ML19303B437

From kanterella
Section 4.3.6 NEI 96-07 Appendix D Rev 1 October 2019 Draft Redline v2
ML19303B437
Person / Time
Issue date: 10/30/2019
From: Tekia Govan
NRC/NRR/DRO/IRSB
To:
Govan T, 415-6197, NRR/DRO


Text

October 2019

© NEI 2019. All rights reserved.

nei.org 33

The following events and combination of events will be assessed:

a. Loss of both feedwater pumps in the Loss of Feedwater accident analysis
b. Increase in main feedwater flow to the maximum output from both MFWPs in the Excess Feedwater accident analysis
c. All main turbine steam inlet valves going fully closed in the Turbine Trip accident analysis
d. All main turbine steam inlet valves going fully open in the Excess Steam Demand accident analysis
e. Combination of a Loss of Feedwater event and a Turbine Trip event
f. Combination of a Loss of Feedwater event and an Excess Steam Demand event
g. Combination of an Excess Feedwater event and a Turbine Trip event
h. Combination of an Excess Feedwater event and an Excess Steam Demand event

Events (A) through (D) are already considered in the accident analyses, and revisions to existing accident analyses are possible. Thus, events (A) through (D) do NOT create the possibility of an accident of a different type (for the aspect being illustrated in this example).

The current set of accidents identified in the accident analyses does not consider the simultaneous events represented by events (E) through (H).

Therefore, events (E) through (H) will need new accident analyses to be performed, creating the possibility of accidents of a different type (for the aspect being illustrated in this example).

4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important to Safety with a Different Result?

INTRODUCTION

NOTE: Due to the unique nature of digital modifications and the inherent complexities therein, the application of this criterion is especially important. Specifically, the unique aspect of concern is the potential for a software CCF to create the possibility for a malfunction with a different result.

Therefore, rather than providing simplistic supplemental guidance to that already included in NEI 96-07, Section 4.3.6, more detailed guidance will be provided in this section.

Review

To ensure the unique aspects of digital modifications are addressed correctly and adequately, a review of selected discussions and excerpts from NEI 96-07, including malfunctions, design functions, and safety analyses, is presented first.

CAUTION: The following review summaries are intended for general understanding only. For complete discussions of each term, see the references identified for each term.

From NEI 96-07, Section 3.9:

Malfunction of SSCs important to safety means the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B). [emphasis added]

From NEI 96-07, Section 3.3:

Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions... [emphasis added]

Also,

Design bases functions are functions performed by systems, structures and components (SSCs) that are (1) required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications, or (2) credited in licensee safety analyses to meet NRC requirements. [emphasis added]

Furthermore,

Design functions... include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. [emphasis added]

Finally,

As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). The phrase support or impact design bases functions refers both to those SSCs needed to support design bases functions (cooling, power, environmental control, etc.) and to SSCs whose operation or malfunction could adversely affect the performance of design bases functions (for instance, control systems and physical arrangements). Thus, both safety-related and nonsafety-related SSCs may perform design functions. [emphasis added]

This definition is oriented around the definition of design bases function, which itself is defined in NEI 97-04, Appendix B, Guidelines and Examples for Identifying 10 CFR 50.2 Design Bases, endorsed by Regulatory Guide 1.186, and highlighted in bold above.

A more complete understanding of the meaning of a design bases function can be obtained by examination of NEI 97-04, Appendix B. From NEI 97-04, the three characteristics of design bases functions are summarized as follows:

1. Design bases functions are credited in the safety analyses.
2. The functions of any individual SSC are functionally below that of design bases functions.
3. Design bases functions are derived primarily from the General Design Criteria.

Repeating a portion from above to highlight the importance of identifying the design bases function and its connection to a safety analysis result, we have the following:

As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). [emphasis added]

Then, from NEI 96-07, Section 3.12:

Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11... and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR. [emphasis added]

And from the first sentence of the associated discussion:

Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. [emphasis added]

Also included in the definition of safety analyses are supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses.

Failure Modes and Effects Analysis (FMEA)

NEI 96-07, Section 4.3.6 recognizes that the effect of a proposed modification must be assessed. This assessment may require the use of a failure modes and effects analysis (FMEA), including the possible creation of a new FMEA.

From NEI 96-07, Section 4.3.6:

In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. [emphasis added]

If a new/revised FMEA is determined to be needed, other effects of a digital modification could create new failure modes in addition to failures caused by software (e.g., combining functions, creating new interactions with other systems, changing response time). For example, if previously separate functions are combined in a single digital device, the failure assessment should consider whether single failures that could previously have affected only individual design functions can now affect multiple design functions.

Overall Perspective

NEI 96-07, Section 4.3.6 provides the overall perspective on this Evaluation criterion with its first sentence, which states:

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

Expanding upon this foundation, the following conclusion is reached, which is based upon discussion from 63 FR 56106:

Unless the equipment would fail in a way not already evaluated in the safety analysis, there can be no malfunction of an SSC important to safety with a different result.³ [emphasis added]

GUIDANCE

From NEI 96-07, Section 4.3.6, the two considerations that need to be assessed when answering this Evaluation question are "as likely to happen as" and the impact on the safety analysis malfunction result.

Determination of "As Likely to Happen As"

From NEI 96-07, Section 4.3.6:

The possible malfunctions with a different result are limited to those that are as likely to happen as those described in the UFSAR. A proposed change or activity that increases the likelihood of a malfunction previously thought to be incredible to the point where it becomes as likely as the malfunctions assumed in the UFSAR could create a possible malfunction with a different result. [emphasis added]

If the outcome of the qualitative assessment is sufficiently low, then the activity does not introduce any failures that are as likely to happen as those in the UFSAR. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR.

If the outcome of the qualitative assessment is not sufficiently low, then the activity may introduce failures that are as likely to happen as those in the UFSAR that can create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR. For these cases, this Evaluation criterion also needs to consider the impact of this potential failure on the safety analysis result using assumptions consistent with the plant's UFSAR.

EXAMPLE

Example 4-16 illustrates the NO CREATION of the possibility for a malfunction with a different result case.

3 This conclusion is based upon the discussion from 63 FR 56106, which states: Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction. Although the final rule reflected the change from malfunctions of a different type to those with a different result, nothing suggested the Commission intended to change the long-standing position in the proposed rule.

Example 4-16. NO CREATION of the Possibility for a Malfunction with a Different Result

Proposed Activity

A large number of analog transmitters in several different systems and uses are being replaced with digital transmitters. These transmitters perform a variety of functions, including controlling the automatic actuation of devices (e.g., valve stroking) that are credited in a safety analysis.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSCs is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

Conclusion

With the failure likelihood introduced by the modified SSCs being sufficiently low, the activity does not introduce any failures that are as likely to happen as those in the UFSAR that can initiate a malfunction of an SSC important to safety. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Determination of Impact on Safety Analysis Malfunction Result

For cases in which the qualitative assessment outcome is a failure likelihood that is not sufficiently low, the impact on the safety analysis result of a malfunction of an SSC important to safety needs to be assessed to determine if the result is different.

The generic process to determine the impact of a malfunction of an SSC important to safety on the result of the safety analyses (i.e., a comparison of the safety analyses results to identify any different results) consists of multiple steps, as summarized next.

Step 1: Identify the functions directly or indirectly related to the proposed modification.

Considering the scope of the proposed digital modification, identify the functions that are directly or indirectly related to the proposed activity.

The functions identified as part of this step will be further classified in Step 2.

As a reminder of the guidance provided in NEI 96-07, the following additional guidance is provided to assist in the identification and consideration of the proper scope of SSCs and their functions:

1. Identification and consideration of the proper scope of SSCs is concerned with the functional involvement of an SSC, not necessarily only its level of direct description in the UFSAR.
2. In cases in which a proposed activity involves a subcomponent/component that is not directly described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system in which the subcomponent/component is a part.

3. In cases in which a proposed activity involves a subcomponent/component that is not described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system that the subcomponent/component supports.

Regardless of the level of description, the assessment of the impact also needs to consider the elements of a design function as described in NEI 96-07, Section 3.3, which are repeated below:

Implicitly included within the meaning of design function are the conditions under which intended functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure.

Design functions may be performed by safety-related SSCs or nonsafety-related SSCs and include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

Step 2: Identify which of the functions from Step 1 are Design Functions and/or Design Bases Functions.

Utilizing NEI 96-07, Section 3.3, classify each of the functions from Step 1 as either NOT a design function or as a design function.

If no design functions are identified, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result, because malfunctions (and the results thereof) refer ONLY to the failure of an SSC to perform its intended design functions.

For each design function identified above, utilize NEI 96-07, Section 3.3 (along with Appendix B to NEI 97-04, as needed) to identify which design functions are design bases functions, which design functions support or impact design bases functions, and which design functions are not involved with design bases functions but are functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. If multiple design functions are identified, each design function is to be considered in this multi-step process.

One means to determine if a design function is a design bases function would be by identifying the associated General Design Criteria (GDC) to which a design bases function applies or, more specifically, the associated principal design criteria (PDC) for an individual facility, the minimum standards for which are set by 10 CFR Part 50 Appendix A (or perhaps their 1967 precursors). Each design function may then be related to the requirements discussed within the GDC to determine if that design function is directly involved with the design bases function itself or if the design function supports or impacts the related design bases function. If the design function is found to directly involve the GDC requirement, then that design function is a design bases function. If the design function supports or impacts the GDC requirement, then it is not a design bases function, but is still credited in the safety analysis.

As described in NEI 96-07, Section 4.3.2 (but equally applicable here), safety analyses typically assume certain SSCs perform certain design functions as part of demonstrating the adequacy of the design. The process of determining if a design function is a design bases function should include both direct and indirect effects on the design functions.

However, safety analyses do not typically identify all of the SSCs that are relied upon to perform their design functions. Thus, certain design functions, while not specifically identified in the safety analyses, are credited in an indirect sense. Therefore, the review should not be limited to only the SSCs discussed in the safety analyses. For example, performing a design change on a valve controller in a high pressure safety injection system would be considered to involve an SSC credited in the safety analyses even though the valve itself may not be mentioned in the safety analyses.

If no design bases functions are involved, proceed to Step 5, since neither the performance of design bases functions nor the support or impact of design bases functions are involved.

(NOTE: The potential for more severe accident initiation is addressed in Step 5.)

Step 3: Determine if a new FMEA needs to be generated.

If the impact on the design bases function involved is readily apparent, no new FMEA needs to be generated. Go to Step 4.

For example, there is no reason to contemplate the generation of a new FMEA if the impact of the failure on the design bases functions is recognized as being immediate. Otherwise, generate the new FMEA to describe the connection of the proposed activity, or failures due to the proposed activity, to an impact on the design bases functions.

As part of the process for generating the new FMEA, presume compliance with pre-existing/interdependent, modification-related procedures and utilization of existing equipment to determine if adequate SSC design and/or operational (i.e., procedural) options exist to mitigate potential detrimental impacts on design functions.

Interdependence is discussed in NEI 96-07, Sections 4.2 and 4.3 (which is distinct from compensatory actions discussed in NEI 96-07, Section 4.4). An example of an interdependent procedure change would be the modifications to an existing procedure to reflect operation of the new digital equipment and controls, including any new features such as a control system restart option. (NOTE: NEI 96-07, Section 4.3.2, Example 4 provides guidance on assessing new operator actions.)

Step 4: Determine if each design bases function continues to be performed/satisfied.

If all design bases functions continue to be performed/satisfied, and there are no other design functions involved, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result because no malfunction occurs. With no malfunction occurring, there cannot be a different result.

For any design bases functions that do not continue to be performed/satisfied, or other design functions that are involved, continue to Step 5.

Step 5: Identify all safety analyses involved malfunctions of an SSC important to safety previously evaluated in the UFSAR.

Considering the scope of design functions and design bases functions from Step 2, identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR (i.e., identify all safety analyses⁴ that rely directly or indirectly on the design bases functions' performance/satisfaction). Also, identify all safety analyses related to any other design function that could impact either the accident's initiation or the event's initial conditions (i.e., design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand).

If there are no safety analyses involved, then there cannot be a change in the result of a safety analysis malfunction of an SSC important to safety. Therefore, in this case, the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result.

Step 6: For each safety analysis involved malfunction of an SSC important to safety, compare the projected/postulated results with the previously evaluated results.

NEI 96-07, Section 4.3.6 provides the following guidance regarding the identification of failure modes and effects:

Once the malfunctions previously evaluated in the UFSAR and the results of these malfunctions have been determined, then the types and results of failure modes that the proposed activity could create are identified.

If any of the previous evaluations of involved malfunctions of an SSC important to safety identified (i.e., safety analyses⁵) have become invalid due to their basic assumptions no longer being valid (e.g., the single failure assumption is not maintained), or if the numerical result(s) of any safety analysis would no longer satisfy the acceptance criteria (i.e., the safety analysis is no longer bounded), then the proposed activity DOES create the possibility for a malfunction of an SSC important to safety with a different result.

As part of the response and determining if the safety analyses malfunction results continue to be bounded, include the impact on the severity of the initiating conditions and the impact on the initial conditions assumed in the associated safety analysis. Specifically, consider any design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

EXAMPLES

Examples 4-17 through 4-21 illustrate some cases of NO CREATION of a malfunction with a different result by applying the multi-step process outlined above.

Example 4-17. NO CREATION of a Malfunction with a Different Result

Proposed Activity

A feedwater control system is being upgraded from an analog system to a digital system.

Safety Analysis Result Impact

Step 1:

The pertinent function of the feedwater control system is to establish and maintain steam generator water level within predetermined physical limits during normal operating conditions.

4 NEI 96-07, Section 3.12, Safety Analysis
5 NEI 96-07, Section 3.12, Safety Analysis