ML19303A020

From kanterella
Jump to navigation Jump to search
NEI 96-07, Appendix D, Section 4.3.6 Revision 1, October 2019
ML19303A020
Person / Time
Site: Nuclear Energy Institute
Issue date: 10/15/2019
From: Austgen K
Nuclear Energy Institute
To: Philip Mckenna
Division of Inspection and Regional Support
Govan T, 415-6197, NRR/DRO
References
Download: ML19303A020 (10)
v  d  e


Text

From:

AUSTGEN, Kati To:

McKenna, Philip Cc:

GEIER, Stephen; VAUGHN, Stephen; Benner, Eric; Govan, Tekia; Morton, Wendell; Miller, Chris

Subject:

[External_Sender] RE: NEI 96-07, Appendix D Path Forward Date:

Tuesday, October 15, 2019 12:51:29 PM Attachments:

Section 4.3.6 NEI 96-07 Appendix D Rev 1 October 2019 Draft REDLINE.pdf Phil, et al.,

Attached is a mark-up of NEI 96-07, Appendix D, Section 4.3.6 with adjusted language for steps 5 and 6 to clearly align with the related language in NEI 96-07, Rev 1. If these adjustments are acceptable to NRC, NEI will update examples accordingly and resubmit Appendix D as Revision 1.

Thank you,

Kati AustgenlSr. Project Manager, New Reactors 1201 F Street, NW, Suite 1100 l Washington, DC 20004 P: 202.739.8068 M: 202.340.1224 nei.org

From: McKenna, Philip <Philip.McKenna@nrc.gov>

Sent: Monday, September 30, 2019 6:57 AM To: AUSTGEN, Kati <kra@nei.org>

Cc: GEIER, Stephen <seg@nei.org>; VAUGHN, Stephen <sjv@nei.org>; Benner, Eric

<Eric.Benner@nrc.gov>; Govan, Tekia <Tekia.Govan@nrc.gov>; Morton, Wendell

<Wendell.Morton@nrc.gov>; Miller, Chris <Chris.Miller@nrc.gov>

Subject:

[EXTERNAL] RE: NEI 96-07, Appendix D Path Forward

Kati, We acknowledge the path forward and the dates should be achievable. Thank you for the update.

Phil Philip J. McKenna Chief, ROP Support and Generic Communications Branch NRR/DIRS 301-415-0037 (o) 610-585-4981 (c)

From: AUSTGEN, Kati <kra@nei.org>

Sent: Friday, September 27, 2019 2:19 PM To: McKenna, Philip <Philip.McKenna@nrc.gov>; Benner, Eric <Eric.Benner@nrc.gov>; Govan, Tekia

<Tekia.Govan@nrc.gov>; Morton, Wendell <Wendell.Morton@nrc.gov>

Cc: GEIER, Stephen <seg@nei.org>; VAUGHN, Stephen <sjv@nei.org>

Subject:

[External_Sender] NEI 96-07, Appendix D Path Forward

Phil, et.al,

Below is the path forward that we propose for finalizing NEI 96-07, Appendix D:

NEI will adjust language for steps 5 and 6 to clearly align with the related language in NEI 96-07, Rev 1, then send to NRC by 10/15 NRC let NEI know if the adjustments are acceptable by 10/31 If NRC accepts, NEI will update examples accordingly and resubmit Appendix D by 11/15

Please let me know if you have any feedback on this path forward.

Thank you,

Kati AustgenlSr. Project Manager, New Reactors 1201 F Street, NW, Suite 1100 l Washington, DC 20004 P: 202.739.8068 M: 202.340.1224 nei.org

This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Sent through www.intermedia.com This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Sent through www.intermedia.com

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org33 Thefollowingeventsandcombinationofeventswillbeassessed:

a. LossofbothfeedwaterpumpsintheLossofFeedwateraccidentanalysis
b. IncreaseinmainfeedwaterflowtothemaximumoutputfrombothMFWPsintheExcess Feedwateraccidentanalysis
c. AllmainturbinesteaminletvalvesgoingfullyclosedintheTurbineTripaccidentanalysis
d. AllmainturbinesteaminletvalvesgoingfullyopenintheExcessSteamDemandaccident analysis
e. CombinationofaLossofFeedwatereventandaTurbineTripevent
f.

CombinationofaLossofFeedwatereventandanExcessSteamDemandevent

g. CombinationofanExcessFeedwatereventandaTurbineTripevent
h. CombinationofanExcessFeedwatereventandanExcessSteamDemandevent Events(A)though(D)arealreadyconsideredintheaccidentanalysesandrevisionstoexistingaccident analysesarepossible.Thus,events(A)through(D)doNOTcreatethepossibilityofanaccidentofa differenttype(fortheaspectbeingillustratedinthisexample).

Thecurrentsetofaccidentsidentifiedintheaccidentanalysesdonotconsiderthesimultaneous eventsrepresentedbyevents(E)through(H).

Therefore,events(E)though(H)willneednewaccidentanalysestobeperformed,creatingthe possibilityofaccidentsofadifferenttype(fortheaspectbeingillustratedinthisexample).

4.3.6 DoestheActivityCreateaPossibilityforaMalfunctionofanSSCImportanttoSafety withaDifferentResult?

INTRODUCTION NOTE:Duetotheuniquenatureofdigitalmodificationsandtheinherentcomplexitiestherein,the applicationofthiscriterionisespeciallyimportant.Specifically,theuniqueaspectofconcernis thepotentialforasoftwareCCFtocreatethepossibilityforamalfunctionwithadifferentresult.

Therefore,ratherthanprovidingsimplisticsupplementalguidancetothatalreadyincludedinNEI 9607,Section4.3.6,moredetailedguidancewillbeprovidedinthissection.

Review Toensuretheuniqueaspectsofdigitalmodificationsareaddressedcorrectlyandadequately,areview ofselecteddiscussionsandexcerptsfromNEI9607,includingmalfunctions,designfunctions,andsafety analyses,ispresentedfirst.

CAUTION:Thefollowingreviewsummariesareintendedforgeneralunderstandingonly.Forcomplete discussionsofeachterm,seethereferencesidentifiedforeachterm.

FromNEI9607,Section3.9:

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org34 MalfunctionofSSCsimportanttosafetymeansthefailureofSSCstoperformtheirintended designfunctionsdescribedintheUFSAR(whetherornotclassifiedassafetyrelatedin accordancewith10CFR50,AppendixB).[emphasisadded]

FromNEI9607,Section3.3:

DesignfunctionsareUFSARdescribeddesignbasesfunctionsandotherSSCfunctionsdescribed intheUFSARthatsupportorimpactdesignbasesfunctions...[emphasisadded]

Also, Designbasesfunctionsarefunctionsperformedbysystems,structuresandcomponents(SSCs) thatare(1)requiredby,orotherwisenecessarytocomplywith,regulations,licenseconditions, ordersortechnicalspecifications,or(2)creditedinlicenseesafetyanalysestomeetNRC requirements.[emphasisadded]

Furthermore, Designfunctions...includefunctionsthat,ifnotperformed,wouldinitiateatransientor accidentthattheplantisrequiredtowithstand.[emphasisadded]

Finally, Asusedabove,creditedinthesafetyanalysesmeansthat,iftheSSCwerenottoperformits designbasesfunctioninthemannerdescribed,theassumedinitialconditions,mitigativeactions orotherinformationintheanalyseswouldnolongerbewithintherangeevaluated(i.e.,the analysisresultswouldbecalledintoquestion).Thephrasesupportorimpactdesignbases functionsrefersbothtothoseSSCsneededtosupportdesignbasesfunctions(cooling,power, environmentalcontrol,etc.)andtoSSCswhoseoperationormalfunctioncouldadverselyaffect theperformanceofdesignbasesfunctions(forinstance,controlsystemsandphysical arrangements).Thus,bothsafetyrelatedandnonsafetyrelatedSSCsmayperformdesign functions.[emphasisadded]

Thisdefinitionisorientedaroundthedefinitionofdesignbasesfunction,whichitselfisdefinedinNEI 9704,AppendixB,GuidelinesandExamplesforIdentifying10CFR50.2DesignBases,endorsedby RegulatoryGuide1.186,andhighlightedinboldabove.

Amorecompleteunderstandingofthemeaningofadesignbasesfunctionscanbeobtainedby examinationofNEI9704,AppendixB.FromNEI9704,thethreecharacteristicsofdesignbases functionsaresummarizedasfollows:

1. Designbasesfunctionsarecreditedinthesafetyanalyses.
2. ThefunctionsofanyindividualSSCarefunctionallybelowthatofdesignbasesfunctions.
3. DesignbasesfunctionsarederivedprimarilyfromtheGeneralDesignCriteria.

Repeatingaportionfromabovetohighlighttheimportanceofidentifyingthedesignbasesfunctionand itsconnectiontoasafetyanalysisresult,wehavethefollowing:

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org35 Asusedabove,creditedinthesafetyanalysesmeansthat,iftheSSCwerenottoperformits designbasesfunctioninthemannerdescribed,theassumedinitialconditions,mitigativeactions orotherinformationintheanalyseswouldnolongerbewithintherangeevaluated(i.e.,the analysisresultswouldbecalledintoquestion).[emphasisadded]

Then,fromNEI9607,Section3.12:

SafetyanalysesareanalysesperformedpursuanttoNRCrequirementstodemonstratethe integrityofthereactorcoolantpressureboundary,thecapabilitytoshutdownthereactorand maintainitinasafeshutdowncondition,orthecapabilitytopreventormitigatethe consequencesofaccidentsthatcouldresultinpotentialoffsiteexposurescomparabletothe guidelinesin10CFR50.34(a)(1)or10CFR100.11...andinclude,butarenotlimitedto,the accidentanalysestypicallypresentedinChapter15oftheUFSAR.[emphasisadded]

Andfromthefirstsentenceoftheassociateddiscussion:

Safetyanalysesarethoseanalysesorevaluationsthatdemonstratethatacceptancecriteria forthefacilityscapabilitytowithstandorrespondtopostulatedeventsaremet.[emphasis added]

AlsoincludedinthedefinitionofsafetyanalysesaresupportingUFSARanalysesthatdemonstratethat SSCdesignfunctionswillbeaccomplishedascreditedintheaccidentanalyses.

FailureModesandEffectsAnalysis(FMEA)

NEI9607,Section4.3.6recognizesthattheeffectofaproposedmodificationmustbeassessed.This assessmentmayrequiretheuseofafailuremodesandeffectsanalysis(FMEA),includingthepossible creationofanewFMEA.

FromNEI9607,Section4.3.6:

Inevaluatingaproposedactivityagainstthiscriterion,thetypesandresultsoffailuremodesof SSCsthathavepreviouslybeenevaluatedintheUFSARandthatareaffectedbytheproposed activityshouldbeidentified.Thisevaluationshouldbeperformedconsistentwithanyfailure modesandeffectsanalysis(FMEA)describedintheUFSAR,recognizingthatcertainproposed activitiesmayrequireanewFMEAtobeperformed.[emphasisadded]

Ifanew/revisedFMEAisdeterminedtobeneeded,othereffectsofadigitalmodificationcouldcreate newfailuremodesinadditiontofailurescausedbysoftware(e.g.,combiningfunctions,creatingnew interactionswithothersystems,changingresponsetime).Forexample,ifpreviouslyseparatefunctions arecombinedinasingledigitaldevice,thefailureassessmentshouldconsiderwhethersinglefailures thatcouldpreviouslyhaveaffectedonlyindividualdesignfunctionscannowaffectmultipledesign functions.

OverallPerspective NEI9607,Section4.3.6providestheoverallperspectiveonthisEvaluationcriterionwithitsfirst sentence,whichstates:

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org36 MalfunctionsofSSCsaregenerallypostulatedaspotentialsinglefailurestoevaluateplantperformance withthefocusbeingontheresultofthemalfunctionratherthanthecauseortypeofmalfunction.

Expandinguponthisfoundation,thefollowingconclusionisreached,whichisbasedupondiscussion from63FR56106:

Unlesstheequipmentwouldfailinawaynotalreadyevaluatedinthesafetyanalysis,therecanbeno malfunctionofanSSCimportanttosafetywithadifferentresult.[emphasisadded]

GUIDANCE FromNEI9607,Section4.3.6,thetwoconsiderationsthatneedtobeassessedwhenansweringthis Evaluationquestionareaslikelytohappenasandtheimpactonthesafetyanalysismalfunctionresult.

Determinationof"AsLikelytoHappenAs" FromNEI9607,Section4.3.6:

Thepossiblemalfunctionswithadifferentresultarelimitedtothosethatareaslikelyto happenasthosedescribedintheUFSARaproposedchangeoractivitythatincreasesthe likelihoodofamalfunctionpreviouslythoughttobeincredibletothepointwhereitbecomesas likelyasthemalfunctionsassumedintheUFSARcouldcreateapossiblemalfunctionwitha differentresult.[emphasisadded]

Iftheoutcomeofthequalitativeassessmentissufficientlylow,thentheactivitydoesnotintroduceany failuresthatareaslikelytohappenasthoseintheUFSAR.Therefore,theactivitydoesnotcreatea possibilityforamalfunctionofanSSCimportanttosafetywithadifferentresultfromanypreviously evaluatedintheUFSAR.

Iftheoutcomeofthequalitativeassessmentisnotsufficientlylow,thentheactivitymayintroduce failuresthatareaslikelytohappenasthoseintheUFSARthatcancreateapossibilityforamalfunction ofanSSCimportanttosafetywithadifferentresultfromanypreviouslyevaluatedintheUFSAR.For thesecases,thisEvaluationcriterionalsoneedstoconsidertheimpactofthispotentialfailureonthe safetyanalysisresultusingassumptionsconsistentwiththeplantsUFSAR.

EXAMPLE Example416illustratestheNOCREATIONofthepossibilityforamalfunctionwithadifferentresult case.

Example416.NOCREATIONofthePossibilityforaMalfunctionwithaDifferentResult ProposedActivity Alargenumberofanalogtransmittersinseveraldifferentsystemsandusesarebeingreplaced withdigitaltransmitters.Thesetransmittersperformavarietyoffunctions,includingcontrolling theautomaticactuationofdevices(e.g.,valvestroking)thatarecreditedinasafetyanalysis.

QualitativeAssessmentOutcome

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org37 Aqualitativeassessmentwasincludedintheengineering/technicalinformationsupportingthechange.

Thequalitativeassessmentconsideredsystemdesignattributes,qualityofthedesignprocesses employed,andoperatingexperienceoftheproposedequipmentandconcludedthatthefailure likelihoodintroducedbythemodifiedSSCsissufficientlylow.Forthespecificitemsthatwere consideredwithineachfactor,refertothequalitativeassessmentdocumentedindesignchange packageX.

Conclusion WiththefailurelikelihoodintroducedbythemodifiedSSCsbeingsufficientlylow,theactivitydoesnot introduceanyfailuresthatareaslikelytohappenasthoseintheUFSARthatcaninitiateamalfunction ofanSSCimportanttosafety.Therefore,theactivitydoesnotcreateapossibilityforamalfunctionof anSSCimportanttosafetywithadifferentresultfromanypreviouslyevaluatedintheUFSAR(forthe aspectbeingillustratedinthisexample).

DeterminationofImpactonSafetyAnalysisMalfunctionResultImpact Forcasesinwhichthequalitativeassessmentoutcomeisafailurelikelihoodofnotsufficientlylow,the impactonthesafetyanalysisresultofamalfunctionofanSSCimportanttosafetyimpactneedstobe assessedtodetermineiftheresultisdifferent.

ThegenericprocesstodeterminetheimpactontheresultofamalfunctionofanSSCimportantto safetyonthesafetyanalyses(i.e.,acomparisonofthesafetyanalysesresultstoidentifyanydifferent results),consistsofmultiplesteps,assummarizednext.

Step1:Identifythefunctionsdirectlyorindirectlyrelatedtotheproposedmodification.

Consideringthescopeoftheproposeddigitalmodification,identifythefunctionsthataredirectlyor indirectlyrelatedtotheproposedactivity.

ThefunctionsidentifiedaspartofthisstepwillbefurtherclassifiedinStep2.

AsareminderoftheguidanceprovidedinNEI9607,thefollowingadditionalguidanceisprovidedto assistintheidentificationandconsiderationoftheproperscopeofSSCsandtheirfunctions:

1. IdentificationandconsiderationoftheproperscopeofSSCsisconcernedwiththefunctional involvementofanSSC,notnecessarilyonlyitslevelofdirectdescriptionintheUFSAR.
2. Incasesinwhichaproposedactivityinvolvesasubcomponent/componentthatisnotdirectly describedintheUFSAR,theeffectoftheproposedactivityinvolvingthesub component/componentneedstoconsidertheimpactonthesysteminwhichthesub component/componentisapart.
3. Incasesinwhichaproposedactivityinvolvesasubcomponent/componentthatisnot describedintheUFSAR,theeffectoftheproposedactivityinvolvingthesub component/componentneedstoconsidertheimpactonthesystemthatthe subcomponent/componentsupports.

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org38 Regardlessofthelevelofdescription,theassessmentoftheimpactalsoneedstoconsidertheelements ofadesignfunctionasdescribedinNEI9607,Section3.3,whicharerepeatedbelow:

Implicitlyincludedwithinthemeaningofdesignfunctionaretheconditionsunderwhich intendedfunctionsarerequiredtobeperformed,suchasequipmentresponsetimes,process conditions,equipmentqualificationandsinglefailure.

DesignfunctionsmaybeperformedbysafetyrelatedSSCsornonsafetyrelatedSSCsand includefunctionsthat,ifnotperformed,wouldinitiateatransientoraccidentthattheplantis requiredtowithstand.

Step2:IdentifywhichofthefunctionsfromStep1areDesignFunctionsand/orDesignBases Functions.

UtilizingNEI9607,Section3.3,classifyeachofthefunctionsfromStep1aseitherNOTadesignfunction orasadesignfunction.

Ifnodesignfunctionsareidentified,thentheproposedactivitydoesNOTcreatethepossibilityfora malfunctionofanSSCimportanttosafetywithadifferentresultbecausemalfunctions(andtheresults thereof)refersONLYtothefailureofanSSCtoperformitsintendeddesignfunctions.

Foreachdesignfunctionidentifiedabove,utilizeNEI9607,Section3.3(alongwithAppendixBtoNEI 9704,asneeded)toidentifywhichdesignfunctionsaredesignbasesfunctions,whichdesignfunctions supportorimpactdesignbasesfunctions,andwhichdesignfunctionsarenotinvolvedwithdesign basesfunctions,butarefunctionsthatifnotperformedwouldinitiateatransientoraccidentthatthe plantisrequiredtowithstand.Ifmultipledesignfunctionsareidentified,eachdesignfunctionistobe consideredinthismultistepprocess.

Onemeanstodetermineifadesignfunctionisadesignbasesfunctionwouldbebyidentifyingthe associatedGeneralDesignCriteria(GDC)towhichadesignbasesfunctionappliesor,morespecifically, theassociatedprincipaldesigncriteria(PDC)foranindividualfacility,theminimumstandardsforwhich aresetby10CFRPart50AppendixA(orperhapstheir1967precursors).Eachdesignfunctionmaythen berelatedtotherequirementsdiscussedwithintheGDCtodetermineifthatdesignfunctionisdirectly involvedwiththedesignbasesfunctionitselforifthedesignfunctionsupportsorimpactstherelated designbasesfunction.IfthedesignfunctionisfoundtodirectlyinvolvetheGDCrequirement,thenthat designfunctionisadesignbasesfunction.IfthedesignfunctionsupportsorimpactstheGDC requirement,thenitisnotadesignbasesfunction,butisstillcreditedinthesafetyanalysis.

AsdescribedinNEI9607,Section4.3.2(butequallyapplicablehere),safetyanalysestypicallyassume certainSSCsperformcertaindesignfunctionsaspartofdemonstratingtheadequacyofthedesign.The processofdeterminingifadesignfunctionisadesignbasesfunctionshouldincludebothdirectand indirecteffectsonthedesignfunctions.

However,safetyanalysesdonottypicallyidentifyalloftheSSCsthatarereliedupontoperformtheir designfunctions.Thus,certaindesignfunctions,whilenotspecificallyidentifiedinthesafetyanalyses, arecreditedinanindirectsense.Therefore,thereviewshouldnotbelimitedtoonlytheSSCsdiscussed inthesafetyanalyses.Forexample,performingadesignchangeonavalvecontrollerinahighpressure safetyinjectionsystemwouldbeconsideredtoinvolveanSSCcreditedinthesafetyanalyseseven thoughthevalveitselfmaynotbementionedinthesafetyanalyses.

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org39 Ifnodesignbasesfunctionsareinvolved,proceedtoStep5sinceneithertheperformanceof designbasesfunctionsnorthesupportorimpactofdesignbasesfunctionsareinvolved.

(NOTE:ThepotentialformoresevereaccidentinitiationisaddressedinStep5.)

Step3:DetermineifanewFMEAneedstobegenerated.

Iftheimpactonthedesignbasesfunctioninvolvedisreadilyapparent,nonewFMEAneedstobe generated.GotoStep4.

Forexample,thereisnoreasontocontemplatethegenerationofanewFMEAiftheimpactofthe failureonthedesignbasesfunctionsisrecognizedasbeingimmediate.Otherwise,generatethenew FMEAtodescribetheconnectionoftheproposedactivity,orfailuresduetotheproposedactivity,toan impactonthedesignbasesfunctions.

AspartoftheprocessforgeneratingthenewFMEA,presumecompliancewithpre existing/interdependent,modificationrelatedproceduresandutilizationofexistingequipmentto determineifadequateSSCdesignand/oroperational(i.e.,procedural)optionsexisttomitigate potentialdetrimentalimpactsondesignfunctions.

InterdependenceisdiscussedinNEI9607,Sections4.2and4.3(whichisdistinctfromcompensatory actionsdiscussedinNEI9607,Section4.4).Anexampleofaninterdependentprocedurechangewould bethemodificationstoanexistingproceduretoreflectoperationofthenewdigitalequipmentand controls,includinganynewfeaturessuchasacontrolsystemrestartoption.(NOTE:NEI9607,Section 4.3.2,Example4providesguidanceonassessingnewoperatoractions.)

Step4:Determineifeachdesignbasesfunctioncontinuestobeperformed/satisfied.

Ifalldesignbasesfunctionscontinuetobeperformed/satisfied,andtherearenootherdesignfunctions involved,thentheproposedactivitydoesNOTcreatethepossibilityforamalfunctionofanSSC importanttosafetywithadifferentresultbecausenomalfunctionoccurs.Withnomalfunction occurring,therecannotbeadifferentresult.

Foranydesignbasesfunctionsthatdonotcontinuetobeperformed/satisfied,orotherdesignfunctions thatareinvolved,continuetoStep5.

Step5:IdentifyallsafetyanalysesinvolvedmalfunctionsofanSSCimportanttosafetypreviously evaluatedintheUFSAR.

ConsideringthescopeofdesignfunctionsanddesignbasesfunctionsfromStep2,identifyallinvolved malfunctionsofanSSCimportanttosafetypreviouslyevaluatedintheUFSAR(i.e.,identifyallsafety analysesthatrelydirectlyorindirectlyonthedesignbasesfunctionsperformance/satisfaction).Also, identifyallsafetyanalysesrelatedtoanyotherdesignfunctionthatcouldimpacteithertheaccidents initiationortheeventsinitialconditions(i.e.,designfunctionsthat,ifnotperformed,wouldinitiatea transientoraccidentthattheplantisrequiredtowithstand).

Iftherearenosafetyanalysesinvolved,thentherecannotbeachangeintheresultofasafety analysismalfunctionofanSSCimportanttosafety.Therefore,inthiscase,theproposedactivitydoes NOTcreatethepossibilityforamalfunctionofanSSCimportanttosafetywithadifferentresult.

NovemberOctober20182019

©NEI20198.Allrightsreserved.

nei.org40 Step6:ForeachsafetyanalysisinvolvedmalfunctionofanSSCimportanttosafety,comparethe projected/postulatedresultswiththepreviouslyevaluatedresults.

NEI9607,Section4.3.6providesthefollowingguidanceregardingtheidentificationoffailuremodes andeffects:

OncethemalfunctionspreviouslyevaluatedintheUFSARandtheresultsofthesemalfunctions havebeendetermined,thenthetypesandresultsoffailuremodesthattheproposedactivity couldcreateareidentified.

IfanyofthepreviousevaluationsofinvolvedmalfunctionsofanSSCimportanttosafetyidentified(i.e.,

safetyanalyses)havebecomeinvalidduetotheirbasicassumptionsnolongerbeingvalid,e.g.,single failureassumptionisnotmaintained,orifthenumericalresult(s)ofanysafetyanalysiswouldnolonger satisfytheacceptancecriteria,i.e.,thesafetyanalysisisnolongerbounded,thentheproposedactivity DOEScreatethepossibilityforamalfunctionofanSSCimportanttosafetywithadifferentresult.

Aspartoftheresponseanddeterminingifthesafetyanalysesmalfunctionresultscontinuetobe bounded,includetheimpactontheseverityoftheinitiatingconditionsandtheimpactontheinitial conditionsassumedintheassociatedsafetyanalysis.Specifically,consideranydesignfunctionsthat,if notperformed,wouldinitiateatransientoraccidentthattheplantisrequiredtowithstand.

EXAMPLES Examples417through421illustratesomecasesofNOCREATIONofamalfunctionwithadifferent resultbyapplyingthemultistepprocessoutlinedabove.

Example417.NOCREATIONofaMalfunctionwithaDifferentResult ProposedActivity Afeedwatercontrolsystemisbeingupgradedfromananalogsystemtoadigitalsystem.

SafetyAnalysisResultImpact Step1:

Thepertinentfunctionofthefeedwatercontrolsystemistoestablishandmaintainsteam generatorwaterlevelwithinpredeterminedphysicallimitsduringnormaloperatingconditions.

Step2:

Thefunctionofthefeedwatercontrolsystemisclassifiedasadesignfunctionduetoitsabilityto initiateatransientoraccidentthattheplantisrequiredtowithstand.However,thedesignfunctionis notadesignbasesfunction.Withnodesignbasesfunctionsinvolved,proceedtoStep5.

Step3:

Notapplicable Step4:

Notapplicable

Retrieved from "https://kanterella.com/w/index.php?title=ML19303A020&oldid=4815363"