ML17195A299
Site: Nuclear Energy Institute
Issue date: 07/14/2017
From: Young D, Nuclear Energy Institute
To: Raymond Hoffman
References: EPFAQ 2016-002
Emergency Preparedness Program Frequently Asked Question (EPFAQ)
EPFAQ Number: 2016-002
Originator: David Young
Organization: NEI
Relevant Guidance: NEI 99-01, Methodology for Development of Emergency Action Levels, Revisions 4 and 5; and NEI 99-01, Development of Emergency Action Levels for Non-Passive Reactors, Revision 6. NUMARC/NESP-007, Methodology for Development of Emergency Action Levels.
Applicable Section(s):
- Initiating Condition (IC) HA2 in NEI 99-01, Revisions 4 and 5, and NUMARC/NESP-007, FIRE or EXPLOSION Affecting the Operability of Plant Safety Systems Required to Establish or Maintain Safe Shutdown
- ICs CA6 and SA9 in NEI 99-01, Revision 6: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode
- Definition of VISIBLE DAMAGE in NEI 99-01, Revisions 4, 5 and 6, and NUMARC/NESP-007
Status: Complete
NOTE:
Based on NRC staff consideration of industry comments provided by letter dated February 16, 2017 (ADAMS Accession No. ML17079A228), a revision to these ICs was proposed at the public meeting held on April 4, 2017. These changes were attached to the public meeting notice (ADAMS Accession No. ML17089A458). Based on comments provided by the industry during the April 4, 2017 public meeting, the NRC staff revised the proposed revisions to these ICs.
QUESTION OR COMMENT:
A review of industry Operating Experience has identified a need to clarify an aspect of the definition of VISIBLE DAMAGE as it relates to the ICs cited above; adding this clarity is necessary to minimize the potential for an over-classification of an equipment failure. There may be cases where VISIBLE DAMAGE is the result of an equipment failure and limited to the failed component (i.e., the failure did not cause damage to any other component or a structure).
The current definition of VISIBLE DAMAGE does not adequately differentiate between damage resulting from, and affecting only, the failed piece of equipment vs. an equipment failure causing damage to another component or a structure (e.g., by a failure-induced fire or explosion). Can the definition of VISIBLE DAMAGE be clarified to help avoid an inappropriate emergency declaration in cases where an equipment failure does not result in damage to another component or a structure (i.e., VISIBLE DAMAGE affects only the failed component)?
A related question is also posed - Consistent with the approach used in other ICs, should a note be added to preclude an emergency declaration if the safety system affected by a hazard was not functional before the event occurred (e.g., tagged out for maintenance)?
PROPOSED SOLUTION:
Yes; the sentence below may be added to the definition of VISIBLE DAMAGE [as defined in NEI 99-01, Revisions 4, 5, and 6].
Damage resulting from an equipment failure and limited to the failed component (i.e., the failure did not cause damage to a structure or any other equipment) is not VISIBLE DAMAGE.
From a plant safety and change-in-risk perspective, the consequences from the failure of a piece of equipment, accompanied by a hazard (e.g., a fire or explosion) that does not damage any other equipment or a structure, are essentially the same as the equipment failing with no attendant hazard. Neither event would appear to meet the definition of an Alert because the outcome does not involve an actual or potential substantial degradation of the level of safety of the plant (e.g., there has been no significant reduction in the margin to a loss or potential loss of a fission product barrier). Nuclear power plants are designed with redundant safety system trains that are required to be separated (i.e., installed in separate plant areas or have separation within an individual area).
Absent any collateral damage to another component or a structure, a hazard associated with an equipment failure does not affect the ability to protect public health and safety, and there is no additional response benefit to be gained by declaring an emergency. The normal plant organization has sufficient resources and adequate guidance to respond to an equipment failure - guidance includes operating procedures and Technical Specifications; the fire protection [program], industrial safety and corrective action programs; and work management and maintenance requirements.
Concerning the second question, an emergency declaration would not be appropriate in response to a hazard affecting a piece of equipment or system that was non-functional prior to the event (e.g., tagged out for maintenance). For this reason and consistent with the approach used in other ICs, the following note may be added to IC HA2 (NEI 99-01 R4 and R5), or ICs CA6 and SA9 (NEI 99-01 R6).
Note: If the affected safety system (or component) was already non-functional before the event occurred, then no emergency classification is warranted.
Consistent with the guidance in Regulatory Issue Summary (RIS) 2003-18, Supplement 2, Use of Nuclear Energy Institute (NEI) 99-01, Methodology for Development of Emergency Action Levels, Revision 4, dated January 2003, it is reasonable to conclude that the changes proposed above would be considered as a deviation.
NRC RESPONSE:
The proposed guidance is intended to ensure that an Alert should be declared only when actual or potential performance issues with SAFETY SYSTEMS have occurred as a result of a hazardous event. The occurrence of a hazardous event will result in a Notification of Unusual Event (NOUE) classification at a minimum. In order to warrant escalation to the Alert classification, the hazardous event should cause indications of degraded performance to one train of a SAFETY SYSTEM with either indications of degraded performance on the second SAFETY SYSTEM train or VISIBLE DAMAGE to the second SAFETY SYSTEM train, such that the operability or reliability of the second train is a concern. In addition, escalation to the Alert classification should not occur if the damage from the hazardous event is limited to a SAFETY SYSTEM that was inoperable, or out of service, prior to the event occurring. As such, the proposed guidance will reduce the potential of declaring an Alert when events are in progress that do not involve an actual or potential substantial degradation of the level of safety of the plant, i.e., does not cause significant concern with shutting down or cooling down the plant.
IC HA2 (NEI 99-01 R4 and R5; NUMARC/NESP-007), or ICs CA6 and SA9 (NEI 99-01 R6), do not directly escalate to a Site Area Emergency or a General Emergency due to a hazardous event. The Fission Product Barrier and/or Abnormal Radiation Levels/Radiological Effluent recognition categories would provide an escalation path to a Site Area Emergency or a General Emergency.
The proposed addition of the following notes, applicable to ICs HA2 (NEI 99-01 R4 and R5; NUMARC/NESP-007), or ICs CA6 and SA9 (NEI 99-01 R6), provides further clarification as to how these Alert emergency classifications are considered. The revisions to these EALs, including the addition of the notes, are consistent with the current NRC-endorsed Alert classification language.
1. Adding the following note to the applicable EALs, per this EPFAQ, is acceptable as it meets the intent of the EALs, is consistent with other EALs (e.g., EAL HA5 from NEI 99-01, Revision 6; this revision was endorsed by the NRC in a letter dated March 28, 2013, available at ADAMS Accession No. ML12346A463), and ensures that declared emergencies are based upon unplanned events with the potential to pose a radiological risk to the public.
   If the affected SAFETY SYSTEM train was already inoperable or out of service before the hazardous event occurred, then this emergency classification is not warranted.
2. Adding the following note to help explain the EAL is reasonable to succinctly capture the more detailed information from the Basis section related to when conditions would require the declaration of an Alert.
   If the hazardous event only resulted in VISIBLE DAMAGE, with no indications of degraded performance to at least one train of a SAFETY SYSTEM, then this emergency classification is not warranted.
Revising the EALs and the Basis sections to ensure potential escalations from a NOUE to an Alert, due to a hazardous event, is appropriate as the concern with these EALs is: (1) a hazardous event has occurred, (2) one SAFETY SYSTEM train is having performance issues as a result of the hazardous event, and (3) either the second SAFETY SYSTEM train is having performance issues or the VISIBLE DAMAGE is enough to be concerned that the second SAFETY SYSTEM train may have operability or reliability issues.
Revising the definition for VISIBLE DAMAGE is appropriate as this definition is only used for these EALs and the revised EALs are based upon SAFETY SYSTEM trains rather than individual components or structures.
All of the changes discussed above are addressed in the attached markups to NEI 99-01, Revision 6. Licensees that use NESP-007, NEI 99-01 Revision 4, or NEI 99-01 Revision 5 EAL schemes can adopt this language in the relevant format the staff approved for their use.
Consistent with the guidance in Regulatory Issue Summary (RIS) 2003-18, Supplement 2, Use of Nuclear Energy Institute (NEI) 99-01, Methodology for Development of Emergency Action Levels, Revision 4, dated January 2003, a licensee's scheme change based on this EPFAQ should be considered as a deviation because a classification based on NRC-endorsed industry guidance in NEI 99-01, Revisions 4, 5 and 6, as well as in NUMARC/NESP-007, could be different from a classification based on this EPFAQ.
RECOMMENDED FUTURE ACTION(S):
INFORMATION ONLY, MAINTAIN EPFAQ UPDATE GUIDANCE DURING NEXT REVISION
CA6
ECL: Alert
Initiating Condition: Hazardous event affecting SAFETY SYSTEMS needed for the current operating mode.
Operating Mode Applicability: Cold Shutdown, Refueling
Example Emergency Action Levels:
Notes:
- If the affected SAFETY SYSTEM train was already inoperable or out of service before the hazardous event occurred, then this emergency classification is not warranted.
- If the hazardous event only resulted in VISIBLE DAMAGE, with no indications of degraded performance to at least one train of a SAFETY SYSTEM, then this emergency classification is not warranted.
(1) a. The occurrence of ANY of the following hazardous events:
       - Seismic event (earthquake)
       - Internal or external flooding event
       - High winds or tornado strike
       - FIRE
       - EXPLOSION
       - (site-specific hazards)
       - Other events with similar hazard characteristics as determined by the Shift Manager
    AND
    b. 1. Event damage has caused indications of degraded performance on one train of a SAFETY SYSTEM needed for the current operating mode.
       AND
       2. EITHER of the following:
          - Event damage has caused indications of degraded performance to a second train of the SAFETY SYSTEM needed for the current operating mode, or
          - Event damage has resulted in VISIBLE DAMAGE to the second train of a SAFETY SYSTEM needed for the current operating mode.
Basis:
This IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode. In order to provide the appropriate context for consideration of an ALERT classification, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with the second SAFETY SYSTEM train or VISIBLE DAMAGE to the second train such that the potential exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and the second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. Note that this second SAFETY SYSTEM train is from the same SAFETY SYSTEM that has indications of degraded performance for criteria 1.b.1 of this EAL; commercial nuclear power plants are designed to be able to support single system issues without compromising public health and safety from radiological events.
Indications of degraded performance address damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.
Operators will make a determination of VISIBLE DAMAGE based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. This VISIBLE DAMAGE should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.
Escalation of the emergency classification level would be via IC AS1.
Developer Notes:
For (site-specific hazards), developers should consider including other significant, site-specific hazards to the bulleted list contained in EAL 1.a (e.g., a seiche).
Nuclear power plant SAFETY SYSTEMS are comprised of two or more separate and redundant trains of equipment in accordance with site-specific design criteria.
ECL Assignment Attributes: 3.1.2.B
SA9
ECL: Alert
Initiating Condition: Hazardous event affecting SAFETY SYSTEMS needed for the current operating mode.
Operating Mode Applicability: Power Operation, Startup, Hot Standby, Hot Shutdown
Example Emergency Action Levels:
Notes:
- If the affected SAFETY SYSTEM train was already inoperable or out of service before the hazardous event occurred, then this emergency classification is not warranted.
- If the hazardous event only resulted in VISIBLE DAMAGE, with no indications of degraded performance to at least one train of a SAFETY SYSTEM, then this emergency classification is not warranted.
(1) a. The occurrence of ANY of the following hazardous events:
       - Seismic event (earthquake)
       - Internal or external flooding event
       - High winds or tornado strike
       - FIRE
       - EXPLOSION
       - (site-specific hazards)
       - Other events with similar hazard characteristics as determined by the Shift Manager
    AND
    b. 1. Event damage has caused indications of degraded performance on one train of a SAFETY SYSTEM needed for the current operating mode.
       AND
       2. EITHER of the following:
          - Event damage has caused indications of degraded performance to a second train of the SAFETY SYSTEM needed for the current operating mode, or
          - Event damage has resulted in VISIBLE DAMAGE to the second train of a SAFETY SYSTEM needed for the current operating mode.
Basis:
This IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode. In order to provide the appropriate context for consideration of an ALERT classification, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with the second SAFETY SYSTEM train or VISIBLE DAMAGE to the second train such that the potential exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and the second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. Note that this second SAFETY SYSTEM train is from the same SAFETY SYSTEM that has indications of degraded performance for criteria 1.b.1 of this EAL; commercial nuclear power plants are designed to be able to support single system issues without compromising public health and safety from radiological events.
Indications of degraded performance address damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.
Operators will make a determination of VISIBLE DAMAGE based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. This VISIBLE DAMAGE should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.
Escalation of the emergency classification level would be via ICs FS1 or AS1.
Developer Notes:
For (site-specific hazards), developers should consider including other significant, site-specific hazards to the bulleted list contained in EAL 1.a (e.g., a seiche).
Nuclear power plant SAFETY SYSTEMS are comprised of two or more separate and redundant trains of equipment in accordance with site-specific design criteria.
ECL Assignment Attributes: 3.1.2.B
VISIBLE DAMAGE: Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train.