Text

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

EPFAQ Number: 2016-002 Date Accepted for Review:

Originator: David Young Organization: NEI Submission: ADAMS Accession No. ML16182A308 Relevant Guidance: This question concerns NEI 99-01, Methodology for Development of Emergency Action Levels, Revisions 4 and 5; and NEI 99-01, Development of Emergency Action Levels for Non-Passive Reactors, Revision 6.

Applicable Section(s):

Initiating Condition (IC) HA2 in NEI 99-01, Revisions 4 and 5: FIRE or EXPLOSION Affecting the Operability of Plant Safety Systems Required to Establish or Maintain Safe Shutdown ICs CA6 and SA9 in NEI 99-01, Revision 6: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode Definition of VISIBLE DAMAGE in NEI 99-01, Revisions 4, 5 and 6 Status: Available for Public Comment QUESTION OR COMMENT:

A review of industry Operating Experience has identified a need to clarify an aspect of the definition of VISIBLE DAMAGE as it relates to the ICs cited above; adding this clarity is necessary to minimize the potential for an over-classification of an equipment failure. There may be cases where VISIBLE DAMAGE is the result of an equipment failure and limited to the failed component (i.e., the failure did not cause damage to any other component or a structure).

The current definition of VISIBLE DAMAGE does not adequately differentiate between damage resulting from, and affecting only, the failed piece of equipment vs. an equipment failure causing damage to another component or a structure (e.g., by a failure-induced fire or explosion). Can the definition of VISIBLE DAMAGE be clarified to help avoid an inappropriate emergency declaration in cases where an equipment failure does not result in damage to another component or a structure (i.e., VISIBLE DAMAGE affects only the failed component)?

A related question is also posed - Consistent with the approach used in other ICs, should a note be added to preclude an emergency declaration if the safety system affected by a hazard was not functional before the event occurred (e.g., tagged out for maintenance)?

PROPOSED SOLUTION:

Yes; the sentence below may be added to the definition of VISIBLE DAMAGE [as defined in NEI 99-01, Revisions 4, 5, and 6].

Damage resulting from an equipment failure and limited to the failed component (i.e., the failure did not cause damage to a structure or any other equipment) is not VISIBLE DAMAGE.

From a plant safety and change-in-risk perspective, the consequences from the failure of a piece of equipment, accompanied by a hazard (e.g., a fire or explosion) that does not damage any other equipment or a structure, are essentially the same as the equipment failing with no attendant hazard. Neither event would appear to meet the definition of an Alert because the outcome does not involve an actual or potential substantial degradation of the level of safety of the plant (e.g., there has been no significant reduction in the margin to a loss or potential loss of a fission product barrier). Nuclear power plants are designed with redundant safety system trains that are required to be separated (i.e., installed in separate plant areas or have separation 1

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only) within an individual area).

Absent any collateral damage to another component or a structure, a hazard associated with an equipment failure does not affect the ability to protect public health and safety, and there is no additional response benefit to be gained by declaring an emergency. The normal plant organization has sufficient resources and adequate guidance to respond to an equipment failure - guidance includes operating procedures and Technical Specifications; the fire protection [program], industrial safety and corrective action programs; and work management and maintenance requirements.

Concerning the second question, an emergency declaration would not be appropriate in response to a hazard affecting a piece of equipment or system that was non-functional prior to the event (e.g., tagged out for maintenance). For this reason and consistent with the approach used in other ICs, the following note may be added to IC HA2 (NEI 99-01 R4 and R5), or ICs CA6 and SA9 (NEI 99-01 R6).

Note: If the affected safety system (or component) was already non-functional before the event occurred, then no emergency classification is warranted.

Consistent with the guidance in Regulatory Issue Summary (RIS) 2003-18, Supplement 2, Use of Nuclear Energy Institute (NEI) 99-01, Methodology for Development of Emergency Action Levels, Revision 4, dated January 2003, it is reasonable to conclude that the changes proposed above would be considered as a deviation.

NRC RESPONSE:

The proposed guidance is intended to clarify that an Alert should only be declared only when actual, or potential, performance issues with SAFETY SYSTEMS has occuroccurred as a result of s based upon a hazardous event occurring. The occurrence of a hazardous event will result in a Notification of Unusual Event (NOUE) classification at a minimum. In order to warrant escalation to the ALERT classification, the hazardous event should cause indications of degraded performance to one train of a SAFETY SYSTEM with either indications of degraded performance onf a second SAFETY SYSTEM train or VISIBLE DAMAGE to a second SAFETY SYSTEM train, such that its operability or reliability is suspecta concern. In addition, escalation to the ALERT classification should not occur if the damage from the hazardous event is limited to a SAFETY SYSTEM that was inoperable, or out of service, prior to the event occurring. As such, the proposed guidance will reduce the potential of declaring an Alert when events are in progress that do not involve an actual or potential substantial degradation of the level of safety of the plant, i.e., does not cause significant concern with shutting down or cooling down, the plant.

IC HA2 (NEI 99-01 R4 and R5), or ICs CA6 and SA9 (NEI 99-01 R6), do not directly escalate to a Site Area Emergency or a General Emergency due to a hazardous event. The Fission Product Barrier and/or Abnormal Radiation Levels/Radiological Effluent recognition categories would provide an escalation path to a Site Area Emergency or a General Emergency.

The proposed changes to notes applicable to ICs HA2 (NEI 99-01 R4 and R5), or ICs CA6 and SA9 (NEI 99-01 R6), provide further clarification to the guidance currently provided in NEI 99-01, Revisions 4, 5, and 6, and are more consistent with the current NRC-endorsed Alert classification language. The revised language would continue to meet the intent of the proposed response to the EPFAQs.

1. Adding the following note to the applicable EALs, per for this EPFAQ, is acceptable as it meets the intent of the EALs, and is consistent with other EALs (e.g., EAL HA5 from NEI 99-01, Revision 6; this revision NEI-99-01 was endorsed by the NRC in aby letter dated 2

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

1. March 28, 2013, available at ADAMS Accession No. ML12346A463), and to ensures that declared eventsemergencies are based upon unplanned events with the potential to pose a radiological risk to the public.

3

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only) declared events are based upon unplanned events with the potential to pose a radiological risk to the public.

If the affected safety system train (or component) was already inoperable or out of service before the event occurred, then this emergency classification an emergency declaration is not warranted as long as the damage was is limited to theis affected safety system train (or component).

2. Adding the following note to help explain the EAL is reasonable to succinctly capture the more detailed information from the Basis section related to when conditions would require the declaration on an to consider the ALERT classification.

If the event results only resulted in VISIBLE DAMAGE, with no indications of degraded performance to any at least one train of a SAFETY SYSTEM train, then an this emergency declaration classification is not warranted.

3. Revising the EAL, and the Basis section, to limit potential escalations from a NOUE to an ALERT, due to a classifications for hazardous event, escalation (from NOUE to ALERT),

is appropriate as the concern with these EALs is: (1) a hazardous event has occurred, (2) one SAFETY SYSTEM train is having performance issues as a result of the hazardous event, and (3) either a second SAFETY SYSTEM train is having performance issues or the VISIBLE DAMAGE is enough to be concerned that this second SAFETY SYSTEM train may have operability or reliability issues.

4. Revising the definition for VISIBLE DAMAGE is appropriate as this definition is only used for these EALs; . Hhowever, rather than use this definition to better inform the EALs, an actually revision of ing the EALs themselves is more appropriate to ensure proper understanding and assessment.

All of the changes discussed above are addressed in the attached as markups to NEI 99-01, Revision 6. Licensees that use NESP-007, NEI 99-01 Revision 4, or NEI 99-01 Revision 5 EAL schemes can adopt this language in the relevant format the staff approved for their use.

Consistent with the guidance in Regulatory Issue Summary (RIS) 2003-18, Supplement 2, Use of Nuclear Energy Institute (NEI) 99-01, Methodology for Development of Emergency Action Levels, Revision 4, dated January 2003, it is reasonable to conclude that the changes proposed (discussed above and as attached) would be considered as a deviation.

RECOMMENDED FUTURE ACTION(S):

INFORMATION ONLY, MAINTAIN EPFAQ UPDATE GUIDANCE DURING NEXT REVISION 4

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

CA6 ECL: Alert Initiating Condition: Hazardous event affecting SAFETY SYSTEMS needed for the current operating mode.

Operating Mode Applicability: Cold Shutdown, Refueling Example Emergency Action Levels:

Notes: If the affected safety system train (or component) was already inoperable or out of service before the event occurred, then this emergency classification is not warranted as long as the damage was limited to this affected safety system train (or component).

If the event only resulted in VISIBLE DAMAGE, with no indications of degraded performance to at least one train of a SAFETY SYSTEM, then this emergency classification is not warranted.

(1) a. The occurrence of ANY of the following hazardous events:

Seismic event (earthquake)

Internal or external flooding event High winds or tornado strike FIRE EXPLOSION (site-specific hazards)

Other events with similar hazard characteristics as determined by the Shift Manager AND

b. Event damage has caused indications of degraded performance in one train of a SAFETY SYSTEM needed for the current operating mode AND Event damage has caused indications of degraded performance, or has resulted in VISIBLE DAMAGE, to a second train of a SAFETY SYSTEM needed for the current operating mode.

Basis:

This IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode. Hazardous events are not selective in how they may effect SAFETY SYSTEMS. In order to provide the appropriate context for consideration of an ALERT classification, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with a second SAFETY SYSTEM train or VISIBLE DAMAGE to a second 5

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only) train such that the potential exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and a second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

Indications of degraded performance addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

VISIBLE DAMAGE addresses damage to a SAFETY SYSTEM train that is not in service/operation and that potentially could cause performance issues. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

This VISIBLE DAMAGE should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

Escalation of the emergency classification level would be via IC AS1.

Developer Notes:

For (site-specific hazards), developers should consider including other significant, site-specific hazards to the bulleted list contained in EAL 1.a (e.g., a seiche).

Nuclear power plant SAFETY SYSTEMS are comprised of two or more separate and redundant trains of equipment in accordance with site-specific design criteria.

ECL Assignment Attributes: 3.1.2.B 6

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

SA9 ECL: Alert ECL: Alert SA9 Initiating Condition: Hazardous event affecting SAFETY SYSTEMS needed for the current operating mode.

Operating Mode Applicability: Cold Shutdown, RefuelingPower Operation, Startup, Hot Standby, Hot Shutdown Example Emergency Action Levels:

Notes: If the affected safety system train (or component) was already inoperable or out of service before the event occurred, then an emergency declaration is not warranted as long as the damage is limited to the affected safety system train (or component)then this emergency classification is not warranted as long as the damage was limited to this affected safety system train (or component).

If the event results in VISIBLE DAMAGE, with no indications of degraded performance to any SAFETY SYSTEM train, then an emergency declaration is not warrantedIf the event only resulted in VISIBLE DAMAGE, with no indications of degraded performance to at least one train of a SAFETY SYSTEM, then this emergency classification is not warranted.

(1) a. The occurrence of ANY of the following hazardous events:

Seismic event (earthquake)

Internal or external flooding event High winds or tornado strike FIRE EXPLOSION (site-specific hazards)

Other events with similar hazard characteristics as determined by the Shift Manager AND

b. 1. Event damage has caused indications of degraded performance on in one train of a SAFETY SYSTEM needed for the current operating mode.

AND

2. Either of the following:

7

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

Event damage has caused indications of degraded performance to a second train of a SAFETY SYSTEM needed for the current operating mode, or Event damage hhas resulted in VISIBLE DAMAGE, to a second train of a SAFETY SYSTEM needed for the current operating mode.

Basis:

This IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode. Hazardous events are not selective in how they may effect affect SAFETY SYSTEMS. In order to provide the appropriate context for consideration of basis for an ALERT classificationdeclaration, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with a second SAFETY SYSTEM train or VISIBLE DAMAGE to a second train such that the potential 8

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only) exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and a second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

Indications of degraded performance addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

VISIBLE DAMAGE addresses damage to a SAFETY SYSTEM train that is not in service/operation and that potentially could cause performance issues. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

This VISIBLE DAMAGE should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

Escalation of the emergency classification level would be via IC FS1 or AS1.

Developer Notes:

For (site-specific hazards), developers should consider including other significant, site-specific hazards to the bulleted list contained in EAL 1.a (e.g., a seiche).

Nuclear power plant SAFETY SYSTEMS are comprised of two or more separate and redundant trains of equipment in accordance with site-specific design criteria.

ECL Assignment Attributes: 3.1.2.B 9

Emergency Preparedness Program Frequently Asked Question (EPFAQ)

(Draft for April 4, 2017 Public Meeting Discussion Only)

VISIBLE DAMAGE: Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train.

1