ML17067A026

From kanterella
Jump to navigation Jump to search
NEI 96-07 Appendix D - Section 4, NEI Meeting Presentation
ML17067A026
Person / Time
Site: Nuclear Energy Institute
Issue date: 03/08/2017
From: Ramendick D
Nuclear Energy Institute
To:
Office of Nuclear Reactor Regulation
Holonich J
References
NEI 06-07
Download: ML17067A026 (30)
v  d  e


Text

NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications David Ramendick

SUMMARY

OF NEI 96-07, APPENDIX D, SECTION 4, EVALUATION GUIDANCE March 8, 2017

  • NRC 1

OBJECTIVES

  • Summarize Proposed Appendix D, Section 4 (Evaluation Guidance)
  • Illustrate Proposed Section 4 Guidance using Main Feedwater Control System Replacement example
  • Solicit NRC Staff Input

- Scope of topics expected to be addressed in 50.59 Evaluation Questions 1, 2, 5 and 6

- Expected content of responses to 50.59 Evaluation Questions 1, 2, 5 and 6 2

SECTION 4 - General Information

  • Introduction (including the CAUTION)

- Reiterates the necessity of using both the main body and Appendix D

- Provides administrative information

  • Common Cause Failure (CCF) Outcomes

- Source: CCF Susceptibility Analysis

- Possible CCF Outcomes CCF Not Credible CCF Credible, but CCF likelihood << CCF due to a single random failure 3

SECTION 4 - General Information

  • Examples

- Used to illustrate a specific aspect or topic provided in the guidance

- Not all inclusive Focuses only on the aspect or topic being discussed Deliberate exclusion of some aspects or topics that could, upon inclusion, change the conclusion

- Extensive use of the Main Feedwater (MFW) System MFW is one of the few non-safety-related systems whose failure can initiate an accident.

Failure of the MFW System is one of the few SSC malfunctions that is also an accident initiator.

4

SECTION 4.1 - Accident Frequency Criteria to be Considered

  • Negligible: A negligible effect on the frequency of occurrence of an accident exists when the change in frequency is so small or the uncertainties in determining whether a change in frequency has occurred are such that it cannot be reasonably concluded that the frequency has actually changed (i.e., there is no clear trend toward increasing the frequency).
  • Attributable

- Definition - Due to, or related to, the proposed activity

- If the CCF outcome is not credible, then the impact is NOT attributable

- If the CCF outcome is credible, then the impact may be attributable 5

SECTION 4.1 - Accident Frequency Illustration of Guidance Using Appendix D, Example 4-2 Proposed Activity:

A licensee has two non-safety-related main feedwater pumps (MFWPs),

each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

CCF Outcome:

CCF is credible, but CCF likelihood << CCF due to a single random failure 6

SECTION 4.1 - Accident Frequency Application of Attributable

  • Accident Initiators (Equipment-related)

- Loss of one MFWP

- Closure of one flow control valve

Conclusion:

Attributable to the digital modification

  • Justification: The feedwater control system provides signals to the MFWPs and the flow control valves 7

SECTION 4.1 - Accident Frequency Factors to Consider

  • Use of software
  • Use of digital components (e.g., microprocessors)
  • Creation of a software CCF
  • Intended benefits
  • ? [Additional input from NRC Staff requested]

8

SECTION 4.1 - Accident Frequency Expected Response Content Based on the factors that were considered, the proposed activity has an attributable impact on the frequency of occurrence of the Loss of Feedwater event. However, the net change in the frequency of occurrence of the Loss of Feedwater event is negligible due to the interdependent effects of CCF (negative) and the improved SSC performance (positive).

9

SECTION 4.2 - Malfunction Likelihood Criteria to be Considered

  • Negligible: A negligible effect on the likelihood of occurrence of a malfunction exists when the change in malfunction is so small or the uncertainties in determining whether a change in likelihood has occurred are such that it cannot be reasonably concluded that the likelihood has actually changed (i.e., there is no clear trend toward increasing the likelihood).
  • Attributable

- Definition - Due to, or related to, the proposed activity

- If the CCF outcome is not credible, then the impact is NOT attributable

- If the CCF outcome is credible, then the impact may be attributable 10

SECTION 4.2 - Malfunction Likelihood Illustration of Guidance Using Appendix D, Example 4-6 Proposed Activity:

Same main feedwater control system replacement previously described.

CCF Outcome:

CCF is credible, but CCF likelihood << CCF due to a single random failure 11

SECTION 4.2 - Malfunction Likelihood Application of Attributable

  • Affected Malfunctions:

- Loss of one MFWP

- Closure of one MFWP flow control valve

  • Malfunction Initiator (Equipment-related): Failure of a feedwater control system

Conclusion:

Attributable to the digital modification

  • Justification: The feedwater control system provides signals to the MFWPs and the flow control valves 12

SECTION 4.2 - Malfunction Likelihood Factors to Consider

  • Use of software
  • Use of digital components (e.g., microprocessors)
  • Creation of a software CCF
  • Intended benefits
  • ? [Additional input from NRC Staff requested]

13

SECTION 4.2 - Malfunction Likelihood Expected Response Content Based on the factors that were considered, the proposed activity has an attributable impact on the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve. However, the net change in the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve is negligible due to the interdependent effects of CCF (negative) and the improved SSC performance (positive).

14

SECTION 4.5 - Different Accident

  • General Considerations

- 50.59 Accident = Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs)

- Criteria to be Considered Credible Bounded/Related

  • Guidance Application

- Relationship of CCF Outcomes to Credible criterion

- Application of Bounded/Related criterion 15

SECTION 4.5 - Different Accident

  • Relationship of CCF Outcomes to Credible Criterion

- CCF Not Credible = Accident of a different type is NOT credible

- CCF Credible = Accident of a different type is credible

  • Bounded/Related Criterion (for credible ONLY)

- Use of events/sequences to address bounded

- Application of proposed revision to NEI 96-07, Rev. 1 discussed in Draft Regulatory Guide DG-1334 (Section C.1.a.) to address the related criterion 16

SECTION 4.5 - Different Accident

  • Application of the Bounded Criterion Guidance:

Events/sequences currently considered in the UFSAR form the basis for comparison of events, which makes it possible to identify and evaluate the limiting case.

  • Application of the Related Criterion Guidance:

Accidents of a different type are credible accidents that the proposed activity could create that have an impact on the type of events/sequences previously evaluated in the UFSAR (i.e., a different accident analysis would be needed for this different type of accident, not just a revision of a current accident analysis).

17

SECTION 4.5 - Different Accident Illustration of Guidance Using Appendix D, Example 4-9 Proposed Activity:

Same main feedwater control system replacement previously described.

CCF Outcome:

CCF is credible 18

SECTION 4.5 - Different Accident Application of Bounded/Related (Satisfaction of the Credible criterion has been established.)

  • Malfunction/Accident Initiator: Loss of one MFWP
  • Accident Type: Decrease in heat removal by the secondary system
  • Has a NEW event/sequence been created? YESloss of both MFWPs.

Conclusion:

No impact on the accident type

  • Justification: Still a decrease in heat removal from the secondary system 19

SECTION 4.5 - Different Accident Application of Bounded/Related (Satisfaction of the Credible criterion has been established.)

  • Is a NEW accident analysis required? NOthe loss feedwater flow is already analyzed.
  • Is a REVISION of an accident analysis required? YESto incorporate the new feedwater flow value (i.e., zero).

Conclusion:

Does NOT create the possibility of an accident of a different type

  • Justification

- Accident type is not impacted

- Current accident analyses address reduction/loss of feedwater 20

SECTION 4.6 - Different Result

  • Criteria to be Considered

- Credible

- Bounding

  • Guidance Application

- Relationship of CCF Outcomes to Credible criterion

- Application of Bounding criterion 21

SECTION 4.6 - Different Result

  • Relationship of CCF Outcomes to Credible Criterion

- CCF Not Credible = Malfunction with a different result is NOT credible

- CCF Credible = Malfunction with a different result is credible

  • Bounded Criterion (for credible ONLY)

- Types of Malfunctions

- Sources of Results

- Types of Results 22

SECTION 4.6 - Different Result NOTE on 50.59 FMEA

  • FMEA as used in NEI 96-07 is distinct from common technical usage (i.e., as described in IEEE Standards)
  • As used in NEI 96-07, no regulatory requirement dictates the structure and/or content of a FMEA
  • As a practical measure within NEI 96-07, UFSAR-described FMEA may be thought of as how malfunctions are postulated as potential single failures to evaluate plant performance in the accident analyses 23

SECTION 4.6 - Different Result TYPES OF MALFUNCTIONS

  • Previously evaluated, consistent with any Failure Modes and Effects Analyses (FMEAs) as evaluated in the accident analysis
  • New, based on any new FMEAs performed to reflect the source (identified on the next slide) 24

SECTION 4.6 - Different Result SOURCE OF RESULTS Failure to perform a design function as evaluated in the accident analysis (e.g., Chapters 6 and 15) 25

SECTION 4.6 - Different Result FOCUS ON END RESULTS

  • Final state/condition
  • Plant level result/response as evaluated in the safety analysis 26

SECTION 4.6 - Different Result Illustration of Guidance Using Appendix D, Example 4-11 Proposed Activity:

Same main feedwater control system replacement previously described.

CCF Outcome:

CCF is credible 27

SECTION 4.6 - Different Result Application of Bounded (Satisfaction of the Credible criterion has been established.)

  • Types of Malfunctions

- Previously Evaluated: Loss of one MFWP

- New: Loss of both MFWPs (from the new FMEA that was performed)

  • Types of Results (Previously Evaluated): End Result is Loss of Feedwater event (plant level)
  • Types of Results (New): End Result is Loss of Feedwater event (plant level) 28

SECTION 4.6 - Different Result Application of Bounded (Satisfaction of the Credible criterion has been established.)

Conclusion:

Does NOT create the possibility of a malfunction with a different result

  • Justification: The end result is acceptable as evaluated in the safety analysis (i.e.,

Loss of Feedwater event) 29

QUESTIONS / COMMENTS / FEEDBACK 30

Retrieved from "https://kanterella.com/w/index.php?title=ML17067A026&oldid=2440060"