ML19303B437

Section 4.3.6 NEI 96-07 Appendix D Rev 1 October 2019 Draft Redline v2
ML19303B437
Person / Time
Issue date: 10/30/2019
From: Tekia Govan
NRC/NRR/DRO/IRSB
To:
Govan T, 415-6197, NRR/DRO


Text

October 2019

The following events and combination of events will be assessed:

a. Loss of both feedwater pumps in the Loss of Feedwater accident analysis
b. Increase in main feedwater flow to the maximum output from both MFWPs in the Excess Feedwater accident analysis
c. All main turbine steam inlet valves going fully closed in the Turbine Trip accident analysis
d. All main turbine steam inlet valves going fully open in the Excess Steam Demand accident analysis
e. Combination of a Loss of Feedwater event and a Turbine Trip event
f. Combination of a Loss of Feedwater event and an Excess Steam Demand event
g. Combination of an Excess Feedwater event and a Turbine Trip event
h. Combination of an Excess Feedwater event and an Excess Steam Demand event

Events (a) through (d) are already considered in the accident analyses, and revisions to the existing accident analyses are possible. Thus, events (a) through (d) do NOT create the possibility of an accident of a different type (for the aspect being illustrated in this example).

The current set of accidents identified in the accident analyses do not consider the simultaneous events represented by events (E) through (H).

Therefore, events (e) through (h) will need new accident analyses to be performed, creating the possibility of accidents of a different type (for the aspect being illustrated in this example).

4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important to Safety with a Different Result?

INTRODUCTION

NOTE: Due to the unique nature of digital modifications and the inherent complexities therein, the application of this criterion is especially important. Specifically, the unique aspect of concern is the potential for a software CCF (common cause failure) to create the possibility for a malfunction with a different result.

Therefore, rather than providing simplistic supplemental guidance to that already included in NEI 96-07, Section 4.3.6, more detailed guidance is provided in this section.

Review

To ensure the unique aspects of digital modifications are addressed correctly and adequately, a review of selected discussions and excerpts from NEI 96-07, including malfunctions, design functions, and safety analyses, is presented first.

CAUTION: The following review summaries are intended for general understanding only. For complete discussions of each term, see the references identified for each term.

From NEI 96-07, Section 3.9:

© NEI 2019. All rights reserved. nei.org 33

Malfunction of SSCs important to safety means the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B). [emphasis added]

From NEI 96-07, Section 3.3:

Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions... [emphasis added]

Also, Design bases functions are functions performed by systems, structures and components (SSCs) that are (1) required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications, or (2) credited in licensee safety analyses to meet NRC requirements. [emphasis added]

Furthermore, Design functions...include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. [emphasis added]

Finally, As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). The phrase "support or impact design bases functions" refers both to those SSCs needed to support design bases functions (cooling, power, environmental control, etc.) and to SSCs whose operation or malfunction could adversely affect the performance of design bases functions (for instance, control systems and physical arrangements). Thus, both safety-related and nonsafety-related SSCs may perform design functions. [emphasis added]

This definition is oriented around the definition of design bases function, which itself is defined in NEI 97-04, Appendix B, Guidelines and Examples for Identifying 10 CFR 50.2 Design Bases, endorsed by Regulatory Guide 1.186, and highlighted in bold above.

A more complete understanding of the meaning of design bases functions can be obtained by examination of NEI 97-04, Appendix B. From NEI 97-04, the three characteristics of design bases functions are summarized as follows:

1. Design bases functions are credited in the safety analyses.
2. The functions of any individual SSC are functionally below that of design bases functions.
3. Design bases functions are derived primarily from the General Design Criteria.

Repeating a portion from above to highlight the importance of identifying the design bases function and its connection to a safety analysis result, we have the following:

As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). [emphasis added]

Then, from NEI 96-07, Section 3.12:

Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11...and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR. [emphasis added]

And from the first sentence of the associated discussion:

Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. [emphasis added]

Also included in the definition of safety analyses are supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses.

Failure Modes and Effects Analysis (FMEA)

NEI 96-07, Section 4.3.6 recognizes that the effect of a proposed modification must be assessed. This assessment may require the use of a failure modes and effects analysis (FMEA), including the possible creation of a new FMEA.

From NEI 96-07, Section 4.3.6:

In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. [emphasis added]

If a new/revised FMEA is determined to be needed, other effects of a digital modification could create new failure modes in addition to failures caused by software (e.g., combining functions, creating new interactions with other systems, changing response time). For example, if previously separate functions are combined in a single digital device, the failure assessment should consider whether single failures that could previously have affected only individual design functions can now affect multiple design functions.

Overall Perspective

NEI 96-07, Section 4.3.6 provides the overall perspective on this Evaluation criterion with its first sentence, which states:

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

Expanding upon this foundation, the following conclusion is reached, which is based upon discussion from 63 FR 56106:

Unless the equipment would fail in a way not already evaluated in the safety analysis, there can be no malfunction of an SSC important to safety with a different result.[3] [emphasis added]

GUIDANCE

From NEI 96-07, Section 4.3.6, the two considerations that need to be assessed when answering this Evaluation question are "as likely to happen as" and the impact on the malfunction result.

Determination of "As Likely to Happen As"

From NEI 96-07, Section 4.3.6:

The possible malfunctions with a different result are limited to those that are as likely to happen as those described in the UFSAR. A proposed change or activity that increases the likelihood of a malfunction previously thought to be incredible to the point where it becomes as likely as the malfunctions assumed in the UFSAR could create a possible malfunction with a different result. [emphasis added]

If the outcome of the qualitative assessment is sufficiently low, then the activity does not introduce any failures that are as likely to happen as those in the UFSAR. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR.

If the outcome of the qualitative assessment is not sufficiently low, then the activity may introduce failures that are as likely to happen as those in the UFSAR and that can create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR. For these cases, this Evaluation criterion also needs to consider the impact of this potential failure on the safety analysis result, using assumptions consistent with the plant's UFSAR.

[3] This conclusion is based upon the discussion from 63 FR 56106, which states: "Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction." Although the final rule reflected the change from "malfunctions of a different type" to those "with a different result," nothing suggested the Commission intended to change the longstanding position in the proposed rule.

EXAMPLE

Example 4-16 illustrates the NO CREATION of the possibility for a malfunction with a different result case.

Example 4-16. NO CREATION of the Possibility for a Malfunction with a Different Result

Proposed Activity

A large number of analog transmitters in several different systems and uses are being replaced with digital transmitters. These transmitters perform a variety of functions, including controlling the automatic actuation of devices (e.g., valve stroking) that are credited in a safety analysis.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSCs is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

Conclusion

With the failure likelihood introduced by the modified SSCs being sufficiently low, the activity does not introduce any failures that are as likely to happen as those in the UFSAR that can initiate a malfunction of an SSC important to safety. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Determination of Malfunction Result Impact

For cases in which the qualitative assessment outcome is a failure likelihood of not sufficiently low, the result of a malfunction of an SSC important to safety needs to be assessed to determine if the result is different.

The generic process to determine the impact on the result of a malfunction of an SSC important to safety (i.e., a comparison of the safety analyses results to identify any different results) consists of multiple steps, as summarized next.

Step 1: Identify the functions directly or indirectly related to the proposed modification.

Considering the scope of the proposed digital modification, identify the functions that are directly or indirectly related to the proposed activity.

The functions identified as part of this step will be further classified in Step 2.

As a reminder of the guidance provided in NEI 96-07, the following additional guidance is provided to assist in the identification and consideration of the proper scope of SSCs and their functions:

1. Identification and consideration of the proper scope of SSCs is concerned with the functional involvement of an SSC, not necessarily only its level of direct description in the UFSAR.
2. In cases in which a proposed activity involves a subcomponent/component that is not directly described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system of which the subcomponent/component is a part.

3. In cases in which a proposed activity involves a subcomponent/component that is not described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system that the subcomponent/component supports.

Regardless of the level of description, the assessment of the impact also needs to consider the elements of a design function as described in NEI 96-07, Section 3.3, which are repeated below:

  • Implicitly included within the meaning of design function are the conditions under which intended functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure.
  • Design functions may be performed by safety-related SSCs or nonsafety-related SSCs and include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

Step 2: Identify which of the functions from Step 1 are Design Functions and/or Design Bases Functions.

Utilizing NEI 96-07, Section 3.3, classify each of the functions from Step 1 as either NOT a design function or as a design function.

If no design functions are identified, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result, because malfunctions (and the results thereof) refer ONLY to the failure of an SSC to perform its intended design functions.

For each design function identified above, utilize NEI 96-07, Section 3.3 (along with Appendix B to NEI 97-04, as needed) to identify which design functions are design bases functions, which design functions support or impact design bases functions, and which design functions are not involved with design bases functions but are functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. If multiple design functions are identified, each design function is to be considered in this multistep process.

One means to determine if a design function is a design bases function would be by identifying the associated General Design Criteria (GDC) to which a design bases function applies or, more specifically, the associated principal design criteria (PDC) for an individual facility, the minimum standards for which are set by 10 CFR Part 50 Appendix A (or perhaps their 1967 precursors). Each design function may then be related to the requirements discussed within the GDC to determine if that design function is directly involved with the design bases function itself or if the design function supports or impacts the related design bases function. If the design function is found to directly involve the GDC requirement, then that design function is a design bases function. If the design function supports or impacts the GDC requirement, then it is not a design bases function, but is still credited in the safety analysis.

As described in NEI 96-07, Section 4.3.2 (but equally applicable here), safety analyses typically assume certain SSCs perform certain design functions as part of demonstrating the adequacy of the design. The process of determining if a design function is a design bases function should include both direct and indirect effects on the design functions.

However, safety analyses do not typically identify all of the SSCs that are relied upon to perform their design functions. Thus, certain design functions, while not specifically identified in the safety analyses, are credited in an indirect sense. Therefore, the review should not be limited to only the SSCs discussed in the safety analyses. For example, performing a design change on a valve controller in a high pressure safety injection system would be considered to involve an SSC credited in the safety analyses even though the valve itself may not be mentioned in the safety analyses.

If no design bases functions are involved, proceed to Step 5 since neither the performance of design bases functions nor the support or impact of design bases functions are involved.

(NOTE: The potential for more severe accident initiation is addressed in Step 5.)

Step 3: Determine if a new FMEA needs to be generated.

If the impact on the design bases function involved is readily apparent, no new FMEA needs to be generated. Go to Step 4.

For example, there is no reason to contemplate the generation of a new FMEA if the impact of the failure on the design bases functions is recognized as being immediate. Otherwise, generate the new FMEA to describe the connection of the proposed activity, or failures due to the proposed activity, to an impact on the design bases functions.

As part of the process for generating the new FMEA, presume compliance with pre-existing/interdependent, modification-related procedures and utilization of existing equipment to determine if adequate SSC design and/or operational (i.e., procedural) options exist to mitigate potential detrimental impacts on design functions.

Interdependence is discussed in NEI 96-07, Sections 4.2 and 4.3 (and is distinct from the compensatory actions discussed in NEI 96-07, Section 4.4). An example of an interdependent procedure change would be the modification of an existing procedure to reflect operation of the new digital equipment and controls, including any new features such as a control system restart option. (NOTE: NEI 96-07, Section 4.3.2, Example 4 provides guidance on assessing new operator actions.)

Step 4: Determine if each design bases function continues to be performed/satisfied.

If all design bases functions continue to be performed/satisfied, and there are no other design functions involved, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result because no malfunction occurs. With no malfunction occurring, there cannot be a different result.

For any design bases functions that do not continue to be performed/satisfied, or other design functions that are involved, continue to Step 5.

Step 5: Identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR.

Considering the scope of design functions and design bases functions from Step 2, identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR (i.e., identify all safety analyses[4] that rely directly or indirectly on the design bases functions' performance/satisfaction). Also, identify all safety analyses related to any other design function that could impact either the accident's initiation or the event's initial conditions (i.e., design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand).

If there are no safety analyses involved, then there cannot be a change in the result of a malfunction of an SSC important to safety. Therefore, in this case, the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result.

Step 6: For each involved malfunction of an SSC important to safety, compare the projected/postulated results with the previously evaluated results.

NEI 96-07, Section 4.3.6 provides the following guidance regarding the identification of failure modes and effects:

Once the malfunctions previously evaluated in the UFSAR and the results of these malfunctions have been determined, then the types and results of failure modes that the proposed activity could create are identified.

If any of the previous evaluations of the involved malfunctions of an SSC important to safety identified above (i.e., safety analyses[5]) have become invalid because their basic assumptions are no longer valid (e.g., the single failure assumption is not maintained), or if the numerical result(s) of any safety analysis would no longer satisfy the acceptance criteria (i.e., the safety analysis is no longer bounded), then the proposed activity DOES create the possibility for a malfunction of an SSC important to safety with a different result.

As part of the response and determining if the malfunction results continue to be bounded, include the impact on the severity of the initiating conditions and the impact on the initial conditions assumed in the associated safety analysis. Specifically, consider any design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

EXAMPLES

Examples 4-17 through 4-21 illustrate some cases of NO CREATION of a malfunction with a different result by applying the multistep process outlined above.

Example 4-17. NO CREATION of a Malfunction with a Different Result

Proposed Activity

A feedwater control system is being upgraded from an analog system to a digital system.

Safety Analysis Result Impact

Step 1:

The pertinent function of the feedwater control system is to establish and maintain steam generator water level within predetermined physical limits during normal operating conditions.

[4] NEI 96-07, Section 3.12, Safety Analysis
[5] NEI 96-07, Section 3.12, Safety Analysis