches new steady state condition without requiring reactor protection

• None required 14.1.10 Loss of External Electrical Load (ANS-II)

None

• SG NR Level

• RCS WR Pressure Category C Bounded by UFSAR 14.1.13 ATWS analyses

• AMSAC

• PSVs

• MSSVs 14.1.11 Loss of Normal Feedwater Flow (ANS-II)

None

• SG NR Level

• RCS WR Pressure Category C Bounded by UFSAR 14.1.13 ATWS analyses

• AMSAC

• PSVs

• MSSVs 14.1.12 Loss of Non-Emergency A-C Power to Plant Auxiliaries (ANS-II)

None

• SG NR Level

• RCS WR Pressure Category C Bounded by UFSAR 14.1.13 ATWS analyses

• AMSAC

• PSVs

• MSSVs

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 150 of 182 UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.1.14 Accidental Depressurization of the Reactor Coolant System (ANS-II)

None

• Pressurizer Pressure

• Containment Pressure UFSAR Case:

Category B Terminated by DAS

• Diverse low pressurizer pressure Rx Trip (SBLOCA)

• Diverse low pressurizer pressure SI (SBLOCA)

Supplemental Pressurizer Overfill Case:

Category B

• Manual Actuation 14.1.15 Anticipated Transient Without SCRAM (Beyond Design Basis)

None

• SG NR Level

• RCS WR Pressure Category B

• AMSAC

• PSVs

• MSSVs 14.2.4 Steam Generator Tube Rupture (ANS-III)

Feedwater Isolate to the ruptured SG.

AFW termination.

SI flow reduction.

Ruptured SG Identification.

Ruptured SG steam flow isolation.

Ruptured loop RCP trip.

RCS cooldown on intact SGs.

Establish charging flow.

Depressurize RCS.SI Termination Balance charging flow

• Pressurizer Pressure

• SG NR Level

• Steam Generator Pressure

• Condenser Air Ejector radiation Category B Event terminated by DAS and by manual operator action.

• Manual actions

• Diverse low pressurizer pressure SI (SBLOCA)

• Diverse low pressurizer pressure Rx Trip (SBLOCA)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 151 of 182 UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.2.5.1 Inadvertent Opening of a Steam Generator Relief or Safety Valve (ANS-II)

None

• Power Range Neutron Flux

• RWST Level Indication and Alarm

• SG SV/RV Status Indication

• Steam Generator Pressure Category C Bounded by UFSAR 14.2.5 Steam Line Break events

• Diverse low pressurizer pressure Rx Trip (SBLOCA)

• Diverse low pressurizer pressure SI (SBLOCA) 14.2.5.2 Steam System Piping Failure at Hot Zero Power (ANS-IV)

MSIV Closure

• SG NR Level

• RWST Level Indicator and Alarm

• Pressurizer Pressure

• Steam Generator Pressure

• Containment Pressure

• Containment Radiation Monitor

• Containment Sump Level Category B Terminated by DAS

• Manual Action

• Diverse low pressurizer pressure SI (SBLOCA)

• Passive accumulator injection

• Diverse Main Feedwater Isolation (Excess Feedwater) 14.2.5.2 Steam System Piping Failure at Full Power (ANS-IV)

MSIV Closure SI Termination

• SG NR Level

• RWST Level Indicator and Alarm

• Pressurizer Pressure

• Steam Generator Pressure

• Containment Pressure

• Containment Radiation Monitor

• Containment Sump Level Category B Terminated by DAS

• Manual Action

• Diverse low pressurizer pressure Rx Trip (SBLOCA)

• Diverse low pressurizer pressure SI (SBLOCA)

• Diverse High Neutron Flux (Rod Ejection)

• Diverse Main Feedwater Isolation (Excess Feedwater)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 152 of 182 UFSAR Section Event Operator Actions for Successful Mitigation Diverse Indications Category and Recommended Analysis or Design Change Alternate Mitigation Functions 14.2.6 Rupture of a Control Rod Mechanism Housing -RCCA Ejection (ANS-IV)

None

• Power Range neutron Flux Category B Terminated by DAS

• Diverse High Neutron Flux (Rod Ejection) 14.2.7 Feedwater System Pipe Break (ANS-IV)

Isolation and realignment of auxiliary feedwater

• SG NR Level

• Steam Generator Pressure

• Pressurizer Pressure

• AMSAC actuation alarms Category B Terminated by AMSAC

• Manual actions

• AMSAC 14.3.2.1 Best-Estimate Large Break Loss of Coolant Accident (BE-LOCA) Analysis (ANS-IV)

Manual RHR initiation Manual SI actuation Manual SI suction switchover from RWST to Containment sump

• Pressurizer Pressure

• Containment Pressure

• Containment Radiation monitors

• RWST Level Indication and Alarm

• Containment Sump Level Category A Event eliminated from D3 Consideration through leak detection and fracture mechanics evaluation

• None required 14.3.2.2 Small Break LOCA (Small Ruptured Pipes or Cracks in Large Pipes) Which Actuate the Emergency Core Cooling System (ANS-IV)

Manual Containment Isolation Manual Containment Spray Actuation Manual Containment Cooling Actuation Manual RHR initiation Manual RCP Trip

• Pressurizer Pressure

• Containment Pressure

• Containment Radiation monitors

• RWST Level Indication and Alarm

• Containment Sump Level Category B Terminated by DAS

• Manual Action

• Diverse low pressurizer pressure Rx Trip (SBLOCA)

• Diverse low pressurizer pressure SI (SBLOCA)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 153 of 182 5.1 Diverse Automatic Mitigating Functions

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 154 of 182 5.2 Diverse Automatic Mitigating Functions [

]

5.3 System Level RPS and ESFAS Manual Controls The manual actions listed in Table 5-2 are required based on the evaluations presented in Section 4 and Table 5-1 of this report.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 155 of 182 Table 5-2: System Level RPS and ESFAS Manual Controls

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 156 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 157 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 158 of 182 The events requiring manual operator action are identified in Table 4-18 and Table 5-1. [

]

5.4 Diverse Process Variable/Alarm Indications Diverse process variables and alarm indications that are required by the operators to assess the status of the plant prior to taking a manual action are provided in Table 5-3. [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 159 of 182 Table 5-3: Diverse Process Variable/Alarm Indications

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 160 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 161 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 162 of 182

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 163 of 182 5.5 Passive Protection Functions Available There are several passive functions that are available and credited for events discussed in Section 4 of this report.

Their successful operation does not depend on the RPS/ESFAS Tricon platform and, as a result are placed in Block 2. They are as follows:

6 CONCLUSIONS The Turkey Point Unit 3&4 licensing basis UFSAR [2] Chapter 14 safety analyses were evaluated to determine which events required RPS/ESFAS primary or backup protection actuations when a postulated SWCCF occurs.

Those events identified as requiring the RPS/ESFAS for primary protection system response were reviewed to determine if a timely diverse means of automatically mitigating the transient/accident was available or annunciators and indicators were available to allow the operator to diagnose the event and manually bring the plant to a safe shutdown condition in a timely manner.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 164 of 182 The latter two failure modes are considered spurious actuations and were analyzed as such. The conclusion resulting from the examination of the latter two modes identified no safety concerns. [

]

Details for these analyses are provided in Section 4.4.1.1, 4.4.1.2 and 4.4.1.3 as well as Section 4.1 where credit is given to [

]

[

] These are also discussed in Sections 4 and 5 of this report. Table 5-1 presents the results of this assessment and shows the diverse mitigation functions required to mitigate the events.

For most transients and accidents, no operator action is required since sufficient non-RPS/ESFAS based automatic functions exist, [

]

ACTION:

Turkey Point 3&4 will include the proposed defense-in-depth coping actions in an HFE Program as discussed in Section 3.9 of the D3 report along with proof that times allotted are within plant means.

Manual actuation times will be validated by plant operators and engineers. For example, plant operations must be able to prove the feasibility of [

]

(Sections 4 and 5 of the D3 report) unless currently provided in a plant procedure.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 165 of 182 The events requiring manual operator action are identified in Table 5-1. [

]

The diversity assessment presented in Chapter 3 followed the applicable guidance provided in BTP 7-19, Rev. 8

[3]. Solutions for all PIEs when postulating a SWCCF to the RPS/ESFAS digital platform are provided, [

]

The required diverse indicators and alarms for events requiring operator action are provided and operate independently from the RPS/ESFAS software. Should a PIE occur, these indicators and alarms are available to alert the operator so that timely and appropriate operator action for PIEs can be taken. Furthermore, [

]

Spurious actuations, both partial and full, for the RPS/ESFAS digital platform are assessed and conclusions reached regarding their impact. [

]

Based on the evaluation herein, the acceptance criteria will be met for all evaluated PIEs. This conclusion is applied to the proposed upgrade I&C design and is demonstrated in the evaluations shown in Section 4 of this report. Section 4 assumes that a SWCCF disables the digital-based RPS/ESFAS Tricon portion (Block 1) of the upgrade I&C design while the diverse systems (Block 2) [

] are not susceptible to the same SWCCF and remain available to perform required functions.

Lastly, the setpoints calculated for the DAS will be validated for protecting the required analysis limits. [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 166 of 182 7

ABBREVIATIONS AND ACRONYMS Acronyms/Abbreviations Description 2-o-o-4 Two out of four 2-o-o-3 Two out of three A/D Analog to Digital ADV Atmospheric Dump Valves AECL Atomic Energy of Canada Limited AFW Auxiliary Feedwater AMSAC ATWS Mitigating System Actuation Circuitry ANS American Nuclear Society ANSI American National Standards Institute AOO Anticipated Operational Occurrence ASD Atmospheric Steam Discharge ASME American Society of Mechanical Engineers ATWS Anticipated Transient Without Scram B&PV Boiler and Pressure Vessel BE Best Estimate BIT Boron Injection Tank BOL Beginning of Life BTP Branch Technical Position CCF Common Cause Failure CCW Component Cooling Water CFCU Containment Fan Coil Unit CFR Code of Federal Regulations CLOF Complete Loss of Flow CR Control Room CS Containment Spray CVCS Chemical and Volume Control System D/A Digital to Analog D3 Defense-In-Depth and Diversity Evaluation DAS Diverse Actuation System DBA Design Basis Accident DCS Distributed Control System DI&C Digital Instrumentation and Control DNB Departure from Nucleate Boiling DNBR Departure from Nucleate Boiling Ratio EAB Exclusion Area Boundary

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 167 of 182 Acronyms/Abbreviations Description ECCS Emergency Core Cooling System EDG Emergency Diesel Generator EMC Electromagnetic Compatibility EMI/RFI Electromagnetic Interference/Radio Frequency Interference EOL End of Life EOP Emergency Operations Procedure EPRI Electric Power Research Institute EPU Extended Power Uprate ESFAS Engineered Safety Features Actuation System ETA External Termination Assembly FCG Fatigue Crack Growth FPL Florida Power and Light Framatome Framatome USA FT Foot FWLB Feedwater Line Break GDC Generic Design Criteria GL Generic Letter GPM (gpm)

Gallons Per Minute HFE Human Factors Engineering HFP Hot Full Power HHSI High Head Safety Injection HVAC Heating, Ventilation and Air Conditioning I&C Instrumentation and Control I/A Intelligent Automation - Foxboro-Schneider ICW Intake Cooling Water IEC International Electrotechnical Commission IEEE Institute of Electrical and Electronic Engineers ISG Interim Staff Guidance LBB Leak-Before-Break LBLOCA Large Break LOCA LCO Limiting Condition of Operation LHSI Low Head Safety Injection LOCA Loss of Coolant Accident LOL Loss of Load LONF Loss of Normal Feedwater LOOP Loss of Offsite Power LPZ Low Population Zone

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 168 of 182 Acronyms/Abbreviations Description MCB Main Control Board MCC Motor Control Center MCR Main Control Room mDNBR Minimum Departure from Nuclear Boiling Ratio MFW Main Feedwater MG Motor Generator MOV Motor Operated Valve MSIV Main Steam Isolation Valve MSLB Main Steam Line Break MSSV Main Steam Safety Valve MSS Main Steam System MTC Moderator Temperature Coefficient MTTF Mean-Time-To-Failure NGAID Next Generation Differential Analog Input NGDO Next Generation Digital Output NIS Nuclear Instrumentation System NPP Nuclear Power Plant NR Narrow Range NRC United States Nuclear Regulatory Commission NSR Non-Safety Related OTT Overtemperature Delta-T PA Postulated Accident PCT Peak Clad Temperature PFD Probability of Failure on Demand PIE Postulated Initiating Event PLC Programmable Logic Controller PLOF Partial Loss of Flow PMP Project Management Plan PORV Pilot Operated Relief Valve (definition); or Power Operated Relief Valve PQP Project Quality Plan PRA Probabilistic Risk Analysis PRMS Process Radiation Monitoring System PRZ Pressurizer PSIG Pounds Per Square Inch Gage PSV Pressurizer Safety Valve Turkey Point Unit 3&4 Plant Turkey Point Nuclear Plant Unit 3&4 QA Quality Assurance

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 169 of 182 Acronyms/Abbreviations Description QSPDS Qualified Safety Parameter Display System RCCA Rod Cluster Control Assembly RCP Reactor Coolant Pump RCS Reactor Coolant System RG Regulatory Guide RHR Residual Heat Removal RPS Reactor Protection System RTB Reactor Trip Breaker RTP Rated Thermal Power RTS Reactor Trip System RWAP Rod Withdrawal at Power RWSC Rod Withdrawal Sub Critical RWST Refueling Water Storage Tank SAR Safety Analysis Report SBLOCA Small Break LOCA SCMP Software Configuration Management Plan SDP Software Development Plan SER Safety Evaluation Report SG Steam Generator SGTR Steam Generator Tube Rupture SGTR Steam Generator SI Safety Injection SIA Structural Integrity Associates SMT Surface Mount Technology SQAP Software Quality Assurance Plan SR Surveillance Requirement SRP Standard Review Plan Std Standard SVDU Flat Panel Display - Safety Video Display Unit SVVP Software Verification and Validation Plan SWCCF Software Common Cause Failure SWGR Switchgear Tavg Temperature-Average TCM Tricon Communication Module TI Test Interval TLAA Time-Limited Aging Analysis TMR Triple Modular Redundant

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 170 of 182 Acronyms/Abbreviations Description TR Topical Report (non-EPRI references); or Technical Report Tricon Triconex PLC TS Technical Specifications TSAP Test Specimen Application Program UF Under Frequency UFSAR Updated Final Safety Analysis Report UV Under Voltage V&V Verification and Validation VAC Volt AC VCT Volume Control Tank WR Wide Range 8

GLOSSARY OF TERMS The following definitions are provided for special terms used in this document.

Term Definition Anticipated operational occurrence (AOO) (10 CFR Part 50 Appendix A)

Those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of the turbine generator set, isolation of the main condenser, and loss of offsite power.

Common-mode failure (CMF)

(NUREG/CR-6303)

Causally related failures of redundant or separate equipment. CMF embraces all causal relations, including severe environments, design errors, calibration and maintenance errors, and consequential failures.

Design basis accident (DBA)

(NUREG/CR 6303)

Occurrences that are not expected to occur but are postulated because their consequences would include the potential for the release of significant amounts of radioactive material.

Diverse component or system (IEC 880)

A component or system that duplicates the function of another component or system by employing different physical construction or different principles of operation.

Diversity & Defense-in-Depth (D3)

A concentric arrangement of protective barriers or means, all of which must be breached before a hazardous material or dangerous energy can adversely affect human beings or the environment.

Echelons of defense (NUREG/CR 6303)

Specific applications of the principle of defense-in-depth to the arrangement of instrumentation and control systems attached to a nuclear reactor for the purpose of operating the reactor or shutting it down and cooling it.

Redundant component or system (IEEE 379)

A piece of equipment or system that duplicates the essential function of another piece of equipment or system to the extent that either may perform the required function, regardless of the state of operation or failure of the other.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 171 of 182 Term Definition Single Failure Criterion (IEEE 379)

The safety systems shall perform all required safety functions for a design basis event in the presence of the following:

• Any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures.

• All failures caused by the single failure.

• All failures and spurious actions that cause, or are caused by, the design basis event requiring the safety function.

• The single failure could occur prior to, or at any time during, the design basis event for which the safety function is required to function.

9 REFERENCES

1.

FPL contract to Framatome-BHI JPC #02419951.

2.

Turkey Point Nuclear Updated Final Safety Analysis Report, Chapters 6, 7 and 14.

3.

NRC BTP-7-19, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems, Revision 8, January 2021.

4.

Generic Letter (GL) 85-06, Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related, April 16, 1985.

5.

System Architecture Drawing 02-9321047-D Rev 004

6.

NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, December 1994.

7.

United States Nuclear Regulatory Commission, DI&C-ISG-02, Task Working Group No. 2:

Diversity and Defense-in-Depth Issues Interim Staff Guidance, Revision 2.

8.

SRM-SECY-93-087, U.S. Nuclear Regulatory Commission, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs,, July 21, 1993.

9.

IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.

10.

NUREG-0800, Standard Review Plan, Chapters 3, 4, 7, (Revision 7); Chapter 18, Human Factors Engineering (Revision 3); and Appendix 18-A, Crediting Manual Operator Actions in Diversity and Defense-In-Depth Analyses, (Revision 0)

11.

NUREG-0711, Human Factors Engineering Program Review Model, Revision 3.

12.

ANSI/ANS 58.8, Time Response Design Criteria for Safety-Related Operator Actions.

13.

NUREG-0493, A Defense-in-Depth & Diversity Assessment of the RESAR-414 Integrated Protection System, March 1979.

14.

10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

15.

10 CFR Part 21, Reporting of defects and noncompliance.

16.

EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications for Nuclear Power Plants, December 1996.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 172 of 182

17.

U.S. Nuclear Regulatory Commission, Review of Corporation Topical Reports 7286-545, Qualification Summary Report and 7386-546, Amendment 1 to Qualification Summary Report, Revision 1, dated Dec 11, 2001 (ML013470433).

18.

Final Safety Evaluation by the Office of Nuclear Reactor Regulation, Part 1 of Approved Triconex Topical Report 7286-545-1-A Revision 4, Invensys Operating Management, Project No. 709, May 15, 2012 (ADAMS Accession No. ML12146A010).

19.

Application Guide, Appendix B, Part 6 of Approved Triconex Topical Report, Document No. 7286-545-1-A Revision 4, May 15, 2012.

20.

V10 Qualification/EPRI TR-107330 requirements, Appendix A, Part 5 of Approved Triconex Topical Report, Document No. 7286-545-1-A Revision 4, May 15, 2012.

21.

Triconex Topical Report; Part 4 of Approved Triconex Topical Report, Document No. 7286-545-1-A Revision 4, May 15, 2012.

22.

Triconex Topical Report, Master Configuration List, Document No. 7286-545-1, Page: 7 of 113, Revision 3, 07/11/10.

23.

Regulatory Guide 1.62, Rev. 1 Manual Initiation of Protective Actions, June 2010.

24.

SECY-18-0090, Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Control Systems, September 2018.

25.

Framatome Doc. No. 56-9321451, Rev. 004, Turkey Point Unit 3&4 RPS/ESFAS/NIS Project Quality Plan.

26.

Failure Modes and Effects Analysis (FEMA) for TRICON V10 PLC, Triconex Document No.

9600164-531, dated May 23, 2007.

27.

Reliability/Availability Study for Tricon PLC Controller, Triconex Document No. 9600164-532.

28.

Tricon System Accuracy Specifications, Triconex Document No. 9600164-534.

29.

10 CFR 50.67, Accident Source Term.

30.

Turkey Point Units 3 and 4 License Amendment Request for Extended Power Uprate, L-2010-113.

31.

10 CFR 50.62, Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants.

32.

Westinghouse WCAP-8330-NP, Westinghouse Anticipated Transients Without Trip Analysis.

33.

Westinghouse WCAP-10858-NP, AMSAC Generic Design Package.

34.

IEC 1131, Standard Programming Language.

35.

U.S. Nuclear Regulatory Commission, Review of Triconex Corporation Topical Reports 7286-545, Qualification Summary Report, and 7286-546, Amendment 1 To Qualification Summary Report, Revision 1, December 11, 2001 (ADAMS Accession No. ML013470433).

36.

U.S. Nuclear Regulatory Commission, DI&C ISG-05, Highly-Integrated Control RoomsHuman Factors Issues (HICRHF), Rev 1, 11/03/2008.

37.

ASME Boiler and Pressure Vessel Code Service Limit C stress criterion.

38.

Technical Specifications, TP Units 3 and 4, Appendix to License Nos. DPR-31 and DPR-41, Section 3/4.4.1 and 3.4.6, Reactor Coolant Loops and Coolant circulation, License Amendment No.

137/132, effective August 28, 1991.

39.

Not used.

40.

10 CFR 50 Appendix K, ECCS Evaluation Models.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 173 of 182

41.

10 CFR 50.46, Acceptance criteria for emergency core cooling systems for light-water nuclear power reactors.

42.

ANS-51.1/N18.2-1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants.

43.

IEEE 1012, IEEE Standard for Software Verification and Validation, 2004.

44.

USAS B31.1, Power Piping Code.

45.

USAS B31.7, Nuclear Power Piping Code.

46.

Regulatory Guide 1.45, Guidance on Monitoring and Responding to Reactor Coolant System Leakage, Revision 1.

47.

Technical Specification (TS) Surveillance Requirement (SR).

48.

Regulatory Guide 1.97, Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants, Revision 3.

49.

Not used.

50.

NUREG-0460, Volume 1, Anticipated transients without scram for light water reactors, April 1978 (ADAMS Accession No. ML15134A025).

51.

[

]

52.

Regulatory Guide 1.70, Rev 1, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants.

53.

[

]

54.

[

]

55.

[

]

56.

[

]

57.

[

]

58.

[

]

59.

[

]

60.

[

]

61.

[

]

62.

Not used.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 174 of 182

63.

[

]

64.

[

]

65.

[

]

66.

[

]

67.

EPRI-NP-7450(A), RETRAN-3D --- A Program of Transient Thermal-Hydraulic Analysis of Complex Fluid Flow Systems, October 2020.

68.

EPRI-NP_2511-CCM-A, VIPRE A Thermal-Hydraulic Code for Reactor Cores, May 2020.

69.

NSAL-93-016, Containment Spray System Issues, August 6, 1993.

70.

Not used.

71.

Not used.

72.

Not used.

73.

Not used.

74.

Framatome Doc. No. 102-9321586, Rev 003, Turkey Point Unit 3&4 RPS/ESFAS/NIS Project Management Plan (PMP).

75.

Framatome Doc. No.158-9324081, Rev. 002, Turkey Point Unit 3&4 RPS/ESFAS/NIS Software Development Plan (SDP).

76.

Framatome Doc. No. 09-9321605, Rev. 000, Turkey Point Unit 3&4 Software Quality Assurance Plan (SQAP).

77.

Framatome Doc. No. 136-9321606, Rev. 001, Turkey Point Unit 3&4 Software Verification and Validation Plan (SVVP).

78.

Framatome Doc. No. 158-9321019, Rev. 000, Turkey Point Unit 3&4 RPS/ESFAS/NIS Software Configuration Management Plan (SCMP).

79.

10 CFR 50.69 Risk-informed categorization and treatment of structures, systems, and components for nuclear power reactors.

80.

Not used.

81.

NRC NRR Safety Evaluation Report Related to the Subsequent License Renewal of Turkey Unit Generating Units 3 and Power and Light, July 22, 2019 (ML19191A057).

82.

Framatome Reliability and Availability Report, F.504706-RELA-3XNS-0001, dated March 15, 2021.

83.

[

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 175 of 182

84.

WCAP-15354, Revision 1, Technical Justification for Eliminating Primary Loop Pipe Rupture as a Structural Design Basis for Turkey Point Units 3 and 4 Nuclear Power Plants for the Subsequent License Renewal Time-Limited Aging Analysis Program (80 Years) Leak-Before-Break Evaluation, September 2017. In: Turkey Point Units 3 and 4 Subsequent License Renewal Application, Enclosure 4: Non-proprietary Reference Documents and Redacted Versions of Proprietary Reference Documents (Public Version), (ADAMS Accession No. ML18037A837).

85.

10 CFR 54.21, Requirements for Renewal of Operating Licenses for Nuclear Power Plants, Contents of applicationtechnical information.

86.

Not used.

87.

Not used.

88.

Not used.

89.

[

]

90.

1967 Proposed GDC 20, Protection Systems Redundancy and Independence.

91.

Regulatory Guide 1.183, Alternative Radiological Source Terms for Evaluating Design Basis Accidents at Nuclear Power Reactors, 07/2000.

92.

Not used.

93.

Not used.

94.

NUREG 1061-Volume 3, Report of the U.S. Nuclear Regulatory Commission Piping Review Committee Evaluation of Potential for Pipe Breaks, Revision 3, November 1994.

95.

Turkey Point Unit 3&4 Excessive Reactor Coolant System Leakage, 3-ONOP-041.3 dated July 9, 2019.

96.

Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, Revision 1, 10/2003.

97.

Invensys Operations Management, Software Qualification Report, Document 9600164-535, Revision 1, August 5, 2009, (ADAMS Accession No. ML100192059).

98.

NEXTera Energy, Conduct of Operations, OP-AA-100-1000, Rev. 33, 11/05/20.

99.

[

]

100.

Not used 101.

WCAP -13045 Revisions 1 and 2, Compliance to ASME Code Case N-481 of the Primary Loop Pump Casings of Westinghouse Type Nuclear Steam Supply Systems (ADAMS Legacy Accession No. 9111080138).

102.

NUREG/CR-4513, Revision 1, Estimation of Fracture Toughness of Cast Stainless Steels during Thermal Aging in LWR [Light-Water Reactor] Systems, dated August 1994 (ADAMS Accession No. ML052360554) 103.

10 CFR Part 50 Appendix A, General Design Criteria for Nuclear Power Plants 104.

[

]

105.

10 CFR 54.2, Contents of Application 106.

[

]

107.

[

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 176 of 182 References identified with an (*) are maintained within Turkey Point Nuclear Records System and are not retrievable from Framatome Records Management. These are acceptable references per Framatome Administrative Procedure 0402-01, Attachment 7. See page 2 for Project Manager Approval of customer references.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 177 of 182 APPENDIX A:

GUIDELINE ON THE DETERMINATION OF DIVERSE ACTUATION SYSTEM SETPOINTS FOR TURKEY POINT UNIT 3&4 A.1 PURPOSE The purpose of this document is to provide a guideline for the determination of DAS setpoints for Turkey Point Unit 3&4 for those parameters requiring automatic actuation in the DAS by the D3 Report. [

]

A.2 References

1. ISA S67.04 Part 1, Setpoints for Nuclear Safety-Related Instrumentation, 2006.

2. ISA S67.04 Part 2, Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation, 2000.

3. ISA TR67.04.08-1996, Setpoints for Sequenced Actions.

4. [

]

5. FPL Turkey Point Plant Unit 3&4 Technical Specifications through Amendment 292.

A.3 Guideline Description of Setpoint Methodology for DAS Setpoints A.3.1 General The primary RPS/ESFAS setpoints shall be selected to provide sufficient allowance between the trip setpoint and the safety limit to account for uncertainties. Detailed requirements for establishing these safety-related setpoints are provided in References A.2.1, A.2.2, and A.2.4 and are based on the plant specific safety analysis and the uncertainties in the specific equipment utilized to actuate the safety function. This section will provide only an overview of this design process. Refer to References A.2.1, A.2.2, and A.2.4 for additional guidance on the specific steps of the methodology.

The safety analysis establishes (1) an analytical limit in terms of a measured or calculated variable, and (2) a specific time after that value is reached to begin protective action. Satisfying these two constraints will ensure that the safety limit for plant protection will not be exceeded during anticipated operational occurrences and design-basis events.

Analytical Limits (AL) represent a value that should not be exceeded prior to accomplishing the prescribed action.

Establishing the analytical limit for a setpoint must carefully consider the overall function of the setpoint.

Generally, the analytical limit is provided through design documentation or other calculations.

The trip setpoint for the RPS/ESFAS function will be the value that the final setpoint device is set to actuate. Data used to select the trip setpoint may be taken from any of the following sources as described in References A.2.1, A.2.2, and A.2.4, operating experience, equipment qualification tests, vendor design specifications, engineering analysis, laboratory tests, and engineering drawings.

An allowance shall be provided between the RPS/ESFAS trip setpoint and the analytical limit to ensure a trip occurs before the analytical limit is reached. The allowance used shall account for all applicable design-basis events and the following process instrument uncertainties unless they were included in the determination of the analytical limit: (from Reference A.2.4)

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 178 of 182 Instrument calibration uncertainties Instrument uncertainties during normal operation Instrument drift Instrument uncertainties caused by design-basis events Process dependent events Calculation effects Dynamic effects Calibration and installation bias accounting Bias term Channel Uncertainty (CU) is calculated by combining all the terms that meet the conditions for combining terms using Square Root Sum of the Square (SRSS). The RPS/ESFAS trip setpoint is determined by:

1. Trip Setpoint (TS) = AL - CU for an increasing setpoint

2. Trip Setpoint (TS) = AL + CU for a decreasing setpoint A.3.2 DAS Setpoints The following section provides the actual DAS setpoint calculation listing the instrument accuracy values for the specific equipment including a document reference and the calculation of the DAS setpoints.

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 179 of 182 Table A-1: [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 180 of 182 Table A-2: [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 181 of 182 Table A-3: [

]

20004-026 (08/12/2020)

Document No.: 51-9348245-000 Diversity and Defense-in-Depth Evaluation Florida Power & Light Co. Turkey Point Unit 3&4 Digital Modernization Page 182 of 182 Table A-4: [

]

ATTACHMENT 3

Affidavit for Attachment 1 Florida Power and Light Turkey Point Unit 3 & 4 Diversity and Defense-In-Depth Evaluation (D3),

Framatome Document No. 51-9324096-004

A F F I D A V I T

1.

My name is Philip A. Opsal. I am Manager, Product Licensing for Framatome Inc. (formally known as AREVA Inc.), and as such I am authorized to execute this Affidavit.

2.

I am familiar with the criteria applied by Framatome to determine whether certain Framatome information is proprietary. I am familiar with the policies established by Framatome to ensure the proper application of these criteria.

3.

I am familiar with the Framatome information contained in Framatome Document No. 51-9324096-004, Diversity and Defense-In-Depth Evaluation Florida Power &

Light Co. Turkey Point Unit 3 & 4 Digital Modernization. Information contained in this Document has been classified by Framatome as proprietary in accordance with the policies established by Framatome for the control and protection of proprietary and confidential information.

4.

This Document contains information of a proprietary and confidential nature and is of the type customarily held in confidence by Framatome and not made available to the public. Based on my experience, I am aware that other companies regard information of the kind contained in this Document as proprietary and confidential.

5.

This Document has been made available to the U.S. Nuclear Regulatory Commission in confidence with the request that the information contained in this Document be withheld from public disclosure. The request for withholding of proprietary information is made in accordance with 10 CFR 2.390. The information for which withholding from disclosure is requested qualifies under 10 CFR 2.390(a)(4) Trade secrets and commercial or financial information.

6.

The following criteria are customarily applied by Framatome to determine whether information should be classified as proprietary:

(a)

The information reveals details of Framatomes research and development plans and programs or their results.

(b)

Use of the information by a competitor would permit the competitor to significantly reduce its expenditures, in time or resources, to design, produce, or market a similar product or service.

(c)

The information includes test data or analytical techniques concerning a process, methodology, or component, the application of which results in a competitive advantage for Framatome.

(d)

The information reveals certain distinguishing aspects of a process, methodology, or component, the exclusive use of which provides a competitive advantage for Framatome in product optimization or marketability.

(e)

The information is vital to a competitive advantage held by Framatome, would be helpful to competitors to Framatome, and would likely cause substantial harm to the competitive position of Framatome.

The information in this Document is considered proprietary for the reasons set forth in paragraphs 6(b), 6(d), and 6(e) above.

7.

In accordance with Framatomes policies governing the protection and control of information, proprietary information contained in this Document has been made available, on a limited basis, to others outside Framatome only as required and under suitable agreement providing for nondisclosure and limited use of the information.

8.

Framatome policy requires that proprietary information be kept in a secured file or area and distributed on a need-to-know basis.

9.

The foregoing statements are true and correct to the best of my knowledge, information, and belief.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on August 19, 2022.

Philip A. Opsal Manager, Product Licensing Framatome Inc.