ML20023B413
| ML20023B413 | |
| Person / Time | |
|---|---|
| Site: | Shoreham File:Long Island Lighting Company icon.png |
| Issue date: | 05/02/1983 |
| From: | Earley A HUNTON & WILLIAMS, LONG ISLAND LIGHTING CO. |
| To: | |
| Shared Package | |
| ML20023B408 | List: |
| References | |
| ISSUANCES-OL, NUDOCS 8305050029 | |
| Download: ML20023B413 (367) | |
Text
CONETED vusc
'83 ['l -d Nl l39 UNITED STATES OF AMERICA NUCLEAR REGULATORY-COMMISSION Before the Atomic Safety and Licensing Board In the Matter of )
)
LONG ISLAND LIGHTING COMPANY ) Docket No. 50-322 (OL)
)
(Shoreham Nuclear Power Station, )
Unit 1) )
LILCO'S PROPOSED OPINION, FINDINGS OF FACT AND CONCLUSIONS OF LAW IN THE FORM OF A PARTIAL INITIAL DECISION January 17,- 1983 Hunton & Williams P. O. Box 1535 May 2, 1983 (Revised) Richmond, Virginia 23212 VOLUME TWO OF THREE:
SAFETY CLASSIFICATION AND SYSTEMS INTERACTION 8305050029 830502 PDR ADOCK 05000322 T PDR
UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION ATOMIC SAFETY AND LICENSING BOARD
~
Before Administrative Judges:
Lawrence Brenner, Chairman Dr. James H. Carpenter Dr. Peter A. Morris -
)
)
In the Matter of ) Docket No. 50-322-OL LONG ISLAND LIGHTING COMPANY
.))
(Shoreham Nuclear Power Station, ) , 1983 Unit 1) )
)
)
PARTIAL INITIAL DECISION (Operating License) t 2
PRELIMINARY STATEMENT This volume continues the briefing of issues litigated in the Shoreham operating license proceeding. The Long Island Lighting Company has previously served:
LILCO's Proposed Opinion, Findings of Fact
- and Conclusions of Law in the Form of a Partial Initial Decision, Volumes One to Three (January 17, 1983),
LILCO's Reply.to the Proposed Opinions, Find-ings and Conclusions of Suffolk County and the Staff, Volumes One and Two (February 22, 1983),
LILCO's QA/QC and EQ Supplement to its Pro-posed Opinion, Findings of Fact and Conclu-sions of Law in the Form of a Partial Initial Decision, Volumes One and Two (March 28, 1983),
and LILCO's Reply to the Proposed QA/QC and EQ Opinions, Findings and Conclusions of Suffolk County and the Staff, Volume One of One' (April 25, 1983)
The present document is the ninth in the series just described. It revises and replaces LILCO's Pfoposed Opinion, Findings of Fact and Conclusions of Law in the Form of a Partial Initial Decision, Volume Two of Three, filed on January 17, 1983, to incorporate testimony given during the reopened portion of the SC/ SOC Contention 7B record.
For the reasons set out below, we urge the Board's adoption of the following opinion and findings.
Respectfully submitted,
/ , .,
WL, . (" 'L arlef,'f'Cc Antihony F. Jr. /
One of L. CO's Counselv Hunton & Williams P. O. Box 1535 Richmond, Virginia 23212 DATED: May 2, 1983 i
VOLUME TWO TABLE OF CONTENTS 1
Page 4
II. OPINION continued -
B. SAFETY CLASSIFICATION AND SYSTEMS INTERACTION............................... 1 4
- 1. Safety Classification of Structures, Systems and Components at Shoreham........... 5 3
- a. Shoreham's Classification Scheme........ 5
- b. Methodology,for Classification.......... 7
?
(1) Design and Operational Experience......................... 8 (2) Systematic Analyses............... 11
. (3) NRC Regulations................... 13 i
I (4) NRC and Industry Guidance i Documents......................... 14
- c. No Evidence of Improper Classification......................... 15
- 2. Important to Safety......................... 22
- a. Pertinent Regulations and Their History.......................... 25 (1) Part 50, Appendix A............... 28
- (2) Part 50, Appendix B............... 34 (3) Part 100, Appendix A.............. 36
i (4) Others............................ 39
- b. Industry and NRC Practice.............. 40
- c. Need for Rulemaking if the Denton Memorandum is to be Adopted............ 46
- 3. Compliance with General Design Criteria..... 50
- a. Quality Assurance for Non-Safety Related Structures, Systems and Components at Shoreham................. 52
- b. NRC Staff Testimony on LILCO's Compliance with GDC 1.................. 61
- d. Compliance with Regulations During Operations...................... 65
- 4. Systems Interactions........................ 80
- a. Consideration of Systems Interactions for Shoreham.............. 82
- b. Staff Requirements and Review.......... 88
- c. Examples of Systems Interaction........ 88
- d. Shoreham Probabilistic Risk Assessment (PRA)....................... 92
- e. Unresolved Safety Issue A-17........... 98
- f. SER Open Item 47...................... 105
- 5. SOC Contention 19(b)....................... 108
- 6. Conclusion................................. 113 2 III. FINDINGS OF FACT continued........................... 115 B. SAFETY CLASSIFICATION AND SYSTEMS INTERACTIONS............................ 115
-ii-
, - - , - . . , - , , - - , . . ~ , - . , - - . . - - - -
- - ,,,----,e , - - , - - - . . . - - - - - - - - , - - - - - - - . - , , , , ,
- 1. Safety Classification of Structures, Systems and Components at Shoreham............ 120
- a. Shoreham's Classification Scheme......... 120
- b. Methodology for Classification........... 123 (1) Design and Operational Experience.......................... 124 (a) General Electric............... 125 (b) Stone & Webster................ 130 (2) Systematic Analyses................. 134 (a) Design Bases Analysis.......... 134 (b) ANS-22 and Nuclear Safety Operational Analysis (NSOA).... 140 (3) NRC Regulations..................... 148 (4) NRC and Industry Guidange Documents........................... 151 (5) x Operating E'perience................ 154 (6) Alternate Methodologies............. 154
- c. No Evidence of Improper Classification........................... 157 (1) Standby Liquid Control (SLC) System........................ 157 (2) Rod Block Monitor (RBM)............. 160 (3) Reactor Core Isolation Cooling (RCIC) System............... 165 (4) High Water Level (Level 8)
Trip of Main Turbine and
-iii-
..__....-m.-
Feedwater Pumps..................... 169 (5) Turbine Bypass System............... 173 (6) Alleged Inconsistencies in FSAR Table 3.2.1-1............... 179 (a) Use of Quality Group D as Non-Safety Related........ 180 (b) Reactor Water Cleanup (RWCU) System.................. 184 (c) Alleged Inconsistencies Between Quality Assurance Classification and Seismic Classification................. 185 (d) Level of Detail in Table 3.2.1-1.................. 187
- 2. Important to Safety........................... 189
- 3. Compliance with General Design Criteria...................................... 219
- a. General Electric......................... 223
- b. Stone & Webster.......................... 227
- c. LILCO.................................... 234
- d. NRC Staff Review of Non-Safety Related Structures, Systems and Components................... 240
- 4. Compliance with Regulations During Operations.................................... 244
- 5. Conran Testimony.............................. 260
- 6. Systems Interactions.......................... 272
- a. Consideration of Systems Inter-
-iv-
actions for Shoreham..................... 272 (1) Stone & Webster / General Electric Design Process...................... 272 (2) Specific Systems Interactions Studies............................. 276 (a) Pipe Failure and Internal Flooding....................... 277.
(b) Missiles....................... 279 (c) Fire Hazard Analysis........... 280 (d) Cable Separation............... 281 (e) Failure Mode and Effects .
Analyses (FMEAs)............... 284 (f) Electrical Bus Failures........ 285 (g) Control System Failures........ 285 (h) High Energy Line Break......... 288 (i) Probabilistic Risk Assessment.. 289 (j) Heavy Loads.................... 290 (k) Protection Systems............. 291 (1) Scram Reliability.............. 292 (m) Common Mode Failures in Protection and Control Instrumentation................ 293 (n) Water Level Instrumentation.... 294 (o) TMI-2 Implications............. 295 (3) Preoperational Testing.............. 296
-v-
(4) Continuing Review of Systems Interactions for Shoreham........... 298
- b. Staff Review and Requirements............ 300
- c. Examples of Systems Interactions Cited By Suffolk County.................. 311 (1) Water Level Instrumentation (Pilgrim)........................... 311 (2) Water Level Instrumentation (Michelson)......................... 314
- d. Systems Interactions and the Shoreham Probabilistic Risk Assessment............................... 317 (1) Background.......................... 317 (2) Shorehhm PRA Methodology............ 321 (3) Consideration of Systems Interaction in the Shoreham PRA................................. 323 (4) Staff Testimony on the Use of PRAs to Consider Systems Interactions........................ 323 ,
(5) Concerns About the Shoreham PRA Raised in the Intervenors' Contention.......................... 340 (6) Conclusions Regarding the Use of PRAs for Systems Interaction Identification and Evaluation....... 344
- 7. SOC Contention 19(b).......................... 348
- a. Development of EOPs................. ....349
- b. Purpose of EOPs.......................... 352
-vi-
- c. Review of Shoreham EOPs.................. 353
- d. Flaws in the Intervenors' Analysis................................. 355 4
-vii-
II. OPINION 1/
B. SAFETY CLASSIFICATION AND SYSTEMS INTERACTION SC/ SOC Contention 7B concerns (1) the adequacy of the methodology used by the Applicant and its principal contrac-tors, Stone & Webster and General Electric, to classify struc-tures, systems and components at Shoreham, including in particular (2) whether this methodology adequately took into-account systems interaction (Board Finding B-1). SOC Conten-tion 19(b) concerns the alleged failure of the NRC Staff to require LILCO to comply with certain provisions of the latest revisions of Regulatory Guide 1.26, " Quality Group 1/ Pursuant to the Board's request that LILCO make clear all revisions to LILCO's Proposed Opinion, Findings of Fact and Conclusions of Law in the Form of an Initial Decision (Safety Classification and Systems Interaction), filed January 17, 1983, the following conventions have been adopted:
- 1. If a finding or a paragraph in the opinion consists of material which is totally new, an asterisk appears at the beginning of that para-graph or finding, e.g., *B-3A.
- 2. If a finding or a paragraph in the opinion is modified, two asterisks appear at the beginning of that paragraph or finding. In addition, any new material is underlined and a line is drawn through any material which has been deleted.
t
_1_
Classifications and Standards for Water , Steam , and Radioactive Waste Containing Components of Nuclear Power Plants," and Regulatory Guide 1.29, " Seismic Design Classifica-tion" (Board Finding B-2). Suffolk County, LILCO and the Staff testified on these contentions 2/ (Board Finding B-3).
SC/ SOC 7B was developed by the Board from three sets of contentions submitted by Suffolk County and the Shoreham Oppo-nents Coalition.3/ The resulting contention was closely 2/ Suffolk County's written direct testimony specifically addressed SC/ SOC 7B. Separate tsstimony was not filed by SOC or the County on SOC 19(b). The SC/ SOC 7B testimony did, how-ever, address some of the issues raised in SOC 19(b). LILCO and the NRC Staff filed testimony on 19(b) as part of their respective testimony on 7B.
3/ Namely:
- 1. SOC 7B(1) and SC 29 -- IREP-Probabilistic Risk Assessment;
- 2. SOC 7B(2) and SC 7 -- Systems Interaction; '
- 3. SOC 7B(4) and SC 6 -- Classification and Qualification of Safety Equipment.
SC Contention 29 repeated essentially verbatim the final para-graph of SOC 7B(1). SC Contentions 6 and 7 were stated differ-ently than SOC 7B(4) and (2) but had the same thrusts. See LILCO's Response to Proposed County Contentions 1 to 31, at 2 (Feb. 18, 1982) (Response to SC Contentions).
The Applicant specified its opposition to the litigation of these matters in the above filing and in LILCO's opposition (footnote continued) related to the subject matter of SOC 19(b)4/ and, thus, the two (footnote continued) to SOC Contention 7B (Dec. 18, 1981) (Opposition to SOC). The Applicant argued that these TMI-related contentions asked for the same relief -- some sort of event / fault tree analysis of Shoreham, coupled with an additional physical inspection of plant systems and components -- but that the desired analysis and the related inspection were not defined in the proposed contentions. See Response to SC Contentions at 2-3. Further, the Applicant opposed these TMI-related contentions because they were based on items in NUREG-0660 (NRC Action Plan Developed As a Result of the TMI-2 Accident) rather than on NUREG-0737 (the Commission's subsequent Clarification of TMI Action Plan Requirements). .See Opposition to SOC at 2-7.
The Board rejected portions of the proposed contentions, combined them into one, and rest'ated them to focus on the questions of methodology noted above. See Memorandum and Order Confirming Rulings Made at the Conference of Parties (Regarding Remaining Objections to the Admissibility of Contentions and Establishment of Hearing Schedule) at 4-12 (March 15, 1982), 15 NRC at 604-12. Licensing Boards are not in accord on the ad-missibility of contentions such as SC/ SOC 7B, even as pruned and restated by the Board. Compare this Board's ruling with Public Service Co. of New Hampshire (Seabrook Station, Units 1 and 2), Dockets Nos. 50-443 and -444 OL, slip op. at 59-60 (Sept. 13, 1982) (contention identical to SC/ SOC 7B rejected for lack of regulatory basis).
4/ This contention had a long and complex evolution. LILCO initially objected to its admission as untimely, inadequately particularized and without regulatory basis. The Board disagreed, starting a long procedural process that culminated in a joint motion by SOC, the Staff and LILCO for Acceptance of a Stipulation Regarding SOC Contentions 3, 6(a)(i), 7(a)(ii),
8, 9, 12 (Part 3), 15, 16, 17 and 19 (Dec. 2, 1981). The issues concerning Regulatory Guides 1.26 and 1.29 were redesignated SOC 19(b). Id. at 13. The Board approved the parties' stipulation. Memorandum and Order Approving Stipula-tions, Deferring Rulings on Summary Judgment Pending Further I
(footnote continued)
~-
ls l
were heard together. ,
In order to focus the litigation more sharply, the Board' ordered the County and SOC to file their written direct testimony and be cross-examined on it before the filing of LILCO's and the Staff's written direct cases. Several results flowed from this process. First, it became clear that SC/ SOC believed LILCO and its contractors had used an inadequate meth-odology to classify structures,-systems and components at Shoreham because they did not (a) classify certain systems as
" safety related" and (b) use the category "important to safe-ty." Second, with respect to systems interactions, SC/ SOC's testimony expanded the focus. Contention 7B, as drafted and admitted by the Board, focused on whether systems interaction were adequately taken into account in the selection of Shoreham's design basis accidents. But the SC/ SOC testimony ranged far beyond DBAs to address the adequacy of LILCO's treatment of systems interactions in general, including whether (footnote continued)
Particularization, Scheduling a Conference of Parties and Setting an Estimated Schedule for the Filing of Testimony at 1 (Feb. 8, 1982).
t
_4
unresolved safety iscues A-17, " Systems Interactions in Nuclear Power Plants," and A-47, " Safety Implications of Control Syste,ms," were properly addressed.
Finally, SC/ SOC argued that LILCO's methodology for classifying systems and for considering systems interactions was inadequate beca'use the methodology was not rooted in certain analytical techniques such as an appraisal of Emergency Operating Procedures, probabilistic risk assessment, and depen-dency analyses.
- 1. Safety Clas'sification of Structures, Systems and Components at Shoreham SC/ SOC's claims to the contrary, the record indicates that an adequate classification methodology has been used for Shoreham, one that has resulted in classification of the plant's structures, systems and components in accord with NRC regulations.
- a. Shoreham's Classification Scheme LILCO and its principal contractors classify systems as
" safety related" or "non-safety related"5/ (Board Finding B-4).
) 5/ Within the safety related set, there are subclassifica-tions called Quality Groups that are specified in Regulatory Guide 1.26.
Safety related structures, systems and components must be able to withstand the Safe Shutdown Earthquake and remain capable of as sur,ing :
(1) The integrity of the reactor coolant pressure boundary.
(2) The capability to shut down the re-actor and maintain it in a safe shutdown condition, or (3) The' capability to prevent or miti-gate the consequences of accidents which could result in potential
. offsite exposures comparable to the guideline exposures of [10 CFR Part 100). ,
10 CFR Part 100, Appendix A, III(c). (Board Findings B-7, B-12). Thus, a structure, system, or component at Shoreham is
" safety related" if required to assure one of these three safe-ty related functions. Conversely, any structure, system or
- component that is not required to assure one of these safety related functions is classified as non-safety related (Board Finding B-8).
The use at Shoreham of " safety related" and "non-safety related" is consistent with the usage throughout the industry.
(Board Finding B-5). Representatives of both General Electric i
L
and Stone & Webster, who were on LILCO's witness panel, testified that the approach to classification at Shoreham is the same as that used for their other current plants. They also testified that, to their knowledge, it is the classifica--
tion scheme used consistently throughout the industry. (Board Finding B-5). The NRC Staff witnesses also testified that LILCO's use of " safety related" and "non-safety related" is consistent with industry practice. (See Board Finding B-188).
. b. Methodology for Classification The classification methodology used by LILCO is common to the industry, rooted in NRC regulations, and shown success-ful by years of experience. The methodology involves a number of elements: (a) reliance upon design and operational experi-ence, (b) use of systematic analyses, (c) use of regulations, and (d) use of NRC and industry guidance. All of these elements were employed by LILCO and its contractors to ensure that the " safety related" set of structures, systems and compo-nents at Shoreham is sufficient to satisfy Appendix A to Part 100. (See generally Board Findings B-16 to B-83).
1 (1) Design and Operational Experience As LILCO's witnesses testified, Shoreham was not desig'ned and classified in a vacuum. It is essentially a standard BWR-4. That standard design evolved, in turn, from previously licensed BNR models, drawing upon the experience gained from their development. At the time Shoreham was con-ceived, seven General Electric BWRs were operating and 23 others were in various stages of design and construction (Board 1
Finding B-30). There are currently 18 BWR-4s operating or l under construction and 18 BWR-1,-2 and -3s in operation (Board ,
Finding B-30). Similarly, Stone & Webster, the designer of Shoreham's balance of plant, has had substantial experience in the application of regulations to, and the classification of systems on, nuclear power plants, including other BWRs. (Board Findings B-35 to B-38). Thus, experience has played an impor-tant role in developing Shoreham's design, including the safety classification of its systems.
Classification begins with an analysis of the design of a plant so as to understand the precise nature and functions of all its structures, systems and components. Then, classifica-l tion matches the various functions and capabilities so t
er- - - - - , - , , , , - , , , , , , , . , --,-,-,-,--n, ,-m-,,,,--,e .-,--<,y, ---...-,---,-,-,-----,---..-g -----e
identified against the safety related functions of Part 100, Appendix A to define the safety related set of structures, systems and components. (Board Finding B-17). Experience with plant design is central to these classification steps. Equally important is a disciplined design process that is controlled by procedures and design guidance documents developed by an expe-rienced design organization. This makes it possible to bring the body of corporate knowledge about the design of nuclear power plants, including safety classification, to bear on the design of each structure, system and component in the plant.
(See Board Findings B-17, B-19 t6 B-39).
Experience is also important in providing feedback to verify proper classification. First, there is feedback from operating plants. Both General Electric and Stone & Webster have programs to feed information gained from operating plants back to the Shoreham project. Thus, if the safety related set was found insufficient at another plant, that information would be transmitted to LILCO for determination of its applicability to Shoreham. (Board Findings B-25, B-30 to B-32, B-35 to B-38). Moreover, LILCO has established its own extensive pro-gram to review operating experience from other plants, which
! _g_
further increases the likelihood that any classification inadequacies will be identified. (Board Findings B-314 to B-316).
Shoreham has also benefited from the combined operating experience of the BWR Owners' Group. In the process of developing guidelines for Emergency Operating Procedures (EOPs), the Owners' Group reviewed and analyzed extensively the classification of systems in the EOPs. (Board Findings B-401, B-402). No classification changes resulted from this review, thereby confirming that an adequate classification methodology had been applied to Shoreham (Board Finding B-402).
A second source of feedback is the design process.
Both General Electric and Stone & Webster are organized and have programs to ensure wide dissemination of design informa-e tion. If a classification problem is identified as a result of the design process on another plant or of a general design review, this information is transmitted to Shoreham. (Board Findings B-18, B-22, B-29, B-32, B-36).
For example, in 1979 General Electric conducted a complete review of the classification of structures, systems l
i and components withinlits scope of supply. The review considered the overall BWR design as well as the' design of individual plants,. including Shoreham. It resulted in the re-classification of only one component. (Board Finding B-27).
Reviews of this sort provide assurance that Shoreham's systems, structures and components are, in fact, properly classified, and that programs are in place to see that Shoreham benefits from design developments at all General Electric plants.
Reliance on disciplined design and experience, alone, does not constitute an adequate , classification methodology.
These facts are, however, important and significant elements of an adequate methodology. The record indicates that a disci-
.plined design' process was used and substantial experience was brought to bear on the classification of Shoreham's systems.
(See Board Findings B-19 to B-22, B-24, B-26 to B-29, B-32 to B-39).
(2) Systematic Analyses The second major element of the methodology for classi-fying systems at Shoreham was a program of systematic analyses to ensure that the necessary safety related systems, structures l'
, and components do exist. A Shoreham-specific design basis.
analysis was conducted, the results of which-are described in Chapter 15 of the FSAR. (Board Findings B-41 to B-43). The i
, analysis begins by selecting a set of anticipated operational transients and' hypothetical severe accident sequences that, consistent with'the NRC's regulations, bound all others (Board Findings B-43, B-46).p/ It must then be shown that the safety related structures, systems and components.will prevent the.
consequences of the specified accidents from exceeding the Part 100 limits. (Board Findings B-43, B-45). As Chapter 15 of the
, FSAR reflects, the safety related set at Shoreham meets these
- requirements. (Board Finding B-49). Thus, the design basis analysis for Shoreham demonstrates that-its structures,-systems and components have been properly classified.
The Applicant's witnesses described the Nuclear Safety Operational Analysis (NSOA) as a second sort of comprehensive,
, systematic review that was used in the classification process for Shoreham. The NSOAs are described in detail in Appendix 7A i
p/ The set of design basis accidents and transients is defined both by regulation and by experience. (See, e.g., 10
- CFR Part 50, Appendix A, Introduction'and GDC 4, 25, 26, 28; Board Finding B-44).
. . _ _ . , . . - _ _ , 4,. ... _ .. --. ._ _,__ . .
, .. . _ _ _ _ _ . , , . . . . . _-_,._,m__
I p-
% 9 4
%.s of the FSAR. .[B ard Finding B-60). They comprehensively addre %ss the roles of the various structures, systems, and com-x s l
, ponents in the safe operation of the plant. (Board Findings B-56 to B-60). The NSOAs, in conjunction with the design basis analyses, show that LILCO has an adequate set of safety related struc,ture s , systems and components (Board Finding B-60).
More-over, as explained below, NSOAs, as a generic, industry wide modeokanalysis, were used to develop industry guidance documents that helped shape the classification scheme for Shorehas.
(
(3) NRC Regulations The third element of LILCO's classification methodology is reliance on applicable NRC regulations. Appendix A to Part 100 has had central importance to Shereham's classification 1 scheme (Board Findings B-62 to B-64). As other pertinent regu-s
, lations have been promulgated, particularly 10 CFR Part 50, Appendices A and B, and 10 CFR 50.55(a), the classification of the plant's structures, systems and components has been reviewed to ensure continued compliance with Commission re-quirements (Board Findings B-65, B-67,B-68 to B-71).
o
(4) NRC and Industry Guidance Documents The fourth element in the-Shoreham classification meth-odolo'gy has been use of NRC and industry guidance in the clas-sification of structures, systems and components. In the early-1970s, the American Nuclear Society undertook to develop com-prehensive guidance for the design and classification of PWRs and BWRs. (Board Finding B-51). The BWR effort, involving representatives of General Electric, Stone & Webster, utilities and the NRC, resulted in ANS-22, " Nuclear Safety Criteria for the Design of Stationary Boiling Water Reactor Plants" (now ANS-52.1) (Board Finding B-51). NSOAs were also used in the development of ANS-22. Thus, this guidance document repre-sented not only the collective experience and knowledge of the industry and agency on systems classifications, but also the comprehensive, systematic approach of the NSOAs. (Board Find-ings B-50 to B-56). ANS-22 was used-in the design of Shoreham, including the development of the present classification scheme.
Shoreham's classification is consistent with ANS-22. (Board Finding B-50).
The NRC Staff has also published guidance on classifi-cation. Regulatory Guide 1.26 deale with the quality group a
classification of fluid systems for nuclear power plants.
Regulatory Guide 1.29 concerns structures, systems and compo-nents that must be classified as Seismic Category I. (Board Finding B-72). Shoreham is committed to comply with Revision 1 to both of these regulatory guides and does so comply (Board Findings B-75 to B-77). In addition, the plant also complies with their latest (third) revisions (Board Findings B-76, B-77).
Bhsed upon the record as a whole, we conclude that LILCO has applied an a,dequate methodology for the classifica-tion of structures, systems and components at Shoreham. Conse-quently, there is no need to apply the alternate classification methodologies suggested by SC/ SOC.7/
- c. No Evidence of Improper Classification Without regard to classification methodology, it bears emphasis there is no evidence that any structure, system or 7/ We conclude that there is no regulatory requirement that alternate classification methodologies such as PRAs, EMEAs, systems interaction analyses, dependency analyses and analyses of EOPs be used. Moreover, it is not clear that the techniques would be useful in the classification of systems. (Board Find-ings B-79 to B-83, B-336, B-418).
t component at Shoreham has been improperly classified. NRC witnesses testified that they have reviewed extensively the classification of the plant and found.it to be in compliance with NRC regulations. _LILCO witnesses also testified that structures, systems and components at Shoreham are classified in accordance with NRC regulations. (Board Finding B-68).
The witnesses' conclusions were based, in part, on a number of extensive classification reviews, as well as on their knowledge of the design control process and its product -- the Shoreham plant (see, e.g., Board Findings B-27, B-28, B-54, B-68, B-73). The design control procehs sees to the proper classifi-cation of design changes (see Board Findings B-29, B-39).
When SC/ SOC 7B was admitted for litigation, the Board directed Suffolk County and SOC to provide two detailed exam-ples to illustrate their claim that inadequate classification had been used. Instead, the SC/ SOC prefiled testimony alleged, with little supporting detail, a substantial number of classi-fication errors. These alleged errors were shown to lack merit by LILCO and the NRC Staff.
SC/ SOC claimed that the following systems or components were not classified as safety related but should have been:
Standby Liquid Control System, Rod Block Monitor, Reactor Core Isolation Cooling System, High Water Level (Level 8) Trip, and Turbi.ne Bypass System. In addition, SC/ SOC alleged a number of deficiencies in the FSAR's summary table of classifications (Table 3.2.1-1). (Board Findings B-85 to B-157). We disagree.
The Standby Liquid Control System provides backup to the control rod drives in the event of a multiple control rod drive failure. Because of the back-up nature of its function, SLCS does not need to perform a safety related function and, therefore, need not be classifie,d as a fully safety related system. (Board Findings B-85 to B-89). In any event, all of its components that are needed to inject boron are classified as safety related. (Board Finding B-86). Thus, we conclude that the system has been properly classified.
The Rod Block Monitor is designed to prevent erroneous control rod withdrawal and ensuing fuel damage. Failure of this system, however, would not result in more than minimal fuel damage and certainly would not exceed the radiation dose limits of 10 CFR Part 100. Consequently, the system is not needed to perform a safety related function and is not required to be classified as safety related (Board Findings B-90 to i
i l
l 1
B-93). In any event, the only acpect of the rod block function that is not classified safety related is the reactor manual control portion of the control rod drive system which is con-tinuously in use during reactor operation and very reliable (Board Finding B-98). We conclude that the Rod Block Monitor has been properly classified.
The Reactor Core Isolation Cooling System is a high pressure system that cools the core during certain reactor shutdown conditions. The system can also provide back-up capa-bility for the High Pressure Coolant Injection System. (Board Findings B-100, B-103). RCIC is not relied upon in the ECCS analysis, although it could provide cooling water in the event of a LOCA. Nor is credit taken for RCIC in the FSAR Chapter 15 accident analysis. (Board Findings B-102, B-103, B-1d6). RCIC is, however, considered a back-up to HPCI in the control rod drop accident. Thus, automatic operation in this event is RCIC's only safety function. (Board Finding B-107). All the components in the system necessary to perform this function are safety related (Board Findings B-108 to B-110). In fact, es-sentially the whole RCIC system is classified safety related (Board Finding B-101). Thus, we conclude that the RCIC system has been properly classified.
The Level 8 Trip System is designed to prevent water level in the reactor vessel from reaching a height at which it could flow through the steam lines to the turbine (Board Find-ing B-111). If the system failed, however, there would be lit-tle effect on the severity of the transients in which its operation is assumed, and its failure would not pose undue risk to the public health and safety (Board Findings B-112, B-113).
Consequently, the Level 8 trip does not perform a safety function. Nonetheless, it is a high quality system that is identical in design and manufacture to similar components which are safety related (Board Findi'ngs B-113 to B-117). The Board concludes that the Level 8 trip is appropriately classified.
The Turbine Bypass System is used during normal startup and shutdown to pass partial steam flow to th'e main condenser.
The turbine bypass valves also operate automatically following a turbine trip or load rejection event. (Board Finding B-119).
Failure of the bypass in these events would have a slight im-pact on the severity of the transient. Fuel damage, if any, would produce doses amounting to only a small fraction of the Part 100 limits. (Board Findings B-119-to B-121). Consequent-ly, the system does not perform a safety function and does not O
l need to be safety related. Turbine bypass is, however, a highly reliable system and one that has received extensive quality assurance and stringent quality standards. (Boarding Findings B-122 to B-130). Thus, the Board concludes that the Turbine Bypass System has been properly classified.
FSAR Table 3.2.1-1 summarizes the principal structures, systems and components for Shoreham. As LILCO's witnesses in-dicated, the table was not written as a detailed, component-by-component, listing of every structure, system and component in the plant. (Board Findings B-150 to B-152). Both LILCO and the Staff testified that a determination of the actual classification of particular structures, systems and components must stem from a review of the appropriate design documents (Board Finding B-152). In' addition, the level of de-tail in Table 3.2.1-1 is consistent with industry guidance and practice; for instance, Shoreham's table is at least as de-tailed as the corresponding tables for LaSalle and Susquehanna and other licensed BWRs. (Board Findings B-153 to B-156).
Thus, we find that the table is adequate for its purpose.
SC/ SOC also alleged that Table 3.2.1-1 revealed classi-fication errors because (1) Quality Group D of Regulatory Guide t
1.26 was treated as non-safety related by LILCO; (2) there were inconsistencies in the classification of components in the Re-actor, Water Cleanup System in that similar components were classified differently by GE and S&W; and (3) there were inconsistencies in the seismic and QA classifications in the table. Again, we disagree.
First, both the NRC Staff and LILCO concluded that, de-spite the somewhat confusing language in Regulatory Guide 1.26, Quality Group D is a non-safety related clacsification. This is consistent with industry and NRC practice.
(Board Findin'gs B-132 to B-134, B-136 to B-140). Also, an analysis of the functions of the systems and components within Quality Group D shows that they are properly classified as non-safety related (Board Findings B-134, B-135').
Second, with respect to the alleged inconsistency in classifying components in the Reactor Water Cleanup System, the NRC Staff and LILCO testified that the components in question were properly classified (Board Findings B-142 to B-144). Al-though all of these components met at least the minimum required classification (Quality Group C but non-safety relat-ed), some of them were purchased as safety related, thus exceeding the required minimum (Board Finding B-144).
Finally, SC/ SOC alleged that there were a number of inconsistencies in the table in that some items classified as safety related were not classified Seismic Category I and that other components classified as non-safety related were so clas-sified (Board Finding B-146). But LILCO and NRC Staff testimo-ny demonstrated that all of the items in question have, in fact, been properly classified (Board Findings B-147 to B-149).
- 2. Important to Safety NRC regulations make frequent use in 10 CFR Part 50, Appendix A and elsewhere of the term " structures, systems and components important to safety." See, e.g., 10 CFR Part 50, Appendix A, GDC 1. Against this background, SC/ SOC allege that LILCO's classificati,on methodology is inadequate because it does not include a category called "important to safety" (Board Finding B-1). SC/ SOC argue that this category is broader than LILCO's safety related category. And SC/ SOC argue that, by definition, LILCO cannot comply with GDC 1 unless Shoreham has an "important to safety" category 8/ (Board Finding B-1).
8/ Although the contention also lists a number of other GDCs, testimony focused almost exclusively on GDC-1.
LILCO's witnesses testified that neither LILCO, Stone &
Webster nor General Electric uses a separate classification category called "important to safety" (Board Findings B-4,B-158, B-160). As already explained, the classification scheme for Shoreham has only two categories, " safety related" and "non-safety related" (Board Findings B-4, B-11). Where the term "important to safety" does appear in LILCO's documents (for example, the FSAR), it is used synonomously with the term
" safety related" (Board Findings B-158, B-205). Similarly, where "important to safety" appears in the NRC regulations, it has been GE's, S&W's and LILCO's' view that the phrase referred to the safety related set of structures, systems and components (Board Finding B-205).
- Th'e NRC Staff agrees with SC/ SOC that important to safety, as used in the regulations, does refer to a set of structures, systems and components broader than the safety re-lated set (Board Finding B-169). But the Staff does not agree that LILCO's failure to use the term, as the Staff defines it, means that the classification methodology for Shoreham was in-adequate or that Shoreham does not meet the regulations (see Board Findings B-202, B-204, B-207, B-208, B-204A).
- The NRC Staff's position on the definition of impor-tant to safety was presented by James H. Conran.9/ Mr. Conran was the principal author of a memorandum signed by Harold Denton in 1981 giving Nuclear Reactor Regulation's interpreta-tion of various terms related to systems classification.
(Board Finding B-161). Of interest here are the Denton Memo-randum's definition of the terms " safety related" and "impor-tant to safety." In the Memorandum's scheme, safety related structures, systems and components are those needed to perform the safety functions specified in 10 CFR Part 100, Appendix A (Board Finding B-161). Thus, LILCO and the Staff agree on the definition of the term " safety related." The definition is consistent with industry and NRC practice.
The Denton Memorandum defined structures, systems and components "important to safety" as those "that contribute in
[an] important way to safe operation and protection of the pub-lic in all phases and aspects of facility operation. . . ."
9/ In Mr. Conran's initial testimony on this issue, he concluded that, despite the difference in interpretation of important to safety, LILCO had met the NRC's regulations for the design and construction of Shoreham. In an affidavit filed almost seven months after he testified, Mr. Conran changed his testimony. See section B.3.d below.
J
1 (Board Finding B-161). While this circular definition sheds little or no light on what "important to safety" concretely means,under the Denton Memorandum, the document does make clear that NRR views "important to safety" as a broad category
^
including as a subset " safety related" structures, systems and components (Board Findings B-161, B-174).
We turn now to this important and fundamental disagree-ment over the meaning of "important to safety."
- a. Pertinent Regulations and their History The term "important to safety" appears at least 20 times in the General Design Criteria and elsewhere in the regu-lations. See, e.g., 10 CFR Part 50, Appendix A, GDC 1, 2, 3 and 4; see also, e.g., 10 CFR S 50.59. The term is defined in the introduction to Appendix A as those structures, systems, and components that provide " reasonable assurance that the fa-
! cility can be operated without undue risk to the health and safety of the public." That definition, however, does not answer the question whether the class of important to safety is broader than that of safety related; the safety related set could easily be those needed to give reasonable assurance that
the facility can be operated without undue risk to the public health and safety.
The NRC Staff's testimony on the meaning of impor-
, tant to safety sounded two principal themes:
(1) the original intention of the NRC's regulations was to define "important to safety" as a broader category than " safety related" and (2) despite confusion over terminology, i in actual practice, the NRC Staff has always used the term "important to safety" in classifying systems in the broad sense. ,
This Board does not find either of these premises to be ultimately well founded. As we indicate below:
(a) A comparison of the proposed and final versions of Part 50, Appendix A shows that the term "important to safety" was substituted for a vari-ety of terms in the proposed ver-sion, all of which referred to features in the safety related set.
Since there was no indication in the preamble to the final version of the Appendix that the change in termi-nology involved a change in scope, it appears that "important to safe-ty" was intended to be a general term for safety related structures, systems and components.
(b) The regulatory history of Part 50, Appendix B does not indicate any intention to apply Appendix B to features beyond the safety related set. And there is reason to believe that the scope of GDC-1 is identical
, to the scope of Appendix B.
(c) The proposed version of Part 100, Appendix A clearly indicates that "important to safety" and " safety related" are synonomous. Although the former term does not appear in the final rule, nothing in its pre-amble indicates an intent to change the substance of the rule by remov-ing the term "important to safety."
(d) Other Commission regulations equate the terms "important to safety" and
" safety related."
Appendix A to Part 50, which contains the General Design Criteria for nuclear power plants, has numerous refer-ences to structures, systems and components important to safe-ty. Appendix B to Part 50 sets out the requirements for quali-ty assurance programs for nuclear power plants. Although Ap-pendix B does not use the term important to safety 10/ and applies only to safety related structures, systems and compo-nents (Board Findings B-182, B-183, B-196), it does provide in-sight in determining the scope of important to safety. Both 10/ Criterion II does use the term "importance to safety" in specifying the level of quality assurance to be applied to features within the scope of Appendix B.
the NRC Staff and SC/ SOC argued that the original intent of the Commission was to apply Appendix B to features important to safety. Thus, the regulatory history of Appendix B is rele-vant. Also, the relationship between GDC 1 and Appendix B provides insight into the respective meanings of safety related and important to safety. The origins of 10 CFR Part 100, Ap-pendix A are germane, of course, because it sets out the safety functions that must be assured by safety related structures, systems and components.
Part SO's Appendices A and B were developed contempora-neously. Appendix A was noticed as a proposed rule in 1967 and adopted in 1971. 32 Fed. Reg. 10,213 (1967); 36 Fed. Reg. 3255 (1971). Appendix B was noticed as a proposed rule in 1969 and adopted in 1971. 34 Fed. Reg. 6599 (1969); 35 Fed. Reg. 10,498 (1970). Part 100, Appendix A was noticed as a proposed rule in 1971 and adopted in 1973. 36 Fed. Reg. 22601 (1971); 38 Fed.
Reg. 31279 (1973).
(1) Part 50, Appendix A As proposed in 1967, Part SO's Appendix A did not use the term "important to safety." See 32 Fed. Reg. 10,213 (1967). In the version adopted in 1971, however, the term appeared in a number of places. The Federal Register notice adopt,ing Appendix A discussed the substantive changes between the proposed and final rules. Significantly, this discussion of substantive changes did not mention the addition of the term "important to safety." This strongly suggests that the drafters did not consider that the change in terminology made any difference in scope or substance. See 36 Fed. Reg. 3256 (1971). A comparison of the proposed and final rule reveals that "important to safety" was merely su'stituted b for a number of similar terms referring to fe'atures that are now known as
" safety related."
The principal instance of this exchange of equivalent terms was the substitution of structures, systems and compo-nents important to safety for engineered safety features.
Engineered safety features, as defined in Criterion 37 of the proposed Appendix A, are provided to further assure the safety provided by the core design, the reactor coolant pressure boundary, and thei r protection systems. At a minimum, engineered safety features are designed to cope with all reac-tor coolant pressure boundary breaks up to and including the a
circumferential rupture of any pipe in that boundary, assuming unobstructed discharge from both its ends. See 32 Fed. Reg.
10,216-17 (1967). In other words, engineered safety feature" T
in proposed Appendix A is very similar to the present terminol-
- ogy of 10 CFR Part 100, particularly S5 loo.2(b) and loo.10(a) and (d), and it clearly falls within the ambit of safety relat-ed as defined in Appendix A to Part 100.
Numerous examples of the substitution exist. Proposed GDC 3, which now applies to structures, systems and components important to safety, specifically referred to " critical" parts of the facility such as the containment and control room as engineered safety features. See 32 Fed. Reg. 10,215. And GDC 4, which also now applies to structures, systems and components important to safety, evolved from proposed GDCs 40 and 42, which dealt with engineered safety features. See 32 Fed. Reg.
10,217 (1967).
I By the same token, GDC 20 requires, in part, that protection systems be designed to sense accident conditions and to initiate the operation of systems and components important to safety. This portion of GDC 20 evolved from proposed GDC 15, which required protection systems to sense accident
, _ , . ., , - - - - --,e++-ww- ---'
situations and initiate the operation of necessary engineered safety features. See 32 Fed. Reg. 10,216 (1967).
GDC 44 requires a cooling water system to transfer heat from structures, systems and components important to safety to an ultimate heat sink. The cooling water system requirements in GDC 44 evolved from proposed GDCs 37, 38 and 39, which established the design basis of engineered safety features and stated the requirements for them. See 36 Fed. Reg. 10,216-17 (1967). Thus, the cooling water system referred to in GDC 44 is. in reality, the safety relat,ed engineered safety feature necessary to support other engineered safety features previous-ly discussed in the proposed Appendin A.
GDC 16 requires reactor containment and associated systems to assure that containment design conditions important to safety not be exceeded during postulated accident conditions. This GDC evolved from GDC 10 of the proposed Ap-pendix A, which required the containment structure to sustain the initial effects of grose equipment failures, such as a large coolant boundary break, without loss of required integri-ty and, together with other engineered safety features, to re-tain for as long as necessary the capability to protect the i
public. See 32 Fed. Reg. 10,215 (1967). In other words, the containment design conditions in the proposed GDC dealt with loss of coolant accidents. Structures, systems and components needed to deal with a LOCA are, of course, safety related.
A final example of the substitution of items important to safety for engineerad safety features involves GDC 17. It requires offsite and onsite electric power systems for struc-tures, systems and components important to safety. This GDC evolved from proposed GDCs 24 and 39, which required emergency power sources for protection systems and engineered safety features. See 32 Fed. Reg. 10,216-17 (1967).
In addition to substituting items "important to safety" for " engineered safety features," the final version of Appendix A also used the term in lieu of other phrases that appear to fall within the safety related set. GDCs 1 and 2 establish re-quirements for structures, systems and components important to safety. These criteria evolved from proposed GDCs 1 and S, and 2, respectively. Proposed GDCs 1 and 2 applied to systems and components essential to the prevention of accidents that could affect the public health and safety or to the mitigation of their consequences. This language is similar to that in 10 CFR
Part 50, Appendix B, which has been interpreted to mean safety related. (Board Findings B-182, B-183, B-196). Proposed GDC 5 appli,ed to records for " essential" components.
In light of this regulatory history, we conclude that the term "important to safety" was substituted in the final version of Appendix A for a number of terms which referred in the proposed version of the Appendix to features now considered safety related. The complete lack of any discussion of the substitution in the Commission's explanation of the final rule suggests strongly that no substantive change was intended.
. Indeed, lack of an explanation of the substitution does more than merely suggest no change in substance. As a matter of law, no substantive change can be inferred. The Administra-tive Procedure Act requires that notice and comment rulemaking be a meaningful process. Section 553(b)(3) of the APA provides that a notice of a proposed rule must be sufficiently detailed to give interested parties a realistic chance to understand and critique the would-be rule. United States v. Florida East Coast R. Co., 410 U.S. 224, 241 (1973); see also Connecticut Light and Power Co. v. NRC, 673 F.2d 525, 530 (1982).
1
One of the requirements of meaningful notice is an ob-ligation that the agency include in the notice all definitions essential to the proposed rule. PPG Industries v. Costle, 659 F.2d 1239, 1250 (D.C. Cir. 1981). And, although agencies may
-make changes between the proposed and final rules, the changes must be the " logical outgrowth" of the notice and comment process. Sierra Club v. Costle, 657 F.2d 298, 352 n.193 (D.C.
Cir. 1981); Connecticut Light, supra, 673 F.2d at 533. Thus, unless "important to safety" was -- as in fact it was -- equiv-alent to the terms it replaced, Appendix A was promulgated without adequate notice. We cannot assume _that the rule was adopted in disregard of the APA.
(2) Part 50, Appendix B All parties agree that Appendix B applies only to safe-ty related structures, systems and components (Board Findings B-182, B-183, B-196). Appendix B refers to " structures, systems and components that prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public." 10 CFR Part 50, Appendix B, Introduction. Although some witnesses testified that the original intent was to apply Appendix B to a larger
,,-n.--
set of structures, systems and components, there is no support for this suggestion in the regulatory history. The scope of Appendix B has remained unchanged since its notice of proposed rulemaking in 1969. See 34 Fed. Reg. 6599 (1969). Moreover, both the proposed and final versions of Appendix B apply, by their terms, to activities affecting the " safety related" functions of structures, systems and components that prevent or mitigate the consequences of an accident.11/ 34 Fed. Reg.
6600 (1969); 35 Fed. Reg. 10,499 (1970). Thus, unless a struc-ture, system or component has a safety related function, Appen-dix B does not apply to it.
The notice of proposed rulemaking for Appendix B stated that its quality assurance criteria would supplement GDC 1 of proposed Appendix A, previously noticed in the Federal Register in 1967. 34 Fed. Reg. 6600 (1969). Although the precise meaning of this statement is not clear, it does appear that the intention was to specify, in detail, what the general provisions of GDC 1 meant. This interpretation is supported by 11/ The prevention and mitigation of the consequences of pos-tulated accidents, of course, are among the safety related functions of 10 CFR Part 100, Appendix A.
the fact that Appendix B was intended to " assist applicants (1) to comply with Section 50.34(a)(7) . . . . Section 50.34(a)(7) states that Appendix B " sets forth the requirements for quality assurance programs" (emphasis added); and presuma-bly "the requirements for quality assurance programs" include those of GDC 1. Thus, a reading of the regulatory history, first, does not reveal any intention to apply Appendix B to more than safety related features and, second, implies that Ap-pendix B is a more detailed specification of the requirements contained in GDC 1, thereby equating "important to safety" with
" safety related."
(3) Part 100, Appendix A The interchangeability of the terms " safety related" and "important to safety" is even more vividly illustrated by a review of the regulatory history of 10 CFR Part 100, Appendix A, which was proposed on November 25, 1971. 36 Fed. Reg.
22,601. ~The proposed rule included a number of passages that make absolutely clear (1) the category "important to safety" meant in 1971 what we now call " safety related" and (2) the terms are to be used interchangeably. Thus, in defining the
" Safe Shutdown Earthquake," the proposed rule stated:
9 (c) The " Safe Shutdown Earthquake" is that earthquake which produces the vibra-tory ground motion for which structures, systems and components important to safety are designed to remain functional.
These structures, systems and components are those necessary to assure:
(1) The integrity of the reactor coolant pressure boundary, (2) The capability to shut down the re-actor and maintain it in a safe shutdown condition, or (3) The capability to prevent or miti-gate the consequences of accidents which could result in potential offsite exposures comparable to the guideline expos'ures of 10 CFR Part 100.
36 Fed. Reg. 22,602 (1971) (emphasis added); see also id. at 22,604. This definition of the safety related functions is the same as that in the final (and current) version of the rule, which is recognized as providing the basic definition of the safety related functions. See 38 Fed. Reg. 31,281 (1973); 10 CFR Part 100, Appendix A, III(c).
Although the reference in paragraph (c) of the proposed rule, quoted above to " structures, systems and components im-portant to safety" was changed in the final version to refer to 9 , c.-__mrw,ww w gy -%- a r-=e- +- -- + -* v-~ v--~-- ' * -
"certain structures, systems and components," there was no indication in the Commission's discussion of changes between the proposed and final rules that this substitution represented a change in scope. See 38 Fed. Reg. 31,279 (1973). In fact, the final rule added a reference in its purpose section to GDC 2, which applies to structures, systems and components impor-tant to safety, thereby once again equating " safety related" and "important to safety."
In addition to giving "important to safety" the " safety related" definition, the proposed version of 10 CFR Part 100, Appendix A used the terms " safety related" and "important to safety" interchangeably.Section VI(a) of the proposed rule reiterated the definition of structures, systems and components important to safety quoted above and went on to say "[i]n addition to seismic loads, . . . loads shall be taken into
, account in the design of these safety related structures, systems and components." 36 Fed. Reg. 22,604 (1971) (emphasis added). Several other references to "~these safety related structures, systems and components" appeared within the para-graph dealing with equipment "important to safety." Id.
)
(4) Others .
The NRC's regulations contain other examples of the equat' ion of "important to safety" and " safety related." Part 72 of 10'CFR, adopted in November 1980, states that applica-tions for a license for an Independent Spent Fuel Storage In-stallati'on shall describe the quality assurance program for the ISFSI. "The description of the quality assurance program shall identify structures, systems, and components important to safety and shall show how the criteria in Appendix B to Part 50 of this chapter will be applied to those safety related components, systems and structures in a manner consistent with their importance to safety." 10 CFR S 72.15(a)(14) (emphasis added). Althoughnotdirectlyrelatedtonuclearpowerpl$nts, the language of this regulation again finds the NRC using "im-portant to safety" and " safety related" interchange, ably.
More recently, on January 10, 1983, the C$mmiision amended 10 CFR S 50.54 providing that "the NRC StIdf c6nducts ,
extensive reviews during the licensing process to ensure that the applicant's QA program description satisfies 10' CFR P55t
.s 50, Appendix B, . . . . Once the NRC has accepted it, the QA program description becomes a principal inspection and i .
s.
-c ,
enforcement tool in ensuring that the permit holder or licensee is in compliance with all NRC quality assurance requirements for protecting the public health and safety." 48 Fed. Reg.
1826 (1983) (emphasis added). In other words, implementation of a quality assurance program satisfying Appendix B constitutes compliance with all NRC quality assurance require-
, ments, including, necessarily, GDC 1. And, again, as all parties including the NRC Staff testified, Appendix B applies only to safety related structures, systems and components.
Thus, this January 1983 regulation equates the scope of " safety related" in Appendix B with " imp'rtant o to safety" in GDC 1.
For the reasons set out above, the Board finds that
,"important to safet~y" has traditionally been equated with
" safety related" in NRC ,regulat. ions.
- b. Industry and NRC Practice
/
.~
- A review of the record also leads us to conclude that .
M n M 'LILCO's understanding ~ of "important,to safety".is consistent
- .r'-
,- ^with industry and NRC application / ' LILCO witricsses
. repre-
, . /
'? senting both Stone & Webster mnd Gen'eral Electric testified
' a.
s / / -
f ,' that the terms safety fAlated and important to safety are l . ~
% yd
~
'~
, .; x ,,
af e L. ./ ,
.s
-l s
44s
_9
~
d synonomous (Board Findings B-11, B-158, B-159, B-160). General Electric and Stone & Webster have designed and/or built a large numbe,r of nuclear power plants licensed by the NRC (Board Find-ings B-30, B-31, B-35, B-37, B-38). LILCO's witnesses also testified that Shoreham's classification scheme and their view that important to safety is the same as safety related are con-sistent with industry practice (Board Findings B-5, B-31, B-159, B-160, B-162A, B-187, B-188; see also Board Finding B-194 (IEEE objections to "important to safety"), B-164 (Conran statement on TVA)). LILCO's witnesses also explained that their understanding is consistent with regulatory linkage of the terms " safety function" "important to safety." For exam-ple, GDC-1 requires " quality standards commensurate with the safety functions to be performed" for "important to safety."
These " safety functions," in turn, are defined in 10 CFR Part 100, Appendix A. Thus, if a safety function is to be performed, the structure, system or component performing it is safety related. (Board Finding B-205).
SC/ SOC witness Hubbard also admitted that it has been i industry practice to classify structures, systems and compo-nents as safety related and non-safety related, that the h
classification important to safety has not been used and, that various groups within the NRC have equated important to safety with safety related. (Board Findings B-14, B-165, B-167, B-168).
- In the view of NRC witness Conran, some Staff members have, at times, applied "important to safety" and " safety re-lated" inconsistently and incorrectly. (Board Findings B-166, B-172). It was his belief, however, that Staff practice in classifying structures, systems and components "either ' safety related' or 'important to safety, not safety related'
. . . has been consistent . . . ." (Board Finding B-162). But Mr.
Conran's testimony conflicts with the regulatory history de-scribed above, Staff guidance documents, and with the testimony in this proceeding of NRC witnesses Higgins, Narrow, and l Mattson. The NRC Staff has issued guidance documents defining important to safety to be equivalent to safety related. For example, Regulatory Guide 1.105 expressly defines important to safety in terms of the safety related functions of 10 CFR Part 100, Appendix A (Board Finding B-167). Similarly, the Staff i
witnesses acknowledged that it may be necessary to review and revise Regulatory Guides and the Standard Review Plan if they l
- , - . p --, -
-, , , , ----~-,,q
are to'be made consistent with the Denton Memorandum (Board Finding B-168).
- Mr. Conran's testimony also conflicts with the tes-timony of other Staff witnesses. Messrs. Higgins and Narrow, both from NRC I&E Region I, have had substantial experience
-inspecting nuclear power plants. Neither one of them had ever encountered the use of "important to safety" at any of the plants they had inspected. (Board Findings B-187, B-188). In fact, they testified that I&E Region I itself has not adopted the approach of the Denton Memorandum 12/ (Board Findings B-190, B-191, B-192).
- Dr. Mattson, Director of the Division of System Inte-gration of the Office of Nuclear Reactor Regulation, has substantial experience at the NRC. He candidly admitted that the Denton memorandum definition is new, that it had been ap-plied to only one other plant (TMI-1) and that the Staff was i
- 12/ Although Mr. Conran is very knowledgeable on the issue of 3 important to safety, his past familiarity with actual Staff and
- industry practice was limited. For example, in preparing the Memorandum, Mr. Conran did not review the ESARs of licensed plants. He also did not obtain any significant input from the nuclear industry about how systems have been, in fact, classi-fied. (Board Findings B-163, B-164; see also B-259Z).
i s
I 4
1.
insisting that LILCO adopt the definition because the Staff "had to start somewhere." (Board Findings B-162B, B-162C).
Dr. Mattson made it unmistakably clear that the Staff is now moving towards imposing the new definition systematically on other licensees and indicated that other licensees also were concerned about the Denton definitions. (Board Findings B-162B, B-162D).
- In addition to testimony that I&E does not use the term important to safety in its work, Staff witnesses frequently referred only to " safety related" and "non-safety related" on cross-examination. For instance, in the instrumentation and control area, the Staff does not use a category "important to safety." (Board Findings B-169, B-170; see B-162A).
- Other factors also indicate that the NRC Staff has sim-ply not, in most instances, interpreted "important to safety" to be something broader than " safety related." The NRC's al-most total lack of review of quality assurance programs for items they term important to safety, but not safety related, is telling. (Board Findings B-171, B-173, B-175, B-176, B-255).
It is not credible -- had the NRC's view always been what it is now -- that the Staff would so thoroughly have ignored QA for this category.13/ Indeed, Staff witnesses testified that, as a 13/ Testimony reflects that the Staff has not even defined with any clarity the scope of this category of important to (footnote continued) result of LILCO's prefiled and oral testimony, they knew more about LILCO's QA program for non-safety related features than they,did about the equivalent programs of other plants. (Board Findings B-256, B-258). In short, the Staff in the past has neither reviewed non-safety related QA programs, nor developed any guidance for them.
Despite the assertion in the Denton Memorandum that it was not intended to dictate new technical requirements or broaden the existing scope of NRC review, reality is to the contrary. If implemented, the Memorandum would expand the ambit of existing NRC regulations. Thus, there exists a body of Staff opinion that a graded quality assurance program for non-safety related items would have a substantial impact on the nuclear industry and the Staff. (Board Finding B-186, B-195).
Similarly, the Nuclear Power Engineering Committee of IEEE has considered the Denton Memorandum's definitions and been unable to accept them because they expand important to safety beyond safety related (Board Finding B-194).
(footnote continued) safety, but not safety related (Board Findings B-174, B-175, B-259S, B-259T).
In sum, this Board concludes that industry has consis-tently interpreted and applied "important to safety" as used in the NRC's regulations to be synonomous with " safety related."
As a result, structures, systems and components at nuclear power plants have either been classified as safety related or non-safety related. Notwithstanding the Denton Memorandum, the NRC has traditionally approved this approach and consistently applied it in its own activities and dccuments -- until re-cently.
- c. Need For Rulemaking If The Approach In The Denton Memorahdum Is To Be Adopted As explained by NRC witness Conran, the Denton Memoran-dum developed out of testimony that he submitted in the TMI-1 restart case. He testified there about the so-called " standard definitions." These definitions are similar to the ones that ultimately appeared in the Denton Memorandum.
These " standard definitions" were produced at a time when the NRC was being criticized severely as a result of the accident at TMI-2. A number of the reports analyzing that event cited the NRC's allegedly narrow focus on safety related.
structures, systems and components as a cignificant defect in 1
the regulations. The Kemeny Commission's QA task force concluded that " Quality Assurance Requirements apply only to a narro,w portion of the plant defined as safety-related to safety grade."14/ (Board Finding B-196). The criticism was directed at the absence of any NRC requirements for quality assurance for non-safety related structures, systems and components (Board Finding B-196). Mr. Conran responded to this criticism in his TMI testimony.
- NRC witness Mattson confirmed that the Denton Memoran-dum was also a response to this , criticism following TMI and other incidents. The memorandum was intended to " clarify" that Certain non-safety related structures, systems and components i
- were covered by the NRC's regulations. (Board Finding B-259I).
But, by imposing a new definition of a regulatory term, the S
memorandum did more than clarify, it imposed new require-ments.15/
14/ This statement is consistent with LILCO's view that GDC 1 i
applies only to safety related structures, systems and compo-
- nents.
l 15/ As LILCO explained, even under its interpretation of im-portant to safety, non-safety related structures, systems and components are within the scope of the NRC's regulations and do contribute to the safe operation of the plant. (Board Findings j B-210A, B-210B). Such a clarification would have been permis-(footnote continued) i
I The decision in the TMI-1 case accepted Mr. Conran's definitions. Metropolitan Edison Co. (Three Mile Island Nucle-ar Station, Unit No. 1), LBP-81-59, 14 NRC 1211, 1346 (1981).
In the TMI-1 case, however, the Board did not have the benefit of the testimony of the licensee on industry practice. Al-though the licensee did comment on safety classification, it did not squarely address the issue of important to safety, as has been done in detail by LILCO's witnesses. Instead, the
, TMI-1 witnesses described the quality standards for non-safety related equipment without ever directly stating an interpreta-tion of what "important to safety" means. Thus, we believe the Shoreham record has gone well beyond that in TMI-1, and the Shoreham record shows Mr. Conran's conclusions are not ulti-mately convincing.
- Althcugh wcil intended, Mr Ocnran'c conclucienc in the j Dcnten Mcmerandur and at TMI crount to ar attempt to change the 2
(footnote continued) sible. But, by re-defining a regulatory term, the Denton Memo-randum went far beyond a clarification, imposing specific requirements on non-safety related equipment every place the term important to safety appears in the regulations. (See Board Finding B-2590) .
,.. . - - - - - - - --- -r - - -
--- -~ ~
4 rulec ithout the benefit of ruicmchin~. Although the change in definition might have no immediate impact on Shoreham, the long term effects on LILCO and other licensees are not well defined. (Board Findings B-259N, B-2590, B-2590, B-259S). The Staff, while claiming the definition merely clarifies the existing regulations, is attempting to legitimize future regulatory actions with an internal memcrandum. By establishing the right to regulate an essentially undefined set of structures, systems and components for a wide range of activities and applications,16/ the NRC has given itself virtually unlimited regulatory a'uthority without benefit of rulemaking. Whatever might be the merits and demerits of such a change, there must first be a formal rulemaking if it is to occur. As previously detailed, we cannot disregard the reality that (1) for years the NRC and industry have used interchange-ably "important to safety" and " safety related" and (2) this usage is well rooted in the Commission's regulations.
16/ Every application of the term "important to safety" in the NRC's regulations is potentially affected by the new Denton
" clarification" of what constitutes the "important to safety" set.
I
- 3. Compliance with General Design Criteria As already noted, the thrust of SC/ SOC 7B is that LILCO t
- cannot demonstrate compliance with the NRC's regulations unless it has defined a category of structures, systems and components important to safety. Since we have concluded that LILCO's in-i terpretation of the term "important to safety" is correct,~ and 1
that LILCO has properly defined the safety related category,
- SC/ SOC 7B lacks merit. But even if we were to agree with the SC/ SOC and NRC Staff interpretation of important to safety, it does not necessarily follow that,LILCO has failed to meet the NRC's regulations. Precise guidance for compliance with the regulations is set out in NRC Staff documents such as the
! Standard Review Plan and regulatory guides. If an applicant l follows this guidance, the Staff can appropriately conclude i
that the NRC's regulations have'been met. This conclusion is based upon a comprehensive review of the plant in light of the applicable Staff guidance. (Board Findings B-203, B-204, B-205, B-207, B-208, B-254, B-259).
t
- The Staff has conducted a systematic review of Shoreham and determined that the plant meets the General Design Criteria with the exception of the remaining SER open items and a y - -,c,,, . . - , - - - - . -----m-..m- e-m,,--mw-y n-r-. --r,----,,---,w--..ewm- - --m . y.v:-u w r .- --m..,,, e w s , w -, , -
dispute over the future application of GDC 1 (E.g., Board Findings B-197, B-198, B-204A, B-205, B-259, B-259J).17/ SC and SOC have raised a number of contentions on issues related to specific GDCs; these contentions have or will be litigated or settled. When SC/ SOC 7B was admitted in this proceeding, it was not our intention to permit the litigation of the details of each GDC listed in the contention. We do believe it is appropriate, however, to focus on GDC 1 -- the criterion prin-cipally addressed by the parties during the hearings to indi-cate that the difference in interpreting "important to safety" has not, in this instance, had ahy significant effect on the design or construction of the plant.
Substantial portions of the testimony, both prefiled and oral, discussed "important to safety" in General Design Criterion 1. SC/ SOC attempted to illustrate their contention by showing that a failure to read important to safety their way would result in a failure to meet GDC 1. But even if important to safety means what SC/ SOC and NRC said it does, as LILCO and 17/ The implications of the differing interpretations of important to safety for the operation of Shoreham are discussed in section B.3.d. below.
I
the NRC Staff testified, Shoreham still has complied with the Staff's interpretation of GDC 1. (Board Findings B-197, B-198, B-200, B-202, B-206, B-254, B-259). We agree because, as noted below, LILCO has applied appropriate quality standards and quality assurance to all structures, systems and components at Shoreham.
- a. Quality Assurance for Non-Safety Related Structures, Systems and Components at Shoreham 1
General Design Criterion 1 states in pertinent part:
Structures, systems and components important to safety shall be designed, fabricated,
,, erected, and tested to quality standards commensurate with the importance of the safe-ty functions to be performed. . . . A quality assurance program shall be established and implemented in order to provide adequate as-surance that these structures, systems and components will satisfactorily perform their safety functions.
10 CFR Part 50, Appendix A, GDC-1.
If it is assumed, as we shall for the moment, that the category of structures, systems and components important to safety is broader than the safety related set, then this regu-lation requires quality standards and quality assurance to be applied to some non-safety related structures, systems and
l I
l l
components. At the threshold, it is important to note that the Staff has not defined the set of structures, systems and compo-nents,important to safety nor has it provided meaningful guid-ance on the level of quality assurance to be applied to this l yet undefined set. That, of course, is not surprising since it ;
! is only recently that at least portions of the Staff have stopped equating important to safety with safety related. l
- With respect to the scope of the important to safety set, no guidance at all exists (Board Findings B-173, B-174, B-175, B-176, B-178, B-180, B-18,1, B-255, B-259A, B-259L, B-259N, B-2590). There is no apparent consensus on the scope
-of the important to safety set at the NRC; the Staff's witnesses had-a wide range of views 1g/ (Board Findings B-173 to ;
i B-175). With respect to the determination of the level of
.; . quality assurance and quality standards to be applied, there is i
little guidance (Board Findings B-173, B-175, B-178). In the area of quality assurance, there is essentially no NRC pro-grammatic instruction to assist engineers in making their determinations 19/ (Board Findings B-176, B-178, B-180, B-181).
13/ The spectrum of opinions ranged from items included in the GDCs to everything but the toilets, washing machine and water fountain. (Board Finding B-174).
19/ There are isolated instances in which the Staff has made recommendations for QA programs for particular non-safety re-(footnote continued)
In the area of quality standards, the instruction -- while not wholly absent 20/ -- is still incomplete; design engineers must exercise substantial judgment in determining the quality standards to be applied (see Board Finding B-199). Thus, as observed by the Board during cross-examination, the Staff wants a category of important to safety but doesn't know what is in it and doesn't know what to do with it. (Board Findings B-173, B-174, B-175, B-180).
Rather than attempting to deal with these questions, LILCO simply applies an appropriate level of quality assurance and quality standards to all structures, systems and compo-nents. The extent and depth of the application depends upon the function of the particular feature in the safe and reliable operation of the p1'.nt. (Board Findings B-211 to B-247).
(footnote continued) lated structures, systems or components. For example, the Standard Review Plan specifies that quality assurance equiva-lent to the GE QA program for turbine generators (GEZ-4982A)
, should be applied to the turbine bypass systems. (Board Finding B-252).
20/ An example of NRC guidance on quality standards is Regula-tory Guide 1.26. Quality Group D specifies quality standards to be applied to non-safety related fluid systems (Board Find-ings B-132 to B-140).
4 Further, LILCO's approach utilizes, among other considerations, the available guidance in NRC regulatory guides and the Stand,ard Review Plan. This approach satisfies, and perhaps goes beyond, the Staff's current understanding of GDC l's re-qui rement:5.
There was extensive testimony in this proceeding about the details of the quality assurance and quality standards ap-plied to non-safety related structures, systems and components at Shoreham. We agree with the Staff that this testimony gives us a firm basis for concluding that quality assurance and qual-ity standards have been applied to all of the plant's struc-tures, systems and components in a manner commensurate with their function. (Board Findings B-204, B-206 to B-208, B-249 to B-252, B-254, B-256 to B-259).
Representatives of Stone & Webster and General Electric testified that elements of.the Appendix B quality assurance programs at their respective organizations were applied not only to activities affecting safety related features but also to many of the activities associated with all structures, systems and components within their respective scopes of sup-ply. (Board Findings B-211 to B-217, B-219 to B-220).
g 3 General Electric and Stone & Webster witnesses explained that the extent to which their Appendix B programs are applied to i any individual component, and the depth to which any particular i
element of the QA program is applied, depends upon the function i of the component in the safe and reliable operation of the I
- plant (Board Findings B-211, B-213 to B-217, B-219 to B-221, B-224, B-229 to E-232).
l For example, General Electric witnesses discussed the quality assurance program applied to essentially all struc-tures, systems and components within the' responsibility of General Electric's Engineered Equipment Procurement Department.
- This program designates components as QAR I (safety related) or QAR II (non-safety related). (Board Findings B-212, B-213).
General 11ectric witnesses testified that although this
.. particular quality assurance program has not been applied by
! every division with General Electric, each division did have I its own QA program comparable to the one described in the tes-timony in this proceeding. (Board Finding B-212). Full Appen-dix B treatment is given to the QAR I components. For QAR II components, the QA is guided by a program plan and includes, as appropriate, many or all of the elements of Appendix B.
{
l
-.~w.. . , ,,,_.%- . . _ ,.,.------_~#-,. . _ , _ , _.,,,m ,,m,,-7,,--,,.,m ~ - . , - . _ - ..,,_._----_.~r r__ .._r- _ . - ----- --.--,,,_-_,y- - - - -
1 (Board Finding B-214). Up to 90% of QAR IT components receive quality assurance very close to full Appendix B treatment !
i (Boar,d Finding B-214).
Several examples illustrated the program. Shoreham's non-safety related control rod drive pumps and the shroud head l and separator assembly were subjected to all 18 criteria of Ap-pendix B. The only reason that full Appendix B compliance can-not be claimed for these components is a lack of the material traceability typically required for Appendix B. (Board Finding B-215). Similarly the non-safety related dryer assembly received all 18 Appendix B criteria, lacking only some Appendix B traceability for sub-vendor components (Board Finding B-215).
As these examples indicate, structures, systems and components
' supplied by General Electric and properly classified non-safety related, have nonetheless been subjected to a thorough QA pro-gram (Board Findings B-211 to B-218).
Stone & Webster witnesses testified that a single qual-ity assurance program is utilized within the S&W scope of sup-ply. This program is designed to comply with Appendix B and is used for safety related activities. Elements of the program, however, are applied to non-safety related components. (Board i . - _ - _ - - . _
Findings B-219 to B-221, B-226 to B-230). Once again, the witnesses testified that the application of any particular element in the program, and the depth to which that element is applied, are based upon the function of the feature in question. (Board Finding B-224). The design engineer reviews the function of the equipment and determines whether it falls into pre-determined classification categories. At Stone &
Webster QA Category II contains non-safety related structures, systems and components that are essential for reliable power generation but not essential for safe shutdown of the reactor.
It also includes non-safety related systems that contain radio-i active material. (Board Finding B-221). All other non-safety related structures, systems and components fall into QA Catego-1 ry III. Stone & Webster has developed guidance for items in these QA categories, such as master specifications, to assist its engineers in selecting the elements of the Stone & Webster QA program to be applied. (Board Findings B-221, B-223).
The application of Stone & Webster quality assurance to non-safety related structures, systems and components at Shoreham can be aptly illustrated. Virtually all Stone &
Webster activities concerning non-safety related features are 4
- controlled by specifications (Board Finding B-222). These specifications are reviewed by the QA Department when appropriate to ensure that the specified QA requirements are appropriate (Board Findings B-223, B-234). The procurement of non-safety related equipment by Stone & Webster is done from an approved bidders list (Board Finding B-228). Engineering As-surance (EA), including design control programs, is applied to non-safety related items (Board Finding B-220).
Although LILCO does not apply its Appendix B quality assurance progr'am to all non-safety related structures, systems and components, some non-safety related aspects of Shoreham have been subjected to the program -- for instance, fire protection, plant security and emergency planning, non-stfety related concrete pours and document control, and the storage program for non-safety related equipment (Board Findings B-205, B-244, B-246). In addition to applying its Appendix B program to certain non-safety related structures, systems and components, LILCO also has quality assurance programs that apply to the rest of the plant's features (Board Finding l
B-236). For example, the Construction Site Inspection Program is governed by the Construction Site Inspection Manual. Many
of the procedures and inspection requirements used are the same as those in LILCO's Appendix B program. (Board Findings B-206, B-236,). The procedures are reviewed by the QA department to ensure that they are appropriate for the component er process (Board Finding B-236). Non-safety related structures, systems and components are also covered by LILCO's extensive preoperational and startup test program (Board Finding B-247).
Turning from questions of scope to those of depth, there was extensive testimony by the LILCO witnesses concerning the standards applied to non-safety related structures, systems and components. For example, systems such as the Standby Liquid Control and'the Rod Block Monitor, although not required to perform a safety function, are almost entirely safety relat-ed in recognition of their function (Board Findings B-86, B-93). Non-safety related systems such as the Level 8 Trip and the Turbine Bypass have been designed to significant quality standards (Board Findings B-113, B-122, B-125). Many other specific examples of the quality standards applied to Shoreham's non-safety related structures, systems and compo-nents appear in the record (See e.g. Board Findings B-225, B-237, B-242).
-so-
6 '
- b. NRC Staff Testimony on LILCO's Compliance with GDC 1
, As we have already noted, the NRC Staff testimony on LILCO's compliance with GDC 1, as interpreted by the Staff, was consistent with LILCO's testimony. The Staff concluded that LILCO has applied quality assurance programs and standards to structures, systems and components important to safety at Shoreham commensurate with.the safety function performed.
(Board Findings B-197, B-253, B-254). A few more observations are helpful.
Although the Staff interprets GDC 1 to require a quali-ty assurance program for non-safety related structures, systems and components, its witnesses admitted, again as we have al-ready noted, that there is no specific guidance on precisely what type of program is to be applied. Indeed, the Staff
- testified that it undertakes no review of the quality assurance programs for non-safety related structures, systems and compo-nents.21/ Despite the lack of prior review of the total quality 4
21/ Of course, to the extent the Staff has reviewed quality assurance programs for safety related structures, systems and components and those programs are applied to non-safety related features, then to that exten't the Staff has reviewed the QA program for non-safety related items.
assurance program for non-safety related structures, systems and components at Shoreham, the Staff was able to conclude that LILCO's work has been adequate based on testimony given during this proceeding, as well as the Staff's extensive review of Shoreham against regulatory guides and the Standard Review Plan. (Board Findings B-249 to B-259).
- Further, for syste.ns such as RCIC, SLCS, Turbine Bypass, Rod Block Monitor and Level 8 Trip, the Staff specifi-cally reviewed the quality standards applied to ensure that they were appropriate (Board Findings B-250, B-251). In fact, as a general matter, the Staff ensures that appropriate quality standards and other design requirements are applied to all non-safety related structures, systems and components considered by the Staff to be important to safety. In preparing an FSAR in accordance with Regulatory Guide 1.70 and complying with other regulatory guides dealing with non-safety related equipment, the applicant addresses the design and quality requirements for equipment considered to be important to safety. By conducting its review in accordance with the Standard Review Plan, the Staff ensures that appropriate quality standards and design requirements have been applied.
Consequently, even though LILCO did not use the term "important to safety" the way the Staff now uses it, there is adequate assurance that the Staff'o so-called "important to safety but not safety related" set of structures, systems and components have been designed and constructed properly by LILCO. (Board Findings B-203, B-204, B-204A, B-210C).22/ Dccpite the Staff'c conclucien that it: interprctation Of CDC 1 hac bcen caticfied during Sherchcr'c conctruction, the Et:ff c.xprecced concern about the Operational phacc.
!n the Staff'c view, /ithcut cermitment frcr LILCO tc cmbracc the Dcnten "cncrandur, there can be nc accurance that Shcrchah will continuc te mcct MRC regulationc. Mc dicagrec Firct, uc have previcucly hcid that 22/ In the reopened portion of this proceeding, Staff witness Conran did not disagree with these conclusions, but did suggest that further review be undertaken to confirm that the difference in terminology did not have any impact on the design or construction of Shoreham. (Board Finding B-259BB). The County renewed its request for a classification review (Board Finding B-259CC). Staff witnesses in the initial SC/ SOC 7B testimony disagreed with a similar County proposal (Board Finding B-258). The Staff reaffirmed its position in the reopened proceeding. (Board Finding B-259CC). Given the nature of Staff review in this area, we see no substantive difference between Shoreham and applicants that may have adopted the Denton definitions that would justify review in addition to the Staff's normal review and the review conducted on this record, we disagree with Mr. Conran and the County.
(See Board Findings B-259K, B-259GG).
the Staff'c interpretction Of import nt to cafety ic unfcunded, thuc, LILCC'c precent commit =cnt to mcct CDC 1 ic apprcpriate.
Second, cven if the Staff'c interpretation ucrc correct, LILCC will remain in ccmpliance uith CDC 1 if it continuec its cur-rent quality practice for non-cafety related item: thrcughcut the Opcration cf the plant.
- c. SC/ SOC Testimony on GDC 1 Although SC/ SOC alleged that LILCO had failed to comply with GDC 1 and that it had not applied quality assurance and standards to Shoreham's features'that are non-safety related but important to. safety, there was no substantive discussion of che basis for this allegation. Rather, the SC/ SOC claim relied upon the fact that LILCO did not define or use the term "impor-tant to safety" in a way that tracked SC/ SOC's view of the term. Indeed, SC/ SOC witnesses testified that they had not reviewed any LILCO quality assurance programs for non-safety related structures, systems and components (Board Finding B-156).
To summarize, LILCO and its contractors have applied quality assurance programs and quality standards to all
s i structures, systems and components at Shoreham commensurate with the importance of each to the safe and reliable operation of th.e plant. Even if SC/ SOC and the NRC Staff were correct in their interpretation of "important to safety," we would still conclude that GDC-1 has been met at Shoreham.
- d. Compliance with Regulations During Operations
- As we have already ruled, LILCO's interpretation of the term "important to safety" i's correct, and thus it follows that compliance with GDC 1 during operations will be achieved by application of LILCO's Appendix B Quality Assurance program.
Because this issue has not yet been considered by the Appeal Board and because we have had the benefit of an extensive record we believe that as a matter of good judicial practico it" is appropriate to address the implications of LILCO's refusal to acquiesce in the Denton definition of important to safety in the event the Staff and the County have correctly interpreted the NRC's regulations. Even in that event, there is sufficient uncertainty concerning the efficacy of the definition that the issue should be engaged by the Commission in rulemaking. Our
views might prove useful in that endeavor. Importantly, we conclude there is no compelling safety reason for changing LILCO's approach in the interim.
- When NRC Staff witnesses testified on this contention in July 1982, they agreed with LILCO that Shoreham had been designed and constructed in accordance with all regulatory re-quirements (with some SER open items still to be. resolved)
(see, e.g., Board Findings B-197, B-259, B-204A). This remains the view of the Staff and we agree. But the Staff did indicate that without a commitment from L,ILCO to embrace the Denton Mem-orandum, there could be no assurance that Shoreham would con-tinue to meet NRC regulations.23/ Subsequent to the initial litigation of SC/ SOC 7B, LILCO and the Staff did attempt to reach a resolution of this difference. In LILCO's view, reso-lution was achieved by making certain commitments in the FSAR and other LILCO documents that would ensure appropriate quality standards and quality assurance were applied to non-safety re-lated structures, systems and components. (Board Findings B-259B, B-259C, B-259F).
23/ This position was softened somewhat by Staff testimony that a commitment from LILCO to do in the future what had been done in the past would satisfy the Staff's interpretation of GDC 1 (Board Finding B-197).
_ ,.s, - , - - . . _ . . . . -
~ .
, s:c D. ~
s s.
N , s
~
, /N
- Then, in February 1983, Staff witness Conran filed nnL affidavit seeking to change his prior testimony on Unresolved Safet,y Issue A-17 and safety classification. As a result, and over LILCO's objection, therecordonSC/ SOC 7BItasreopenedto ';.
admit the Conran affidavit and hear further tes_timony on the issues it raised. The' Staff and Suffolk County submitted prefiled testimony generally reaffirming the positions taken in the prior litigation. LILCO did not submit any additional written testimony but, at the Board's request, made a panel of management level witnesses available for cross-examination. kJ (Board Finding B-3A).
v
~
- In the safety classification area, the reopened litiga-tion focused on two issues: (1) the effect of Mr. Conran's new testimony on conclusions concerning the design and construction of Shoreham, and (2) the implications for operation of Shoreham of the expanded Denton definition of the ~Eerm "important to safety." With respect to the former, the Staff confirmed that compliance with Regulatory Guide 1.70 and other Staff guidance h l and review in accordance with the Standard Review Plan was suf '
~
ficient to ensure LILCO's compliance with all regulatory re-w quirements during design and construction (BoardcFindirQ'y -,s e.
. s S
Na 1
i !. e I :w pr_ f, ,
W.
,/ n. .
- - %.z . m ,
~< .
p 4 s .
- ~ ,> e y 4 , ,
s .- .
N l ? .
B-204A). Indeed, even Mr. Conraki d15'not express any' serious Q,/
reservation % about'LILCO's compI ance with NRC regulations'dur-
. .i / .
ing the" design and construction.of Shoreham24/ (Board Findings
- 4. , B-259AM -B-259BB). TheCounth'S.testimonyinthisregardes-f,.
e sentially
. /
restates its prior pi:>,sition (see Board Finding
._ 1 .
~*B -2 59H ) and gives us no reason.to change our conclusion that
~. .
- e. .-
"?, LTLCO met GDC 1, as the-Staff inteFprets its rduring the design
.... / .-
~
[anddonstructionofShoreham. ._
,s ,
,' ,-
- With respe.ct to the operation'of Shoreham, Mr. Conran testified that LILCO',s, quality assurance and quality standards e ..
for non-safety related stiud:tures, systems and components were j 1nadequate and that the Denton definition must be imposed on
, , r, LILCO. (Board Findings B-259Y, B-259EE, B-2 5 9DD ) .,, The Staff ,
/ disagreed with the former conclusion but agreed with the latter
/ ,, .
- based on ' concerns regarding reporting and inspection require-ments (see Board Findings ~B-173C; B-259E). LILCO satisfied the w Staff's conc ^ erns'about compl.iance with GDC 1 during operations by, committing to make certain changes to the Shoreham FSAR and
- n. .
e 24/ As previously noted, we reject Mr. Conran's .and the Coun-ty's suggestion that additional review be undertaken to confirm that LILCO complies with all applicable requirements. See note
,. 22 above.
s 1 '#
ik
,.6
- d
- a. c .: .
y - /_;
i /
- y. . o
>C'
- -. ,- , -,w e ,
other LILCO documents that, in essence, ensure that the quality 1-standards and quality assurance applied to non-safety related-l struc,ture s , systems and components during operation will be 2 equivalent to that applied during design and construction. In
! addition, the commitment ensures that the role of the equipment in all phases of plant operation is considered in determining its treatment. (Board Findings B-173E, B-259A to B-259C). The
, Staff believes that this commitment will ensure that GDC 1, as the Staff interprets it, is met during operation.25/ (Board Finding B-173C).
- Mr. Conran disagreed, claiming that LILCO does not know i
what is " required minimally for safety in the operation of Shoreham" (Board Finding B-259Y). Cross-examination revealed, however, that the sole basis for Mr. Conran's conclusion is LILCO's refusal to admit that the Denton memorandum was correct and that structures, systems and components important to safe-ty, as interpreted by the Staff, are governed explicitly by the NRC's regulations (Board Findings B-259Y, B-259DD to B-259FF, i
25/ The County disagrees principally because it believes the quality standards and quality assurance applied during con-struction were inadequate (Board Finding B-259H). For reasons already stated, we disagree.
i 1 ',
~
- --,- ,-~.-.--~----.m-r-- ,-g -, y -- .o,>- , , - - , , - - - - - -
B-259II, B-259JJ). In his view, this LILCO postion reflects a safety philosophy that would affect LILCO's operating perfor-mance. But Mr. Conran presented no specific evidence to support his conclusion. (See Board Findings B-259BB, B-259GG).
Indeed, when asked to explain differences between LILCO and an applicant that accepted the Denton definition of "important to safety," he could give no example of an instance where the dif-ference had any substantive effect (Board Findings B-259GG, B-259HH). As a result, we find no merit in his vague notion that LILCO's safety philosophy is somehow deficient.26/ In fact, the evidence is to the contrary (see, e.g. Board Finding B-259MM).
- Mr. Conran confuses LILCO's legal argument with LILCO's understanding of substantive safety requirements. He confuses 26/ Moreover, we decline to accord any weight to Mr. Conran's opinion in this matter without regard to the lack of examples.
In contrast to Staff witnesses who draw on the collective knowledge and judgment of the agency, Mr. Conran presented his views as an individual. Mr. Conran has limited experience in safety reviews for nuclear power plants. Prior to these hear-ings he had not reviewed the Shoreham plant. Since the hear-ings began, he has conducted only a cursory review of portions of the Shoreham FSAR, and candidly admitted he did not have enough information to draw conclusions from it concerning LILCO's safety philosophy (Board Finding B-259Z; see B-259KK, B-259LL).
~.
a dispute over the construction of a regulatory term with the presence or absence of the knowledge, expertise and ability requi, red to design,' build and operate a safe plant. In princi-ple, a safe plant could be built and operated in the absence of any regulations at all. By contrast, agreement with the Staff on the definitions of regulatory terms is not in itself a valid test of understanding safe plant construction and operation (see, e.g., Board Findings B-173C, B-173E, B-210C, B-259G).
Actual practice and philosophy are more probative. Signifi-cantly, the record here shows that LILCO's practice and philos-ophy are wholly consonant with the philosophy underlying the Denton Memorandum -- namely that non-safety related structures, systems and components can be significant to safety and that a utility should recognize this in its programs for design, con-struction and operation. (Board Findings B-173B, B-210A to B-210E, B-234A, B-259G). In short, Mr. Conran is incorrect in concluding that a legal dispute over a regulatory term means that LILCO does not understand safety. The dispute is not over what is required for safety but over agency jurisdiction.27/
27/ LILCO does not assert that the NRC cannot exercise jurisdiction over non-safety related items as envisioned by Mr.
Conran. Rather, LILCO believes the NRC has not exercised such jurisdiction in the past and must proceed by rulemaking if it intends to do so in the future.
- - - ,-i, e. - - - -% .-. - - w ,
4
- Since we conclude that Mr. Conran's concern about LILCO's safety philosophy is unfounded, we need not consider at length his conclusion that LILc0 must prepare a list of struc-tures, systems and componentr, 2n.portant to safety. We do note, however, that the Staff, as well as LILCO, considers such a list unnecessary (Board Findings B-173, B-173A to B-173C, 4
B-173E, B-259D), that Mr. Conran thought it only marginally beneficial (Board Finding B-173F), and that the County witnesses were not unanimous in concluding it was necessary (Board Finding B-173D). Consequently, we would decline to order a list, even if we found some merit in Mr. Conran's posi-i tion.
- The Staff's reasons for urging the Board to impose the Denton definition are also not well founded. First, according
, to the Staff, LILCO's refusal to adopt the Denton definition a
would create communication difficulties because no common un-derstanding of the term important to safety would exist. How-ever, as LILCO witness Dawe aptly noted, the vagueness of the present Denton definition seems as likely to exacerbate potential confusion as to eliminate it. (Board Finding B-259L). As the record amply reflects, no clear definition of
the Staff's important to safety set exists (see Board Findings B-174, B-175, B-259L to B-2590). Consequently, even if the Board imposed or LILCO adopted the Denton definition, explana-tion would be needed each time important to safety was used to determine its scope and meaning in that context (see Board Tindings B-259K to B-259M).
- Second, the Staff asserts that I&E's inspection efforts might be hampered if LILCO does not accept the Denton defini-tions (Board Finding B-259K). We find no support in the record for this conclusion. LILCO made,it unmistakably clear that the .
Company has never and would not prevent NRC inspectors from inspecting non-safety related structures, systems or compo-nents. (Board Finding B-259R). In fact, there is evidence in this proceeding that NRC I&E has, on occasion, inspected non-safety related portions of the Shoreham plant (see, e.g.,
LILCO Ex. 64B (Item 4), Board Finding B-206). That LILCO might subsequently object to a citation as legally unfoundeu 1. of no moment.2p/ NRC regulations give licensees the right to contest 2g/ Even as LILCO interprets the concept "important to safe-ty," there can be legitimate violations of NRC regulations involving non-safety related equipment. Non-safety related equipment must function properly to meet various performance requirements, including 10 CFR Part 20 and Part 50, Appendix I.
(footnote continued) t
I
)
violations for whatever reasons deemed appropriate. 10 CFR
$ 2.201.
- Third, the Staff has expressed concern that without adoption of the Denton definition of important to safety LILCO would not fulfill its reporting requirements properly. This view is also without merit. Under 10 CFR Part 21, LILCO must report a defect in a basic component that creates a substantial safety hazard. The definitions pertinent to such a determina-tion do not turn in any significant way on the term important to safety.29/ See 10 CFR 6 21.3.
LILCO witnesses testified that any condition meeting the reporting requirements of Part 21 would be reported without regard to the classification of the structure, system, or component involved. (Board Finding B-259U). Similarly, under 10 CFR S 50.59, LILCO will perform the required evaluation for all plant modifications whether (footnote continued)
Also, in appropriate circumstances, non-safety related equip-ment that affects safety related equipment might well be the subject of a legitimate violation. (see Board Findings B-210A).
29/ "Important to safety" only appears in the context of
' design, inspection, testing, or consulting services important to safety." See 10 CFR SS 21.3(a)(3), 21.3(c).
safety related or non-safety related (Board Findings B-259V, B-259W). Consequently, we are not persuaded that any differ-ence ,in interpretation of important to safety wil.. have an im-pact upon LILCO's compliance with its reporting obligations, whatever the definition ultimately given to the term important to safety.
- Besides finding no persuasive reason for ordering LILCO to adopt the Denton definition of "important to safety," we agree with,LILCO there are strong reasons not to adopt it in this context. Importantly, the Denton memorandum asserts that it was not intended to modify existing requirements, dictate new technical requirements or broaden the scope of existing NRC review. This stated intent is appropriate for, as already noted, it would be an impermissible circumvention of rulemaking to dictate new technical requirements and broaden the scope of NRC review on the basis of an internal memorandum. Yet such a broadening would be precisely the result of imposing the memo-randum because past NRC and industry practice and construction equated the term "important to safety" with the term " safety related." Yet the Denton memorandum's definition of important to safety is clearly broader than that of safety related, and 1
I it is clearly incorrect in its assertion that its definition was consistent with past interpretation and practice. As al-ready noted, even Staff witnesses used the term "new" to de-scribe the Denton definition (Board Finding B-162B). Put sim-ply, the Denton memorandum, contrary to its terms, broadens the scope of the regulations by asserting a "new" broader defini-tion without the benefit of rulemaking.
- In addition to its legal difficulties, the Denton defi-nition raises a number of practical problems. Although LILCO and the Staff agreed that imposition of the Denton definition of important to safety would have no immediate impact on Shoreham, there is a significant potential for future impact (Board Finding B-2590). The root of the problem for operations, of course, is the excessive vagueness and breadth of the definition (see, e.g., Board Findings B-174, B-175, B-259N to B-259Q). Unlike the definition of safety related, the Denton definition of important to safety is not founded on any functional criteria (see Board Findings B-259M, B-259N).
Even if a common definition could be agreed upon for GDC 1 purposes alone, it would be plagued with problems.30/ First, 30/ One definition suggested during the hearings for important to safety for GDC 1 purposes would include the non-safety re-(footnote continued) the definition might well be subject to excessive change be-cause it is not embodied in any regulation. Indeed, Staff witne,sses confirmed that they were unable to tell LILCO or the Board what the ultimate scope of the "important to safety" set might be.31/ (Board Findings B-259S, B-259T).
- The second, more significant problem, is the effect of a broad definition in contexts other than GDC 1. For example, GDC 2 (seismic design) applies by its terms to structures, systems and components important to safety; but it has been ap-plied by industry and the Staff , exclusively to the safety re-lated set (see Board Findings B-72, B-74, B-76). Consequently, if this Board were to impose a broad definition of important to safety that might be appropriate for GDC 1 purposes, the Staff would be free to expand seismic requirements at any time in the (footnote continued) lated equipment or processes mentioned in the FSAR, the technical specifications and the emergency operating procedures (see Board Finding B-259P).
31/ It is not unusual that some uncertainty exists with a reg-ulatory definition. Even a well understood definition such as
" safety related" may be subject to some interpretation at the margin. But the complete lack of functional guidance in the Denton definition, however, sharply distinguishes it from safe-ty related and makes it objectionable.
future without resorting to rulemaking. In fact, LILCO (or any other licensee) could face the prospect of seismically quali-fying virtually everything but the toilets and garages, if some Staff witnesses' views on the scope of important to safety were to prevail (see Board Finding B-174).
To avoid such an undesirable and unintended result, the definition of important to safety must ultimately have different scope or content in different contexts. GDC 4 involving, inter alia, environmental qualification of items im-portant to safety provides a useful example. The Commission, in a recent rulemaking resulting in promulgation of 10 CFR S 50.49, has defined the scope of GDC 4 for electrical equipment to inc.lude safety related equipment and a limited set of non-safety related equipment.32/ (Board Findings B-259X).
32/ We note in passing that it would be inappropriate to conclude that the Commission, in promulgating the environmental qualification rule, intended to define important to safety for all contexts. The rulemaking stated no such intention. More-over, it would be inconsistent with other recent Commission rules (see pages 39-40 above). In any event, if 10 CFR S 50.49 were a definit've statement of the meaning of important to safety, it would be the equivalent of safety related for LILCO (see Board Finding B-259X). It should also be noted that the Commission chose to alter the scope of GDC-4 by rulemaking rather than informal memorandum. Prior to promulgation of S 50.49, GDC 4 had been historically construed to apply only to safety related electrical equipment. (See LILCO Proposed Find-(footnote continued)
Clearly, this definition of important to safety is far different from "everything in the FSAR, technical specifica-tions, and emergency operating procedures" that the Staff now seems inclined to adopt for GDC 1. Again, a different defini-tion of important to safety would seem appropriate for environ-mental qualification matters. It thus appears any workable definition of important to safety might have to vary from context to context throughout the regulations.
- To summarize, the Board declines to impose the Denton definition of important to safety on LILCO for a number of reasons:
(1) The legislative history of the NRC's regulations leads us to conclude that the terms "important to safety" and
" safety related" were intended to be equivalent (see pages 25-39).
(2) NRC and industry practice, though not ,
wholly uniform, largely confirms and l supports the same conclusion (see pages 40-46).
(3) The Denton definition is unnecessarily vague, leading to an undefined scope of (footnote continued) ings EQ-4, EQ-8). Thus, the EQ rule is instructive procedur-ally as well as substantively.
regulatory authority and a definition with different content in different contexts (see pages 76-79).
(4) The Denton definition, being new, cre-ates confusion rather than avoids it; commitments and documents reflecting the past practice of equating important to safety with safety related will be un-clear (see Board Findings B-259L, B-2590).
(5) The vagueness of the Denton definition results in a regulatory scheme that can-not be audited effectively by the Staff or LILCO (Board Finding B-259T).
- 4. Systems Interactions One of the' principal issues raised by SC/ SOC 7B was whether LILCO used an adequate methodology for the considera-tion of systems interaction in the classification of systems, structures and components for Shoreham. As a result of SC/ SOC's testimony, this issue expanded beyond the use of systems interaction for classification purposes to considera-tion of systems interaction generally in the design of Shoreham. Based on our review of the extensive record, we conclude that LILCO has adequately taken account of systems in-i teraction for Shoreham. In so doing, LILCO has employed certain state-of-the-art techniques in searching for systems interaction.
, _ , , - . . . . - - , , _ , . . - . . , - , , . . ,. _ . . _ _ , , . . ~ . , , - , . . _ _ - _ . _ . _ . . - --
The term " systems interaction" has become shorthand for a wide range of phenomena. The SC/ SOC testimony defined the
, " systems interaction issue" as "the lack of systems interaction analysis, the lack of multipl'e or ' common cause' failure analysis, and the tendency of the ' single failure criterion' to exclude a large number of potential accident-causing events."
According to the NRC Staff, the general systems interaction concern involved "the possibility of one reactor plant system.
acting on one or more other systems in a way not consciously intended by design so as to adversely affect the safety of the plant." (Board Finding B-350).'
LILCO witnesses pointed out that a number of defini-tions of systems interaction have been advanced. LILCO witness a
Burns used a Brookhaven National Laboratory study as an exam-i ple; it defined a systems interaction as "a situation where the likelihood of an undesired event is increased due to the rela-tionship between two or more components." (Board Findings B-351, B-352). LILCO witness Joksimovich defined systems in-l teraction as a subset of the broad category of dependent fail-ures (Board Finding B-349).
It must be noted, of course, that the issue is not merely the existence of systems interaction, since the plant operates by virtue of such interaction. Rather, the real concern is whether the interactions, if they occur, can ad-versely affect the safety of the plant. This concept of ad-verse impact on safety was an important element in the defini-tions of systems interaction discussed in the testimony on this subject. (Board Findings B-352, B-353). Thus, in reviewing the adequacy of LILCO's methodology for systems interaction it is necessary to look at the methods used for identifying potential interaction as well as'the adequacy of the design for coping with it.
- a. Consideration of Systems-Interactions at Shoreham The record reflects that LILCO and its contractors gave extensive consideration to systems interaction in the design and construction of Shoreham. Moreover, LILCO has programs in place that will continue to consider systems interaction during the startup and operation of the plant. Interaction was con-sidered (1) as a result of the structure and experience of the design organizations (Board Findings B-262 to B-270; see also Board Findings B-17 to B-39), (2) as a result of the design
process itself (Board Findings B-260 to B-261), (3) in the various systems interaction studies conducted by LILCO and its contr. actors during design and construction (Board Findings B-271 to B-308), (4) in the preoperational and startup test program for Shoreham (Board Findings B-309 to B-313) and (5) in the programs LILCO has in place to analyze systems interaction during operation (Board Findings B-314 to B-316). While no single methodology has yet been developed for the comprehensive treatment of systems interaction, the combination of methods used by LILCO was adequate to prevent undue risk to the public health and safety (Board Finding'B-319).
- In the design process for Shoreham, LILCO and its con-tractors were sensitive to systems interaction. By identifying a safety related set of structures, systems and components early in the design process, interaction between safety related and non-safety related systems was avoided or taken into account, as was interaction between safety related systems.
(Board Findings B-234A, B-260 to B-261).
General Electric and Stone & Webster, Shoreham's 4
principal designers, have organizational structures and design
! process controls that ensure consideration of systems
_L--
interaction. (Board Finding B-268). Both organizational structures ensure communication of information among the various design divisions (Board Findings B-262, B-263, B-267, B-269; see also Board Findings B-21, B-22, B-32, B-33). The
, design process is also closely controlled through the use of formal procedures and extensive technical guidance developed from years of experience (Board Findings B-20, B-30, B-33 to B-35, B-262, B-263). Design reviews provide a check on the ad-equacy of systems interaction considerations (Board Finding B-265; see also Board Findings B-26, B-28, B-39), and feedback from other plants being designed'or previously designed by General Electric and Stone & Webster supplies another source of information about potential systems interactions (Board Find-ings B-25, B-27, B-30, B-31, B-33, B-35 to B-38).
Systems interaction has also been taken into account through conservatism in the design of Shoreham. Because it is impossible to identify every conceivable adverse interaction that could occur, conservative design requirements are imposed
-- redundant systems, physical separation criteria and the like, to minimize the potential for adverse consequences from unexpected systems interactions (Board Findings B-40, B-317).
w x - , , - , , - , - _ - - ~___,.--__-ry
In addition to structuring and controlling the design process, a number of specific studies on systems interaction were, conducted for Shoreham. These studies addressed all of the major " types" of interactions -- functional, spatial and human.33/ (Board Findings B-270 to B-308).
The spatial systems interaction studies conducted for Shoreham, either plant specific or generic, include: Pipe Failure and Internal Flooding (Board Findings B-272 to B-275),
Missiles (Board Finding B-276), Fire Hazards (Board Findings B-277 to B-279), Cable Separation (Board Findings B-280 to B-285), High Energy Line Break (Board Findings B-294, B-295),
Heavy Loads (Board Finding B-298) and Water Level Studies (Board Finding B-307). Functional systems interaction was con-sidered in: Failure Modes and Effects Analysis (Board Findings B-286, B-287), Electrical Bus. Failure (Board Finding B-288),
Control System Failure (Board Findings B-289 to B-293),
Protection System (Board Findings B-299 to B-301), Scram 33/ As already noted, there is no common definition of systems interaction. Similarly, there is no standard way to categorize it (Board Finding B-351). We believe that the functional, spa-tial and human interactions described by LILCO witness Burns are useful. We will use these categories.
_~
Reliability (Board Findings B-302 to B-305), Common Mode Failure (Board Finding B-306), Water Level (Board Finding B-307), other BWR PRAs (Board Findings B-296, B-297) and TMI-2 '
Implication studies (Board Finding B-308). Human interaction was considered in: Fire Hazards (Board Findings B-277 to B-279), Scram Reliability (Board Findings B-302 to B-305) and TMI-2 Implication studies (Board Finding B-308). Some of these studies considered more than one type of systems interaction.
I Another comprehensive search for systems interaction is being conducted during the preoperational and startup testing for Shoreham. The program starts with the testing of individual components and systems and proceeds to comprehen-sive, integrated tests of many plant systems. In the course of these tests, various normal and accident conditions are simu-lated to test integrated system operation. These tests also look for potential human interactions by observing the use of operating procedures. Shoreham also has an extensive startup or power ascension test program which allows LILCO to look for systems interaction under actual operating conditions. (Board Findings B-308 to B-313).
Another important factor in our determination that systems interaction at Shoreham does not present an undue risk to the health and safety of the public is LILCO's program to conduct a continuing review of systems interaction issues. The programs will be conducted by the Independent Safety Evaluation Group (ISEG) at Shoreham. ISEG's members are permanently assigned to the site to investigate, on a full-time basis, issues that bear upon the safe and reliable operation of Shoreham. A number of the activities to be conducted by ISEG deal with systems interaction. ISEG has established a program to review in detail LERs from a 'surregato plant, Fitzpatrick,-
~
to look for systems interactions. Fitzpatrick, specifically, was selected because it is similar in design to Shoreham, it was designed by GE and S&W, and it has been in operation for several years. The ISEG engineers have received training in the recognition of potential systems interactions. (Board Findings B-314, B-315). ISEG will also be familiar with the Shoreham PRA so that it can be used in their work and will conduct system walkdowns (Board Finding B-316).
l
- b. Staff Requirements and Review
- The NRC Staff witnesses testified that, in their view, the requirements already contained in the regulations, some of T
which include the studies discussed as part of LILCO's testimo-ny, form an adequate basis for concluding that systems interac-tion has been adequately addressed for the plant. (Board Find-ings B-317, B-318, B-318D). We agree.
- c. Examples of Systems Interaction At the time Contention 7B was admitted for litigation,
- the Board permitted SC/ SOC to give two examples to illustrate its argument that LIlOO had employed an inadequate systems in-teraction methodology. In the County's prefiled testimony, the only example cited was a concern identified at the Pilgrim Plant involving flashing of the reference legs for the reactor pressure vessel water level indication. In the course of cross-examination, SC/ SOC raised a second example of adverse systems interaction, this one concerning the effect of breaks in the reference legs of the reactor pressure vessel water level indicator. For the reasons stated below, these examples do not demonstrate any inadequacies in LILCO's methodology for systems interaction.
Drawing on an event at Pilgrim,34/ the SC/ SOC prefiled testimony cited the reactor pressure vessel water level system as an example of a safety related system that could be ad-versely affected by the failure of a non-safety related system.
The precise concern involved the potential for flashing in the reference leg under conditions of low reactor vessel pressure and high drywell temperature. Under these conditions, either with or without a concurrent steam line break, failure of the non-safety related drywell cooler could cause reference leg flashing, resulting in the operator's receiving a false indica-tion of RPV level. (Board Findihgs B-319 to B-320).
The testimony on this issue showed that (1) even if the event were to occur at Shoreham, it would be highly unlikely that there would be any adverse impact on plant safety and (2)
Shoreham has been designed with features that take this potential system interaction into account.
34/ The Pilgrim event involved a shutdown of the plant during which the containment coolers did not operate at full capacity.
The resulting low RPV pressure and high drywell temperature caused the reference legs to flash. (Board Finding B-319).
4 l
. i
)
- - - - - - , , _ ~ . . _ _ . . _ _ . . - _ . . . ___. _ _ ._. _
General Electric has performed an analysis to determine the worst case scenario involving loss of the plant's drywell coolers coupled with a steam line break (Board Finding B-320).
Using_this worst case scenario, General Electric found that uncovering the core would be extremely unlikely (Board Findings B-320, B-321). GE's conclusions were based upon the remote likelihood of the combination of events involved, the multiple operator errors that would have to occur, and the conservative assumptions made in the analysis (Board Finding B-324). The NRC Staff agreed with these conclusions (Board Finding B-320).
We agree that this potential systems interaction does not pose an undue risk at Shoreham.
In addition, the interaction between the drywell cool-ers and the RPV level instrumentation was considered in the original design of Shoreham. The plant has an improved drywell cooler system, powered from an onsite source to minimize the potential for interaction. (Board Finding B-322). Drywell temperature is monitored in the control room and governed by the technical specifications (Board Finding B-323).
For these reasons, we conclude that Shoreham's design process adequately considered the potential for systems
interaction between the non-safety related drywell coolers and the RPV water level instrumentation.
During cross-examination of the SC/ SOC witnesses, an issue raised in an NRC study entitled " Safety Concern Associ-ated with Reactor Vessel Level Instrumentation in Boiling Water Reactors" was mentioned as a potential adverse systems interac-tion. This study suggests that a leak or break in the RPV water level instrumentation reference leg, combined with a single active failure, may result in an unacceptable plant condition. (Board Finding B-325).
Both NRC Staff and LILCO witnesses testified'that, al-though this is a systems interaction, it does not adversely affect plant safety. Analysis shows that in all cases the re-actor would scram automatically and there would be ample time for the operator to take appropriate actions prior to core uncovery. (Board Findings B-326 to B-330, B-332). In addition, special circumstances would be necessary to even require operator action (Board Finding B-327). Based on the testimony presented by the NRC Staff and LILCO we conclude that the design of Shoreham is adequate to deal with this potential system interaction.
I It is also well to note that this potential system in-teraction was considered by General Electric. GE correctly concluded that the Shoreham design is adequate to deal with this type of interaction since it would not i.mpair protective functions (Board Finding B-331).
To summarize, our review of the record indicates that the Shoreham design process has adequately considered the potential system interaction from a break in the RPV level in-strumentation reference leg.
- d. Shoreham Probabilistic Risk Assessment (PRA)
In addition to the methodologies on prior pages, LILCO has hired qualified consultants to perform a PRA for Shoreham (Board Findings B-333, B-340, B-341). LILCO took this step voluntarily in an effort to improve the safety of the Shoreham plant (Board Findings B-336 to B-339). A PRA is a comprehen-sive and systematic methodology for identifying and assessing possible ways in which.a nuclear power plant may fail. There was considerable testimony in this case concerning (1) whether PRAs in general, and the Shoreham PRA, in particular, consider systems interaction, and (2) whether PRA is the best method for considering systems interaction. (See generally Board Findings B-333 to B-398). The Board concludes that probabilistic risk asses,sment, if properly performed, is an effective way to ana-lyze systems interactior. for a nuclear power plant. (Board Findings B-394 to B-398). Although we need not decide whether other methodologies may be better or more comprehensive in identifying such interaction, the weight of the evidence does show that the PRA technique is the most well developed of the currently emerging methodologies for identifying systems inter-action (Board Finding B-348). Finally, we conclude that the 1
Shoreham PRA does consider systehs interaction at Shoreham in a detailed and comprehensive manner. Though still a draft, it has not identified any unexpected or abnormal systems interac-tion. The witnesses testified that they do not expect signifi-cant changes between the draft and final versions. (Board Findings B-394, B-396).
LILCO presented two highly qualified experts in the PRA field, Dr. Edward T. Burns and Dr. Vojin Joksimovich. Dr.
Burns was the principal analyst for the Shoreham PRA, and Dr.
Joksimovich is a member of the peer review committee established by LILCO to review the Shoreham PRA. (Board
Findings B-340, B-341). Both LILCO witnesses testified that PRAs are an effective means of considering systems interaction.
(Board Findings B-395 to B-398). Moreover, the LILCO witnesses testified that, in their professional opinions, PRAs are the best method currently available for assessing it. Their con-clusions were based in part on the facts that other systems in-teraction techniques are not yet fully developed, have not been accepted by the NRC, and have not been applied extensively to nuclear power plants. Also, many other systems interaction techniques identify the interactions but do not provide a i method for assessing their importance. (Board Finding B-348).
l PRAs, on the other hand, are better developed, have been ap-i plied to nuclear power plants, are acceptable to the NRC, and l do provide a means for assessing the significance of systems interactions. (Board Findir3s B-348, B-397).
SC/ SOC's testimony on the use of PRAs for systems.in-teraction was not extensive. It seemed to be their view that PRAs, supplemented by other methodologies to identify systems interactions, could be fruitfully used. The SC/ SOC witnesses concluded that the best methodology for resolving the systems interaction issue "is a combined approach, using dependency l
l 1
analysis /PRA, balanced by a walkdown study." (Board Finding B-384).
The testimony of the NRC witnesces was not entirely .
L consistent. Mr. Ashok Thadani generally agreed with LILCO's .-
witnesses that PRAs are an effective way to l analyze systems in- ,
teractions. (Board Findings B-374 to B-378). By contrast, Staff witness Conran expressed doubt concerning the use of PRAs for studying systems interactions. (Board Findings B-379, B-381). Mr. Conran testified at length about so-called systems interaction studies. The NRC Staff has made a number of at-tempts to develop a comprehensive systems interaction methodol-ogy. This work has included studies by National Laboratories as well as several " pilot" programs. (Board Finding B-373). ,
It was Mr. Conran's view that the methodologles in the NRC's pilot programs are superior to PRAs in assensing interac-tion.35/ (Board Findings B-379, B-381).
35/ The Board does not believe Mr. Conran's testimony in this regard deserves significant weight. First, its materiality is marginal. Whether there exists today or may exist in the fu-ture better techniques for considering systems interactions than PRAs does not mean than PRAs are ineffective,in doing so.
Second, Mr. Conran is not well qualified to sponsor the testi-mony he offered. By his own admission, his experience in the actual conduct of PRAs is limited. He also testitied that-his conclusions were at odds with those of his own experts, on whom he relied heavily. (Board Finding B-380).
n i, -
V
, Neither the Staff nor SC/ SOC witnesses'had significant familiarity with the Shoreham PRA. Although 6he Staff declined
~
to comment on the specifics of the study, SC/ SOC witnesses con-cluded that, based on their brief review, it did not include systems interaction. (Board Finding B-383). Those' views, how-ever, are not. supported by the record. (Board Findings B-384 to B-392). They were also in direct confligt with the views of Dr. Robert Budnitz, a consultant for the County in the emergen-cy planning area. - (Board Finding B-383). '
LILCO's experts presented comprehensive testimony on
'the Shoreham PRA. It is a state-of-the-ar,t st6dy~using the latest PRA guidelines and subject to peer revie'w~by a panel of
' independent experts. (Board Findings B-341, B-343 to B-346).
The Shoreham PRA gives extensive consideration to systems in-teractions. Theconstructionandquankificationofitsevent trees and fault trees considered a wide variety of potential functional and human interactions. (Board Findings B-354 to B-367). The process also considered intersystem and inter-component dependencies between the so-called front line systems and the support systems. Construction of the fault trees was supported by dependency matrices, a technique for identifying f
-., . , , . , y y ,__, . , .%. __ _. .-.,p
systems interaction' recommended by both SC/ SOC and NRC Staff witnesses. (Board Finding B-356). The Shoreham PRA also con-sider,ed selected spatial systems interaction (Board Finding B-358).
In order to identify systems interaction for inclusion in the event trees and fault trees, techniques such as systems walkdowns, review of operating experience at nuclear power plants, review of previous studies, dependency matrices, and identification of commonalities were used (Board Findings B-359 to B-367). .
Based on the extensive testimony of LILCO's witnesses, we conclude that Shoreham's PRA assessed multiple component failures, system dependencies, and potential systems interac-tion that could affect multiple systems, and the study evalu-ated their impact on plant safety through the use of fault tree / event tree techniques. (Board Findings B-395, B-396). At the time of the testimony on this issue, no risk outliers due to hidden systems interaction had been identified. (Board Findings B-394, B-396). Moreover, while the Shoreham PRA has resulted in several minor design changes to improve plant safe-ty, it has not identified any need to alter the classification n
1 1
of any structure, system or component (Board Findings B-369, B-396). In short, the Shoreham PRA indicates that the plant is well protected against adverse systems interaction. It also confirms that the design process for Shoreham has adequately taken into account systems interaction. Further, the PRA gives assurance that systems interaction will be considered throughout the plant's life, in light of LILCO witness Kascsak's testimony that the study will be updated and recon-sidered when design modifications.are made. (Board Finding B-370).
- e. Unresolved Safety Issue A-17 36/
- The County claims that under the standards set out in Virginia Electric and Power Co. (North Anna Nuclear Power Station, Units 1 and 2), ALAB-491, 8 NRC 245, 248 (1978), there is insufficient evidence to justify the operation of Shoreham in the face of Unresolved Safety Issue A-17. The Appeal Board decision in North Anna set the standard for consideration of 36/ The first four paragraphs of this section originally ap-peared in essentially the same form on pages 63-66 of LILCO's Reply to Suffolk County on SC/ SOC 7B. Because Mr. Conran's af-fidavit focused attention on USI A-17, LILCO believes this dis-cussion should be included in the . Board's opinion.
generic unresolved safety issues (USI's) prior to. issuance of an operating license.37/ The Appeal Board concluded that:
, these " unresolved issues" cannot be disre-garded in individual licensing proceeding.7 simply because they also have generic appli-cability; rather, for an applicant to suc-ceed,.there must be some explanation why con-struction or operation can proceed even though an overall solution has not been found.
Id. The Appeal Board noted several independent reasons that
.will support going forward at the OL stage despite the exis-tence of'USIs: "a solution satisfactory for the particular fa-cility has been implemented; a restriction on the level or na-ture of operation adequate to eliminate the problem has been imposed; or the safety issue does not arise until the later years of plant operation." Id. A more comprehensive list was provided by the Licensing Board in Pacific Gas and Electric Co.
(Diablo Canyon Nuclear Plant, Units 1 and 2), LBP-81-21, 14 NRC 107, 118 (1981):
(1) the problem has been resolved for the re-actor under study, (2) a resolution can reasonably be expected before operation, (3) there will be no safety implications until 37/ The Appeal Board's earlier decision in Gulf States Utility Co. (River Bend, Units 1 and 2), ALAB-444, 6 NRC 760, 774.(1977), discussed similar considerations for construction permit applications.
after years of operation and alternative means will exist to avoid undue risk to the public, (4) current standards are adequate but confirmatory studies are desirable while licensing continues,- (5) a problem is so un-likely to occur as to be an incredible event, (6) the task is for the purpose of resolving unclear, conflicting, or impractical require-ments of the regulations or, (7) presently adequate criteria can be improved.
- Unlike North Anna, where the unresolved safety issues were uncontested, A-17 has been litigated within the context of SC/ SOC Contention 7B. Thus, there.is substantial evidence in the record showing that, for a number of the reasons listed above, Shoreham may operate despite the pendency of A-17.
- As noted by the Staff, the purpose of A-17 is to confirm the adequacy of current systems interaction design and review requirements by evaluating the potential for undesirable systems interactions. (Board Finding B-318F ; Staff Proposed Finding 7B:176). In other words, the working premise of A-17 is that the present regulatory regime does adequately protect plants from systems interactions. Although the occurrence of some systems interaction events prompted the Staff to undertake Task A-17, the Staff explicitly concluded, in the initial and in recent testimony on this issue, that existing NRC require-ments and the existing NRC review process ensure that systems
-100-
interactions do not unduly risk the health and safety of the public. (See, e.g., Board Findings B-317, B-318, B-318D, B-318,E, B-377, B-378; Staff Proposed Findings 7B:175, 7B:176, 7B:188 to 7B:190; see also pages 82-87 above and related find-ings.)
- There are other bases for concluding that the North Anna requirement is met here. The evidence shows that LILCO has taken extra measures to address systems interactions at Shoreham. In some respects, LILCO's deterministic systems in-teractions studies and programs exceed traditional regulatory requirements. (See, e.g., Board' Findings B-280 to -285 (cable separation study), B-314 to -316 (ISEG systems interaction pro-gram); see also B-318C, B-318G, B-318J). LILCO has also performed a probabilistic risk assessment to confirm the ade-quacy of the existing regulatory and design processes. See e.g., Board Finding B-396. Although the Staff has not taken a position on whether PRAs are the best method to deal with systems interaction in a comprehensive manner (see Staff Pro-posed Finding 7B:224), Staff witnesses agreed that PRAs are useful in identifying and assessing systems interactions. (See Board Findings B-374, B-376; Staff Proposed Findings 7B:226, 7B:230). Thus LILCO has gone well beyond existing requirements
-101-
-- adequate in themselves -- to address systems interactions.
Consequently, in the terms of the North Anna standard, USI A-17 has been resolved for Shoreham.
- The basis for positive conclusions concerning A-17 was questioned by James S. Conran, Sr., one of the Staff's original witnesses on SC Contention 7B, in an affidavi-t filed on February 9, 1983, which asserted that the schedule for resolu-tion of Unresolved Safety Issue A-17, Systems Interaction, had been deferred in a manner not consistent with its perceived initial importance. (Board Findings B-318A, B-318B). In Mr.
Conran's view, as a generic matter, further reactor licenses should not be granted until more tangible progress is made to-l ward resolution of USI A-17. (Id.).
i a
l
- Mr. Conran's affidavit also took issue with LILCO's use 1
of systems classification terminology. Mr. Conran acknowledged that LILCO had performed numerous systems interaction studies and a PRA for Shoreham. (Board Finding B-318C). As a result, he would not have had any opposition to issuance of an operating license to Shoreham, despite the pendency of USI A-17, except for LILCO's safety-classification terminology, which led him to question whether LILCO's studies would adequately account for structures, systems and components not classified a
as safety related. (Board Finding B-318C).
i
-102-
- As noted earlier, the Board permitted the other parties to file responsive testimony and in April 1983 commenced four days of hearings on this matter, at which Mr. Conran and witnesses for the Staff, Suffolk County 33/ and LILCO (which had-not filed testimony but furnished management level witnesses at the Board's request) testified. (Board Finding B-3A).
- The testimony established that USI A-17, while not an unimportant task, has been and still is considered confirmatory in nature (Board Findings B-318D to B-318G). The Staff restated previous testimony that current licensing standards are adequate to support licensin'g (Board Finding B-318D) and that LILCO has met them (Board Findings B-318E, B-318F). Thus, as reaffirmed by the Staff witnesses, the licensing of Shoreham does not depend on a schedule for the resolution of USI A-17 because it is a confirmatory issue, a permissible ground for a positive North Anna finding. (Board Finding B-318J). As a result, Mr. Conran's concerns about the likelihood of meeting 3g/ The County submitted direct testimony and proffered witneses who generally supported Mr. Conran's arguments. These arguments, while containing independent supporting material, are similar to Mr. Conran's and are reasonably disposed of in the framework of Mr. Conran's arguments. (See Board Findings B-318K to -318N).
+
-103-
the Staff's current schedule (Board Finding B-318I) are irrelevant.39/
- Moreover, the testimony in the reopened proceeding also confirmed that a wide variety of systems interactions studies including a PRA, which go beyond-the Commission's basic regula-tory requirements, have been conducted for Shoreham. (Board Findings B-318G). These studies include structures, systems and components that are non-safety related as well as those that are safety related, and do not discriminate among them on the basis of classification. (Board Finding B-318H). Thus, as noted by Staff and at least one County witness, the validity of LILCO's studies is not affected by systems classification no-menclature, and Mr. Conran's concern about " synergy", based as it is on the premise that such issues may affect the validity of these studies, is therefore unfounded. (Board Finding B-318H). In sum, we conclude that nothing in Mr. Conran's or the County's supplemental testimony on USI A-17 dissuades us 39/ There are other reasons why Mr. Conran's concerns are unfounded. Changes in reactor design in recent years, and other types of analyses, including systems interaction analyses and PRAs, have tended to fill in gaps in the Staff's knowledge and thus diminished its concerns pending ultimate resolution.
(Board Finding B-318F).
t
-104-
from our conclusion that the North Anna finding can be made and that Shoreham can receive an operating license during the pen-dency of A-17.
- f. SER Open Item 47 One of the systems interaction studies conducted by LILCO involved Control System Failures (Board Findings B-289 to B-293). This study was conducted at the request of the NRC Staff and was designated as SER Open Item No. 47. The Staff testified that.the study must be completed, reviewed and approved prior to fuel load. Th'e study has been completed and approved by Staff. "NRC Staff Position on Resolution of SER Open Item #47," at 7 (January 3, 1983) (Staff Position). The NRC Staff, however, did not close out the issue because it believed LILCO's report had not fully addressed the SER Open Item.
As described by LILCO's witnesses, the report studied the effects of the failure of power supplies to non-safety re-lated control systems. The Staff has requested that LILCO ex-pand the study to include the effects of failures caused by common sensors, hydraulic headers and impulse lines. This t
supplemental report has not yet been submitted.
-105-
Tha lack of a final report on SER Open Item No. 47 raises two questions: (1) whether the record cn1 SC/ SOC 7B can be closed in its absence and (2) whether completion and approv-al'of this study should be a condition for fuel load. These questions were addressed in the Staff Position.
With respect to the first issue, Staff counsel conclud-ed that the record on SC/ SOC 7B could be closed. We agree.
The principal concern of 7B was the adequacy of Shoreham's methodology for the consideration of systems interaction. In our view, there is ample evidence in the record to draw conclu-sions concerning that methodology. In fact, the study in question is entirely consistent with the methodology used in the identification of systems interaction. It is intended to confirm, once again, the adequacy of the design process. Thus, we believe the record can be closed absent the additional report requested by the NRC Staff for SER Open Item No. 47.
We turn now to the issue of whether the additional report must be completed, reviewed and approved by the Staff prior to fuel load. The NRC Staff believes Open Item No. 47 should be closed prior to fuel load. Staff Position at 7. The Staff has indicated, though, that later resolution of the item may be acceptable if adequate justification can be provided.
-106-
4 While the Board believes it is desirable to fully re-solve Open Item No. 47 before fuel load, we do not believe it is essential for the following reasons:
(1) As-already indicated, the record shows that the design and review processes for Shoreham have taken into account systems interaction. The results of the systems interaction studies conducted for Shoreham have confirmed the adequacy of these processes.
(2) Also as indicated above, the portion of the Control System Failure study already conducted by LILCO was accepted by the NRC Staff. -
(3) Shoreham's PRA has ,given. extensive con-sideration to systems interaction. Pre-liminary results from the PRA do not in-dicate that failure of non-safety relat-ed control systems is a dominant contributor to risk. (Board Findings B-394, B-396).
(4) ' General Electric conducted a generic study of control system failures very similar to the one requested by the NRC Staff. The GE study showed that control systems interaction had been adequately 45 considered in the BWR design. (Board Findings B-290 to B-292).
(5) The NRC Staff knows of no specific control systems failures at Shoreham or any other plant that would lead to undue risk to the health and safety of the public. (Board Finding B-289).
(6) The analysis requested by the Staff for Shoreham has been done for Grand Gulf, a BWR-6, and no changes to the plant
-107-
design were needed as a result. Staff Position at 7.
Accordingly, we will not make complete closure of Open Item No.
47 a condition of fuel load.
- 5. SOC Contention 19(b)
SOC Contention 19(b) alleged that:
The NRC Staff has not required LILCO to incorporate measures to assure that Shoreham conforms with the standards or goals of safety criteria contained in re-cent regulatory guides. As a result, the Staff has not required that Shoreham structures, systems and compo-nents be backfit as required by 10 CFR 9 50.55a, 5 50.57, and 5 50.109 with regard to:
(b) Regulatory Guides 1.26 and 1.29. --
LILCO's general list of quality group and seismic design classifications listed in FSAR Table 3.2.1-1 is not in compliance with 10 CFR Part 50, Appendix A, Criteria 1 and 2, 10 CFR S 50.55a, and 10 CFR Part 100, Appendix A in that:
(1)the quality group classifications contained in FSAR Table 3.2.1-1 do not comply with the~regula-tory position of Revision 3 of Regulatory Guide 1.26 for safety-related components containing water, steam or radioactive materials; (2)the seismic design classifications contained in FSAR Table 3.2.1-1 do not comply with the regula-tory position of Revision 3 of Regulatory Guide 1.29 with regard to control room habitability and radioactive waste systems; (3)LILCO has not revised the FSAR Table 3.2.1-1 to expand the list of safety-related equipment as reflected in NUREG-0737 and as a result of the NRC
-108-
Staff. review of the Q-List as set forth in Supplement 1 of the SER on page 17-1; and (4)LILCO's list of safety-related equipment contained in FSAR Table 3.2.1-1 does not include equipment upon which the plant operators will rely in response to accidents outlined in the Shoreham emergency operating procedures.
Regulatory guides-simply give licensees and applicants guidance on how to meet the NRC's regulations; they are not re-quirements. Thus, failure to comply with them is not a viola-tion of NRC regulations. In any event, Shoreham is committed to meet Revision 1 of the Regulatory Guides 1.26 and 1.29 (Board Findings B-72, B-75, B-76). ,
Both Staff and LILCO witnesses testified that Shoreham does, in fact, meet this com-mitment (Board Findings B-73, B-77). With the exception of SC/ SOC testimony on Quality Group D (see page 19 above), the LILCO and NRC Staff testimony on this matter was uncontroverted. Since we have already concluded that LILCO properly classified Quality Group D as non-safety related, we find that Shoreham does comply with Regulatory Guides 1.26 and 1.29, Revision 1.
In addition, LILCO and the NRC Staff also submitted uncontroverted testimony that the current versions of these j regulatory guides, Revision 3 in both instances, differ only
-109-a -_-- - - - - - - r__-
slightly from the respective initial revisions. Both Staff and LILCO agree that-Shoreham also meets Revision 3 of Regulatory Guide,s 1.26 and 1.29. (Board Findings B-75 to B-77). There-fore, we conclude parts (1) and (2) of SOC 19(b) lack merit.
With respect to parts (3) and (4), neither of these alleged deficiencies is addressed in the Regulatory Guides.
Thus, even if true, they would not indicate failure to comply with the guides. Moreover, evidence in this proceeding showed that neither claim has merit. .
Both the NRC Staff and L'ILCO testified that, pursuant to the Staff's request, LILCO has added items to Table 3.2.1-1 to reflect plant changes made as a result of NUREG-0737. After an exchange of information, LILCO and the Staff reached agree-ment on the extent to which the table should be revised.
Therefore, part (3) of SOC 19(b) is wrong. (Board Finding B-399).
Finally, in addition to there being no provision in Regulatory Guides 1.26 and 1.29 for the classification of systems relied upon in emergency operating procedures, the sug-gestion is otherwise without merit. In testimony sponsored t
-110-
principally by:SC/ SOC witness Harwood, SC/ SOC argued in a fashion similar to SOC 19(b)(4) that all equipment mentioned in an emergency operating procedure should be classified as safety related or considered for some additional quality standards.
(Board Finding B-400). The County attempted to illustrate-its point by analyzing a selection of EOPs to demonstrate that they called upon the operator to rely upon certain non-safety relat-ed systems and components. We do not find the argument persua-sive.
Rather, we conclude that (1) there is substantial evi-dence in the record that the analysis suggested by the County is not an appropriate classification methodology (Board Find-ings B-401 to B-418), and (2) the analysis included in the SC/ SOC's prefiled testimony was flawed.40/ LILCO witness McGuire, a consultant to LILCO and a former Pilgrim plant manager with substantial experience in the operation of nuclear power plants, testified that the methodology selected by SC/ SCC 40/ The SC/ SOC analysis merely copied down the components listed in the EOPs without any analysis of the functions performed. Thus, it is not meaningful. In addition, its author was not well qualified for the task. (Board Findings B-419 to B-426).
-111-
was inappropriate (Board Findings B-411 to B-418). In his view, the purpose of EOPs is to provide guidance to the opera-tor in dealing with abnormal conditions. The procedures should take advantage of the full capabilities of the plant, not just the safety related set. (Board Findings B-409, B-410). Thus, if a non-safety related system can perform a function that can be used to mitigate or prevent an accident, it is entirely appropriate to include that system in an EOP regardless of its classification. So long as safety related equipment is avail-able to perform a function, there is no need to upgrade other systems that can perform the same function.41/ Moreover, many of the systems called upon in the EOPs are used in the normal operation of the plant, and thus, have adequate quality measures applied to ensure their reliable operation. (Board Finding B-414). Further, many of the non-safety related items included in the EOPs are mentioned only to protect the equip-ment itself, independent of accident mitigation (Board Finding B-422).
41/ In other words, the safety related set, by itself, is suf-
) ficient to prevent and mitigate accidents.
-112-
Witness McGuire testified that LILCO's EOPs have been carefully developed from generic Emergency Procedure Guidelines (EPG) developed by General Electric and the BWR Owners' Group.
In the course of developing the EPGs, the system classification of BWRs in. general, and Shoreham in particular, was reviewed and analyzed, and found to be adequate. (Board Findings B-401 to B-408). In addition, McGuire conducted his own analysis of the procedures used in the SC/ SOC analysis to demonstrate (1) that LILCO, indeed, had properly classified its systems and (2) the SC/ SOC analysis was flawed. (Board Findings B-415, B-419 to B-426). It follows that part'(4) of SOC 19(g) is also with-out merit.
- 6. Conclusion Based on our review of the substantial record compiled on SC/ SOC Contention 7B and SOC 19(b), we conclude that:
(1) LILCO did use an adequate methodology for the classification of structures, systems and components at Shoreham; (2) LILCO has properly interpreted the meaning cf "important to safety" in the NRC's regulations as being equivalent to
. " safety related";
h
-113-i
(3) LILCO has applied quality standards and quality assurance to all structures, systems and components at Shoreham commensurate with their function; and (4) LILCO has used an adequate methodology for considering systems interaction at Shoreham.
Accordingly, we find that Shoreham is not in violation of General Design Criteria 1, 2, 3, 4, 10, 13, 21, 22, 23, 24, 29, 35, and 37; 10 CFR $$ 50.55(a), 50.57 and 50.109, as alleged by these contentions.
O
-114-
4 III. FINDINGS OF FACT
,B. SAFETY CLASSIFICATION AND SYSTEMS INTERACTIONS B-1. Suffolk County /Shoreham Opponents Coalition Con-tention 7B reads as follows:
LILCO and the Staff have not applied an adequate methodology to Shoreham to ana-lyze the reliability of systems, taking into account systems interactions and the classification and qualification of
. systems important to safety, to deter-mine which sequences of accidents should be considered within the design basis of the plant, and if s'o, whether the design basis of the plant in fact adequately protects against every such sequence'.
In particular, proper systematic method-ology such as the fault tree and event tree logic approach of the IREP program or a systematic failure mode and effect analysis has not been applied to Shoreham. Absent such a methodological approach to defining the importance to safety of each piece of equipment, it is not possible to identify the items to which General Design Criteria 1, 2, 3, 4, 10, 13, 21, 22, 23, 24, 29, 35, 37 apply, and thus it is not possible to demonstrate compliance with these criteria.
B-2. Shoreham Opponents Coalition Contention 19(b) reads as follows:
, \
i l
-115- l 1
SOC contends that the NRC Staff has not required LILCO to incorporate measures to assure that Shoreham conforms with the standards or goals of safety criteria contained in recent regulatory guides. As a result, the Staff has not required that Shoreham structures, systems and components be backfit as required by 10 CFR S 50.55a, 5 50.57, and S 50.109 with regard to:
(b) Regulatory Guides 1.26 and 1.29. --
LILCO's general list of quality group and seismic design classifications listed in FSAR Table 3.2.1-1 is not in compliance with 10 CFR Part 50, Appendix A, Criteria 1 and 2, 10 CFR S 50.55a, and 10 CFR Part 100, Appendix A in that:
(1) the quality group classifications contained in FSAR Table 3.2.1-1 do not comply with the regulatory position of Revision 3, of Regulatory Guide 1.26 for safety-related components containing water, steam or radio-active materials; (2) the seismic design classifications contained in FSAR Table 3.2.1-1 do not comply with the regulatory position of Revision 3 of Regulatory Guide 1.29 with regard to control room habitability and radioactive waste systems; (3) LILCO has not revised the FSAR Table 3.2.1-1 to expand the list of safety-related equipment as reflected in NUREG-0737 and as a result of the NRC Staff review of the Q-List as set forth in Supplement 1 of the SER on page 17-1; and (4) LILCO's list of safety-related equipment contained in FSAR Table 3.2.1-1 does not include equipment upon which the plant opera-tors will rely in response to accidents
-116-
~ . --
outlined in the Shoreham emergency operating procedures.
B-3. LILCO, the NRC Staff and Suffolk County / SOC testified on SC/ SOC Contention 7B. Only LILCO and the NRC Staff submitted testimony on SOC 19(b), but some of the issues in the contention were addressed in the SC/ SOC 7B testimony.
The Applicant's prefiled testimony was submitted by Mr. Robert M. Kascsak of LILCO, Messrs. George F. Dawe, George Garabedian and Paul W. Riegelhaupt of Stone & Webster, Messrs. Pio W.
Ianni and David J. Robare of General Electric, Mr. Paul J.
McGuire of United Energy Service's Corp., Dr. Edward T. Burns of Science Applications and Dr. Vojin Joksimovich'of NUS Corpora-tion. Burns et al., ff. Tr. 4346.42/ Mr. William J. Roths of General Electric also testified on behalf of the Applicant.
See Tr. 4563 (Professional Qualifications--William J. Roths).
Prefiled testimony was submitted on behalf of the NRC Staff by Drs. Themis P. Speis of the Division of Systems Integration and C. E. Rossi of the Instrumentation and Controls System Branch, and Messrs. Walter P. Haass of the Quality Assurance Branch, 42/ Suffolk County moved to strike portions of LILCO's testi-mony. LILCO agreed to strike certain portions of its testimony and the balance of the SC motion was denied. See Tr. 4330.
-117-
Marvin W. Hodges of the Reactor Systems Branch, James H.
Conran, Jr. of the Reliability and Risk Assessment Branch and Rober,t Kirkwood of the Mechanical Engineering Branch. Speis et al., ff. Tr. 6357. Mr. Conran submitted rebuttal testimony for the NRC Staff. Conran ff. Tr. 6366.43/ Ashok Thadani, Chief of the Reliability and Risk Assessment Branch also appeared for the Staff. See Tr. 6453 (Ashok C. Thadani--Professional Quali-fications). The Suffolk County and the Shoreham Opponents Co-alition testimony was filed by Ms. Susan J. Harwood and Mr.
Marc W. Goldsmith of Energy Research Group and Messrs. Richard B. Hubbard and Gregory C. Minor'of MHB Technical Associates.
Goldsmith et al., ff. Tr. 1114.44/
"B-3A. On February 9, 1983, Mr. James H. Conran sub-mitted an affidavit amending and/or supplementing his prior testimony. Subsequent to the filing of Mr. Conran's affidavit, and over LILCO's objection, the record on SC/ SOC contention 7B 43/ LILCO moved to strike portions of the NRC Staff's rebuttal testimony. The Staff agreed to strike certain portions of the testimony. See Tr. 6366-67. The Staff and the County also agreed that certain other portions would be deleted. See Tr.
6360.
44/ LILCO moved unsuccessfully to strike portions of the
.SC/ SOC testimony. See Tr. 1017.
-118-
was reopened'and the Board gave the Applicant, Staff and ,
Intervenors the opportunity to submit additional testimony. On behalf of Suffolk County, supplemental testimony was submitted by Marc W. Goldsmith, Richard B. Hubbard and Gregory C. Minor.
Goldsmith et al., ff. Tr. 20,903. Supplemental testimony was submitted on behalf of the NRC Staff by Roger J. Mattson, Director of the Division of System Integration, Richard H.
Vollmer, Director of the Division of Engineering, Charles E.
Rossi of the Instrumentation and Control System Branch, Ashok C. Thadani, Chief of Reliability and Risk Assessment Branch, and Franklin D. Coffman, Jr. of the Systems Interaction Section. Mattson et al., ff. Tr. 20,810. LILCO did not submit supplementa'l prefiled testimony. Both the Staff and LILCO sub-mitted motions to strike the County's Supplemental Testimony, these motions were granted in part. Tr. 20,370, 20,386, 20,882-885 (Judge Brenner). Four additional days of hearing.
were held during which Mr. Conran, the NRC Staff panel and Suffolk County panel testified. At the Board's request, LILCO provided a management level witness panel, which included Messrs. Millard Pollock, James Rivello, William Museler and Brian McCaffrey of Long Island Lighting Company and Mr. George Dawe of Stone & Webster.
-119-
- 1. Safety Classification of Structures, Systems and Components at Shoreham
- a. Shoreham's Classification Scheme B-4. -Structures, systems and components at Shoreham are classified in two categories, safety related and non-safety related. Burns et al., ff. Tr. 4346, at 28; Tr. 4452 (Dawe),
4786 (Robare).
B-5. The use of two categories, " safety related" and "non-safety related," is a consistent application used throughout the industry. Tr. 4472 (Dawe). Shoreham's classi-fication in these categories is consistent with other BWR plants. -Tr. 4488-92 (McGuire), 4883 (Robare).
- B-6. Having a well-defined group of safety related structures, systems and components allows the applicant to con-centrate its effort on plant features most important to achiev-ing critical safety-functions in the case of an accident or emergency. Speis et al., ff. Tr. 6357, at 7; See Tr. 20,838 (Mattson).
B-7. LILCO classified as safety related those struc-tures, systems and components necessary to perform the specific I -120-
safety related functions set forth in Appendix A to 10 CFR Part 100. Safety related structures, systems and components are those,necessary to ensure:
(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the re-actor and to maintain it in a safe-shut-down condition; and (3) The capability to prevent or miti-gate the consequences of accidents which could result in potential offsite expo-sures comparable to the guideline expo-sures of this part.
10 CFR Part 100 Appendix A; Burn,s et al., ff. Tr. 4346, at 51-52; Speis et al., ff. Tr. 5357, at 9-10.
B-8. Structures, systems and components which are not necessary, not actually required, to assure these functions are not required to be classified as safety related. Speis et al.,
ff. Tr. 6357, at 22.
B-9. The basic conceptual designs for Shoreham were in place for the construction permit application. Extensive engi-neering and design continued beyond that time. Through the early history of the project, the method of classifying struc-tures, systems and components evolved. Tr. 4358 (Dawe).
1
-121-
B-10. The early classification methodology involved identifying the seismic Category I structures, systems and com-ponents. To accommodate new regulations, such as 10 CFR 50 Appendices A and B,-10 CFR 50.55a, and 10 CFR 100 Appendix A, a more detailed classification scheme was used to delineate more information such as QA requirements, seismic requirements, and code requirements. This process was initiated prior to issu-ance of the construction permit. Tr. 4358-61 (Garabedian);
Burns et al., ff. Tr. 4346, at 38-39.
B-11. For Shoreham, the, term "important to safety" is used as equivalent to the term " safety related." There is no category of equipment that is important to safety but not safe-ty related. Burns et al., ff. Tr. 4346, at 50-55; Tr. 4423 (Dawe), 4790 (Robare).
B-12. The safety related set of structures, systems and components is a sufficient set with which to achieve cold shutdown under any design basis event. Tr. 4490 (McGuire),
4882 (Dawe).
- B-13. Although the NRC Staff could not identify a specific methodology for classification of structures, systems, t -122-
l - .
e and components as being required by regulation, a well-developed, systematic process for classification is
- embodied in the Regulatory Guides and Standard Review Plan.
Tr. 6563-65, 6583-84, (Rossi, Conran); 20,825-26 (Rossi).
B-14. SC/ SOC witnesses also testified that it is the industry practice to classify systems, structures and compo- -
nents as safety related and non-safety related. Tr. .1513 l (Hubbard). They also stated that quality assurance programs have not " addressed the broader category of' items important to safety." Tr. 1345 (Hubbard). ,
j B-15. The NRC Staff is satisfied that at Shoreham, l
LILCO has used an adequate methodology for classifying a suffi- '
cient set of safety related systems. Tr. 7603--(Speit).
l l
- b. Methodology for Classification
.~
B-16. The methodology used for classification of ,
structures, systems and components at Shoreham involved the ap-l ~
l plication of experience, design basis evaluations, industry standards, NRC regulations and regulatory guides. Burns et al., ff. Tr. 4346, at 27.
l I -123-
y (1) Design and Operational Experience B-17. The design process must ensure that the safety c
related set of structures, syst$ms and components is sufficient to perform all of the safety related functions. Burns et al.,
ff. Tr. 4346 at 51-52. Thus, it is important to understand the design of a nuclear power plant in determining what systems must be classified as safety related. As LILCO witness Dawe explained, the process is complicated:'
You. start by looking at the prime systems; for example, the ECCS systems, they must, in turn,'be supported.
J ECCS systems with motor-driven valves and motor-driven pumps require power supplies. Those power supplies are also
, within the safety-related set . . . .
[Y]ou have to go right down the list of functions you need and . . . decide how you are going to' perform that function . . . then you have to look at those systems for support require-ments. . . .
For example, if I have ECCS pump motors
. running in an area and they have temper-
,' ature limits on them, I need ventilation systems. Those ventilation systems that are required for the proper operation of the ECCS pumps are,themselves safety-related . . . .
L Tr. 4942-43 (Dawe). Consequently, a disciplined design process 4
-124-1 s
l 1 i and an experienced organization are important in ensuring proper system classification.
B-18. Although Stone & Webster and General Electric ,
are responsible for establishing and reviewing classifications of their own supplied equipment, interface documents are ex-changed that keep eacn organization aware of the activities of
.the other. Tr. 4612-13 (Ianni).
J (a) General Electric B-19. General Electric ,e'm ploys a disciplined design process to control the design of structures, systems and compo-nents. Part of this process includes measures to ensure that design requirements are defined and design activities are car-ried out in a planned, controlled and orderly manner. Burns et al., ff. Tr. 4346, at 9; Tr. 4579-80 (Ianni).
l B-20. Our example of the disciplined design process at i
General Electric is utilization of the Product Safety l
Standarda, which establishes a consistent and accurate basis for meeting regulatory guides, regulations and industry standards. Tr. 4618 (Robare).
-125-
=--.- -. - . - - - . - _ - _ . - -
B-21. The General Electric design process also provides for design interface control. That is, procedures are in place to ensure that interfaces with other systems are con-sidered to minimize the possibility of adverse systems interac-tions. Burns et al., ff. Tr. 4346, at 10.
B-22. General Electric employs the system design concept. Design specifications and data sheets for a specific plant are developed early in the life of a project. These design documents provide the basis for classification of struc-tures, systems and components. , Lead systems engineers are assigned to each system to ensure that all design aspects, including classification, have been properly considered. Burns et al., ff. Tr. 4346, at 10-11.
B-23. General Electric installed lead systems engineers in their organization about 1973 or 1974. At that time, these lead systems engineers reviewed all plants under design, including Shoreham. This review included equipment classifications under then current requirements. Tr. 4608-10 (Robare, Ianni).
-126-
B-24. The design verification process at General Electric requires independent peer review of designs to confirm that the designers' methods and conclusions, including classi-fication, are consistent with requirements. Burns et al., ff.
Tr. 4346, at 12. All designs, including standard design speci-fications, are verified. Tr. 4633-34 (Ianni).
B-25. Shoreham also receives the benefit of verifica-tions and reviews done at other plants. If such a review uncovers a problem with one plant design, the lead systems engineers must determine whether,the issue applies to their system in general. Necessary changes must be implemented through General Electric's change control procedures. Tr.
4633-34 (Ianni); see also Tr. 5218 (McGuire) (feedback of operating information).
B-26. General Electric also employs a program of team design review. A team design review is a broad, formal, inde-pendent evaluation of designs by persons other than those di-rectly responsible for the design. These reviews are ongoing, and verify that General Electric's design meets functional, contractual, safety and regulatory standards, industry codes and corporate requirements. Burns et al., ff. Tr. 4346, at 13.
l
-127-l l
l
In addition, such reviews consider, among other things, the classification of the structure, system or component involved.
Id.
B-27. As part of this design review process, in 1979 General Electric conducted a complete review of the classifica-tion of equipment within the General Electric scope of supply.
This review considered both safety related and non-safety re-lated systems. Tr. 4628 (Ianni). The process involved a review of design documents and drawings to ensure that General Electric's design had been carri,ed out in accordance with the specifications. The specifications were also analyzed to confirm that they had called for the proper classification and level of quality assurance. Tr. 4609-23 (Ianni, Robare). Only one change resulted fr'om this review. Tr. 4631 (Ianni).
B-28. Another example of the design review process in-volved the containment design reviews started in the mid-1970's. As a result of phenomena discovered in the devel-opment of the Mark III containment, as well as developments in the state of the art and regulatory changes, General Electric undertook an extensive review of containment design. This review included a reevaluation of the Mark II containment,
-128-
which is utilized at Shoreham. The review consisted not only of reanalysis of the adequacy of the containment design but also ,a reanalysis of the entire nuclear steam supply safety systems. As a result of this reanalysis, General Electric con-cluded that the existing classification of equipment continued to satisfy applicable regulatory criteria. Tr. 4584-93 (Ianni, Robare).
B-29. General Electric has implemented a disciplined design change procedure to ensure that such design changes are
' adequately reviewed. Part of th,is review would include a check to ensure that the proper classification had been applied to
?,he equipment. In addition, complex design changes are reviewed and approved by a standing change control board con-sisting of senior engineering personnel. Burns et al., ff. Tr.
4346, at 13-15.
B-30. An important aspect of systems classifications is the experience of the design organization involved. General Electric research, development, and testing programs have covered all features of the BWR. Burns et al., ff. Tr. 4346, at 17. Shoreham was not designed in a vacuum, but rather was built.in accordance with a standard BWR 4 design. Tr. 4621-22
-129-
(Ianni). Thus General Electric was able to draw on the experience gained in designing the 18 BWR 4's operating or under, construction as well as the 18 BWR 1, 2, and 3's in operation. At the time the Shoreham design work started, General Electric had designed and placed into operation seven nuclear power plants. In addition, General Electric was de-signing 23 more nuclear power plants, both domestic and foreign. Burns et al., ff. Tr. 4346, at 15-19, 40.
B-31. General Electric has over 25 years of experience in the design of nuclear power plants.
This experience, including operating experience, has been brought to bear in the classificatien of equipment for Shoreham. These classifica-tions are very similar to those used in prior General Electric exper'ience. Tr. 4933 (Robare).
(b) Stone & Webster B-32. In order to ensure proper consideration of safe-ty classification, the Stone & Webster Engineering Corporation (SWEC) project is structured to promote the following:
(1) Effective communication of all the technical information being developed for the project; 1
-130-
(2) Effective organization to use and implement the flow of technical informa-tion; (3) Availability of information from other plants that shed light on classi-fication and systems interactions; and (4) Maintenance of written procedures that are audited to ensure systematic utilization of the three preceding elements.
Burns et al., ff. Tr. 4346, at 20-21.
B-33. Stone & Webster is organized in such a fashion that experience gained from previous projects is effectively transferred to new projects and so that multiple disciplines required for complex nuclear projects can be brought to bear on each individual project. The Stone & Webster engineering department is divided into 14 technical divisions, each of which provides expert engineers to individual projects such as Shoreham. These engineers are guided in their work.through the use of procedures and guidelines covering all aspects of the design process, including consideration of systems
-131-
classification. Burns et al., ff. Tr. 4346, at 21-22. The engineers assigned to a particular project such as Shoreham are aided in their work by specialists. The licensing division of Stone & Webster-provides regulatory information to ensure that regulations and regulatory guidance are correctly interpreted and applied. It also ensures consistency between the applica-tion of regulatory requirements for Shoreham and other Stone &
Webster projects. Id. at 22.
B-34. Technical specialists and technical consulting engineers in the areas of' heat e,xchange, steam plant heat bal-ance, system standards, shielding, nuclear safety, vibration analysis, piping, valves, pumps, HVAC, radwaste chemistry and processing, and others provide expertise to assist project engineers in carrying out their responsibilities. Included among such responsibilities are the classification of struc-tures, systems and components for a particular project. Burns et al., ff. Tr. 4340, at 23.
B-35. In designing the Shoreham plant, including systems classification, Stone & Webster drew upon many years of.
experience in the design of a variety of nuclear power plant types. Stone & Webster has participated in the design of PWR,
-132-
BWR, heavy water pressure tube, high temperature gas reactor (HTGR), and liquid metal fast breeder reactor (LMFBR) nuclear power plants. Nuclear power plants designed by Stone & Webster have demonstrated their safety and reliability, which tends to confirm the adequacy of Stone & Webster's classification of structures, systems and components. Burns et al., ff. Tr.
4346, at 23-24;-Tr. 4901 (Dawe).
B-36. Shoreham benefits from information developed at other Stone & Webster plants by various means. The problem report system, run by SWEC's Engineering Assurance Division, receives information on problems from all Stone & Webster projects, develops initial notification to all projects, and requires response from all projects to which the problem is ap-plicable. Tr. 4902 (Dawe). The various divisions within Stone
& Webster have periodic meetings to exchange information that may be of interest to several different projects. Tr. 4902-03 (Dawe).
B-37. During the time period that Shoreham was going through the classification processes, Stone & Webster had over 20 nuclear units going through the process. Tr. 4411 t'
(Riegelhaupt).
-133-
B-38. Shoreham was not the first or only BWR plant for which Stone & Webster had provided services. Stone & Webster provided construction services for Nine Mile Point Unit 1 and was the architect-engineer for the Easton and Fitzpatrick projects. Shoreham design benefited from Stone & Webster's ex-perience in these projects, as well as from its knowledge of many contemporary BWR projects. Tr. 4393-95 (Garabedian).
B-39. Through its project organization Stone & Webster reviews classification on a continuous basis through the use of the' classifications in everyday work. Further, classification would be reviewed if some new requirement were placed on a particular component. Tr. 4623-26 (Dawe).
(2) Systematic Analyses (a) Design Basis Analyses B-40. The nuclear power industry has been guided by a philosophy known as " defense-in-depth" since its beginning. In nuclear power plant design, defense-in-depth is applied through three levels of safety. These can be stated as follows: (1) provide a well-engineered plant that operates reliably; (2)
. provide protection against operat'ional transients due to
-134-
equipment failures or malfunctions; and (3) notwithstanding the protection provided by levels 1 and 2, provide multiple back-ups such that no undue risk is presented to the public as a result of postulated, unlikely accidents. Burns et al., ff.
Tr. 4346, at 27; Speis et al., ff. Tr. 6357, at 18-19.
B-41. The defense-in-depth concept is applied in the design basis approach. The Loss of Coolant Accident (LOCA),
which is used to determine site suitability in accordance with 10 CFR 100, exemplifies this fact. The Emergency Core Cooling Systems (ECCS) are designed to satisfy the requirements of 10 CFR 50.46, which limits fuel damage, and thus radioactive releases from the reactor core, in the event of a LOCA. Not-withstanding this ECCS design, the LOCA effects are assessed assuming the much larger radioactive source term specified in 10 CFR'100. These source terms could only result from an accident beyond that prevented by the ECCS design. Thus, the design of the containment system and its supporting systems have an added inherent margin of safety. Burns et al., ff. Tr.
4346, at 29-30.
B-42. Design basis accidents were evaluated to deter-mine the functions that had to be performed by the structures,
-135-
systems and components to ensure that the guidelines of 10 CFR 100 were not exceeded. Burns et al., ff. Tr. 4346, at 28-30.
Analy,ses of anticipated operational occurrences and accidents are used to verify that the proper structures, systems and com-ponents have been identified as safety related. Speis et al.,
ff. Tr. 6357, at 15.
B-43. A specific set of anticipated operational occur-rences and accidents are analyzed and documented in Chapter 15 of the FSAR to ensure that plant equipment will maintain consequences within specified, acceptable limits.
Speis et al., ff. Tr. 6357, at 16. It would not be possible to analyze or even define all possible accident sequences for any nuclear power plant. However, the transients (anticipated operational occurrences) and accidents analyzed are representative of classes of events that have been judged to be of significant severity and sufficient likelihood to require consideration.
The associated analysis methods and acceptance criteria are also conservative representations of actual or expected conclu-sions. Id. at 17-18.
B-44. Many of the transient and accident sequences, or 1
their effects, evaluated in Chapter 15 of the FSAR are
-136-
j identified in the General Design Criteria. The proposed GDC published in 1967 identified the following: loss of coolant accidents, loss of power to recirculation pumps, turbine gener-ator trip, reactor isolation from the heat sink, losc of offsite power, continuous rod withdrawal, rod drop, cold water addition, and fuel handling events. 32 Fed. Reg. 10213. In its present form, 10 CFR 50, Appendix A, includes all of these as well as stuck rod, steam line rupture, and reactor coolant temperature and pressure changes. 10 CFR 50, Appendix A.
B-45. The analyses in Chapter 15 of the FSAR assume 1
conservative initial plant conditions, core physics parameters, equipment availability, and instrumentation setpoints. Conser-vative core parameters (for example, heat fluxes, temperatures, pressures, and flows) are also assumed. Among the specific set 1
of transients and accidents analyzed are the limiting events resulting from both mechanistic and non-mechanistic equipment and system failures. The conservative bounding analyses performed are used to demonstrate that thec potential consequences to the health and safety of the public are within acceptable limits for a wide range of postulated events even though specific actual events might not follow the same
?
-137-
assumptions made in the analyses. In addition, the analyses performed are used to demonstrate that the potential conse,quences to the health and safety of the public are within acceptable limits (i.e., offsite exposures are less than the guideline exposures of 10 CFR Part 100) when only safety relat-ed equipment and systems are used to mitigate the consequences of the postulated events. Sufficient safety related equipment is provided to assure that essential safety functions will be performed even with the most limiting single failure. The definition of single failure is given in 10 CFR 50, Appendix A.
Speis et al., ff. Tr. 6357, at 1B-17.
B-46. The design basis accidents for Shoreham were de-termined through investigation of a spectrum of possible events. For each case, an evaluation was made to establish the highly unlikely accident to be used as the design basis in order to establish engineered safety features required to maintain the consequences of the accident within the limits of 10 CFR 100. These hypothetical enveloping accidents are essen-tially the same for all BWR plants, even though analyses unique to Shoreham were performed. Tr. 4938-40 (Garabedian, Robare).
-138-
r.
l B-47. In evaluating the design basis accidents, the r . 1
( safety related functions identified in 10 CFR 100, Appendix A must be assured. These Appendix A functions are refined into l more functional definitions, for comparison with system i
l l functions, to establish those systems that must be relied upon.
l This includes not only the systems performing the required functions, but also the systems necessary for supporting the operation of those primary systems. This process of function identification establishes the structures, systems and compo-nents included in the safety related set for the prevention and mitigation of design basis accidents. Tr. 4941-43 (Dawe).
B-48. Design basis accidents, as analyzed in Chapter 15 of the FSAR, utilize only safety related equipment for miti-gation. With a few exceptions, transients generally use safety related equipment for mitigation. In the few exceptions, non-safety related equipment would be considered active mitiga-tors of the transient. However, there are no transients that require non-safety related equipment for mitigation to prevent I
unacceptable accident consequences. Tr. 4437-38 (Robare).
B-49. An example of a transient analysis that uses i non-safety related equipment is the Feedwater Controller
-139-l t
_ _ . _ _ _. . _ _ . . . . . _ - , . . _ ___- . . _ . _ , _ . _ . .-,_______a.--._ _ . . , - . . _ . . _ _ _ . . - . _
l l
l l
l Failure (Maximum Demand) transient. The high water level l (Level 8) trip and the turbine bypass system are used to miti-gate the transient. The equipment used for these functions is not classified as fully safety related. Use of this equipment in mitigation of the transient is based on the consideration that the equipment is of high reliability and subject to peri-odic surveillance requirements in the technical specifications.
Furthermore, the Feedwater Controller Failure event with as-l sumed failure of the Level 8 trip and turbine bypass system would result in only very limited, if any, fuel failure and,
- thus, would not result in an undue risk to the health and safe-ty of the public. Speis et al., ff. Tr. 6357, at 23-24. There are no accidents or transients analyzed in FSAR Chapter 15 that lead to consequences exceeding 10 CFR 100 limits. Tr. 4803-04 (Robare).
(b) ANS-22 and Nuclear Safety Operational Analysis (NSOA)
B-50. ANS-22, " Nuclear Safety Criteria For the Design of Stationary Boiling Water Reactor Plants," establishes a dis-ciplined and systematic method for defining nuclear safety re-l l quirements for a BWR. It sets out functional safety l
l -140-l l _ . _ .. , ._. , - -
requirements for design, is responsive to NRC regulatory requirements and industry technical requirements, and provides a uniform basis for design safety requirements to be reflected in licensing documents. ANS-22 was used in establishing the classification of structures, systems and components for Shoreham. The equipment classification table in the Shoreham FSAR (Table 3.2.1-1) was structured to provide a description of these classifications with content and format similar to the presentation in ANS-22. Burns et al., ff. Tr. 4346, at 30-31.
B-51. ANS-22 evolved from a similar ANS standard developed for BWRs. In 1965, the AEC approached industry with the request that industry develop criteria to implement the AEC draft General Design Criteria soon to be issued for the first time. There were a number of objectives. Key among these was obtaining industry-wide agreement and providing a method for uniform assessment of the level of protection afforded the pub-lic. An important guide for development of the standard was to consider the complexities and interactions in relating various systems and components to one another. In 1970, the American Nuclear Society began to develop the standard for BWRs. The PWR standard formed the basic structure for the BWR standard
-141-
(ANS-22), but the BWR standard was expanded so as not to be limited to pressure sustaining components. By 1972, the draft standard ANS-22 was available and in use. ANS-22 has since been approved by the American National Standards Institute, and is identified as ANSI /ANS-52.1. As stated in each ANSI standard, "an American National Standard implies a consensus of those substantially concerned with its scope and content." The NRC (formerly AEC), General Electric, and Stone & Webster have been active in the development of this BWR standard from its inception. Burns et al., ff. Tr. 4346, at 31, Attachment 2.
B-52. ANS-22 discusses the safety functions to be performed, defines the safety related systems in terms of the safety functions, and discusses the design criteria for those systems in such areas as industry codes and quality assurance to be applied. ANS-22 provides this information for all of the typical BWR plant systems, but is not a substitute for the required plant specific studies to support classification. Tr.
4952-53 (Dawe).
B-53. ANS-22 and subsequent versions through the 1978 version (ANS 52.1) have addressed each of the General Design Criteria of 10 CFR Part 50, Appendix A for the BWR plant. The
-142-
applicability of the criteria is identified, and requirements specified, for plant structures, systems and components in the body,of the standard. Tr. 4953-54 (Garabedian).
B-54. In 1972, the draft of ANS-22 was utilized as part of an in-depth review of classification of structures, systems.and components. Regulations and regulatory guides were also used in the review. Classification was reviewed again in 1974 when ANS-22 was reissued. Such classification reviews are part of the engineering process when design changes are made.
Tr. 5504-05 (Garabedian). ,
B-55. ANS-22 and Regulatory Guides 1.26 and 1.29 are compatible documents that establish classification schemes and associated terminologies. Although the terminologies differ between the documents, the level of subgroup breakdown is con-sistent. LILCO, in the Shoreham FSAR, has generally used the terminologies of the Regulatory Guides but is consistent in categorization with both the Regulatory Guides and ANS-22. As indicated in the Standard Review Plan, either the ANS terminol-ogy or the Regulatory Guide terminology is acceptable to the NRC Staff. The use of this recognized terminology gives clear meaning to individuals using or reviewing the information. Tr.
-143-L. . . .
1 1
4948-52 (Dawe, Garabedian). This is true even.though the NRC has not endorsed this standard in a Regulatory Guide. Tr. 7755 (Conran).
B-56. During the period of the development of ANS-22, General Electric performed a comprehensive examination of the safety aspects of a BWR. This effort, called the Nuclear Safe-ty Operational Analysis (NSOA), systematically identified the sequences of events that must be considered for a BWR and those systems and components that must operate. By application of the NSOA and of previous design and operating experience, the ANS-22 Subcommittee was able to identify and classify systems that are safety related. Burns et al., ff. Tr. 4346, at 32.
1 B-57. The nuclear safety operational analysis is an event sequence diagram that assumes sequence initiating tran-sients and accidents and identifies the mitigating and backup equipment needed to terminate the events. Tr. 5414 (Robare).
B-58. The NSOA is utilized to identify and establish the requirements, restrictions and limitations that must be observed during plant operation by relating plant systems and components to the needs for their actions in satisfying the
-144-
nuclear safety operational criteria. The operating states in which each event is applicable are first indicated. Then, for each, event, a block diagram is presented showing the conditions and systems required to achieve each essential safety action.
The block diagrams show only those systems necessary to provide the safety actions such that the nuclear safety operational criteria are satisfied. The total plant capability to provide a safety action is generally not shown, only the minimum capa-bility essential to satisfying the operational criteria. Thus, the diagrams depict all essential protection sequences for each event. Once all of these protec' tion sequences are identified in block diagram form, system requirements are derived by con-sidering all events in which the particular system is employed.
The. analysis considers the following conceptual aspects:
(1) The BWR operating state; (2) Types of operations or events that are possible within the operating state; (3) Relationships of certain safety actions to the unacceptable results and to specific types of operations and events; (4) Relationships of certain systems to safe-ty actions and to specific types of operations and events; (5) Supporting or auxiliary systems essential to the operation of the front-line safe-ty systems; and
-145-
. - _ . = . _ - - _ _ - - - . ..
(6) Functional redundancy (the single failure criterion applied at the safety action level).
Burns et al., ff. Tr. 4346, at 32-33.
B-59. Each block in the sequence diagrams represents a finding of essentiality for the safety action, system or limit under consideration. Essentiality in this context means that the safety action, system or limit is essential to satisfying the nuclear safety operational criteria. Essentiality is de-termined through an analysis in which the safety action, system or limit being considered is completely disregarded in the analyses of the applicable operations or events. If the nucle-ar safety operational criteria are satisfied without the safety action, system or limit, then the safety action, system or limit is not essential, and no operational nuclear safety re-quirement would be indicated. When disregarding a safety action, system or limit results in violating one or more nucle-ar safety operational criteria, the safety action, system or limit is considered essential, and the resulting operational nuclear safety requirements can be related to specific criteria and unacceptable results. Thus, the system or component would be classified safety related. Stated differently, a system or
-146-1
--s -.m y . -- --
component needed to fulfill a safety action would be classified safety related. With the information presented in protection sequence block' diagrams, auxiliary diagrams and commonality of auxiliary diagrams, it is possible to determine the functional and hardware requirements for each system. This is done by considering each event in which the system is employed and deriving a limiting set of operational requirements. This limiting set of operational requirements establishes the lowest acceptable level of performance for a system or component, or the minimum number of components or portions of a system that must be operable in order that plant operation may continue.
Burns et al., ff. Tr. 4346, at 34. Attachment 3.
i B-60. The NSOA is a methodological approach to determining the number of systems required to achieve safety related objectives such as shutdown and emergency core cooling.
It was undertaken to provide an organized approach to identi-fying all the situations in which the safety related systems would be called upon. It is a comprehensive, systematic analysis. Tr. 5497 (Ianni). The NSOAs are described in detail in FSAR Appendix 7A. Burns et al., ff. Tr. 4346, at 32.
I
-147-
, . .- - - - . - . , _ . . _ , . - . , ~ .,m - , ,. ,__.,w.-__w . ,. - . . _ , - _ - _ . . _ , - n
B-61. The comprehensive, systematic analysis used in the NSOA formed one of the bases for ANS-22 and both, in turn, formed part of the methodology for classification of systems at l Shoreham. Burns et al., ff. Tr. 4346, at 34.
(3) NRC Regulations B-62. The guideline radiological dose levels provided in 10 CFR Part 100 were utilized to establish the adequacy of engineered safety features provided at Shoreham to mitigate the radiological effects of accidents that were postulated for site suitability considerations. Burns et al., ff. Tr. 4346, at 38.
B-63. The functions of the various structures, systems and components were identified and analyses performed to veri-fy, in the PSAR, that 10 CFR 100 limits would not be exceeded.
Tr. 4394-96 (Garabedian).
B-64. The criteria provided in 10 CFR 100, Appendix A for specifying those structures, systems and components that needed to be designed to remain functional under safe shutdown earthquake ground motion were applied in designating which structures, systems and components needed to be classified as seismic Category I and safety related. Burns et al., ff. Tr.
4346, at 38-39, 51-52.
-148-
__ . . _ _ . . _. _ _ .. = _ _ . _. _ _ - _ . .- . . - - _ _ - _ .
I i
r i
l i.
B-65. The General Design Criteria in 10 CFR 50, Appen-dix A were utilized to develop the safety criteria and standards applied to the design of Shoreham. These criteria are satisfied, in part, through the joint industry and AEC/NRC effort in establishing overall safety criteria for boiling water reactors. Burns et al., ff. Tr. 4346, at 39.
B-66. The General Design Criteria of 10 CFR 50, Appen-dix A can apply, in specific areas, to plant features that are r not safety related as well as those that are safety related.
An example is the offsite power system. ,
The criteria have been viewed in this way for-the Shoreham plant, and the philosophy of the General Design Criteria has been applied to the plant as a whole, as appropriate. Tr. 4485 (Dawe).
B-67. The General Design Criteria were considered ex-a plicitly for Shoreham. Plant structures, systems and compo-nents were specified in accordance with the preliminary criteria available in 1967. After 1967, when the GDC were embodied in 10 CFR 50, Appendix A, the Shoreham design was reviewed for conformance. Tr. 4954 (Garabedian).
1
- -149- t 1
l B-68. The Shoreham Preliminary Safety Analysis Report (PSAR) was first filed in 1968. The General Design Criteria of 10 CF,R 50, Appendix A, were not in the Code of Federal Regula-tions until 1971. However, the Shoreham PSAR did address draft versions of the General Design Criteria which were available in the late 1960s. The final and draft versions were compared for Shoreham in 1973 and the results used in assessing the status of Shoreham relative to current regulations. Tr. 4368-69 (Dawe).
1 B-69. The criteria of 10 CFR 50, Appendix B, were uti-lized to develop the quality assurance pregrams applied to all activities affecting the structures, systems and components of Shoreham that prevent or mitigate the consequences of postu-lated accidents that could cause undue risk to the health and safety of the public. The appendix is applicable to all activities that affect the safety related functions of such structures, systems and components. Burns et al., ff. Tr.
4346, at 39.
B-70. When GE classified an item as seismic Category l
I, 10 CFR 50, Appendix B, QA requirements were generally ap-r plied to that item. The exception to this is for items
-150-l i
l
i purchased or designed prior to the issuance of Appendix B. In those cases, however, the quality assurance applied' generally met all requirements subsequently embodied in Appendix B. Tr.
4375-76 (Robare).
B-71. 10 CFR 50.55a specifies the codes and standards to be used for components of the reactor coolant pressure boundary, inservice inspection requirements and the plant protection system. In addition, guidance is provided for ap-plicable code editions and addenda. This regulation was uti-lized for determining applicable codes and standards for the design of Shoreham. Burns et al., ff. Tr. 4346, st 39.
(4) NRC and Industry Guidance Documents B-72. The methodology and criteria specified in Regu-latory Guide 1.26, Revision 1, was used for determining quality group classification and design and fabrication requirements for fluid system components. Similarly, Regulatory Guide 1.29, Revision 1, was used for designating which structures, systems and components were required to be seismic' Category I. Burns et al., ff. Tr. 4346, at 35; Speis et al., ff. Tr. 6357, at 11, 12; Tr. 4869 (Dawe); FSAR Section 3.2.2 at 3.2-1.
I
-151- l l
l
I
, B-73. Although the design of Shoreham had commenced before these regulatory guides were available, they reflected a consi,deration of the same elements that went into the classifi-cation of systems at Shoreham. Thus, in large measure, when the guidas were issued, Shoreham was in compliance with them.
Efforts were then made to conform fully the Shoreham classifi-cation scheme to the regulatory guides. Burns et al., ff. Tr.
^
4346, at 35.
B-74. In accordance with the revisions of Regulatory Guides 1.26 and 1.29 applied to Shoreham, the determination of the classification of systems containing radioactive material (i.e., safety related or non-safety related) was based on
~
offsite dose upon failure. Items were classified non-safety
' related unless their failures would result in a dose exceeding 500 millirem at the site boundary. Tr. 4973, 4976 (Dawe).
B-75. Revision 1 of Regulatory Guide 1.26 was used by LILCO since this was the revision in effect at t.he time the FSAR was docketed. The current revision of Regulatory Guide 1.26 is Revision 3, which is not substantially different from Revision 1. As there are no changes in Revision 3 that would cause a change in the system quality group classifications of
-152-I t
{
the water, steam and radioactive waste containing components at Shoreham, the use of Revision 1 is acceptable. Speis et al.,
ff. Tr. 6357, at 12; Burns et al., ff. Tr. 4346, at 36-38.
B-76. Revision 1 of Regulatory Guide 1.29 was used by LILCO since this was the revision in effect at the time the FSAR was docketed. The current revision of Regulatory Guide 1.29 is Revision 3, which is not substantially different from Revision 1. As there are no changes in Revision 3 that would cause a change in the seismic classification of the structures, systems and components at Shoreham, the use of Revision 1 is acceptable. Speis et al., ff. Tr. 6357, at 11; Burns et al.,
ff. Tr. 4346, at 36-38.
B-77. NRC staff comparison of the classification of structures, systems and components of Shoreham to Regulatory Guides 1.26 and 1.29 indicates that these classifications are in conformance with the guidance contained in Revisions 1 and 3 of these regulatory guides. Speis et al., ff. Tr. 6357, at i 11-13.
l i
-153-1 l
I l
l (5) Ooerating Experience l
B-78. Shoreham is a BWR 4, a member of the fourth gen-eration of General Electric BWRs. There are 18 BWRs of earlier design (BWRs 1, 2 and 3) that are and have been safely l
l operating for some years. Moreover, there are 18 additional BWRs of the same design as Shoreham that are and have been operating safely for some time. In total, there are over 400 reactor years of safe operating experience at 41 General Electric BWRs. All of this operating experience has been brought to bear on Shoreham and serves to validate and confirm the design and classification of systems at Shoreham. Also worth noting is that Shoreham's systems classification is es-sentially similar to that of the LaSalle Nuclear Plant, one of the most recent plants to obtain an operating license. The l classification of Shoreham's structures, systems and components is comparable to-that of the 18 BWR 4s now licensed and operating and of all previous designs as well. Burns et al.,
ff. Tr. 4346, at 40.
(6) Alternate Methodologies B-79. New techniques such as probabilistic risk
-154-
assessment, failure modes and effects analyses, systems interaction analyses, and dependency analyses are not required by ei,ther the regulations or staff practice in the safety clas-sification of structures, systems and components. These tech-niques have, however, been used in some cases to look for weak points in plant systems designs or to evaluate the risk of particular event sequences. The techniques have been used to identify failure modes and the need for equipment changes, in-creased surveillance, additional testing, and improved proce-dures to reduce the risk of particular event sequences. Speis et al., ff. Tr. 6357, at 31-32. '
B-80. To date, there is no systematic method for using such techniques as probabilistic risk assessments (PRAs), fail-ure mode and effects analyses (FMEAs), interactions analyses or l
i dependency analyses for the purposes of safety classification of structures, systems and components. These techniques have very limited benefit and usefulness in determining either the safety related set, or the relative importance to safety of any plant feature. Tr. 6570-73 (Rossi).
B-81. There is reluctance among a large part of the NRC Staff to utilize PRA methodology for classifying safety
-155-
i i
systems. The methods that have been used have been proven by time, having worked successfully for 20 years or more. In the syste,m now in place, the design and design bases of the plant I are determined from conservative analyses, using conservative assumptions and conservative input parameters. Tr. 7600-01 (Conran).
B-82. With respect to classification, the main usefulness today for the newer methodologies is as a check on t
l what has been done in the past. At the time the plant was l
being designed, these methodologies were not as developed as they are-today. Even had they been, at the early stages of design, there would be insufficient design available to warrant their use. Tr. 4918 (Dawe).
- B-83. There is a connection between system classifica-l tion and systems interactions analyses. By classifying systems as has been done, and clearly identifying those that are safety l related, adverse interactions can be avoided. Although the NRC l Staff's program to develop alternate methods for systems inter-
! actions analyses is incomplete, work completed to date has not identified anything requiring reclassification as a result of systems interaction effects. In other words, in Denton t
-156-i L
Memorandum terminology, there has been no required reclassification from not important to safety to important to safety. Tr. 6518-20 (Rossi, Speis), 0020 ' C e . . c. ) , 6642-44 (Thadani).
- c. No Evidence of Improper Classification B-84. In its prefiled direct testimony, the County identified five systems that it asserted had been improperly classified by LILCO. Goldsmith et al., ff. Tr. 1114, at 38-39, 48-51. As explained in more detail below, the Board finds that LILCO has appropriately classified the components of each of the five systems targeted by the County. Those components that are appropriately safety related have been so classified, and the remaining components have been classified commensurate with their safety function.
(1) Standby Liquid Control (SLC) System e-B-85. The SLC System provides a backup to the control rod drives in the event of a multiple control rod drive fail-ure. The SLC System at Shoreham is not required to mitigate the consequences of accidents or to achieve safe shutdown from postulated accidents as required in 10 CER Part 100, Appendix I
-157-
A. The system performs only a backup reactivity control function. Therefore this system is not required to be fully safety related. Tr. 4880-83 (Robare, Dawe), 4887 (Robare);
Speis et al., ff. Tr. 6357, at 24-25.
B-86. In the event that not enough control rods could be inserted into the reactor core to shut down the reactor, the SLC system, pursuant to its design basis, would be operated to shut the reactor down from rated power' operation to the cold condition by injecting a boron solution into the reactor.
Burns et al., ff. Tr. 4346, at 159-60; Tr. 4889 (Robare). All of the SLC equipment essential for injecting boron solution into the reactor is classified as safety related equipment.
The SLC system provides redundant loops of safety related active equipment necessary for boron injection. The system can therefore survive a-single active failure. Nonessential compo-nents of the system are isolated from the main loops by Catego-ry I isolation valves to assure integrity of the main loops.
The redundant loops are powered by separate power sources capa-ble of being connected to the standby AC power for operation during a station power failure. Burns et a l,. , ff. Tr. 4346, at 160; Tr. 4888, 4890 (Robare); Speis et al., ff. Tr. 6357, at 24-25.
-158-1
B-87. Those portions of the SLC system that are not safety related are designed to high standards and appropriate steps are taken to ensure reliability of operation. For exam-ple, the temperature of the boron solution is maintained at an adequate level by a variety of features. The tank heater system, although not safety related, is highly reliable. It consists of redundant heaters--one automatically controlled by the tank temperature monitoring system, the other a larger man-ual heater to back up the automatic heater. Moreover, the heaters are used as a back up to the ambient heat in the reac-tor building, which will generally be at least 70 degrees Fahr-enheit in the SLC system area during reactor operation. Even with failure of all heaters and the ambient heat source, the tank solution will not precipitate immediately. Instruments are provided to monitor the tank solution temperature. Should i
the temperature drop below a pre-set temperature (11 degrees Fahrenheit above the maximum saturation temperature), an alarm would alert the operator-to take corrective action. Finally, the tank solution contents, concentration, and temperature are monitored at least once per 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in accordance with Shoreham proposed Technical Specifications 4.1.5. Burns et al., ff. Tr. 4346, at 160-61; Tr. 4897-900 (Robare, Dawe).
f l
-159-
B-88. With redundant active components, the SLC system meets single failure criteria for single active failures.
Since, single passive failures of mechanical components are only required by application of NRC rules to be considered in the long term, and since the SLC system has no function in the long term, the system also meets the criteria for single passive failures of mechanical components. Tr. 4890-92 (Robare, Dawe).
B-89. The SLC system is properly classified in light of its function and design basis. Burns et al., ff. Tr. 4346, at 161.
(2) Rod Block Monitor (RBM)
B-90. The Rod Block function is designed to prohibit erroneous withdrawal of a control rod so that local fuel damage does not occur. The RBM at Shoreham is not required to be classified as safety related because it is not needed to meet the criteria of 10 CFR Part 100, Appendix A. In particular, the RBM is not needed to mitigate any accident, including a control rod drop accident. Burns et al., ff. Tr. 4346, at 141
- n. 38, 142-43; Tr. 4787-95, 4798 (Robare, Dawe). The principal
{ objective of the RBM is to lengthen fuel life by minimizing 4
-160-
local flux peaking. The RBM will initiate a rod block signal to the rod drive control system to stop rod drive motion, thus preventing local fuel damage. Burns et al., ff. Tr. 4346, at 141.
B-91. The RBM operates to prevent an operator from continuing the erroneous withdrawal of a rod. Because of the speed at which rod withdrawal occurs, such an event would be a mild transient. Tr. 4792-95 (Robare, Dawe).
B-92. There are three components of the rod blocking function:
(a) The signals that the RBM receives from the reactor; (b) The RBM itself (the electrical de-vices that determine that the rod should not be withdrawn farther); and (c) The rod drive control system, which initiates and terminates the rod drive motion.
Burns et al., ff. Tr. 4346, at 141 n. 37, 142.
B-93. Though not required to be classified as safety related given its function and design basis, both the signals j the RBM receives to make the determination to halt a further i rod withdrawal and the RBM itself are fully safety related.
-161-l I
Burns et al., ff. Tr. 4346 at 142; Tr. 4796-98 (Robare). Thus, all components necessary to determine a need to stop further l rod withdrawal are safety related.
B-94. The following features are included in the RBM design and construction at Shoreham:
(a) Redundant, separate, and isolated RBM channels; (b) Redundant, separate, isolated rod selection information, including iso-lated contacts for each rod selection push button, are provided directly to each RBM channel; I
(c) Separate, isol'ated Low Power Range Monitor amplifier signal information is provided to each RBM channel; I
l
- (d) Separate and electrically isolated l recirculation flow inputs are provided to the RBM's for trip reference signals; (e) Independent, separate, isolated Av-erage Power Range Monitor reference signals are provided each RBM channel; l
(f) Independent, isolated RBM level readouts and status displays are provid-ed from the RBM channels; (g) There is a mechanical barrier between channel A and channel B of the manual bypass switch; l
(h) Independent, separate, isolated rod block signals are provided from the RBM
- channels to the manual control system l
circuitry; and f
-162-l l
l
(i) Loss of power to the RBM will cause a rod block.
Burns et al., ff. Tr. 4346, at 142.
B-95. The RBM is redundant and has two channels. Ei-ther channel in a trip condition will prevent rod withdrawal.
Both channels of information must agree before rod motion is permitted and only one of the RBM channels-is required to trip to prevent rod motion. Burns et al., ff. Tr. 4346, at 142.
Tr. 4803-05 (Robare, McGuire).
B-96. The RBM also has a self-test feature. Burns et al., ff. Tr. 4346 at 143. Moreover, the technical speci-fications will require that operability of the RBM function as well as its self-testing feature be demonstrated periodically.
Burns et al., ff. Tr. 4346, at 143, Attachment 8; Staff Exhibit 2A (SER), paragraphs 7.6.4, 7.6.11.
B-97. The Shoreham RBM, though not fully safety relat-ed, was nonetheless reviewed by the Staff (NRR) pursuant to the acceptance criteria contained in the Standard Review Plan. Tr.
4782 (Speis). As the SER reflects, as a result of this review and on the basis that the technical specifications will require periodic operability verification of the self-test feature, the
-163-L...., .. . . . .
Staff concluded that the RBM design and the classification of its various components at Shoreham was acceptable. Tr. 7482-85 (Speis, Kirkwood); Shoreham Staff Exhibit 2A (SER), paragraphs 7.6.4, 7.6.11.
B-98. The only aspect of the rod block function that is not safety related is the Reactor Manual Control System (rod drive control system), which receives the signal from the rod block monitor to stop rod motion. Burns et al., ff. Tr. 4346, at 142-43; Tr. 4796-97 (Robare). Although the Reactor Manual Control System (RMCS) is not designed to full safety system standards, it has been proven to be a high quality system as evidenced by successful operating experience. Moreover, plant operators continuously use the rod drive system during normal plant operation. Burns et al., ff. Tr. 4346, at 143; Tr. 4798 (Robare).
B-99. The quality standards applied to the RBM systems are commensurate with the safety function performed. Tr.
5440-41 (Robare).
t
-164-
(3) Reactor Core Isolation Cooling (RCIC) System B-100. The RCIC system is a high pressure system that provides core cooling during reactor shutdown in case of a loss of flow from the main feedwater system. Burns et al., ff. Tr.
4346, at 143. The RCIC system is also available to back up the High Pressure Coolant Injection (HPCI) system by providing coolant makeup at high pressure conditions. The RCIC system is not designed for emergency core cooling. Rather, it is used to provide makeup water following a containment or reactor isolation under normal conditionh, not under accident conditions. Tr. 4806 (Robare).
B-101. The RCIC system is virtually fully safety re-lated and this is reflected in the FSAR Table 3.2.1-1. Those portions of RCIC required for injecting coolant into the vessel are all safety related. Tr. 4813-16 (Robare), 7129 (Hodges);
Burns et al., ff. Tr. 4346, at 144. There is good assurance that it is a high quality system. Tr. 7129 (Hodges). The me-chanical aspects of the RCIC system are constructed to the same quality standards as the ECCS; it is a Quality Group B system
) constructed to Section 3, Class 2 of the ASME Code, seismic
-165-
-category I, and with the scope of the Appendix B program. Tr.
7131 (Kirkwood).
B-102. Because the RCIC system is not part of the ECCS, it_is not required or relied upon in FSAR Chapter 15 accident analysis. Tr. 4806, 4813 (Robare); Burns et al., ff.
Tr. 4346, at 144.
B-103. While the RCIC system is available to back up HPCI, RCIC is not designed or required to serve as a backup to HPCI during a loss of coolant accident as part of ECCS. The RCIC system capacity is approximately 11% of the HPCI system capacity and therefore is not a backup for ECCS accident miti-gation. Tr. 4810-11 (Robare, McGuire).
B-104. The HPCI system is the high pressure system that is relied upon in the ECCS accident analysis. No credit is taken for RCIC in this analysis. In the ECCS accident analysis, if the HPCI system fails and the line break is small and does not itself'depressurize, the Automatic Depressuriza-tion System (ADS) system is used to depressurize the system so that low pressure injection systems can be used. The ADS
) system, coupled with the low pressure systems, but not RCIC,
-166-
provides the redundancy and accident mitigation backup for HPCI. Tr. 7130, 7132 (Speis, Hodges), 4807-13 (Robare, Dawe, McGui,re).
B-105. RCIC is a backup for HPCI only in the sense that it is available to perform a cooling function if HPCI fails. Tr. 4807-13 (Robare, Dawe, McGuire), 7130, 7132 (Speis, Hodges). This function of RCIC is not a safety function. Tr.
4806, 4813 (Robare).
B-106. While LILCO neither takes credit for nor relies upon the RCIC system in FSAR Cha'pter 15 accident analysis, it is condsidered a backup for HPCI in the control rod drop accident. This is the only possible safety function for RCIC.
For this RCIC function, the RCIC is fully safety related. Tr.
4813-15 (Robare); Burns et al., ff. Tr. 4346, at 144.
B-107. The RCIC system was reviewed by the Staff (NRR) pursuant to the acceptance criteria contained in the Standard Review Plan. Tr. 7482 (Speis). As a result of this review, the Staff (NRR) concluded that all portions of the system that are required to perform a safety function are safety related
) and that the RCIC system is an acceptable backup to the HPCI
-167-
system'for core cooling subsequent to a control rod drop accident. Tr. 7485-87 (Kirkwood, Hodges); Speis et al., ff.
Tr. 6357, at 25; Staff Exhibit 2A (SER), paragraph 7.4.1.
B-108. Almost all of the RCIC system is classified as safety related. The only significant area in which the system is not fully safety related is in its control and instrumen-tation. Even there, many aspects are safety related. The system components that provide the safety functions of detecting low water level and injecting water into the vessel are qualified for safety related operations. Tr. 4813-14 (Robare); Burns et al., ff. Tr. 4346, at 144. The safety functions of the control and instrumentation are also designed in accordance with safety system criteria. Moreover, the RCIC system is separated in a completely different electrical divi-sion from the HPCI system. Burns et al., ff. Tr. 4346, at 144.
B-109. The components of the RCIC that are not safety related include the barometric condenser, whose failure would not preclude systems operation, and four control room indicators, whose failure would not affect the automatic operation of RCIC. The only other aspect of the RCIC design that does not meet full safety criteria is the single channel
-168-ni e iiiii i - i --i----
high level trip, which prevents overfill of the reactor vessel.
This does not affect the operation of any safety function the system might perform. Burns et al., ff. Tr. 4346, at 144.
B-110. Based on the foregoing, the Board finds.that RCIC is virtually a fully safety related system and that it is fully safety related for any safety function it might perform.
The RCIC system is appropriately classified and designed commensurate with the functions it performs. Tr. 5439 (Robare).
(4) High Water Level (Level 8) Trip of Main Turbine and Feedwater Pumps B-111. The Level 8 Trip system is desianed to prevent the water level in the reactor vessel from reaching a height at which it could flow through the steam lines into the turbine.
The system provides a signal to shut down both the main turbine and the feedwater pumps, thus terminating a high level distur-bance. Should the Level 8 Trip fail to operate in a high level scenario, the feedwater system would not trip and the plant would experience a transient equivalent to the feedwater con-troller failure (analyzed in FSAR Chapter 15) with a concurrent Level 8 Trip failure. Water level would continue to rise until
-169-
either manual operator action or main turbine vibration provided a subsequent automatic trip. Burns et al., ff. Tr.
4346,,at 145.
B-112. A Level 8 Trip failure would not have a signif-icant impact.on the transient event severity, nor would it result in an undue risk to the health and safety of the public.
Burns et al., ff. Tr. 4346, at 145; Speis et al., ff. Tr. 6357, at 24.
B-113. The Level 8 Trip is not required to be safety related because it does not perfbrm a safety function. Tr.
4820 (Robare). Though not required to be safety related, the Level 8 Trip is nonetheless a high quality designed and manufactured system that meets the single failure criteria.
Tr. 4819-20 (Robare); Burns et al., ff. Tr. 4346, at 145-46.
The vessel water level-differential pressure transmitters and other instrumentation and' control components associated with the Level 8 Trip, though not classified safety related, are identical in design and manufacture to the fully safety related components associated with the ECCS and RPS low vessel water level trips. Id.; Tr. 4820-21 (Robare). The quality standards applied to the Level 8 Trip are commensurate with any safety function performed. Tr. 5440 (Robare).
-170-t __ . _
B-114. The Level 8 Trip includes redundant level sensors and trip circuits with electrical isolation between the redundant portions. Speis et al., ff. Tr. 6357, at 27. There are'three trip channels with independent power supplies, two on battery busses and one on an instrument buss so that any single electrical failure will have no effect on system functions.
Burns et al., ff. Tr. 4346, at 145; Staff Exhibit 2A (SER),
paragraph 7.6.11.
B-115. The time period during which portions of the Level 8 Trip may be inoperable will be controlled in the technical specifications. Speis et al., ff. Tr. 6357, at 27.
Moreover, periodic surveillance of the operability of the Level 8 Trip will also be included in the technical specifications.
Staff Exhibit 2A (SER), paragraph 7.6.11; Burns et al., ff. Tr.
4346, at Exhibit 8.
B-116. The Level 8 Trip signal is assumed to operate in the Chapter 15 transient analysis in the feedwater control-ler failure event. During this transient, it is assumed that the feedwater controller loses its function and erroneously in-itiates a maximum feedwater flow. The higher feedwater flow increases the reactor water level. Neutron power will also
-171-
increase and settle at a higher level but will remain below scram initiation point. Water level would then continue to rise until it reached-the high water level (level 8) trip setpoint. Normally, the level 8 signal would trip the turbine and shut down the feedwater pumps to terminate the disturbance.
Should the Level 8 Trip fail, there would be a delay in the trip of the turbine until either manual operator action is taken or until wet steam begins to enter the turbine producing-a trip on increased vibration. Analyses show that the effect of level 8 failure does not have a significant impact on the
. transient event severity. Burns'et al., ff. Tr. 4346, at 145.
B-117. The Level 8 Trip was-reviewed by the Staff (NRR) pursuant to the acceptance criteria contained in the Standard Review Plan. Tr. 7482-83 (Speis). Based'on that review and the technical specification requirement relating to operability, the Staff has approved the design and classifica-tion of the Level 8 Trip. Tr. 7482-85 (Speis); Speis et al.,
ff. Tr. 6357, at 9-11.
B-118. For the foregoing reasons, the Board finds that the Level 8 Trip is appropriately classified given that it does I
not perform a safety function and given its high quality, single failure criterion capability.
-172-
(5) Turbine Bypass System B-119. The turbine bypass system is used during normal start'up and shutdown to pass partial steam flow to the main condensor. Burns et al., ff. Tr. 4346, at 146; Tr. 4766 (McGuire), 4824 (Dawe). The turbine bypass valves also operate automatically following a turbine trip or load rejection. Fol-lowing a turbine trip or a generator load rejection, the tur-bine stop valves or the turbine control valves will close imme-diately to stop the steam flow to the turbine. The accumula-tion of steam in the vessel pressurizes the reactor. ,
The tur-bine bypass valves are designed to open automatically under such conditions in order to reduce the pressurization rate by directing some steam (25% of full power) to the condensor.
Should the bypass valves fail to open, reactor vessel pressure would be somewhat higher, and the transient impact on the fuel would be increased. Analysis at full power conditions shows, however, that bypass failure would increase the change in Crit-ical Power Ratio (CPR), an index relating to the reactor fuel heat transfer capability, by less than 0.08. The overall effect is a slight reducton of the fuel heat transfer capabili-ty. Nonetheless, the majority of the fuel is still maintained
-173-
well above the CPR limit criteria. The resulting dose effect (if any) does not approach a small fraction of the 10 CFR 100 criteria. Burns et al., ff. Tr. 4346, at 146-47.
B- 12 0. . At normal power (100%), the turbine bypass valves will not prevent operation of the safety relief valves (SRV's) following a turbine trip or load rejection. Tr.
4757-58, 4825 (McGuire). The only effect of the operation of t'he turbine bypass system in these circumstances is to permit the SRV's to close sooner. Tr. 4758, 4825 (McGuire). Thus, the turbine bypass is not chiefly used to prevent challenges to the safety relief valves but rather for normal operations functions, particularly startup and shutdown. Tr. 4765-66 (McGuire),-4824 (Dawe).
B-121. While there may be some circumstances in which the operation of the turbine bypass system would prevent chal-lenges to the SRV's, this is not a safety function. Tr. 4769 (McGuire).
B-122. The classification of the turbine bypass system is in full accord with the requirements of Regulatory Guide 1.26, Revision 1 and 3, including footnote 5, and with the
-174-
Standard Review Plan and Branch Technical Position incorporated therein relating to the turbine bypass system. Burns et al.,
ff. Tr. 4346, at 148, Attachment 7. Accordingly, some portions of the turbine bypass system are appropriately safety related and others are not. Those portions not required to be safety related still meet quality standards commensurate with their function. Burns et al., ff. Tr. 4346, at Attachment 7; Tr.
5441 (Dawe).
B-123. The turbine bypass system, described in ESAR Section 10.4.4, consists of two steamlines from the main steam header to the bypass valve chest, four bypass valves, and four steam leads-to the condenser, each including a pressure reducer at the condenser connection. The bypass valves are controlled by the turbine generator electro-hydraulic control (EHC) system. The power supply to the control system is from 120 VAC uninterruptible instrument and control power for high reliability and plant availability. This power source, al-though not safety'related, is available following loss of offsite power. In addition, an alternate power source is pro-vided from a shaft driven permanent magnet generator supplied with the main turbine. Burns et al., ff. Tr. 4346, at 147.
-175-l Y
t
-m n--, ,, a;mi- _
3.-,, ,- -
B-124. The steam lines up to, but not including, the turbine bypass valves are safety related (Quality Group B, QA Category I, Seismic Category I). The turbine bypass valves are Quality Group D, QA Category II, Seismic Category NA. The tur-bine bypass valves are, however, subject to the extensive qual-ity assurance program of the supplier, General Electric, Large Steam Turbine Generator (GE-LSTG). This program is documented in GE-LSTG publication GEZ-4982A, " General Electric Large Steam Turbine Generator Quality Assurance Program." The EHC system l is also subject to GEZ-4982A. The bypass system piping down-stream of the bypass valves is n'ot safety related. It is designed, inspected, and tested in accordance with ANSI B31.1.
Burns et al., ff. Tr. 4346, at 147-48.
B-125. The quality standards and quality assurance program applied to the turbine bypass system is documented in j the General Electric publication GEZ-4928A entitled, " General Electric Large Steam Turbine Generator Quality Assurance Pro-gram." Burns et al., ff. Tr. 4346, at 148. This document is endorsed by the Staff in the Standard Review Plan 3.2.2. Tr.
7475-81 (Kirkwood, Haass); Burns et al., ff. Tr. 4346, at At-l tachment 7 (3.2.2-11, 12).
-176-
B-126. GEZ-4982A describes the practices and proce-dures employed in design, manufacture, procurement, and testing of the turbine generator system to ensure products of high quality and reliability. As stated by GE-LSTG in GEZ-4982A (marked as LILCO Exhibit 15 for identification), the standards l
and procedures used were based on sound, documented analysis.
and test results, along with substantial experience, and are more suitable to the specialized components of this system than existing codes and standards for products intended for more i general service. The program outline in GEZ-4982A includes such measures as detailed design' procedures, material certifi-cation, subvendor inspection, in process quality control, audits, and recordkeeping. The program also includes t
nonconformance documentation and engineering disposition. The turbine bypass system was field erected under the supervision l
of GE-LSTG, received quality control under the Shoreham Con-struction Site Inspection Program, and is subjected to a preoperational test program as opposed to acceptance tests.
Burns et al., ff. Tr. 4346, at 148-49.
B-127. The turbine bypass system, in addition to receiving the GEZ-4982A quality standards and quality assurance 1
-177-l 1
program, is also subjected to the preoperational test program and the startup test program. Burns et al., ff. Tr. 4346, at 149.
B-128. Substantial operating experience exists with respect to the turbine bypass system and this experience confirms its reliability. Tr. 5433-34 (Dawe, McGuire); 7128 (Hodges); Staff Exhibit 2A (SER), paragraph 7.6.11.
B-129. The Staff (NRR) reviewed and approved for Shoreham the classification of the turbine bypass system and the commitment to a quality standards and quality assurance program for_the turbine bypass system as embodied in GEZ-4982A.
Tr. 7474-82 (Kirkwood). The classification and quality re-quirements relating to the turbine bypass system were reviewed to the criteria set forth in Standard Review Plan 3.2.2. Id.
B-130. In addition to being subjected to the Staff approved quality program (GEZ-4982A), the turbine bypass system will also be subjected to periodic surveillance to confirm its operability as set forth in the technical specifications.
Speis et al., ff. Tr. 6357, at 27. In addition, the turbine bypass system has also been reviewed by the Staff (NRR) in
-178-W W ~ *
- - ~ ~?
connection with the role this system plays in the fe'edwater controller failure event. Based on this review and based on the technical Lpecification surveillance requirements, the Staff has approved the classification and design of the system.
Staff Exhibit 2A (SER), paragraph 7.6.11; Tr. 7482-85 (Speis, Kirkwood).
(6) Alleged Inconsistencies in FSAR Table 3.2.1-1 B-131. In its testimony on this contention Suffolk County alleges that there were inconsistencies and errors in i the classification of structures, systems and components- shown in FSAR Table 3.2.1-1. Goldsmith et al., ff. Tr. 1114, at 22-30. These alleged errors or inconsistencies can be summa-rized as (1) alleged improper' treatment of Quality Group "D" in l
Regulatory Guide 1.26 as non-safety related; (2) alleged incon-sistent classification of components in the reactor water clean-up system; (3) alleged inconsistencies between'the quali-ty assurance classification and the seismic classification of i
some structures, systems and components; and (4) the alleged l inadequate level of detail contained in Table -3.2.1-1. Id.
1 i
L l
l -179-l
s lry l i l' -
H (a).Use of. Quality Group D as Non-Safety Related B-132. Regulatory Guide 1;26, " Quality Group Classi-fications and Standards for Water, Steam, and Radioactive Waste Containing Components of Nuclear Power Plants," Revision 1, dated September 1974 (LILCO Exhibit No. 3) specifies one means approved bysthe NRC Staff for classification of fluid system components for a nuclear power plant. LILCO has committed to comply with.the guidance. contained in Revision 1 of the Regula-C tory Guide. Burns et al., ff. Tr. 4346, at 35.
B-133. Paragraph C.3 of Regulatory Guide 1.26, Revi-sion 1 describes ' Quality Group D components as those which are not Quality Group A, B or C, but part of systems that contain or ma'y contain radioa'ctive; material.
Burns et al., ff. Tr.
l 4346, at 162; LILCO Exhibit 3, ff. Tr. 1487-A, at 1.26-3. Al-l though some of the introductory language in the Guide might give the , impression that Quality Group D is a safety related category, when read in the overall context of the Guide, it is not. Tr. 4867,(Dawe).
B-134. As indicated in Table 1 of the Regulatory y Guide, the quality standards that apply to Quality Group D I
- e -180-l
I I
components are general industry standards. Burns et al., ff.
Tr. 4346, at 162; Tr. 1490 (Goldsmith). In contrast, the recognized nuclear code at the time Revision 1 of Regulatory l Guide 1.26 was issued, was the ASME Boiler and Pressure Vessel Code, Soction III. Burns et al., ff. Tr. 4346, at 162.
B-135. A comparison of paragraph C.3 of Regulatory Guide 1.26, Revision 1 to paragraphs C.1 and C.2 indicates that l
the components within Quality Group D are not necessary to per-form safety related functions. Burns et al., ff. Tr. 4346, at.
, 162.
l s l B-136. The NRC Staff has always interpreted Quality l Group D classification in Regulatory Guide 1.26, Revision 1 to be a non-safety related classification. This is evident by the fact that the NRC in its latest standard review plan l
,, (NUREG-0800, Revision 1, July 1980), Section 3.2.2, equates the classification scheme contained in the Regulatory Guide with that contained in corresponding American Nuclear Society (ANS) classification systems. ANS-22, " Nuclear Safety Criteria for i the Design of Stationary Boiling Water Reactors," (and ANSI /ANS 52.1 which superceded it) has three safety-related categories j (SC-1, SC-2, SC-3) which correspond to Quality Groups A, B and
-181-
l l
i C contained in the Regulatory Guide. The fourth category in the ANS standard called "Other Systems, Structures and Compo- !
nents,(OSSC)" corresponds to Quality Group D of the Regulatory Guide. Moreover, Appendix B to SRP 3.2.2 further indicates i
that Quality Group D is not a safety related classification in that it shows Quality Group D components to be non-seismic cat-egory I. Burns et al., ff. Tr. 4346, at 163.
l l
- B-137. NRC Staff testimony on this issue also indi- ;
t cated that the Staff does not consider Quality Group D to be a safety related classification. Speis et al., ff. Tr. 6357, at 14.
I B-138. On cross-examination, at least one of SC's witnesses agreed that, based on his. experience, it had been in-l dustry and NRC practice to consider category D as non-safety related. Tr. 1486 (Goldsmith). The County's belief that an i
inconsistency existed was based solely on a reading of the lan-guage in the regulatory guide. Tr. 1482-83 (Minor). But the witness admitted that there would be no inconsistency if it had been Staff and industry reading to treat category D as l non-safety related. Tr. 1499-1500 (Minor).
-182-
B-139. LILCO's use of Quality Group D as a non-safety related category is consistent with classification schemes used in other license applications submitted to and reviewed by the Nuclear Regulatory Commission. Burns et al., ff. Tr. 4346, at 163-64.
B-140. The NRC Staff has reviewed the classification scheme for structures, systems and components at Shoreham, including the use of Quality Group D, and has concluded that LILCO complies with guidance contained in Regulatory Guide 1.26, Revision 1. Speis et al., ff. Tr. 6357, at 12. In the Shoreham Safety Evaluation Report, the Staff stated:
We have reviewed the classification of the pressure-retaining components of those fluid systems identified in Tables 3.2.1-1 and 3.2.1-3.of the Shoreham Final Safety Analysis Report and on the l system piping and instrumentation dia-grams in Sections 5, 6, 9, 10, and 11 of the Shoreham Final Safety Analysis Report and we find them to be accept-l able.
The basis for acceptance in our review has been the conformance of the pressure-retaining components of fluid systems important to safety with General Design Criterion 1, the requirements of I
the codes specified in Section 50.55a of the 10 CFR Part 50, and to Regulatory Guide 1.26.
t i
-183-I
?
I i
4
i i
Staff Exhibit 2A (SER), 3.2.2 at 3-2.
(b) Reactor Water Cleanup (RWCU) System B-141. SC/ SOC alleged that inconsistencies exist between Quality Group and Quality Assurance categories in FSAR Table 3.2.1-1. Three instances were noted in the RWCU where Quality Group C (safety related) and Quality Assurance Category l II (non-safety related) and Seismic Category N/A (non-safety related) are applied with apparent inconsistency. Goldsmith et
! a_1., ff. Tr. 1114, at 25.
I 1 .
B-142. RWCU classifications in Table 3.2.1-1 are con-sistent with industry standard ANS-22 not requiring that RWCU components outside the reactor coolant pressure boundary (RCPB) l be safety related. The ANS designation would normally be the l
l equivalent of Regulatory Guide 1.26 Quality Group D. Burns et I
al., ff. Tr. 4346, at 165.
B-143. The RWCU system also qualifies as Quality Group C in Regulatory Guide 1.26 since a portion is connected to the l
RCPB. However, since no safety function is performed by the l RWCU, components outside the RCPB need not be safety grade.
l Hence, the minimal classifications required are "C," "II,"
"NA." Burns et al., ff. Tr. 4346, at 165.
-184-l
B-144. Thus, the apparent inconsistencies in Table 3.2.1-1 are justified since the minimum standards have been met or exceeded for all RWCU components. Burns et al., ff. Tr.
4346, at 165.
B-145. Suffolk County's testimony that an inconsisten-cy existed was based on a review of Table 3.2.1-1 and not a review of other sections of the FSAR. Tr. 1501 (Minor). The County also did not determine whether the items in question had any safety related function, and thus should have been given safety related treatment. Tr. 1502-04 (Minor).
(c) Alleged Inconsistencies Between Quality Assurance Classification and Seismic Classification B-146. .As noted above, one group of the alleged inconsistencies in LILCO's classification scheme for struc-tures, systems and ccmponents at Shoreham was related to the quality assurance category and the seismic category assigned to particular items in table 3.2.1-1. Goldsmith et al., ff. Tr.
1114, at 27. The suffolk County testimony did not contain any analysis of whether alleged inconsistencies were in violation of any NRC regulations or NRC Staff regulatory guidance. In
-185-
i fact, on cross-examination it became clear that the witnesses had not done an investigation beyond a review of the table to deter,mine whether the components in question were, in fact, properly classified. See, e.g., 1509, 1522 (Minor), 1525 (Goldsmith).
B-147. In at least one instance (relating to SPDS items) the SC/ SOC witnesses were aware that the LILCO classifi-cation was consistent with NRC guidance. The SC/ SOC concern was not that the items should have been safety related but that (a) the table did not reference the appropriate guidance and (b) the table did not indicate the level of quality assurance provided beyond the fact that the items are QA Category II.
Tr. 1535-37 (Minor).
B-148. LILCO's prefiled testimony addressed each of the alleged inconsistencies between the QA and seismic class-ifications that had been cited in the Suffolk County testimony.
The analysis presented by LILCO demonstrated that the struc-tures, systems and components in question had, in fact, been classified properly. Burns et al., ff. Tr. 4346, at 165-69; Tr. 4871-72 (Dawe).
i l -186-l l
l L
B-149. The NRC Staff concluded that classification of structures, systems and components at Shoreham was consistent with Regulatory Guide 1.29, Revision 1, dealing with seismic design classification and Regulatory Guide 1.26, Revision 1, dealing with the classification of fluid systems. Speis et al., ff. Tr. 6357, at 10-13.
(d) Level of Detail in Table 3.2.1-1 B-150. The purpose of FSAR Table 3.2.1-1 is to provide "a summary of the classificaton of Shoreham's structures, systems and components." It .s hot intended to be a detailed component list for Shoreham. Burns et al., ff. Tr. 4346, at 170-71; Tr. 10,200 (Muller).
B-151. The table does not establish or record detailed classification for all structures, systems and components in the plant. Nor is the table used as the controlling document for quality assurance activities. Burns et al., ff. Tr. 4346, at 171; Tr. 10,200-02 (Muller, Kelly, Museler).
B-152. In order to determine the classification of equipment at Shoreham, engineering and quality assurance per-sonnel use design documents and specifications. Tr. 10,200 (Muller).
-187-
l-B-153. FSAR Table 3.2.1-1 is comparable in detail to-t Table A of ANS-22, " Nuclear Safety Criteria for the Design of l
Stati,onary Boiling Water Reactor Plants." Burns et al., ff.
Tr. 4346, at 170.
B-154. It is also consistent with the level of detail t
provided in the classification tables contained in FSAR for comparable boiling water reactors including LaSalle and Susquehanna. Burns et al., ff. Tr. 4346, at 170; Speis et al.,
ff..Tr. 6357, at 11.
l B-155. Since Table 3.2.1-1 is a summary table for systems, structures and components, it contains items in addition to those addressed in Regulatory Guides 1.26 and 1.29.
In fact, there have been discussions between the NRC Staff and LILCO concerning the addition of certain items to the table.
As a result of those discussions, certain items were added to Table 3.2.1-1. Burns et al., ff. Tr. 4346, at 171-72; Speis et al., ff. Tr. 6357, at 15.
I B-156. Many of the issues raised by Suffolk County regarding the classifications contained in Table 3.2.1-1 in-
! volved a lack of understanding of the purpose of the table.
l
-188-
The County witnesses, in a number of instances, expressed the desire to see more detail in the table, Tr. 1550, 1689 (Minor),
inclu, ding the explanation of the reasons for the classification and the exact nature of the QA applied. Tr. 1535-37, 1752-53 (Minor).
B-157. The County's witnesses incorrectly believed that Table 3.2.1-1 was used by engineers to decide the appropriate level of QA to apply to purchased parts and that it would be used to determine maintenance activities. Tr. 1829 (Hubbard). Table 3.2.1-1 is not used to control quality activities, rather it only provides a summary of system classi-fication. Burns et al., ff. Tr. 4346, at 172; Tr. 4616 (Robare).
- 2. Important to Safety
- B-158. LILCO has interpreted weed the terms important to safety and safety related interchangeably in the Shercher THEMR, as being equivalent to the definition of safety related embodied in 10 CFR 100 Appendix A. This is the usage of the terms in the FSAR. Tr. 4420-22 (Dawe), 21,051, 21,072 (Pollock).
-189-
1 l
l 1
1 B-159. LILCO witnesses testified they disagreed with l the Denton Memorandum characterization of the definition of im-portant to safety as being a definition that has been applied in the past. They believe the LILCO usage is that which has been used throughout the industry in the past. Tr. 4419-23, 4470 (Dawe); Burns et al., ff. Tr. 4346, at 51-55.
B-160. For example, General Electric, in its designs, applies only two categories, safety related and non-safety re-lated. Tr. 4457-58 (Robare). This is also the case for Stone
& Webster. See, e.g., Tr. 4418-23 (Dawe).
B-161. NRC witness Conran was the principal drafter of the Denton Memorandum. Conran, ff. Tr. 6368, at 3; Tr. 7731 (Conran). The Denton Memorandum defines safety related struc-tures, systems and components as being those required to per-form the 10 CFR Part 100, Appendix A safety related functions.
It defines structures, systems and components important to safety as those "that contribute in [an] important way to safe operation and protection of the public in all phases and as-pects of facility operation. . . ." Goldsmith et al., ff. Tr.
1114, Exhibit 1.
l
-190-l l
l l
i B-162. NRC witness Conran testified that "Although individual members of the Staff . . . have in the past used the terms,'important to safety' and ' safety related' incorrectly and inconsistently . . . , Staff practice in classifying struc-tures, systems and components either ' safety related' or 'im-portant to safety, not safety-related,' and in specifying qual-ity standards and quality assurance measures appropriate to those classifications has been consistent. . . ." Conran ff.
Tr. 6368, at 5-6.
- B-162A. The LILCO witn, esses testified that, in their extensive experience with the NRC Staff, the term "important to I
safety" was not generally used or was used synonymously with the term " safety related." Discussions with the Staff were
! solely in terms of safety related and non-safety related. Tr.
l 21,081-82 (McCaffrey, Museler). Moreover, the witnesses had never encountered the term "important to safety but not safety related" in documents or discussion with the Staff. Tr. 21,082 (Dawe, Museler).
l
- B-162B. Other Staff witnesses admitted that the Denton memorandum definition of "important to safety" is a new development, alternately calling it a new definition and a i
l
-191-l
I clarification. Dr. Mattson acknowledged that the Denton definition is new. He indicated that other stations besides Shoreham will probably need this classification. He also char-acterized the Denton memorandum as something that is " meant to be followed as Staff practice," and that Shoreham is just a place to start. Tr. 20,853, 20,857 (Mattson).
- B-162C. The Denton memorandum is recent, and has only been required in the case of TMI. The Staff expects to subscribe to the definition in the future so that, in the Staff's expectation, future regulators and operators will have less difficulty communicating. While the Staff believes appli-cation of the Denton definition will improve performance, Staff witnesses conceded there is no historical basis to prove that it makes a difference. Tr. 20,835-36 (Mattson).
- B-162D. Dr. Mattson stated that the Staff is headed towards systematically applying the distinction between safety related and important to safety embodied in the Denton memoran-dum to plants in the future. Likewise, he indicated that this distinction will be embedded in regulatory language, and, that, therefore, LILCO should be required to head in this direction as the Staff heads in this direction. Tr. 20,849, 20,853 (Mattson).
-192-
I l
9 i
l B-163. The majority of Conran's effort in preparing l
l the Denton Memorandum was interaction within NRC, the intent l being to get the NRC house in order before NRC began to get
" picky with the industry." His discussions with the industry l were not significant. These consisted of meetings with PASNY and an AIF subcommittee on systems interaction concerning the Indian Point 3 systems interaction program. The memorandum and definitions were not the specific purpose of the meetings. Tr.
7741-43, 7750 (Conran).
B-164. Mr. Conran did n6t review FSARs of licensed l
l plants in the course of preparing the Denton Memorandum. Tr.
l L 7772-3 (Conran). He was aware of one utility (TVA) which equated the terms important to safety and safety related in what he understood to be a draft manual. He indicated this to the ACRS to demonstrate that the terminology problem was not just internal to the NRC. Tr. 7769-72 (Conran).
! B-165. SC witness Hubbard stated that there are groups within the NRC who, for their work, have defined important to ,
safety the same as safety related. Tr. 15,427 (Hubbard).
r I
t
-193-i
l l
l l
l l
I l **B-166. NRC witness Conran testified that the NRC Staff l
was aware that both Staff and industry used the terms i
"important to safety" and " safety related" interchangeably.
Tr. 7734-35, 20,422-23 (Conran); see Tr. 20,485 (Conran). e4ee indicatcd that coac sczbcrc of thc "nC Otaff-havc cquatcd the t o uu m u..gortent tv sefety &nd sefety cel&ted, end used them in-tcrchongcebly The technical staff is responsible for imple-menting, not interpreting, the language of the regulations. To help them implement the regulations, a vast body of regulatory guidance has been put together to lay out practice which is followed consistently. Tr. 7734'-5 (Conran). However, the definitions promulgated in the Denton Memorandum were never in-corporated in a Regulatory Guide or Standard Review Plan, which is the typical means of interpreting regulation for application by the Staff. Tr. 7765 (Conran). Nevertheless, Mr. Conran believes the staff uses the concept, if not the term, consis-tently. Tr. 7736-7 (Conran).
B-167. The record shows the Staff does not use the term important to safety consistently as defined in the Denton Memorandum. In Regulatory Guide 1.105, Revision 1 dated November 1976, the NRC has defined the term important to safety
-194-L
to be synonomous with safety related as that term is defined in the Denton Memorandum. Tr. 15,429 (Hubbard). Likewise, Regu-latory Guide 1.118, Revision 2, June 1978, subscribes to the same definition for important to safety as Regulatory Guide 1.105, Revision 1, dated November 1976. Tr. 15,431-32 (Hubbard). Both. regulatory guides are examples of Staff usage of the term important to safety in a manner inconsistent with the definitions in the Denton Memorandum and consistent with the LILCO interpretation and usage of the term.
B-168. NRC witness Conran noted that revisions may be required to the NRC's Regulatcry Guides and Standard Review Plan to assure terminology is used consistently with the Denton Memorandum. The Denton Memorandum itself directed recipients to review regulatory guidance documents in this regard and recommend changes. The Staff witnesses were not aware of the status of any effort-to review and revise these guidance documents. It is not a high priority item for the Staff. Tr.
7768-9 (Conran); Goldsmith et al., ff. Tr. 1114, Attachment 1, at 2.
B-169. Although the NRC witnesses stated on numerous occasions that they agree with the Denton Memorandum, their
-195-1
testimony was often inconsistent with this position. The NRR Instrument and Control Systems Branch reviews the classifica- ,
tion,used by licensees and applicants. Although the review starts with the statements made in the FSAR, reviewers rely very heavily on review of drawings and other, more detailed, design information, along with meetings with applicants. A major portion of the work is determining that proper instrument and control systems are classified safety related and properly separated from those which are non-safety related. Tr. 6505-7 (Rossi). It is apparent that in.its review process, the In-strumentation and Control System's Branch does not use the term important to safety as defined in the Denton Memorandum.
B-170. NRC witness Rossi stated that in the area of instrumentation and control systems, the Staff does not consider the terminology critical. It is adequate and suffi-l cient to have two categories, safety related and non-safety re-lated, though he also stated that within the non-safety related category the relative importance to safety of the systems may differ depending upon the system. Tr. 7782-3 (Rossi).
B-171. The Quality Assurance Branch does not review l the correctness of classification of plant features. That
-196-i 4
n . - - - , _
review is performed by knowledgeable technical reviewers who know better what the function of a particular structure, system, or component is with regard to safety. The review does >
not determine, however, whether there are items important to safety but not safety related. The review is to establish that the identification of safety related items is correct and complete. Tr. 6933-35 (Haass).
B-172. From the time of NRC testimony in the TMI-1 proceeding, the development of the standard definition in the Denton Memorandum took more than a year.
Conran, ff. Tr. 6368, at 3. This was the result of a combination of several problems: there was a great deal of inconsistency among the Staff on the everyday usage of the terms; it was not a high priority task; and, it was a complicated task, including a pre-sentation to ACRS required by NRC management. Tr. 6955-57 (Conran). This is not consistent with the idea of well under-stood, consistently construed and applied regulatory language.
B-173. There has been nc formalization of items impor-tant to safety by the Staff. There has not been nor is there now a requirement to compile a list of items important to safe-ty but not safety related. It is not a licensing requirement.
-197-
Only one such' list has been requested (from the TMI Unit I licensee in the context of the restart review) as part of new staff, activities to identify such a list. Although there is no regulatory requirement for a list, the Staff is conducting ex-tensive studies which could lead to implementing a requirement, but no decisions have been made. In the absence of a Staff po-sition, the Staff witnesses expressed varied, personal opinions on the necessity or benefit of a list of items important to safety but not safety related. Tr. 7064-74 (Haass, Conran, Speis); 7725-26 -(Haass, Speis); 7837-38 (Speis).
- B-173A. The Staff's original prefiled testimony confirmed that there has not been, nor is there now, a require-ment to compile a list of items important to safety but not safety related. Speis et al., ff. Tr. 6,357, at 9. Staff witnesses Mattson, Vollmer and Rossi, more than eight months later, confirmed that this Staff testimony and position were not changed by Mr. Conran's February 9, 1983 affidavit or for any other reason. See Mattson, et al., ff. Tr. 20,810, at 8-9.
- B-173B. Staff witnesses Mattson, Vollmer and Rossi
, testified that the Staff is satisfied that LILCO understands what is minimally required for safety and that a listing of
-198-
non-safety related plant items is not necessary to demonstrate an understanding of what is minimally required for safety.
Moreover, Staff witnesses stated, a mere listing would not dem-onstrate such an understanding. Mattson et al., ff. Tr.
20,810, at 10-12. Staff witness Vollmer also testified that the generation of such a list and the Staff review of it in the abstract io not an important enough task to warrant expenditure of resources. Tr. 20,842-43 (Vollmer).
- B-173C. Staff witnesses testified that a list of im-portant to safety is not what is important.
What is important is that the utility have reflected an understanding of the need to treat equipment commensurate with its importance to safety by offering a demonstration that preventive maintenance pro-grams and engineering programs in operation pay attention to the equipment's importance to safety. Tr. 20,840-44 (Mattson, Vollmer). The Staff requested that LILCO make such a demon-stration, and LILCO did so in a form and content requested and considered satisfactory by the Staff. Mattson et al., ff. Tr.
20,810, at 11-12; see Staff Exs. 14-15; LILCO Exs. 70-71; Tr.
21,134 (Pollock).
-199-l l
- B-173D. County consultant Goldsmith testified in the reopened proceedings that, in his original testimony, he had not s,tated whether a list of important to safety equipment was appropriate. At the time of the reopened proceedings, he could not state whether such a list of important to safety is feasi-ble or appropriate. Tr. 20,957 (Goldsmith). Mr. Goldsmith (
also stated his opinion that it is not necessary to use the im-portant to safety but not safety related category to design and construct a plant properly. He stated that he based his deci-sion, in pcrt, on the existence of significant regulatory guid-ance for design and construction'that outlines the standards to be met for both safety and non-safety related equipment. Tr.
20,958-59, 20,966-67 (Goldsmith). In sharp contrast with this testimony and contrary to Staff and LILCO testimony, County witnesses Hubbard and Minor asserted that LILCO must compile a list of structures, systems and components important to safety for the design, construction and operational phases. They contended that without such a list it is impossible for LILCO to demonstrate that the proper safety significance and quality assurance controls are being applied. Goldsmith et al., ff.
Tr. 20,903, at 39; see also Tr. 20,970-71, 21,022, 21,028 (Hubbard, Minor). County consultant Goldsmith did not sponsor this testimony. Goldsmith et al., ff. Tr. 20,903, at 2.
-200-l l
l
- B-173E. LILCO Vice President Pollock testified that a list of certain non-safety related equipment would inappropri-ately limit the application of quality assurance to certain non-safety related equipment, whereas LILCO's current approach of evaluating every piece of equipment in the plant is the more appropriate, inclusive and definitive approach. Tr. 21,066 (Pollock). LILCO witness Dawe expressed essentially the same view. Tr. 21,133-34 (Dawe). LILCO witness Pollock also testified that in the development of its maintenance program, LILCO has evaluated every piece of equipment relative to its function within the plant, its impact on safety, its reliability, its operability and its maintainability. In this fashion, appropriate programs have been developed and will con-tinue to be developed. Tr. 21,148 (Pollock). ,
- B-173F. Mr. Conran stated that he had never thought that it was absolutely necessary to have a list of important to safety because those items are already identified in the Staff review documents. Tr. 20,668 (Conran). He stated that he did not consider such a list necessary for understanding what is required,45/ though he recommends that such a list be put 45/ Note that this testimony appears to be contradictory to Mr. Conran's affidavit testimony. See Conran ff. Tr. 20,401 at 32 (list should be a prerequisite to a license).
l
-201-1
together by the Staff and reviewed, approved and commented on by industry. In Mr. Conran's view, such a list is, in general, a Sta,ff function. Tr. 20,669-70 (Conran). A Shoreham-specific list would be made up of the structures, systems and ccmponents in the Standard Review Plan and the regulatory guidance documents that have been applied to Shoreham. Tr. 20,671 (Conran). Mr. Conran also confirmed that the Staff does not require other utilities to prepare or submit such a list. Tr.
20,673 (Conran). Mr. Conran would not have thought it neces-sary for LILCO either, but he believes it would be a vehicle for developing mutual understand'ing. Tr. 20,673-74 (Conran).
l B-174. The Denton Memorandum does not identify or define the class of structures, systems and corcponents that are important te safety but not safety rel'ated, except by the question-begging definition "anything that contributes in [an) important way to safety." Staff witnesses acknowledged the vagueness and potentially great breadth of this definition.
l Staff witness Conran testified that the only examples he could think of that might be excluded from the important to safety category were garages and administrative buildings. Tr. 7795 (Conran). A second Staff witness, in response to a similar
! -202-l
l 1
inquiry, suggested toilets, washing machines and water fountains might be examples of items not important to safety.
Tr. 6523 (Speis). This witness then acknowledged that these examples might exaggerate the scope of what is included in the category of important to safety. He indicated that he was sure other systems existed that play no role in the overall safety of the plant, but significantly he was unfamiliar with any of those systems. Tr. 6529-30 (Speis). As if to confirm the lack of definition of the Denton Memorandum category of important to safety, Staff witness Rossi testified that it might be impor-tant not to define the category precisely because to do so would remove regulatory control. Tr. 6531 (Rossi).
B-175. In addition to the absence of any reasonably precise definition of what is' included in the category of im-portant to safety, the Denton Memorandum is wholly silent on what quality standards and quality assurance should be applied to that category of structures, systems and components. Burns et al., ff. Tr. 4346 at 55 n. 5; Tr. 6976, 7063, 7480 (Haass);
7862-63 (Conran).
B-176. Staff witness Haass agreed that the following characterization of the situation by the Board was correct:
-203-
What troubles me or what puzzles me is l if you had an applicant--say, I
LILCO--that used the term "important to
- safety" exactly the way the staff in-
, tended it to be used . . . . It is merely that commitment that is being relied on in the staff's concept of the audit type review--that you could have that commitment and their agreement that they are using your definition. And yet, the staff still doesn't have the slightest idea as to what level of QA is being applied for different components.
It is still the same old ad hoc approach.
And if you get into a disagreement later as to what QA was to apply, you are not going to have any help by the fact that they agreed with your definition, be-cause within that d'efinition there are all of these gradations as depending upon the importance of the structure, system or component. So what is the big hullabaloo all about?
Tr. 6979-80 (Haass). ,
B-177. The adoption of the definition of important to safety set forth in the Denton Memorandum would only matter in the extreme case where a utility does not want to apply any QA whatsoever to a particular item. Tr. 6982 (Haass).
B-178. NRC witness Conran testified that although there is much detail in the standard review plan regarding quality standards that apply non-safety related items, there is
-204-
l no guidance in the SRP or the regulatory guides that relate to j details of important to safety but not safety related QA pro-grams. Tr. 7862 (Conran).
B-179. Although this may generally be true, there are exceptions. It is an NRR position that fire protection systems are not safety related and, therefore, do not fall within the i
l scope of Appendix B. However, since the Brown's Ferry fire, l
l NRR has required licensees to apply some measure of quality as-
- surance to fire protection systems. The standard review plan l
specifies what type of quality assurance thep should receive.
Tr. 17,392 (Higgins).
B-180. NRC witness Haass stated that Appendix B to 10 l
CFR 50, in Cr,iterion II, allows the grading of quality assur-ance applied to safety related items consistent with an item's importance to safety. Although it could be used to provide criteria to judge QA programs which are applied to items impor-tant to safety but not safety related, it is not so used or ap-
- plied. The Staff believes greater guidance would be provided to the user by starting with some other level of QA. The Staff is attempting to develop this approach but the effort is not l yet complete and the Staff is not sure of the outcome. The
-205-l I ,- . . - - , _ ~ . .. . . - - - . .-. . - _ . --
intent is to develop new requirements, analogous to Appendix B, l
l but starting at some lower level. Ir. 6993-98 (Haass).
l l
- B-181. The Staff has embarked on the effort to define this new level of quality assurance even though it was not the intention, in the Denton Memorandum, to dictate new technical requirements, or to broaden the existing scope of NRR licensing review. Goldsmith et al., ff. Tr. 1114, Attachment 1 at A-2; 1 Tr. 7763-64 (Conran); 20,840 (Mattson).
I 1
B-182. It is the Staff's position that Appendix B as written and interpreted applies 'only to safety related items.
Tr. 7829 (Speis).
B-183. SC witness Hubbard concurred, stating that con-sist'nt e with the regulations, the NRC practice and construction l
l has been to apply Appendix B only to the safety related set as a regulatory requirement. Tr. 15,422 (Hubbard).
B-184. The term safety related as it appears in Appen-dix B to 10 CFR 50 is the same term, with the same unique meaning, as the term safety related which appears in 10 CFR 100, Appendix A, and that is how it is now applied. In addition to the previous staff efforts discussed, the Staff is
-206-
- - - - ~ __ _ ~ . . . __ ,
l also considering, but has not noticed, a rulemaking to replace the term safety related with important to safety in Appendix B.
Using the definitions of the Denton Memorandum, this would 1
I change the applicability of Appendix B and make it a regulatory l
requirement for all items covered by GDC-1 of 10 CFR 50, Appen-dix A. Tr. 7826-29, 7856-57 (Conran, Haass).
B-185. The Staff characterizes this contemplated rule change to make 10 CFR 50, Appendix B, applicable to items im-portant to safety as a clarification or additional guidance.
They do not consider it an added requirement, but rather guid-ance on how an applicant would apply, and the Staff would review, the general requirement under GDC-1. Tr. 7858 (Haass, Conran). But given the Staff's' admission that Appendix B is applicable only to the safety.related set'of structures, systems and components, extending Appendix B criteria to the non-safety related set or any portion of it would doubtless be a new requirement, not additional guidance. As such, the result would be contrary to the stated intent of the Denton Memorandum not to create new requirements.
B-186. In preparing such a graded QA rule, the Staff had to evaluate the impact of the rule. Some members of the
-207-m-
s Staff questioned NRC's ability to estimate impact since QA programs important to safety but not safety related had never been , reviewed. Others felt there would be little impact if li-censees were doing what the Staff thought they should. Since the impact might be greater than anybody knew, the Staff insti-tuted the effort to develop guidance before it opened a "can of worms" and caused "all sorts of alarm and heartburn." Tr.
7862-63 (Conran).
B-187. In addition to the inconsistency among the Staff on the overyday usage of the terms, there were also inconsistencies between members of I&E and NRR. NRC witness Higgins has conducted inspections at numerous plants in addition to Shoreham. These include Calvert Cliffs Units 1 and 2, Oyster Creek, Salem Units 1 and 2, Peach Bottom Units 2 and 3, Three Mile Island Units 1 and 2, Beaver Valley Unit 1, Susquehanna Unit 1, Indian Point Units 2 and 3, Ginna, Fitzpatrick, Nine Mile Point Unit 1, Connecticut Yankee, Mill-stone Units 1 and 2, Yankee Row, Pilgrim, Vermont Yankee and Maine Yankee. Tr. 17,077 (Higgins). In his experience of in-spection over the last six years, Mr. Higgins has not observed a plant that uses the classification important to safety to
-208-
apply to structures, systems and components that are not safety related. Tr. 17,284 (Higgins).
B-188. NRC witness Narrow has also inspected plants other than Shoreham. Tr. 17,080 (Narrow). Likewise, he does not recall having encountered the term important to safety in use in the quality assurance program of any plant which he has inspected. Tr. 17,285 (Narrow).
B-189. Unlike quality assurance programs for Appendix B items, I&E does not systematically look at applicants' QA programs for non-safety related equipment. I&E only covers areas where there has been specific NRC interest in the con-struction program. Tr. 17,349-50 (Gallo).
B-190. I&E Region I has not applied the types of categorizations -- safety related, important to safety and so forth -- promulgated in the Denton Memorandum. To the knowledge of NRC witness Higgins, the memorandum was never for-mally transmitted to the I&E Regions. Tr. 17,362, 17,471 (Higgins).
B-191. I&E has never really inspected the programs for non-safety related items as a whole. It was I&E's position
-209-
that the applicant has no firm commitment to the NRC to provide specific quality programs in this area and therefore, from a progr,ammatic standpoint, the NRC has no regulatory commitment to bind the applicant to it. Tr. 17,290 (Higgins).
B-192. In addition to the contradictions between I&E and NRR noted above, there was also testimony that the Denton Memorandum was not promulgated in a formal manner to industry, although it has become known to the industry. Tr. 7741 (Conran).
B-193. The American Nuc' lear Society, in its standards relating to classification of systems (ANS 51.1 and 52.1), has recently attempted to address the terminology of the Denton Memorandum through draft standard revisions. Although this indicates that the industry is working with the Staff to at-tempt to resolve the definitions, the Staff witnesses were not aware of the status of adoption of any proposed standard revi-sions. There has been disagreement within the ANS committee pursuing this issue. Tr. 7738-41 (Conran).
B-194. IFEE, through its Nuclear Power Engineering Committee, has objected to the use of the term important to
-210-
safety to mean more than safety related, citing the common usage equivalence of these terms in the past and the confusion it creates for the future. The IEEE has.been attempting since the mid 1970s, as yet unsuccessfully, to develop a methodology to assign design criteria based on a system's level of impor-tance. However, the IEEE recommendation is that the term im-portant to safety not be used until it has a commonly under-stood meaning. Burns et al., ff. Tr. 4346, Attachment 4; Tr.
6720, 7757-60 (Rossi).
B-195. In addition to industry objections, there has been some reluctance on the part of the NRC to proceed with a scheme, such as that being attempted unsuccessfully by IEEE, to rank electrical and control systems in a class called important to safety. This caution has been due to concern for the expan-sion of NRC review effort which could result. This concern exists even though the Staff believes items important to safety are covered by the General Deuign Criteria and are part of the NRC review responsibility in the Standard Review Plan. Tr.
6722-24 (Rossi). This Staff concern is an acknowledgment of the fact that use of the term "important to safety" as defined in the Denton Memorandum could, contrary to the express terms
-211-
of that memorandum, broaden the existing scope of NRR licensing review.
B-196. The Kemeny Commission's QA task force concluded that the NRC's regulations only require the application of quality assurance to safety related equipment. They stated that " Quality Assurance requirements only apply to a narrow portion of the plant defined as safety-related or safety grade." Hubbard, SC Exhibit 89B, Attachment 6, at 6-4. Sig-nificantly, the Kemeny Commission did not identify or construe NRC regulations, including GDC-1, as applying to other than the safety related set.
- B-197. The NRC witnesses stated that a commitment by LILCO to do in the future what it has done in the past with regard to quality assurance for (in Denton Memorandum terms) the important to safety but not safety related set wculd be sufficient to satisfy the Staff's interpretation of GDC-1. Tr.
7711-1-7 _15 (Haass, Ge#w-an-) . Thus, what has been done in the past meets the regulation as interpreted by the Staff. Tr.
7712 (Haass), $9'7, 'd91-5 'Cenran). See also Tr. 7709-10 (Conr:n, Haass). The reviews performed by Staff technical re-viewers indicated that the Shoreham non-safety related plant
-212-
items considered important to safety by the Staff in accordance with the Denton Memorandum satisfied the Staff's acceptance criteria and quality standards outlined in the Standard Review Plan. Tr. 6974-75 (Cenren, Haass).
-B-198. Thus, although.LILCO witnesses object to the term "important to safety" as being a class larger than safety related, LILCO is achieving the objective which could be attributed to the Denton Memorandum. Tr. 4468 (Dawe, Ianni);
see Tr. 7815 (Speis).
B-199. In the Staff's review, in order to comply with GDC-1, "the engineering people [must] identify what the safety function is [and the] QA people decide what kind of QA controls are appropriate . . . ." Tr. 6981 (Haass).
- B-200. Since non-safety related structures, systems and components are accorded quality standards and assurance treatment commensurate with their function, the absence of a distinct, separate category of structures, systems and compo-nents that are important to safety but not safety related leads to essentially the same result as that suggested in the Denton Memorandum. Burns et al., ff. Tr. 4346, at 53. The only
-213-
difference.in results is the absence of a list of structures, systems and components called important to safety. Tr. 4451 (Dawe). The regulations do not require such a list. Tr. 7837 (Speis), 7064-74 73 (Haass, Conran, Speis), 7725-26 (Haass, Speis).
B-201. The rationale for accepting less stringent, but still rigorous, standards for the non-safety related set of structures, systems and components than for the safety related set is based upon the reduced consequences that result from failure of these systems. In the event these non-safety relat-ed structures, systems and components fail, they are backed up by fully safety grade structures, systems and components capa-ble of mitigating or preventing the resulting event. Only safety related equipment is relied upon for design basis accident analysis as set forth in Chapter 15 of the FSAR.
Burns et al., ff. Tr. 4346, at 53.
- S-202. There is obvious disagreement between LILCO and the NRC Staff with regard to terminology employed in the safety classification of structures, systems and components (important to safety vs. safety related). However, there appears to be close agreement between most important aspects of the positions
-214-
and conclusions of the Staff and LILCO regarding adequacy of I safety classification of Shoreham plant features, particularly as to the substantive technical safety classification consider-ations at issue. The substantive technical issues involved are the relative safety importance in view of the function to be performed and the perception of consequences if a component fails, and from these the selection of the appropriate quality standards and quality assurance measures to be applied.
Conran, ff. Tr. 5250, at 2, Tr. 595S 50, 5073 1, 7195-5 (Cc-r="); Mattson et al., ff. Tr. 20,810, at 9.
- B-203. Using the Denton Memorandum terminology, the NRC Staff determines which systems, structures and components are important to safety but not safety related using judgment and experience gained from past history and plant operation.
These determinations are embodied in the Standard Review Plan.
The Standard Review Plan, and Regulatory Guide 1.70, identify systems which are not safety related but are still required to be discussed in the FSAR. These are the standards by which the NRC judges applicants' submittals., The Staff stated that com-pliance with the Standard Review Plan demonstrates correct classification and compliance with regulation because implicit
-215-
in the criteria set forth therein are the importance of the system and the quality standards to be met. Tr. 6574-81 (Rossi, Conran).
- B-204. The Staff review of the design of Shoreham de-termined that a systematic methodology is used to identify systems, structures and components that are important to safety but not safety related. The Staff systematically reviews the design using the Standard Review Plan. This has assured the Staff that the applicant has properly addressed the non-safety related items that the Staff considers important to safety.
Tr. 7093-96 (Rossi, Conr2n); Mattson et al., ff. Tr. 20,810, at 9-10.
- B-204A. Following the submittal of Mr. Conran's affi-davit, the NRC Staff reaffirmed its conclusion that LILCO complies with the substantive regulatory requirements for structures, systems and components important to safety. The Staff reached this conclusion despite LILCO's different use of the term "important to safety" because the Shoreham FSAR was prepared in accordance with the Regulatory Guide 1.70, Revision 1, " Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants," and other applicable regulatory guides.
-216-
The Staff reviewed the Shoreham ESAR in accordance with the Standard Review Plan. This review did not reveal any substan-tive differences between the Staff and LILCO on the treatment accorded equipment the Staff considers important to safety.
This conclusion was confirmed by LILCO's testimony on SC/ SOC 7B concerning specific systems. LILCO demonstrated to the Staff's satisfaction that LILCO had properly treated, qualified and ap-plied appropriate quality standards and quality assurance re-quirements to the specific systems discussed. Mattson et al.,
ff. Tr. 20,810, at 9-10.
B-205. As LILCO's witness observed, the term important to safety as it appears in the General Design Criteria is, in almost all cases, tied to the term safety function. This leads to the conclusion that the term important to safety is tied to the safety related functions described in the regulation. The General Design Criteria are of different types, some applying to a philosophy of design and others applying to specific systems or system functions. In applying the GDC, LILCO's com-mitments made for the term important to safety are commitments made for the agreed upon term safety related, which LILCO considers synonomous. All of the GDC are applied, however,
-217-
w whether the term important to safety appears or not. Thus, the application of the GDC to specific systems has not been affect-ed by the terminology. The plant design has been reviewed by the NRC and meets the regulations. Tr. 4470-73 (Dawe).
B-206. At Shoreham, quality assurance under the Appen-dix B program does have involvement in several specific areas that are non-safety related such as fire protection, radwaste, emergency planning and security. There is no single quality control or quality assurance manual that defines for all non-safety related items what the quality assurance program is. ,
But Shoreham does have procedures or activities similar to Ap-pendix B that are done for items that are non-safety related such as design control, procedure control, inspection and testing. There are various programs that control such things as construction and testing from a procedural standpoint for non-safety related items. There are installation and inspec-tion procedures for non-safety related structures, systems and components. Tr. 17,288-90 (Higgins).
B-207. The NRC, industry and the organizations in-volved in the design of Shoreham have developed guidance documents and standards that establish specific criteria for
-218-m i
specific features of the plant. These guidance documents interpret the regulatory requirements for application. Al-though there is confusion in terminology as discussed in the Denton Memorandam, the essence of the guidance documents used for the design of Shore' am by the applicant and the review of Shoreham by the Staff were well known to all involved. The plant has been the subject of long technical review. The Shoreham FSAR and the Staff SER demonstrate that the criteria were known, addressed and satisfied in the Shoreham plant. Tr.
4474-5 (Dawe).
- B-208. No member of the NRC panel is aware of any area in which the difference in usage of the definition of important to safety has made a substantive difference in the design, con-struction or quality assurance at Shoreham. Tr. 7815 (Speis);
20,834 (Mattson).
- 3. Compliance with General Design Criteria B-209. Each of the principal organizati'ons involved in the design and construction of Shoreham, General Electric, Stone & Webster and LILCO, has applied quality standards and quality assurance to all plant systems commensurate with the
-219-
function of the system in the reliable and safe operation of the plant. Burns et al., ff. Tr. 4346, at 41; Tr. 5429-30 (Dawe,) .
B-210. The major non-safety related systems are de-scribed in the Final Safety Analysis Report, which documents the result of the considerations noted above. For example, Chapter 3 of the FSAR discusses major plant structures; Chapter 7 discusses instrumentation and controls; Chapter 8 discusses electrical powe systems; Chapter 9 discusses auxiliary systems; Chapter 10 discusses steam and power conversion systems; Chapter 11 discusses radioactive waste management systems. In each of these chapters, non-safety related por-tions of the plant are described, including their respective design bases. The FSAR contains information regarding tne con-siderations employed during the design process for the proper integration of the non-safety systems into plant design. Burns et al., ff. Tr. 4346, at 41; Tr. 4956-57 (Dawe). As described above, each of the principal organizations involved in the design and construction of Shoreham had methods and programs in place to ensure that quality standards and quality assurance were applied to all structures, systems and components
-220-
commensurate with their function in the safe and reliable operation of the plant.
- B-210A. LILCO witnesses acknowledged in general that NRC regulation and inspections may extend beyond the safety re-lated area. LILCO witness Dawe cited 10 CFR Part 20, and 10 CFR Part 50, Appendix I as examples of NRC regulation beyond the safety related set. Mr. Dawe also noted that even with respect to those regulations, which LILCO interprets as appli-cable only to safety related items, such regulations can extend to non-safety related equipment if there is any non-safety re-lated equipment that affects or impairs the ability of the safety related set to meet these regulations. Tr. 21,139-40 (Dawe, Pollock).
- B-210B. LILCO's use of the term non-safety related does not imply that an item in that category has no safety sig-nificance. Tr. 21,052-53 (Dawe).
- B-210C. LILCO believes that for the future, as in the past, appropriate quality standards and quality assurance should be applied to all structures, systems and components in the plant and to the activities affecting them. For things
-221-
outside the set identified by the term safety related, LILCO believes it is not a regulatory requirement under GDC 1 but rather, a matter of conventional quality assurance and good en-gineering and operational practice. Tr. 21,078-79 (Dawe). To its knowledge, LILCO has resolved any and all differences that may have existed between the Staff and LILCO as to what the Standard. Review Plan, NUREG documents, regulatory guides or other guidance documents indicated should be done. Tr.
21,080-81 (Dawe).
- B-210D. LILCO believes the basic philosophy of the Denton memorandum definition of the term "important to safety" is that non-safety related equipment can have a safety signifi-cance in certain instances. Therefore, appropriate considera-tion should be given to the design, construction and mainte-nance of that equipment during the design, construction and operation of the plant. LILCO agrees with, and believes that it has implemented, that philosophy. Tr. 21,151 (Pollock).
- B-210E. If "important to safety" as a set was defined as all safety related equipment and that non-safety related equipment whose failure could prevent the accomplishment of a safety related function, the design philosophy of Shoreham is
-222-
such-that nothing would need to be included in the set "important to safety" that is not already classified as " safety related."- The design philosophy is to preclude that type of design interaction. Tr. 21,157-59 (Dawe).
- a. General Electric B-211. Within the General Electric scope of supply, each structure, system and component is evaluated and receives quality _ assurance commensurate with its intended safety or power generation reliability function. Tr. 4434, 4457, 4964 (Robare); 13,788 (Long). General Electric has one overall quality assurance program applied to both safety related and non-safety related activities. The degree of applicaton depends upon the overall function of the item involved. Tr.
10,169 (Long).
B-212. Although different organizations within General Electric may use different nomenclature, the application of quality assurance to non-safety related features is essentially the same as that applied in the Engineered Equipment Procure-ment Department, which supplies most major equipment for the General Electric portion of a nuclear power plant. Tr. 4960-61 (Robare), 13,865-6 (Long).
-223-
B-213. The QA designations and practices in the Engineered Equipment Procurement Department were discussed at length in the hearings. In that division, the designation QAR I applies the requirements of 10 CFR 50 Appendix B to safety related structures, systems and components. QAR II applies quality assurance requirements to non-safety related struc-tures, systems and components based on their function, complex-ity and importance to reliable power generation. Burns et al.,
ff. Tr. 4346, at 42; Tr. 4960 (Robare). This program for non-safety related equipment is described in General Electric's QAR II plan. Tr. 5619 (Robare).'
B-214. The quality assurance requirements for procure-ment and manufacture of structures, systems and components in QAR II (or equivalent category for non-safety related equipment in other General Electric divisions) are specified by design and quality control engineers based on an evaluation of the function, complexity and importance to reliable power genera-tion. Tr. 4962, 5513-14, 5619-21 (Robare). Thus, for most structures, systems and components in QA Category II, the General Electric program addresses most of the Appendix B criteria to a level of detail commensurate with their
-224-
importance to safety and reliability. Burns et al., ff. Tr.
4346, at 42-43. Approximately 90% of General Electric's non-safety related structures, systems and components receive quality assurance that is_very close to full Appendix B treat-ment. Tr. 4962 (Robare). This was verified by a sampling of Shoreham equipment in a study conducted June 19-30, 1982. Tr.
5518 (Robare).
B-215. The General Electric witnesses discussed the quality assurance requirements imposed by General Electric on non-safety related components. The non-safety related control rod drive pumps were subject to all 18 criteria of Appendix B.
Tr. 5516 (Robare). The non-safety related shroudhead and sepa-rator assembly also had all aspects of Appendix B applied. The only reason that full Appendix B compliance for these compo-nents could not be claimed was a lack of material traceability usually required for full Appendix B compliance. The non-safety related dryer assembly, purchased by General Electric from a vendor, also was given quality assurance treat-ment covering all 18 criteria of Appendix B. Again, the only reason full Appendix B compliance could not be claimed was lack of material traceability for sub-vendor components. Tr. 5517 (Robare).
-225-
B-216. Similarly, General Electric requires an ecsen-tially identical program of engineering design and engineering quali,ty assurance for all structures, systems and components regardless of the safety classification. Burns et al., ff. Tr.
4346, at 42. In fact, the engineering quality assurance pro-gram is the same throughout General Electric's nuclear division without regard to whether safety related or non-safety related activities are involved. Tr. 4969 (Robare).
B-217. The level or degree of application of the pro-gram depends on the importance of the equipment to the safe and reliable operation of the plant. Tr. 4969 (Robare). Thus, design activities such as analyses, documentation, review, ver-ification, change-control, and records are applied, in large measure, to non-safety related structures,. systems and compo-nents at General Electric. Burns et al., ff. Tr. 4346, at 42-43; Tr. 4970 (Robare). All structures, systems and compo-nents designed by General Electric are subject to design review and design verification. It is the level of detail that varies with the function of the equipment. Less important equipment may get, for example, three design reviews instead of four.
Tr. 4969-72 (Robare, Ianni).
I
-226-
B-218. As verified specifically for the control rod drive pump, purchase specifications are utilized that generally describe the design requirements, quality assurance and appli-cable code requirements. Tr. 5620 (Robare).
- b. Stone & Webster B-219. Stone & Webster has one Quality Assurance Department and one Quality Assurance Program. That program meets the requirements of Appendix B to 10 CFR 50. As applied by Stone & Webster, the differences in quality assurance ap-plied to safety related and non-safety related would more result from differences in the quality standards as opposed to programatic differences. Although the quality assurance activities applied to non-safety related items may differ from those for safety related items, they do not always differ. Tr.
4922-25 (Dawe).
B-220. Stone & Webster has one engineering and design control process that is applied to all engineering work, safety related and non-safety related. Similarly, in procurement, Stone & Webster applies the same procurement program to both non-safety related and safety related equipment commensurate
[
with the item's importance. Tr. 10,167-68 (Eifert).
-227-
B-221. Stone & Webster applies quality standards and quality assurance to each structure, system and component comme,nsurate with its intended' function. Stone & Webster uses three quality assurance categories with Stone & Webster Quality Assurance Category I being applied to safety related struc-tures, systems and components and Stone & Webster Quality As-surance Categories II and III being applied to non-safety re-lated structures, systems and components. Stone & Webster Quality Assurance Category II applies to structures, systems and components that are essential for the reliable generation of electric power but are not es'sential for safe shutdown of the plant. d It also inclu'es equipment or systems which contain radioactive material, but whose failure could not release quantities sufficient to endanger publ'ic safety. Stone &
We' ster Quality Assurance Category III applies to those struc-tures, systems and components that do not fall within Categories I or II. Burns et al., ff. Tr. 4346, at 44-45.
B-222. Activities affecting virtually all Stone &
Webster designed non-safety related structures, systems and components at Shoreham are controlled by specifications. These specifications clearly identify the assigned quality assurance
-228- I
category (II or III). As part of the preparation of a specification, the responsible engineer selects the appropriate quali,ty assurance category based on the function of the struc-ture, system or component involved. Burns et al., ff. Tr.
4346, at 45-46, Tr. 4977 (Dawe). The engineer also specifies in detail the quality assurance requirements for the activities controlled by the specification.
B-223. The specification is reviewed by the responsi-ble engineer's supervisors as well as the quality assurance department. The quality assuran,ce department reviews the qual-ity assurance requirements for certain specifications. Guid-ance for the appropriate level of quality assurance is provided in master specifications which have been developed by Stone &
Webster specialists over the years based on experience, regula-tion, industry standards and the function of the equipment.
Burns et al., ff. Tr. 4346, at 45-46; Tr. 4978 (Dawe). In addition to quality assurance requirements, Stone & Webster specifications also designate the codes, standard, and design and construction practices to be applied to non-safety related structures, systems and components. Burns et al., ff. Tr.
4346, at 46-47.
-229-
B-224. Although the 18 criteria of Appendix B need not be applied to non-safety related structures, systems and compo-nents,, Stone & Webster does apply these principles to equipment within Quality Assurance Categories II and III. The level and extent of the application depends on the function of the equip-ment or activity covered by the specification.
B-225. Significant quality requirements are applied to non-safety related structures, systems and components. All of these structures, systems'and components are designed, fabri-cated and constructed to high in,dustrial quality standards, including applicable codes and requirements. Burns et al., ff.
Tr. 4346, at 25. For example, non-safety related piping is built to the quality standards in the piping code B-31.1. And in using this code, Stone & Webster applies strict standards for testing and examination. Tr. 4919 (Dawe). The shop fabri-cation specification applies to the' procurement of all piping.
The same materials are required for Stone & Webster Quality As-surance Category I (safety related) and Category II (non-safety related) piping. Both categories receive the same tests and inspections. Tr. 4920 (Dawe). In some cases, Stone & Webster has decided to build non-safety related components to the
-230-l
ASME-3 code, a code usually applied to safety related equipment. This was done based on Stone & Webster's judgment that this higher standard was appropriate given the function of
'the equipment involved. Tr. 4461 (Dawe).
B-226.The l evel of quality assurance for non-safety re-lated structures, systems and components depends on Stone &
Webster's assessment of the function of the equipment in the safe and reliable operation of the plant. Tr. 4441-42, 4927 (Dawe).
B-227. Stone & Webster plhees engineering requirements on the purchase of non-safety related equipment, and these re-quirements specify the level of quality assurance to be ap-plied. Compliance with these requirements is frequently monitored by the same procurement QC inspectors who inspect safety related equipment. Tr. 4926 (Dawe).
B-228.All Stone & Webster controlled procurement of non-safety related equipment (Categories II and III) is done from bidders on an approved bidder's list. Tr. 4979 (Dawe).
B-229.The Stone & Webster witnesses testified that the determination of what quality standards to apply to non-safety
-231-
related structures, systems and components is part of the normal engineering process. The standards are selected to en-sure,that the equipment can perform its design basis function.
Tr. 4928 (Dawe). In addition, the operation of that non-safety related system under abnormal conditions is also taken into consideration. Tr. 4431-32 (Dawe, Garabedian), 4434 (Robare).
B-230.For non-safety related features of the plant, the determination by Stone & Webster of quality standards commensurate with function is an engineering decision. The non-safety related systems are d,esigned for the service conditions in which their functions are intended to be performed. Transient operation, as well as normal operation, can be part of the service condition of the equipment as in-tended to be called upon. Generally, for non-safety related equipment, the service conditions for transient and normal operation would not differ. The standards applied result in design margin. Tr. 4428 4431, 4440 (Dawe).
B-231.Non-safety related equipment is designed to avoid or prevent failures which will cause transients. The plant is, however, designed to withstand such transients without progres-sion to the hypothetical, severe accidents for which the safety
-232-
related systems are designed. Not hll equipment, the failure of which defines a transient, or which is needed to prevent the occur,rence of a transient, need be safety related. Further, non-safety related systems are designed not to interact in an adverse manner with safety related systems in accident conditions. Tr. 4432, 4440-41 (Dawe).
B-232.The industry standards applied to non-safety re-lated plant features by Stone & Webster are strict and conser-vative standards for the intended application of the compo-nents. This is done to ensure t, hat components will reliably perform their functions. Stone & Webster recognizes that a re-liable plant is a safe plant. Standards applied have been reviewed by NRC and compare favorably to NRC guidance documents. Tr. 4919-22 (Dawe).
B-233.All of the systems for the plant are examined for their function and interrelationship to the whole plant. This includes the non-safety related systems, most of which are de-scribed in the FSAR. The conclusions of the evaluatiens of these systems are also included in the FSAR. Stone & Webster has corporate technical guidelines and procedures for the eval-uation of non-safety related systems as well as safety related systems. Tr. 4955-58 (Dawe).
-233-
B-234.For non-safety related items provided by Stone &
Webster, the extent of quality assurance to be applied is de-termi,ned by engineering within the specification for the item.
The Quality Assurance Department implements the requirements of the specification. The Quality Assurance Department provides input to or reviews those specifications which require quality program audits or test and inspection documentation. Tr.
4977-78 (Dawe).
- B-234A. LILCO witness Dawe testified that as designed, analyzed and evaluated, there are no non-safety re-lated components in the Shoreham plant that can defeat the safety functions of protecting the pressure boundary, achieving and maintaining safe shutdown, and mitigating accidents. Tr.
21,132-33 (Dawe).
- c. LILCO
- B-235. LILCO applies quality standards and quality as-surance to all systems, structures and components at the Shoreham plant commensurate with their importance to the safe and reliable operation of the plant. Burns et al., ff. Tr.
4346, at 50; Tr. 21,147-48 (Pollock). In the development of
-234-
- . ~ -. . . .. . . _ - - .-
N' L A .
s t
i t
( N its programs, and maintenance to b'e' applied, every piece of equipment is looked at relative to 1ts function in the plant and its impact of safety, reli' ability , operability and maintainability. Tr. 21,148 I (Pollockl.
B-236. Up until 1978, Stone & Webster field quality
' control performed first line inspections on ndn-safety related equipment at Shoreham. Field quality control (FQC) is'the'same organization that performs the inspections for safety related items. Tr. 10,103-04 (Arrington). In 1978, sole responsibili-ty for non-safety related inspections was assumed by UNICO, .the s t s-construction management organization. 'Pheviously UNICO and FQC had been performi'ng those inspections. Tr. 10,104 (Arrington).
The inspection requirements that are used by the UNICO con-struction management personnel are the same ones that were used by FQC for safety related' work. 'In fact the procedures and in- -
~
spection requirements that are used for the non-safety related equipment are reviewed by the"quylity assurance department to ensure that the inspections are appropriate for the component or process involved. Tr. 10,104-05 (Museler). The non-safety
~
related quality assurance program, known as the Construction l Site Inspection Program, is contained,in the Construction Site
~
-235-
\
~
- w. - .- .. - --__--,_
m ,
v
\
Inspection manual. Tr. 10,085, 10,105-06 (Museler).
Essentially all componente at Shoreham are inspected. Tr.
13,780 (Museler).
B-237. In the : piping area, non-safety related piping systems are designed in'accordance with industry codes. The installation of this piping is verified by construction inspec-tions. Burns et al., ff. Tr. 4346, at 49.
, B-238. Welding procedures have been developed for all plant piping systems. Welder qualification, training and
, ; testing are also required as part of the quality program for non-safety related welding on piping systems. Moreover, all weld filler material is Quality Assurance Category I. Burns et al., ff. Tr. 4346, at 49.
B-239. Where deemed appropriate, non-safety related welds are radiographed. Radiographing is generally required on all pipe with wall thicknesses over three quarters of an inch.
These inspections are done by FQC. Visual inspections by qual-
-ifiid construction supervisors are also used to assess the ade-quacy of non-safety related welds. Burns et al., ff. Tr. 4346, at 49; Tr. 10,090, 13,780 (Museler).
/
ob"
-236-J 3
s l
S
B-240. Where a particular manufacturer supplies both non-safety related and safety related valves, the LILCO Quality Assurance program audits those facilities and inspects both the non-safety and safety related types. Tr. 13,781 (Museler).
B-241. In the electrical area, construction inspec-tions on non-safety related equipment and components are required in many instances for significant components such as electrical panels. The inspections verify proper installation and proper functioning. Burns et al., ff. Tr. 4346, at 49.
B-242. All cable installed in the Shoreham plant is bought and inspected to Quality Assurance Category I require-ments. In the installation of cable, the same cable pulling criteria and termination procedures are used for both safety related and non-safety related work. The qualification re-quirements for electricians are also the same for safety relat-ed and non-safety related work. Burns et al., ff. Tr. 4346, at 49-50.
s B-243. Non-safety related control panels and switchgear, including General Electric circuit breakers, are y subject to LILCO engineering QA audits. Tr. 13,781 (Museler).
-237-
B-244. In the structural area, controls are used for the placement of non-safety related concrete, including the evaluation of samples for each concrete pour. Concrete inspec-tions are conducted by FQC. Burns et al., ff. Tr. 4346, at 50; Tr. 12,780-81 (Museler). The Construction Inspection Program also covers non-safety related installation of structural steel, insulation and painting. Id. at 50.
B-245. The main condenser and the condenser tubes were inspected by LILCO's engineering Quality Assurance Organization and Stone & Webster's procurement quality assurance at the re-quest of LILCO's project management. Tr. 13,780 (Museler).
B-246. Many of the non-safety related activities at Shoreham are inspected by the construction management organiza-tion. Activities such as concrete pours, the equipment storage program, and the document control system, including non-safety related activities, are inspected and audited by LILCO's Field i QA and Stone & Webster's Field QA organizations. Tr.
10,086-87, 13,781 (Museler).
B-247. The preoperational and startup test program for Shoreham covers non-safety related as well as safety related
-238-
structures, systems and components. Tr. 3522 (Kascsak).
"[T]hese tests evaluate the performance of components, system or systems that are involved in the plant and through the initiation of those tests we exercise the component and systems to evaluate if the component, system or systems meet the design requirements." Tr. 5520-21 (Kascsak). The quality assurance organization does perform inspections of non-safety related test activities. Tr. 10,090-92 (Youngling).
B-248. LILCO had its quality assurance organization review a number of non-safety related specifications in order to comment on the inspection and quality assurance requirements contained in those specifications. The comments of the quality assurance organization were taken into consideration, and in a significant number of cases were incorporated into the specifi-cations. Tr. 13,781-82 (Museler). The list of examples in-cluded the condensate demineralizer, transformers (including the station service transformers), the motor specification (both the 4,000 volt and the 460 volt motors), feedpump tur-bines, instrument air compressors, the main turbine generator, the radwaste solidification system, the level controllers and transmitters, and control instrumentation. Tr. 13,782-83 (Museler).
-239-
- d. NRC Staff Review of Non-Safety Related Structures, Systems and Components
- B-249. Although the NRC Staff does not conduct a complete review of quality assurance and quality standards ap-plied to non-safety related structures, systems and components, design criteria and quality standards for many structures, systems and components are found in regulatory guides, the Standard Review Plan and other regulatory guidance documents, and are required to be addressed in the Final Safety Analysis Report. Thus, these design criteria and quality standards are reviewed in the course of the NRC Staff's safety review. Speis et al., ff. Tr. 6357, at 9, 18-19; Mattson et al., ff. Tr.
20,810, at 9-10.
B-250. Thus, for systems such as the RCIC system'and the Standby Liquid Control System, which are not classified as fully safety related systems, the NRC was aware of the extent to which those systems received safety related treatment. As demonstrated in the Staff's testimony, the Staff knew that the portions of the RCIC system necessary for automatic injection were safety related and had the requirements of Appendix B ap-plied to it. They also knew that all portions of the Standby
-240-
Liqttid Control System at Shoreham necessary for the injection of sodium pentaborate are safety related. Again, this means that,the quality assurance requirements of Appendix B are ap-plied. Speis et al., ff. Tr. 6357, at 24-25.
B-251. For systems such as the rod block monitor, the feedwater control system high water level trip (Level 8 trip) and the turbine bypass system, the Staff has reviewed and approved the design features applied to these systems to ensure their safe and reliable operation. Speis, et al., ff. Tr.
6357, at 27.
B-252. In addition to reviewing specific design features and quality standards, in some instances, the NRC specifies particular quality assurance requirements to be ap-plied to non-safety related structures, systems and components.
For example, SRP 3.2.2 requires certain quality assurance standards to be applied to the turbine bypass and associated equipment. The guidance also exists that requires certain levels of quality assurance be applied to the non-safety relat-ed fire protection and security systems, and to non-safety re-lated activities such as emergency planning. Tr. 6980-81 (Haass).
-241-
B-253. LILCO is aware of the need for appropriate quality assurance to be applied to non-safety related items and has i,mplemented such a program. Tr. 6981 (Haass).
B-254. The NRC Staff has reviewed the quality standards applied to non-safety related items, as described in the FSAR, and was satisfied that they met the acceptance criteria of the Standard Review Plan. Tr. 6974-75 (Haass).
B-255. The Staff does not normally review the quality assurance program for non-safety related items. The Staff does not have criteria to be used in' preparing or reviewing such a program, and the applicant is not required to describe his specific program. Tr. 6976, 7063, 7480 (Haass); 7862-63 (Conran).
- B-256. The Staff has much more extensive knowledge of the quality assurance program applied to non-safety related items at Shoreham than it has about most other plants. The quality standards and quality assurance program for non-safety related systems, structures and components at Shoreham are commensurate with the functions to be performed and comply with the Staff's interpretation of GDC-1. Tr. 6074-78, 7909-10
-242-
(Haass, Conran), 7850 (Speis), 7124 (Haass); see 20,423, 20,428-29 (Conran).
- B-257. Thocc rccponcibic for Shcrchar were cuarc Of the cafcty cignificancc cf the itcr.c in thc cct of non-safety rel?ted structurer, syste r and co~ponent: 2t Sh0 Fehar . T r, 7700 'Conran), It is the Staff's judgment that the proper design and construction, coupled with LILCO's programs for operating the facility, demonstrate that LILCO understands what is minimally required to operate the facility without undue risk to the health and safety of the public.
Mattson et al.,
ff. Tr. 20,810, at 11.
B-258. No re-review of the Shoreham application is needed as a result of the different usages of the term impor-tant to safety. Tr. 7121-23 (Rossi, Hodges, Haass, Kirkwood).
B-259. The Staff has conducted a systematic examina-tion of the Shoreham application and determined that Shoreham meets the General Design Criteria. The two exceptions in the Staff's determination are open items still to be reviewed and a future commitment to GDC-1 for items important to safety but not safety related. Tr. 7850-51 (Speis).
4
-243-
- 4. Compliance with Regulations During Operations
- B-259A. LILCO met with the Staff to resolve the concerns that had arisen over the Denton memorandum definition of the term "important to safety." LILCO believed the wording in the Denton memorandum was too vague to determine the scope of any commitment made using such terminclogy. LILCO's intent was to provide a commitment to the NRC that would convey LILCO's functional understanding of the intent of the Denton memorandum in a way that would provide well-defined objectives to be met. LILCO did this even 'though the Company believes that in the regulatory scheme, the terms "important to safety" and " safety related" are the same. LILCO's commitment to the Staff was to accord to the non-safety related portion of the plant essentially the same quality standards and quality assur-ance approach during operations as it has during construction.
Tr. 21,045-52, 21,069 (Pollock), 21,056-58, 21,161-62 (Museler). ,
- B-259B. LILCO's' commitment to the Staff was made by letter on March 2, 1983. LILCO Ex. 69, ff. Tr. 20,654. The commitment was followed by a letter dated March 8, 1983, which '
-244-
provided revisions to the Shoreham ESAR which LILCO intends to incorporate by amendment. These revisions are typical of the FSAR, changes LILCO antends to make to meet its commitment.
LILCO-Ex. 70, ff. Tr. 20,654.
- B-259C. By its commitment, LILCO has agreed to maintain during operation, as a minimum, the safety signifi-cance accorded to non-safety related structures, systems, com-ponents and plant computer software in the FSAR, technical specifications and emergency operating procedures. Under this agreement, the charters of the Review of Operations Committee, Nuclear Review Board and Independent Safety Engineering Group will reflect these considerations. Various programs such as maintenance, design change control, procurement and modifica-tion programs as well as applicable portions of the Quality As-surance program will assure this commitment is met. The deci-sions of the Manager, Quality Assurance will also consider the safety significance of this equipment and software given it in the specified documents. LILCO Ex. 69, ff. Tr. 20,654, LILCO Ex. 70, ff. Tr. 20,654.
- B-259D. NRC witness Vollmer testified that for both safety related and non-safety related equipment, it is
-245-
important to have a system or process for identifying the important attributes of a structure, system or component and a mechanism to preserve that attribute through the life of the plant. For items that are important to safety as defined by the Denton memorandum, such a process is more important than a list. Tr.'20,840-41 (Vollmer). Mr. Vollmer indicated that this process consists of programs such as the preventive and corrective maintenance program, see Tr. 20,842 (Vollmer). Dr.
Mattson also indicated that, given that the equipment is proper today, the question becomes one of future maintenance, surveil-lance, replacement and design changes as well as operating ex-perience, see Tr. 20,872, 20,874-75 (Mattson).
- B-259E. The Staff does not consider LILCO's commit-ment al'one, without an additional commitment to adopt-the defi-
~
nition of "important to safety" from the Denton memorandum, to be an acceptable basis for licensing. Tr. 20,850-51 (Mattson).
The Staff is concerned that in the absence of agreement, there would be unnecessary confusion, improper reporting of events and interference with the NRC inspection process. Tr.
20,851-52 (Mattson). LILCO, on the other hand, did not interpret its agreement with the Staff as requiring adoption of
-246-
the Denton definition. LILCO understood its commitment to be an alternative to resolve its concerns with the definition while, providing the assurances the Staff felt it needed. Tr.
21,046-49 (Pollock).
- B-259F. LILCO believes it has agreement with the Staff as to how non-safety related equipment should be treated.
With respect to acceptance of the Denton memorandum definition for important to safety, LILCO believes the definition is ill-defined and contrary to past interpretation. If-that interpre-tation is to be applied to regul,ation, LILCO believes it should be properly pursued and determined. Then LILCO and the indus-try can be expected to abide by it. Tr. 21,067-68 (Pollock).
- B-259G. LILCO does not believe proper performance during operation is a matter of terminology, but rather of pro-grammatic control to maintain what has been achieved. LILCO has established and documented the pertinent programs and has committed to maintain those programs. The programs are defined such that someone from outside LILCO could understand them and, with knowledgeable effort, determine whether or not they were being complied with. Tr. 21,051-52, 21,151-52 (Pollock),
21,068-71 (Pollock, Rivello, McCaffrey); see Tr. 21,106-07
-247-
(Dawe, McCaffrey), 21,145 (McCaffrey). Thus, contrary to the County's assertions, Goldsmith et al., ff. Tr. 20,903, at 30-32,, LILCO's quality programs for operations are documented.
- B-259H. The County considers the Staff's proposed resolution of the safety classification issue inadequate. The County contends that the Board's issuance of an edict requiring LILCO to adopt the Staff's definition of "important to safety" during the operation phase would not address or remedy potential deficiencies in classification and quality assur-ance/ quality control implementat, ion resulting from the design and construction phase. Goldsmith et al., ff. Tr. 20,903, at 24-26. The County also asserts that LILCO's FSAR commitments are inadequate for a similar reason. LILCO relies on the safe-ty significance of equipment as reflected in the FSAR, Technical Specifications and Emergency Operating Procedures.
The County contends that these underlying documents do not sys-tematically document safety significance. Id. at 27, 28, 38.
In addition, the County argues that there is a potential for confusion given LILCO's views on the equivalence of safety re-t lated and important to safety. Id. at 28-29.
-248-
- B-259I. The Staff attributed the motivation for the Denton memorandum to the belief there was a need to clarify that there is equipment, other than safety related equipment, requiring consideration of its importance to safety. The Staff witness stated that licensees at TMI and other, unspecified plants had failed to recognize this. Mr. Denton decided to clarify that point and instructed the Staff to implement it.
Tr. 20,857-58 (Mattson). The Denton definition was written to address confusion that existed. Tr. 20,835 (Mattson).
- B-259J. The Staff wants the Denton definition of the term "important to safety" to be applied by LILCO. According to Staff testimony, LILCO's lack of use of the term in the way it is defined in the Denton memorandum has not had any practical effect on LILCO's performance to date. The Staff's concern is for future operation by LILCO. Tr. 20,833-34, 20,872 (Mattson). The Staff believes there is a potential for confusion in the future as new people become involved and the plant has to be maintained. Tr. 20,848-50 (Mattson).
- B-259K. Staff witness Mattson stated that the confu-sion problem as a practical matter was in the area of licensee reporting requirements and NRC inspection. The Staff believes
-249-
the use of "important to safety" is necessary to ensure the licensee reports important information to the NRC for safety reasons. The NRC inspection process, after the Three Mile Is-land accident, will more and more be directed to the equipment the Staff is identifying as "important to safety but not safety related." The Staff believes use of the Denton definition will provide a common basis for communication that will lead to a decrease in confusion and to better performance by the licens-ee, that is, it will make the relationship with the licensee more efficient and better from the Staff's point of view. Tr.
20,851-53 (Mattson). The Staff witness further stated that adoption of the term "important to safety" as defined in the Denton memorandum would preclude the need to go through reviews of examples in the future to conclude the licensee had made correct judgments in areas such as plant testing or reporting to the NRC. The terminology would guard against confusion.
Tr. 20,855-56 (Mattson). Despite this position, Dr. Mattson agreed the Staff has the same problems with an applicant who accepts the definition as with one who does not. In either case, the future treatment of an item to be called "important to safety but not safety related" becomes an ad hoc determina-tion. The Staff has not required any specific commitments as
-250-
to how those items would be treated or how the quality assurance would be graded. Tr. 20,857-58 (Mattson).
- B-259L. LILCO witnesses agreed that there would be confusion between the utility and the Staff if the two continue to use the term "important to safety" in different ways. Tr.
21,127 (Pollock). But adoption of the Denton definition would do nothing to avoid confusion. Without more specific guidance than has been provided by the Denton memorandum, confusion would still arise using the new definition of "important to safety." If it were stated that all items "important to safe-ty" were to be treated a certain way, it still would not neces-sarily be clear precisely what was meant. Tr. 21,127-28 (Pollock, Dawe). In any event, LILCO does not believe that the confusion in either case would affect the safe operation of Shoreham. LILCO believes it currently has in place the pro-grams to assure safe operation. Tr. 21,128-29 (Pollock).
- B-259M. LILCO witness Dawe stated that he believed the NRC could ask a utility to define a set of equipment subject to NRC requirements that would be necessary for the utility to maintain a safe plant. However, he stated that to provide what the Commission wanted to see, one would have to
-251-
I know quite specifically what the NRC intended by the request in terms of such things as functions, relationships and interac-tions. Tr. 21,133 (Dawe).
- B-259N. The definition of the term " safety related,"
as-set forth in the Denton memorandum, is straightforward with guidance given in the regulations to establish its boundary.
The boundary of the term "important to safety" as defined in the Denton memorandum is not clear. Tr. 20,845 (Mattson). It could encompass most of the plant, see Tr. 20,842 (Vollmer);
LILCO Proposed Finding B-174. ,
- B-2590. LILCO is concerned because the boundary of the "important to safety" set, as defined in the Denton memo-randum, is unclear, resulting in unclear requirements. See Tr.
20,845 (Mattson), 20,842 (Vollmer). Though current guidance documents may establish the current limits of the requirements such that adoption of the definition would have no immediate impact, the guidance documents are subject to change without rulemaking. Thus, because of the lack of definition in regula-tion, changing guidance documents could change established backfit rules. This is significant because the term "important to safety" appears in the regulations in many places. GDC-1
-252-
was discussed extensively as a context of the term "important to safety." The other regulations, including other GDC's, where,the term "important to safety" appears have not been fully considered. LILCO witnesses testified that "important to safety" has been used in many places, and has been interpreted by LILCO and other applicants to mean safety related. LILCO believes the term "important to safety," if not interpreted to be the safety related set, would become a variable set from regulation to regulation, depending on the context in which the term is used. Despite LILCO's belief that a broad interpreta-tion of "important to safety" wa's not intended by the NRC's regulations, LILCO does in practice what the Denton memorandum tries to achieve. Tr. 21,060-61 (Dawe); 21,102-05 (Pollock, Dawe, McCaffrey). Therefore, the change in terminology alone could result in significant change in regulatory requirements in the future.
- B-259P. LILCO does not believe'the identification of an item and the criteria applied (e.g., GDC 1, 2, 4) can be discussed separately. A definition of important to safety that y includes everything in the FSAR, technical specifications and emergency operating procedures might be appropriate in the
-253-
context of GDC 1, as the Staff interprets it, but it would not be appropriate everywhere the term "important to safety" appea,rs. Tr. 21,118-19 (Pollock), 21,125-27 (Pollock, Museler, Dawe).
- B-259Q. LILCO is concerned that the Denton definition of "important to safety" would be subject to varied, changing judgments on the part of NRC reviewers and inspectors. Without further criteria or clarification, there could be extensive, unproductive dialogue as to what is important to safety and what criteria are applied. Ther,e are current agreements on the treatment of non-safety related equipment. With a vague term imposed in regulations, there would be concern that individuals in the regulatory process would impose their own definition.
Tr. 21,064-65 (Museler), 21,108 (McCaffrey).
- B-259R. LILCO believes that NRC inspectors have a right to inspect areas that are non-safety related. Mr.
Pollock testified that he has never, and will not, discourage NRC inspectors from looking at any area in the plant or from raising questions on the basis that an area is not covered by a regulatory requirement. If a violation is premised on a basis that is not covered specifically by a regulation, LILCO can
-254-1 l
1
challenge it and there are proper procedures for LILCO to pursue to resolve any argument. As a legal matter, LILCO believes that there is a difference between " safety related" areas specifically covered by regulation, and non-safety relat-ed areas. A violation can be challenged on a regulatory basis or a factual basis. Tr. 21,137-38 (Pollock), 21,140-42 (Pollock, Museler).
- B-259S. The Staff acknowledges that the regulation of non-safety related equipment is an evolving process, and believes that the proper thing to do at this time is adopt the definition of the Denton Memorandum. The Staff also says that as it learns more about what is needed for equipment that is important to safety but not safety related under this defini-tion, additional requirements will be issued. Tr. 20,858-59 (Mattson).
- B-259T. The Staff thinks there are probably two concerns on the part of LILCO when faced with the request to adopt the Denton Memorandum definitions. One is practical, the other philosophical. The practical concern is the cost in-volved. Even though changes to equipment are not expected, documentation changes are involved which are costly. Tr.
-255-
_ ~ . . , - . .- .-- -- --_ --
20,871-76 (Mattson). In LILCO's case, commitments have already been made for the non-safety related equipment, so LILCO has already incurred this particular cost. LILCO witness Pollock noted that LILCO already had the programs to satisfy its FSAR commitment. Modifications to procedures will not be a signifi-cant item. Tr. 21,055 (Pollock). The philosophical concern of LILCO, and other licensees and applicants, is the question of where regulation ends once the Denton definitions are adopted.
That is a difficult question, which the Staff is not in a posi-tion to answer. Tr. 20,871-76 (Mattson). Mr. Pollock confirmed that his engineering staff was unable to predict what might happen from such a wide open commitment. It could lead to extensive consequences. Also, the commitment to the defini-tion would be too open-ended and ill-defined to audit for conformance. Tr. 21,053-56, 21,083, 21,129-32 (Pollock).
LILCO believes there is insufficient explanation for anyone to form an opinion on whether the regulations, embodying the Denton definition, were met or not. See Tr. 21,058 (Museler).
- B-259U. LILCO witness Museler testified that LILCO
, and the industry approach the reporting requirements in 9 50.55(e) and Part 21 by including in the evaluation systems and
-256-
!I i
equipment that could have an adverse effect on safety whether or not that equipment is clacrified as safety related or non-s,afety related. If the requirements of Par *, 21 are found I
to be applicable, the system or ' 'ipment is reported. Mr.
Museler stated that in his opinion, LILCO's and industry's approach, which includes an evaluation of the effect on safety j by non-safety related structures, systems and components, would not be improved by the imposition of the vague Denton defini-tion. Tr. 21,063-64 (Museler).
- B-259V. LILCO witness ,Dawe testified that the term "important to safety" as used in 10 CFR $ 50.59(a)(2) is interpreted by LILCO to be " safety related" but that this in-terpretation does not mean that LILCO does not consider whether modifications to non-safety related components should be reported if it could affect a safety related function as a result of the modification. On the contrary, Mr. Dawe testified that LILCO's interpretation does consider whether a 4 modification to a non-safety related component could affect a i safety related function as a result of that modification. Mr.
i Dawe testified that using LILCO's interpretation, a $ 50.59 review must be done on every plant modification, whether safety
-257-n.
related or non-safety related, to determine whether there is an unreviewed safety question involved. Tr. 21,136 (Dawe).
- B-259W. LILCO witness Dawe testified that an analysis to determine the applicability of the reporting requirements of 6 50.59 does not begin from a predetermined notion that the answer is dictated by whether something is safety related or not safety related. Every plant modification must be analyzed or evaluated under 5 50.59. The evaluation tells you whether a modification should be reported before the modification is made or after, but the modification is reported one way or the other. Tr. 21,146-47 (Dawe).
- B-259X. 10 CFR 50.49 addresses the environmental.
qualification of electric equipment important to safety for nu-clear power plants. The scope of this regulation, in Section 50.49(b)(2), includes non-safety related electric equipment whose failure under postulated environmental conditions could prevent satisfactory accomplishment of the safety functions specified in 10 CFR 100, Appendix A. 10 CFR 50.49, 10 CFR 100, Appendix A. LILCO witness Dawe testified that 10 CFR 50.49, issued in early 1983, was a recent regulatory change. Prior to that time, the regulatory requirement on environmental
-258-
qualification was found in GDC-4. GDC-4 is stated in terms of equipment "important to safety" and, to Mr. Dawe's knowledge, had been consistently construed both by industry and the NRC to apply only to safety related equipment. Mr. Dawe believes the new regulation, 10 CFR 50.49, is the first instance of a dif-ferentiation between "important to safety" and " safety related" in the regulations. The rule was developed in rulemaking, but Mr. Dawe also testified that in his view, while this rule is l l
specific for its own purpose, it would not assist in defining the term "important to safety" wherever else.it appears in the regulations because 10 CFR S 50.49 is specific in its context.
He also noted that the rule would achieve the same result if the term "important to safety" did not even appear in the rule.
Tr. 21,060, 21,094-96, 21,152-56, 21,163 (Dawe). Mr. Pollock contrasted the approach of 10 CFR S 50.49 with the definitions contained in the Denton memorandum and expressed his view that definition or specificity similar to that in Section 50.49 would be needed for the term "important to safety" to be intelligibly applied in the varying contexts of other regula-tions, see Tr. 21,097-98 (Pollock).
-259-
- 5. Conran Testimony
- B-259Y. At the time of his original testimony, Mr.
Conran stated that he did not believe any substantive differ-ence existed between the Staff and LILCO due to the difference in the use of the term "important to safety." Conran ff. Tr.
20,401, at 28. He also testified during the original SC/ SOC 7B litigation that LILCO did understand what is required for safe-ty. Tr. 7,749 (Conran). In an affidavit dated February 9, 1983, however, Mr. Conran changed his testimony, concluding that LILCO's failure to use the term important to safety as defined in the Denton memorandum indicated that there was a defect in LILCO's "true understanding of what is really required minimally to protect public health and safety."
Conran, ff. Tr. 20,401, at 31. During cross-examination Mr.
Conran explained that this meant that LILCO did not acknowledge that non-safety related equipment was covered by the NRC's reg-ulations. He did not mean that LILCO had failed to meet any specific requirement or Staff guidance. See, e.g. Tr.
20,619-20 (Conran). Indeed, Mr. Conran conceded that a fairer statement of his concern is that he is not sure whether LILCO accords non-safety related structure, systems and components the appropriate safety significance. Tr. 20,674 (Conran).
-260-
- B-259Z. Mr. Conran has little personal knowledge of the Shoreham plant. By his own admission, he is not an " expert reviewer" who could determine whether appropriate quality standards had been applied at Shoreham. Tr. 20,430 (Conran).
He was not an FSAR reviewer for Shoreham. Although Mr. Conran has started to review some of the questions and answers gener-ated during the Staff review process, his knowledge of them was limited. See Tr. 6,396, 20,418-19, 20,515-17, 20,527 (Conran).
He is not familiar with the quality assurance testimony given by LILCO witnesses, Tr. 20,801-02 (Conran), which included a description of quality assurance' measures applied to non-safety related equipment. He has not reviewed LILCO procedures relat-ed to the procurement of non-safety related equipment. Tr.
20,802 (Conran). In addition, Mr. Conran's experience in re-viewing any ESARs is limited to reviewing some changes made to four plants after TMI. He has never been involved in a normal plant review. Tr. 20,620-21 (Conran). With respect to operation, Mr. Conran has no personal knowledge about the Shoreham operators. Tr. 20,623 (Conran).
- B-259AA. Mr Conran's principal concern about the lack of agreement in the definition of the term "important to
-261-
safety" involved the potential impact on the operation of the plant. Conran, ff. Tr. 20,401, at 32; Tr. 20,448, 20,514 (Conran). With respect to the design and construction of Shoreham, Mr. Conran generally conceded that the plant most likely was constructed in compliance with regulations. Tr.
20,514, 20,520 (Conran).
- B-259BB. Mr. Conran could not identify a single exam-ple of a non-safety related structure, system or component at Shoreham that did not receive the appropriate quality assurance or quality standards during construction.
Tr. 20,434-36, 20,481, 20,509 (Conran). He also could not give an example of a regulatory guide that Shoreham does not meet. Tr. 20,523 (Conran). Mr. Conran testified that even given the differences in understanding of the definition, as he perceived them, it was likely that Shoreham was designed and constucted in accor-dance with the requirements and regulatory guidance. Tr.
20,434 (Conran). Mr. Conran's use of the word "perhaps" in his affidavit, where he stated that the "SRP and Regulatory Guide information can perhaps provide a "' safety net' or ' backstop',
to mitigate misunderstandings," Conran, ff. Tr. 20,401, at 32, principally reflects his lack of detailed knowledge of the
-262-
=. .
., , . - - _=. -- -
,. 7 , .
g % 4 3
\ y *,i w
- v s
% \ -
n : ~
C, . .c A .
review process. Tr. 20,430 31 (Conran). He did, however, 3 indicate that additional review might be appropriate to confirm that,no substantive differ'ences exist. Tr. 20,437-38 (Conran).
1, But Mr. Conran admitted,he was not an expert staff reviewer, Tr. 20,430 (Conran), and was not familiar with many details of ,
the SRP. E.g., Tr. 20,467 (Conran), Thhs, he does not have a strong basis'-for concluding that additional' review is needed.
s In addition, it is Unclear how i:his review would be any different than the revi w of non-safety related equipment S.
conducted during the lice'nsiqq proceeding. When asked whether -
the review would be the same sor't of review, Mr. Conran stated:
Now, not necessarily scenarios. Looking at additional parts of the plant and verifying by actual review and give and take'with the [ licensee] that the quali-ty standards that were mean,t to apply to .
that part of the plant act.uall .
met, actual]y compli~ed with[ y were ,
g .
s x\, .
Tr. 20,438-39 (Conra:5) A,1litough MS Cc . j' hg$n ans'Jer;s is un-?
h\ -
L clear, it certainly sounds '
.like what' w'as dcne dti:-ihg the liti-gation of SC/ SOC 7B.) 'q
- y' '[L % ;
s
~
. ., 2
- , 7 .,- ,
y -
w
- B-259CC. In addition to Mr. Conran's suggehtiori that .
further review be undertaken, the County has urged a couplete Y s_
. 't .-. ,
safety classificatien review. Goldsmith et'al., ff. Tr. -
o -
\
s' v
-263- -
f %
~ .
4
\s ,
N
-4 %
- 3- 6 ,
20,903, at 41-42. The Staff, however, testified that they have found no instances in which LILCO has not accorded the appro,piiate quality standards or attributes to non-safety re-t lated equipment. The Staff also testified that the review done on the record is precisely the type of review Mr. Conran seems to be advocating and the type of review the Staff, if requested to do so by the Board, would direct, but that any additional review of non-safety related structures, systems and components would not be worth the small benefit that might be gained. In Mr. Mattson's view, there is sufficient evidence to reach the findings needed to license Shoreham. Tr. 20,859-61 (Mattson);
see Board Finding B-258.
. *B-259DD. Mr. Conran stated that he was not concerned that LILCO used a different deNInition of important to safety than the Staff. The language difference has not been a problem in tbc past with other licensees.
His real concern is that LILCO does not acknowledge that there-are certain requirements under the regulations for non-safety related structures, systems and components. Tr. 20,453-54, 20,456 (Conran). Mr.
Conran believes the difference in terminology represents a dif-ference in safety philosophy. Tr. 20,455, 20,460 (Conran).
-264-1
- B-259EE. According to Mr. Conran, the difference in t
safety philosophy means that LILCO did not attach enough safety significance to a structure, system or component to concede that it was within the scope of the regulations. Tr. 20,464-65 (Conran). dut'Mr. Conran was unable to show how this asserted failure to accord adequate safety significance would have any impact on the design, construction or operation of the plant.
For example, when asked whether the safety significance of the turbine bypass could be determined by reviewing the quality i
standards applied to it, Mr. Conran stated:
Thrt'would tell you'whether or not you ihad' met requirements. That would not tell me how much safety significance you attributed to that component, s
Tr. 2C J 465 (Con,ran). He was then asked whether the Staff writes down how much safety significance should be attributed to the turbine bypass and he testified:
They [NRC] tell the public and the world that the turbine bypass has enough safe-ty significance that we cover [it] under our regulations.
3 Id. Yet when asked whether any regulation dealt specifically with what should be done to a turbine bypass, he did not know is of any. Tr. 20,466 (Conran).
-265-s 4
- ).
l l
l
- B-259FF. In Mr. Conran's view, a licensee could provide a very high level of quality for a component and still not think it was necessary for safety. The licensee could be doing it just to meet the requirements for a license. Tr.
20,470 (Conran). Mr. Conran is bothered because a licensee might not concede something is covered by the regulations, regardless of whether all appropriate measures have been ap-plied. Tr. 20,476-77 (Conran).
- B-259GG. Despite Mr. Conran's insistence that there is an important difference between utilities that accept the Staff's definition and those who do not, he provided no basis I for concluding any actual difference existed. With respect to l
quality assurance, he conceded that the Staff would not have any different information about what a licensee meant by l " appropriate quality assurance" whether or not that licensee accepted the Denton definitions. Tr. 20,499 (Conran). With respect to quality standards, Mr. Conran felt the Staff would l
[ know more about utilities that did accept the Denton defini-tions. He reasoned that the Staff does have quality standards guidance for structures, systems and components important to safety, that the Staff would know they are being applied and
-266-
that the Staff would know they were being applied because they were important enough to be required by regulation. Tr. 20,501 (Conr,an). But since the quality standards guidance Mr. Conran referred to consisted of the standard review plans and the reg-ulatory guides and LILCO was, in fact, reviewed to that guid-ance, there does not appear to be any subste.ntive difference between utilities that adopt the Denton definition and those that do not. Tr. 20,503 (Conran). Mr. Conran stated that he is concerned that given LILCO's lack of commitment to GDC 1 as the Staff understands it, the NRC Staff audit review process might not pick up any difference's in approach. Tr. 20,503 (Conran). Mr. Conran agreed, however, that the same criticism is applicable to the review of utilities that accept the defi-nition, though he did place significance on the fact that these utilities had committed to meet NRC requirements. Tr. 20,503, 20,519-20 (Conran). Mr. Conran failed to note that LILCO has committed to Regulatory Guide 1.70 and other regulatory guides and was reviewed to the SRP. See, e.g., LILCO Ex. 11 (FSAR),
Appendix 3B; Mattson et al., ff. Tr. 20,810, at 10. When_ asked a series of questions concerning hypothetical applicant A that accepted the Denton memorandum definitions and LILCO that did not, the answers were the same. See Tr. 20,769-75 (Conran).
-267-
The only difference Mr. Conran could identify was that Applicant A would concede certain actions are done because they are r,equired by the regulation, whereas LILCO would take the same actions without that acknowledgement. Tr. 20,778 (Conran). To illustrate his concern, Mr. Conran used as an ex-ample a piece of important to safety equipment that had to be replaced during operations. He believes that LILCO might not properly assess its safety significance and, therefore, might not use an adequate replacement. Tr. 20,777 -(Conran) . Mr.
Conran, however, failed to realize that LILCO has committed to replace all equipment with equip' ment that is equal to or better than the original. The installation and testing of these re-placements also must be equivalent to the original require-ments. LILCO Proposed Rindings QA-763 to -765, -767 to -769,
-773 to -776.
- B-259HH. In attempting to describe the difference between a plant that accepted the Staff definition of GDC 1 and LILCO, Mr. Conran agreed that GDC 1 contained no objective re-quirements, Tr. 20,512 (Conran). He also agreed that acknowl-j edging that GDC 1 covers any particular non-safety related l
L piece of equipment does not, by itself, result in the
-268-
application of any specific quality standard. Tr. 20,545-46 (Conran). The Staff's guidance documents, which, according to Mr. Conran, derive their authority from GDC 1, do specify specific requirements and so, in a sense, they are requirements under the regulations. Mr. Conran believes LILCO does not ac-knowledge that the guidance derives from the regulations.
Therefore, he believes this would affect LILCO's safety philos-ophy and, consequently, the safe operation of the plant. Tr.
20,512-13 (Conran).
- B-259II. Mr. Conran's only basis for concluding that LILCO may not operate Shoreham safely is LILCO's failure to concede that structures, systems and components irportant to safety, as defined by the Staff, are explicitly covered by the NRC's regulations. Tr. 20,524-25 (Conran). But to Mr.
Conran's knowledge, this difference in so-called " safety phi-losophy" has not resulted in any difference in performance.
Tr. 20,526 (Conran).
- B-259JJ. Even though Mr. Conran has expressed concern regarding the operation of Shoreham, he testified that he was not concerned about the substance of LILCO's proposal for non-safety related quality assurance for operations. Tr.
-269-
20,574, 20,770 (Conran). The nature of Mr. Conran's concern is, again, LILCO's failure to concede that certain items fall withi,n the NRC's regulations. In testifying concerning LILCO's commitments (see LILCO Ex. 69, 70, ff. Tr. 10,654), his very preliminary view was that he would like to see LILCO commit to accord non-safety related equipment the " minimum safety signif-icance given to them by the Staff as evidenced by 'the Staff view that they are covered under the regulations.'" Tr. 20,656 (Conran). While these may not be the precise words Mr. Conran would use, the recommendation does not require any substantive change to what LILCO has propose'd.
- B-259KK. In Mr. Conran's view, a system, structure or component should be classified as important to safety if, for some undefined and unknown reason or scenario in the future, it might be needed for some unknown purpose. Tr. 20,666 (Conran).
But as Mr. Minor, a Suffolk County witness whose prefiled tes-timony largely supported Mr. Conran, testified, one needs to know, among other things, the function of equipment in order to determine its classification and the quality standards to be applied. Tr. 21,012 (Minor).
-270-
- B-259LL. Though Mr. Conran criticized LILCO for not recognizing the proper safety significance of non-safety relat-ed equipment, he did not know how other utilities determined the safety significance of non-safety related equipment. Tr.
20,676 (Conran). Mr. Conran did qualify his answer by saying that "no other utility gave me an indication that they did not regard it with a certain minimum level of significance." Id.
This clarification is meaningless since Mr. Conran had already testified that he did not know one way or another whether other utilities agreed with LILCO. E.g., Tr. 20,622 (Conran).
- B-259MM. The only explanation Mr. Conran could offer for the complete lack of evidence of any negative effect on LILCO's performance to date because of LILCO's so-called " safe-
' ty philosophy" was that LILCO might only be taking actions sim-ply to get a license. Tr. 20,780 (Conran). This statement is inconsistent with other evidence that LILCO has gone beyond re-quirements in many areas. See, e.g., Board Finding B-339 (PRA); LILCO Proposed Findings QA-83 to -120 (extra programs);
QA-674, -675 (Torrey Pines).
-271-
- 6. S'ystems Interactions
- a. Consideration of Systems Interactions for Shoreham (1) Stone & Webster / General Electric Design Process B-260. LILCO Witness Dawe described the role of systems interactions in the design of a nuclear power *lant, particularly with respect to systems classification.
Early classification of systems and knowledge of classification systems are particularly useful for the designers for the interactions between systems that would be accep' table. And in fact, I think that it is true that functional interactions are particularly well-defined and avoidable by knowledge of the initial classifications of your systems.
Tr. 5021 (Dawe). Thus, systems interactions are considered in the design process. See, e.g., Tr. 5035 (Ianni) (separation of safety related and non-safety related systems in design process); 5077-78 (consideration of missi.les in design process); Tr. 5094 (human interactions considered in fire protection design); Tr. 5281 (non-safety system impact consid-ered in design of safety related scram discharge system); Tr.
7519-29 (Conran, Thadani, Kirkwood) and LILCO Ex. 11 (FSAR) ff.
-272-l 1
)
Tr. 7526 (consideration of non-safety related systems in seismic design process); Tr. 5171 (Dawe) (consideration of heavy loads).
B-261. Concern for potential systems interaction is an integral part of General Electric's and Stone & Webter's process for the design, manufacture and installation of systems, structures and components for Shoreham. Burns et al.,
ff. Tr. 4346, at 8, 20, and 56; Tr. 5020, 5037 (Kascsak), 5033 (Ianni); Tr. 5085-86 (Dawe).
B-262. The design of st'ructures, systems and compo-nents at General Electric is controlled by formal practices and procedures that establish the responsibilities of and relation-ships among each organizational unit to assure that design activities are carried out in a planned, controlled and orderly manner. Burns et al., ff. Tr. 4346, at 9; Tr. 4579, 4607 (Ianni).
B-263. Similarly, Stone & Webster employs a systematic approach to the design process to ensure appropriate considera-tion of systems interactions. As noted by the Stone & Webster witnesses, " administrative and technical procedures and
-273-
guidelines . . . cover-virtually every phase of project organization and operation. . . . Specific guidelines are is-sued on design methods, regulatory guide positions and many other licensing issues." Burns et al., ff. Tr. 4346, at 21-22.
B-264. General Electric has established a program of design interface control to provide assurance that structures, systems and components are properly designed to preclude unacceptable systems interactions. Design documents are distributed and reviewed for interface compatability by individuals both within General Electric and the plant owner and/or his agents. These documents describe what the interfacing organize.tions must know to ensure system function and avoid unacceptable systems interactions. Burns et al., ff.
Tr. 4346, at 10.
B-265. Both General Electric and Stone & Webster use design _ verification, a process of independent peer review of designs against design requirements to confirm the designers' methods and conclusions. This process specifically considers, among other things, the potential for adverse systems interac-tion in a particular design. Burns et al., ff. Tr. 4346, at 12, 24: Tr. 4632 (Ianni).
-274-
B-266. General Electric also has a program of team design review which is a broad, formal, independent evaluation of de, signs by persons other than those directly involved in a design activity. This is another process in the design process in which systems interactions are considered and addressed.
Burns et al., ff. Tr. 4346, at 13; Tr. 4635 (Ianni). Witness Ianni cited a number of examples of potential systems interac-tions identified in interdisciplinary design reviews. See, e.g., Tr. 5034-35, 5487, 5488-92 (Ianni).
B-267. General Electric, employs formal, disciplined design change procedures which help to ensure that potential adverse systems interactions as a result of design modifica-tions are identified and properly evaluated. Burns et al., ff.
Tr. 4346, at 14.
B-268. The organization of both Stone & Webster and General Electric is designed to facilitate the identification of systems interactions during the design process. Burns et al., ff. Tr. 4346, at 8, 20-21.
-275-
B-269. General Electric employs the concept of system design. This means that a group within General Electric is re-spons,ible for the design of a particular system for all BWR's.
'The organizational structure provides for control of internal interfaces b'etween General Electric systems as well as interfaces with the utility. A lead system engineer is assigned responsibility for all aspects of the design of the system, including design interfaces. Burns et al., ff. Tr.
4346, at 10-11.
B-270. Experience in designing reactors is an impor-tant factor in identifying systems interactions. By designing the same or similar plants, there is greater assurance that the design process will identify potential systems interactions.
By the same token, the operation of many similar plants also f
increases the likelihood that systems interactions are identi-fied. See Tr. 5033-36 (Ianni).
(2) Soecific Systems Interactions Studies l
l B-271. Suffolk County has alleged that LILCO has not adequately studied systems interactions at Shoreham, especially during transients and accidents. LILCO in its prefiled direct
-276-
l l
l testimony, identified a number of studies and programs that are either specific to Shoreham or pertinent to Shoreham. As discussed in more detail below, each such study or program con-
- sidered systems interactions to some extent. That some changes were made as a result of these studies does not belie the va-lidity of the design process because these studies are, in effect, a part of the design process. Tr. 5086 (Dawe). More-over, these studies are not_the only studies of system interac-l tions done as part of the design process. See Tr. 5243-45
-(Robare, Ianni) (study of-the.ECCS system). See also Tr. 5141 i
(Dawe).
[ (a) Pipe Failure and Internal Flooding l
l B-272. Stone & Webster performed these studies in the early 1970's. Tr. 5040-43 (Dawe). The effect of pipe failures i
in both safety related and non-safety related piping were stud-ied inside and outside the primary containment. The studies covered all areas of the plant. Tr. 5042 (Dawe). The dynamic and environmental effects, including flooding, that result from high energy line breaks and moderate energy cracks were deter-mined and shutdown capability demonstrated. These were studies of spatial ~ interactions. Burns et al., ff. Tr. 4346, at 56; Tr. 5043-44, 5032-53 (Dawe).
-277-
l B-273. These studies have been updated and checked as design changes on Shoreham occurred. Tr. 5041, 5061 (Dawe).
The p,ipe break study involved-the development of shutdown models. As part of the modeling, consideration was given to the automatic protection and anticipated operator actions fol-lowing a pipe break. In order to ensure that the information relied upon in the plant shutdown models would be available, walkdowns of instrument lines were conducted. Tr. 5043-44 (Dawe). The walkdowns involved engineers familiar with instrument design who gained information about the shutdown models from the systems engineer's. Tr. 5044 (Dawe).
B-274. Walkdowns were also used in evaluating potential pipe break locations. Tr. 5049 (Kascsak). General Electric conducted walkdowns within its scope of supply. Tr.
5057 (Robare).
B-275. As a result of the pipe failure studies, LILCO implemented, among others, the following modifications: a steel plate was added to the back of the concrete wall adjacent to the steam tunnel parallel to the control building to prevent spalling; in the main steam tunnel the motor operator on the RCIC injection valve was replaced with an operator qualified
-278-m m e am- -- , - - - . ~ w ,. , y -- - -
for a 340-degree steam environment; additional temperature detectors were placed in the steam tunnel to isolate main steam line drains; and safety related water-level detection was
, enhanced at the 8-foot elevation of'the Reactor Building. Tr.
5059-60,_5065 (Dawe).
(b) Missiles B-276. General Electric and Stone & Webster have stud-ied the potential for and effects of both internal and external missiles at Shoreham. These spatial interaction studies, which were conducted throughout the pe'riod from approximately 1973 to the present, were designed to demonstrate containment in':egri-ty, shutdown capability, and prevention of loss of coolant accidents given the dynamic effects associated with missiles.
Burns et al., ff. Tr. 4346, at 57; Tr. 5073-74 (Dawe, Robare).
The Stone & Webster turbine missile study was both a probabilistic and deterministic study. Tr. 5076 (Dawe). These studies did not reveal a need for any engineering or design changes. Tr. 5077-79 (Dawe).
4
-279-
(c) Fire Hazard Analysis B-277.. This spatial interaction study was conducted by Stone & Webster in 1976 and 1977 to consider plant fire areas and the consequences of fires with and without active fire protection. Burns et al., ff. Tr. 4346, at 57; Tr. 5087-5104 (Dawe). The first part of the study covers specific fire
-protection concepts such as the use of low combustible materials, fire fighting equipment, fire suppression systems, fire detection systems and the type of fire protection avail-able in various plant areas. T r,. 5089 (Dawe). The second part of the study examined specific areas of the plant, considering combustible fire loadings, area access, potential types of fires, potential indications of fire (e.g., smoky fire, hot fire), and the type of detection equipment needed. The study.
then assured that the fire detection and suppression capability that existed was adequate for the area. Tr. 5089-90 (Dawe).
B-278. The study looked at the effect of a common event, a fire, on all the equipment in a given fire area, hence the spatial interaction. It also considers whether a fire in one area would cause an interaction beyond the fire boundaries.
The study also considers human interactions in that it
-280-
i l
i l
l l
addresses the potential for plant personnel temporarily l increasing the fire loading of a particular area. Tr. 5095-98 1
d 4
(Dawe,, Kascsak).
B-279. As a result of this analysis, several minor i
changes were implemented. For example, the number of hose reels was extended in length to ensure that there would be
} double one hundred percent coverage within an area. Tr. 5100 (Dawe). In addition, an additional fire wall was installed on Elevations 43 and 63 in the Control Room Building.
Tr. 5102 (Dawe). ,
(d) Cable Separation l
B-280. Stone & Webster performed this spatial interac-tion study in 1978. Tr. 5104, 5110.(Dawe). The study demon-l strated that a fire that disabled all cables and raceways in an entire designated area would not prevent safe shutdown even as-suming a concurrent loss of offsite power. Burns et al., ff.
Tr. 4346, at 57; Tr. 5104-09 (Dawe).
B-281. The study was a comprehensive analysis of cable location and routings, and the interaction between safety re-lated cable and other components, all in the context of a
-281-
shutdown model that demonstrated how to go from hot operating conditions to cold shutdown. It utilized an " advanced," " pow-erful" and " comprehensive" methodology. Tr. 5105, 5567-69 (Dawe). Using Stone & Webster's shutdown model, a network or logic, identifying particular functions, was developed to take the plant from hot operation to cold shutdown. Once the neces-sary functions were known, the systems performing those functions were identified. The study also identified the aux-iliary systems supporting the primary systems performing the required functions. Next, each system was studied in detail to identify every component needed for the proper functioning of the system, including providing information to operators. This effort resulted in a shutdown equipment list. Using elementary drawings, raceway drawings, and computer cable schedules, all necessary cabling and its location was identified. This infor-mation was coded and put into a computer. Tr. 5106-09, 5567-69 (Dawe).
B-282. Once the information was stored in the com-puter, segments of the reactor building, both inside and outside the containment, were totally eliminated. In other words, the use of every component affected by that segment was
-282-
l assumed to be lost. Then, it was confirmed that the plant could be taken from normal operation to cold shutdown with the l remaining equipment. Tr. 5107 (Dawe). This procedure was re-peated for overlapping segments covering all parts of the reac-tor building and primary containment. Tr. 5108, 5569-70 (Dawe).
l l
l l
B-283. The methodology used in the cable separation study was also used to study instrument lines, small bore piping and a combination of cables, instrument lines and small bore piping. Tr. 5109 (Dawe). .
l B-284. Although the cable separation study and the re-l lated studies mentioned above were primarly spatial interaction l
studies, the system modeling work done as part of the studies was a functional interaction study. Tr. 5106-09, 5570-71 l
l (Dawe).
1 B-285. No plant changes were necessary as a result of this analysis. Tr. 5109 (Dawe).
-283-
(e) Failure Mode and Effects Analyses (FMEAs)
B-286. Stone & Webster conducted these analyses from 1974 through 1976, and has maintained and updated the analyses since 1976. Tr. 5113 (Dawe). These FMEAs assess interactions between redundant trains of safety related systems. An FMEA was performed on each balance-of-plant safety related control circuit. Each analysis identified all control circuit compo-nent failures that could defeat the system's function, assured that each failure mode is detectable, and assured that the single failure criterion was met. ,
Burns et al., ff. Tr. 4346, at 58; Tr. 5114-15 (Dawe). Although this study involved only safety related systems, it did cover the interfaces between safety related and non-safety related systems. Tr. 5113-14 (Dawe). Two changes were made as a result of the FMEAs: (i) the capability of a valve in the Reactor Building closed loop cooling water system was enhanced; and (ii) a redundant damper and some additional duct work was added to the ventilation system in the relay room. Tr. 5116-17 (Dawe).
B-287. General Electric has also conducted FMEA's.
See Tr. 5132 (Ianni).
L
-284-
(f) Electrical Bus Failures B-288. Stone & Webster completed this analysis in 1981 and demonstrated that, following the loss of any safety related or non-safety related electrical bus supplying power to safety or non-safety related instruments and control systems, safe shutdown could still be attained. Tr. 5121 (Dawe); Burns et al., ff. Tr. 4346, at 58. Stone & Webster looked at the entire design and at the methods available for safe shutdown and the instrumentation and control necessary for safe shutdown. Stone
& Webster looked at the power so,urces of all such equipment and showed that the failure of neither any safety nor non-safety related bus would result in insufficient instrumentation and controls and systems availability to achieve cold shutdown.
Tr. 5123 (Dawe). No changes in the plant resulted from this study. Id. at 5126.
(g) Control System Failures B-289. Stone & Webster and General Electric are conducting an ongoing Control System Failure functional inter-action study. It will identify the interactions from power sources to supplied components by looking at non-safety related
-285-
control systems that control components which then affect significant parameters of the reactor system, such as reactor press,ure, reactor level, and reactivity control. Tr. 5129 (Dawe); Burns et al., ff. Tr. 4346, at 59. The analysis looks at each power supply feeding more than one control system at a time, catalogs such power supplies, and then fails them one at a time in a cascading effect back to the main bus. Tr. 5130 (Dawe). These failures are then analyzed to determine whether the failure of the non-safety related control system sensors or power supplies will have an impact in excess of the events ana-lyzed in Chapter 15 of the FSAR.' Tr. 5131 (Dawe). The NRC Staff knows of no specific control system failures that would lead to undue risk to the public health and safety. Speis et al., ff. Tr. 6357, at 44-45.
B-290. General Electric has also conducted an analysis of BWR control system failures in the form of control system FMEA's. This analysis studied the effects of various failure modes of the pressure control system, the feedwater control ,
system and the recirculation control system. The purpose of this study was twofold: (1) to identify any transients more !
i severe than those already analyzed in Chapter 15, and (2) to l l
-286-
determine the impact of the failures on the Chapter 15 accident analyses. Tr. 5132 (Ianni).
B-291. As a result of the General Electric control system FMEA, a few significant transients were identified and are now included in Chapter 15. Tr. 5132-33 (Ianni). The study also showed that, for transients, there was always a safety system backing up the non-safety related control system.
Id. With respect to the Chapter 15 accident analyses, the failures did not have any impact. See Tr. 5133 (Ianni).
B-292. The control systsm FMEA study conducted by General Electric is similar to the Control System Failure Study being conducted by Stone & Webster. The new study will be plant specific instead of generic, but the basic BWR control system design for BWR's is essentially the same as Shoreham's control system. Tr. 5133-34 (Ianni).
B-293. The Control Systems Failure Study is not the first analysis of'non-safety related. control systems performed by Stone & Webster. Engineering analysis of these systems is done as part of the design process. For example, the instru-mentation system, the pneumatic equivalent of an electrical
-287-
control system, was-analyzed throughout the engineering process. Tr. 5140-42 (Dawe).
(h) High Energy Line Break B-294. General Electric and Stone & Webster are conducting this ongoing spatial interaction study. The High Energy Line Break study is focusing on the same set of non-safety related control systems that were assessed in the Control System Failures analysis, except that the initiating events for this latter analysis are postulated breaks in high energy lines rather than a loss 'of power source or loss of sensor. Tr. 5144-45 (Dawe, Robare); Burns et al., ff. Tr.
4346, at 59-60. This analysis looks at both the dynamic effects of the pipe break as well as the environmental effects on non-safety related components. Tr. 5146 (Dawe). The non-safety related components are not required to function; rather, General Electric and Stone & Webster are looking at their failure mechanisms, the timing of the failure mechanisms, and the effect on the recovery from the pipe break event. Tr.
5146 (Dawe).
-288-
B-295. The applicable acceptance criteria for the study allow non-safety related components to fail so long as safe shutdown may thereafter ise safely achieved without incur-ring effects more significant than the transients in Chapter
- 15. Burns et al., ff. Tr. 4346, at 59-60; Tr. 5146-47 (Dawe). ?
(i) Probabilistic Risk Assessment B-296. Although not specific to Shoreham, PRAs have been performed by General Electric at Limerick on a BWR4/ Mark.
II plant and for GESSAR, a BWR/6 standard plant with a refer-ence Mark III containment. Tr. 5147-48 (Robare); Burns et al.,
ff. Tr. 4346, at 60. These PRAs include consideration of systems interactions. Because of the generic similarity between the Limerick and GESSAR plants to Shoreham, the posi-tive results of these PRAs are generally applicable to Shoreham in that no generic changes were needed as a result of these PRA's. Burns et al., ff. Tr. 4346, at 60; Tr. 5149-53 (Robare), 5154, 5164-65 (Ianni), 5161 (Dawe). Moreover, since there were no atypical or unusual systems interactions i
s contributing significantly to overall risk in the Limerick PRA, it is an indication that the General Electric design process adequately considered systems interactions. Tr. 5154 (Ianni),
5798-803, 5805-07 (Kascsak), 6002-04 (Joksimovich).
-289-
- . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ J
B-297. The methodology for the Limerick PRA was very similar to that of the Shoreham PRA. Tr. 5771 (Burns). Al-though.LILCO did not do a detailed comparison of all aspects of the Limerick and Shoreham PRA's, a number of the witnesses were generally familiar with the Limerick PRA. See, e.g., Tr. 5149 (Robare), 5150 (Ianni), 5154-60, 5526 (Kascsak). In addition, other LILCO personnel have reviewed the Limerick PRA and met with personnel from Philadelphia Electric to discuss the results. Tr. 5526-27 (Kascsak).
(j) Heavy Loads ,
B-298. Stone & Webster conducted this spatial interac -
tions study to ensure that there is no unacceptable impact on safety related equipment if a heavy load is dropped. Tr. 5171 (Dawe); Burns et al., ff. Tr. 4346, at 60. -The Heavy Load study involved the compilation of engineering and design data already available to Stone & Webster in a report that can be matched directly to NUREG-0612. Tr. 5171 (Dawe). At the time of the hearings on this issue, no changes had been made to the i plant as a result of this study, nor did Stone & Webster antic -
ipate that any changes would be made upon completion of the study in August 1982. Tr. 5172 (Dawe).
-290-
,e l 's %
- [ t.
, t r ~?
s w
(k) Protection SystemsL*~ ' ah i ,. ~ N a 2 B-299. GeneralElectricc}onductedthisstudyin1970. %
I O
It ev'aluated the BWR 4 reactor protection system, ECCS, a,nd'rea 4 -
t actor isolation system--in other words, all of the major safety systems in the nuclear steam supply--to ensure that the design k
complies with the Oequirements of IEEE-279.
s Burns et al., ff.
Tr. 4346, at 63; Tr. 5227-28 (Robare). The Protection Systems study, which used FMEA's, also considered any interactions that might occur between safety systems and the control grade systems. Tr. 5228-l'h,.-(Robare) . , The study focused primarily on q, ,
s
- g functional syskems inthrActions', ith significant emphasis on ,
human interac'tions. T r.,. 52'30 ( Rob are ) ,.,(
,, , 7, -
a
' % t. 'y B-3OO. IEEE-279 sis a primary ' design requirdaent tool -
t
- g r k \
utilized in designing /'hase, protection system.s.
i t Whene,ver i 4*
. s.
system design changes are considered, continued compliance with IEEE-279 is reviewed. Tr. 5232 (Robare).
B-3Ol. Although the Protection Systems study was a ge-neric study, it is directly applicable to Shoreham and is ref-erenced in the Shoreham FSAR'I,7{n. 5230 (Robare).
. - Individual k N T.-
plant differences are addressed in k.herreport. . , .
Tr. 5232 a
(Robare).
w s
Y
% u ,
-% % s ,
, -291- N 1
'5 Fa ,
t (1) Scram Reliability B-302. General Electric studied the effects of both rando'm and common cause failures on scram reliability for the BWR 4 using a. failure modes and effects analysis of all contributing components. Scram Reliability is a study of func-tional interactions among the components and systems that affect the ability to scram. Burns et al., ff. Tr. 4346, at
- 63. Human interactions were also considered. Tr. 5249 (Robare).
3-303. Although generic' ally prepared for the ATWS concern, the studies and resulting conclusions of this report are directly applicable to Shoreham since the reference plant utilized b.g ounded the Shoreham ATWS situation. Tr. 5248 l _. %
s S;
.< ~
(Robare), "
t
'y ;\
^
t
\ 3, % x,
.B-304. There was extensive cross-examination on the
\
validity of this study in light of the partial failure to scram
\-
event at Brow;1h Ferry. Tr. 5248-5318. As a result of that cross-examination, it became apparent that (a) it has not been established that tile Browns Ferry event involved dependent s
, s.
s f ailures', Tr. 5270-71-[?dcGuire); (b) the Browns Ferry event
, s 3 -292-p y
- i t,
a
?w t s
w I
t (i.e., scram discharge volume failure) was considered in this study, Tr. 5266, 5285 (Robare); and (c) the study did not recommend changes to reduce the Browns Ferry event because of its 10w probability, Tr. 5266-67 (Robare).
B-305. The Browns Ferry event does not mean the meth-odology/used in this study was' invalid. Tr. 5285-86, 5302
~ /
( Robare ) ..' The studies do'not show that no possible common mode failure exists but rather that the probability of such failure t o is quite low. Tr. 5286-87, 5266 (Robare). The principal reason-that the study underestimated the Browns Ferry event was due to a lack of data, not failure of the methodology. Tr.
5311 (Robare).
(m) Common Mode Failures in Protection and Control Instrumentation B-306. General Electric studied the BWR 4 response to various op.erational transients and accidents in the presence of common mode failures that result in loss of the primary protection system initiation signals. The Common Mode Failures in Protection and Control Instrumentation study utilized the systematic methodology of the Nuclear Safety Operational Analysis to evaluate potential systems interactions. Burns et
-293-
l a l ._ , ff. Tr. 4346, at 64. This study is a systems interaction i study since it evaluated the consequences and sensitivity of l
l multiple systems signal failures (common mode failures) on the reactor protection system. Tr. 5325 (Robare). Although gener-ically prepared, this study is directly applicable to Shoreham since it evaluated a typica', worst case plant, thus bounding the consequences for the Shoreham-type design. Tr. 5321 (Robare). No changes were necessary as a result of this study.
Tr. 5329 (Robare).
(n) Water Level Instrumentation B-307. General Electric studied the systems interac-l tions relative to Shoreham reactor dater level measurement.
l This study systematically addressed both the causes and effects of potential water level measurement errors due to heatup of l the water level sensing lines. Burns et al., ff. Tr. 4346, at
- 64. The study concluded that the water level instrumentation l
- system at Shoreham had been adequately designed for this type of interaction and that no design or procedure changes were necessary. Tr. 5336 (Robare).
-294-
9 I. -
(o) TMI-2 Implications B-308. General Electric performed this study in con-nection with the BWR owners group shortly after the TMI accident in 1979. The TMI-2 Implications study focused on BWR 4 system performance following accidents and operational tran-sients in light of the TMI-2 experience. Tr. 5384 (Robare);
Burns et al., ff. Tr. 4346, at 64. This study included numerous specific systems interactions analyses, including a loss of feedwater transient with degradation of coolant injec-tion system, a loss of feedwater,with a stuck-open relief valve, a loss of feedwater and stuck-open relief valve with auto RCIC only, a loss of feedwater and stuck-open relief valve with a manual HPCI and manual RCIC only, and a loss of feedwater with stuck-open relief valve with HPCI and RCIC unavailable. Thus, the study analyzed numerous combinations of multiple failures, operator errors, and consequences of those
! multiple failures, including the interactions. The basic tech-nique utilized was the computer simulation of vessel parameters similar to that performed in Chapter 15 accidents and tran-sients. Tr. 5385-86 (Robare). No changes resulted from this study, which demonstrated the adequacy of the Shoreham protection systems. Tr. 5400 (Robare).
-295-
(3) Preoperational Testing B-309. LILCO's comprehensive preoperational and startup test program will, among other things, verify that ad-verse systems interactions will not occur. The program defini-tion and methods are Shoreham specific. The preoperational and startup test programs are described in detail in Chapter 14 of the ESAR. Burns et al., ff. Tr. 4346, at 61; Tr. 5206 (Kascsak).
B-310. The Shoreham testing program starts with the checkout and initial operation tbsting, which includes detailed checks of components, wiring, instruments, motors, valves and pumps. Tr. 5206 (Kascsak). In addition, individual preoperational system tests evaluate whether the system meets performance requirements and was constructed in accordance with design documents. Supporting systems are also evaluated, including adverse interactions. System operating procedures are evaluated, including their human aspects. Tr. 5207 (Kascsak). Integrated tests evaluate the overall performance l
of the plant. Tr. 5207-08 (Kascsak).
-296-
B-311. The integrated electrical test is an example of this type of test that will be performed before fuel load. It will verify that Emergency Core Cooling Systems and the emer-gency power sources perform their design functions in various degraded modes of electrical power distribution. A LOCA signal is simulated, and the test verifies that ECCS and diesel gener-atore perform their design functions in various electrical lineups. Another example is the test that assumes a loss of offsite power and verifies that, with the loss of non-safety related electrical buses and their associated systems and controls, the Reactor Protection' System will prevent violation of neutron flux and thermal power limitations. Burns et al.,
ff. Tr. 4346, at 62.
B-312. Following preoperational testing, LILCO will perform a power ascension test program under which major testing will be done at approximately 25, 50, 75 and 100 percent power. This program will verify the behavior of the various interacting plant systems during integrated operation under various conditions of power and flow. Burns et al., ff.
Tr. 4346, at 62-63.
-297-t
B-313. Consideration of systems interactions is an in-tegral part of this testing program. Test engineers consider spatial, functional and human interactions. See, e.g., 5207, 5210-11, 5520-21 (Kascsak), 5215-16 (Ianni).
(4) Continuing Review of Systems Interactions for Shoreham B-314. LILCO has established a full-time, on-site In-dependent Safety Engineering Group (ISEG), which will perform in-depth reviews of plant operating characteristics, programs and experiences at Shoreham and at other nuclear power plants.
These will include a review of Licensee Event Reports (LER) generated at Shoreham, and Significant Event Reports (SER) and Significant Operating Experience Reports (SOER) developed as a result of the Institute of Nuclear Power Operations (INPO)
SEE-IN program. This program, which was endorsed by the NRC (see Generic Letter No. 82-04), provides a mechanism for central collection and screening of all events from both U.S.
and foreign nuclear plants. ISEG review of the SER and SOER will identify any incidents involving systems interactions.
These will be evaluated for applicability to Shoreham and for assessment of whether any corrective action is appropriate for
-298-
Shoreham. Burns et al., ff. Tr. 4346, at 61; Tr. 14,450 (Alexander).
B-315. ISEG also has established, at the recommenda-tion of the Shoreham PRA peer review committee, a program to review and evaluate LER's for a surrogate plant. Tr. 5201 (Kascsak). The Fitzpatrick plant was selected as this surro-gate plant for a number of reasons: it is a General Electric BWR-4, it was designed by Stone & Webster, and it has been in operation for a number of years. Tr. 5203 (Kascsak). LILCO witness Kascsak testified that L,ILCO would implement a program to promote ISEG's sensitivity to systems interactions as part of this LER review program. Tr. 5524 (Kascsak), 14,477 (McCaffrey).
B-316. ISEG has other activities which will make it effective in identifying and analyzing systems interactions.
The ISEG Group Leader attends the PRA review meetings and has had discussions with Dr. Joksimovich of NUS to develop a sensi-tivity to systems interactions. Tr. 14,383 (McCaffrey). ISEG will review a wide range of activities or items which could affect the safe or reliable operation of the plant. The scope of ISEG's work will not be limited to " safety-related"
-299-
l l
l l
4 l
equipment. Tr. 14,477 (Alexander). ISEG performs plant walk-throughs to determine, among other things, if there are potential systems interactions. Tr. 14,537 (Alexander).
- b. Staff Review and Requirements
- B-317. The Staff position is that, within the existing regulatory framework, the systems interaction concern is addressed by evaluating plant designs against well-established deterministic requirements and criteria embodied in existing regulatory guidance documents (e.g., Regulatory Guides and the 1
Standard Review Plan). These cu'rrent requirements are founded on the principle of " defense in depth;" and they include l
l provisions for design features such as physical separation and functional independence of redundant safety systems, as well as other measures that provide protection against hazards such as pipe ruptures, missiles, seismic events, fires and flooding.
Also, the Quality Assurance program that is applied during the design, construction and operational phases for each plant provides additional assurance in this regard by helping to prevent inadvertent introduction of adverse systems interac-tions contrary to approved design. Thus, although there is no explicit requirement for a dedicated, comprehensive systems
-300-
interaction analysis of plant designs, and although there currently exists no well-defined, documented methodology for systematic analysis of plant designs for systems interactions, the existing regulatory framework provides reasonable assurance against many types of potential systems interactions. Speis et al., ff. Tr. 6357, at 35-36; Mattson et al., ff. Tr. 20,810, at 3-5.
- B-318. The current Staff position with regard to systems interactions is reflected in a recent letter (dated February 12, 1982) from William ,J. Dircks, Executive Director for Operations to Paul Shewmon, Chairman, Advisory Committee on Reactor Safeguards (ACRS), regarding an ACRS recommendation that some additional systems interaction requirements be im-posed immediately on licensee /appliqants:
NRR continues in the confidence that current regulatory requirements and pro-cedures provide an adequate degree of public health and safety.
l In addition, a program has been initiated to address these questions and has progressed significantly over the past few years. However, The NRC Staff has affirmed repeatedly on numerous occasions (such as the one noted above) its view that,
-301-
until the generic program is completed and provides the basis for making an orderly decision regarding the possible need for additional systems interaction requirements, reasonable assur-ance of public health and safety is provided by compliance with current requirements and procedures. Speis et al., ff. Tr.
6357, at 36-7; Mattson et al., ff. Tr. 20,810, at 3-4.
- B-318A. On February 9, 1983, James H. Conran, Sr.,
one of the Staff's witnesses on Suffolk County Contention 7B, submitted an Affidavit (Conran ff. Tr. 20,401) modifying his views, expressed in the Staff's earlier testimony on Contention 7B (Speis et al., ff. Tr. 6357), regarding Unresolved Safety Issue A-17, Systems Interaction. In the Staff pre-filed testi-mony, Mr. Conran had concurred with the views of the other Staff witnesses that USI A-17 was confirmatory in nature and that, pending completion of an ongoing generic program for its resolution, reasonable assurance of adequate protection of the public health and safety was provided by the Commission's cur-rent regulatory requirements and procedures. Speis et al., ff.
Tr. 6357, at 36-37. That testimony had also outlined the Staff's program to resolve USI A-17, and the means by which ex-isting regulatory structures and requirements accounted for many types of potential systems interactions. Id. at 34-42.
-302-
l l
l 1
l l
- B-318B. Mr. Conran's affidavit expressed his concern l that the Staff's efforts at resolution of USI A-17 were neither suffi,cient to resolve the issue on the schedule currently pro-posed nor consistent with his view of the importance or '. I A-17. Mr. Conran believes that both the deterministic analyses required by current regulatory requirements and use of I
l Probabilistic Risk Analysis (PRA) require supplementation by i more systematic systems interaction analysis before they "can be applied with the improved confidence sought in reactor li-censing today." Conran, ff. Tr. 20,401, at 26. See also Tr.
20,781.
i *B-318C. Mr. Conran's expressed concern about the res-l j olution of USI A-17 was generic to all plants and was not Shoreham specific or unique. Tr. 20,696-97. He agreed that j systems interaction studies had been conducted on numerous l
safety-related systems at Shoreham, though with only one ex-l ception he had not reviewed them, along with a PRA. Tr.
20,700-04 (Conran). He stated that he would not have reserva-tions about issuance of an operating license to Shoreham in the i
face of the unresolved status of USI A-17, except for a "possi-ble synergistic-type consideration" arising from LILCO's
-303-
treatment of safety classifiction terminology. c onran, ff. Tr.
20,401, at 26-27; see also Tr. 20,704-08. Solely because of this, Mr. Conran expressed reservations about whether LILCO had satisfactorily analyzed potential interactions between safety related and other structures, systems and components, and thus a
whether Shoreham met the tests for licensing under the North Anna case 46/ as long as USI A-17 remained outstanding. Tr.
20,782-83. He acknowledged that if his concerns about LILCO's safety classification terminology were resolved, LILCO had performed sufficient additional systems interaction studies that, in combination with the PRh, LILCO would have satisfacto-rily addressed his generic concern about USI A-17. Tr.
20,782-84.
- B-318D. The other Staff witnesses did not share Mr.
Conran's reservations. They testified that they believed that the Commission's current regulatory structure provided an adequate basis for licensing, that USI A-17 was confirmatory in nature, that a program and schedule existed for its resolution, that satisfactory progress was being made under i and that in i
46/ Virginia Electric and Power Company (North Anna Nuclear Power Station, Units 1 and 2), ALAB-491, 8 NRC 245, 248 (1978).
-304-
the meantime an adequate basis existed under the Commission's regulations for continued licensing of reactors. Mattson et al.,,ff. Tr. 20,810 at 8; see also Tr. 40,813-14. They explic-irly confirmed the Staff's previous testimony on this matter, originally sponsored by Mr. Conran alone (Speis et al., ff. Tr.
6357, at 35-42), and stated that it had not been altered by Mr.
Conran's affidavit or for any other reason (Mattson et al., ff.
Tr. 20,810, at 3; see also Tr. 20,815-17).
- B-318E. The Staff also testified that LILCO had used Regulatory Guide 1.70, " Standard, Format and Content of Safety Analysis Reports for Nuclear Power Plants" and other applicable Regulatory Guides in the preparation of its FSAR. Mattson et al., ff. Tr. 20,810, at 10. They also stated that their review, based on the Standard Review Plan, satisfied them that despite differences in systems classification terminology, systems had been properly treated and qualified, that appropriate quality standards and quality assurance require-ments had been applied to those systems, and that no substan-tive difference exists between the Staff and LILCO on these l
issues. Id. Thus, fulfillment of the Staff's normal regulato-ry requirements provides a basis for licensing while USI A-17
-305-
is pending. Id. at 12-13. See also Tr. 20,822-23 (Rossi),
20,831-32 (Mattson).
- B-318F. The Staff witnesses reaffirmed that USI A-17,
'though not unimportant, was confirmatory in nature. Tr.
20,862-63 (Thadani). As the Staff witnesses explained, one as-pect of its confirmatory nature was that it entailed review of a nuclear plant as a whole, by contrast with other USIs which involve review of a specific area, such as water hammer or control systems interaction. Tr. 20,862, 20,880 (Thadani). In addition, in the time since the identification of USI A-17, other regulatory requirements and various analytical efforts (systems interactions studies, PRAs) have led the Staff to l
conclude that most significant interactions have been identi-fied. Tr. 20,862 (Thadani). In addition, while the generality of the systems interaction issue has hampered direct evaluation l
of it, various developments, such as changes in design, in the contents of the Standard Review Plan and other regulations, and in analytical techniques, have "[ begun] to fill in the concern." Tr. 20,863-64 (Mattson). The upshot, as Dr. Mattson noted, is that:
-306-
Another way of saying it is that it is easier today to make the North Anna finding [than]
when the North Anna decision was first made because there's progress in each of these areas, and the question becomes for the unresolved issue when do they cease to become unresolved simply because other changes have fixed the problem, while the grappling was going on, trying to get ahold of the thing in j all of its ramifications for all of the designs sort of big picture level.
Tr. 20,864-65.
- B-318G. A wide variety of systems interaction analyses have been performed for Shoreham, including a PRA.
Board Proposed Findings B-271 to,-308. These analyses go be-yond the minimum requirements of the Commission. E.g., Tr.
20,869 (Thadani).
- B-318H. Properly designed systems interaction studies do not, and LILCO's did not, arbitrarily discriminate between safety related and non-safety related structures, systems and components in their analysis of potential interactions. Tr.
20,828-29 (Thadani); see Board Proposed Findings B-260 (systems interactions generally), B-368 (PRA). As a result, the potential effect of safety systems classification on the results of such studies is eliminated. Suffolk County witness Goldsmith also agreed that valid systems interaction studies
-307-5
could be perfomed without reference to systems classification taxonomy, and that adoption of the "Denton Memorandum" on "im-portant to safety" terminology was not necessary for this result. Tr. 20,927-28 (Goldsmith). Thus, Mr. Conran's concern about potential " synergy" between the systems classification issue and the systems interaction issue is without basis at Shoreham. Tr. 20,828-29 (Thadani).
- B-318I. The length of time expected to be required for resolution of USI A-17 varied among the witnesses. The Staff's prefiled testimony estimated completion by October 1984. Mattson, et al., ff. Tr. 20,810 at 7.
Mr. Conran testified that he expected resolution of USI A-17 to slip from the current schedule despite good faith efforts and the conceded absence of intentional misestimates and that he ex-pected it to require another four to five years. Tr. 20,789, 20,791. Staff witness Thadani testified that satisfactory progress was being made toward resolution of USIA-17, espe-cially in recent months (Tr. 20,813-14).
- B-318J. Staff witnesses do not believe that being able to make the North Anna findings for Shoreham requires being able to adhere to the current schedule for resolution of
-308-
USI A-17.- Tr. 20,868 (Thadani). In the case of Shoreham, given the extra analyses performed by LILCO which go beyond the NRC's, requirements, witness Thadani would not be troubled if USI A-17 were not resolved for five years after Shoreham received an Operating License. Tr. 20,877-78 (Thadani).
Witness Coffman, without dissent from the other Staff witnesses, went even further and stated unequivocally that safe operation of Shoreham "pending the unresolved nature of A-17 is not tied to the schedule of the resolution of A-17." Tr.
20,878-79 (Coffman).
- B-318K. .Suffolk County filed testimony which supported Mr. Conran's position on systems interaction. Gold-smith, et al, ff. 20,903, at 1-22. First, that testimony supported Mr. Conran's arguments that USI A-17, even if confirmatory in nature, is not unimportant and that "inade-quate" progress has been made to date toward its resolution.
Id. at:1-16. Second, the testimony also asserted that " weak-nesses" -- failures to cover various potentially adverse systems interactions -- have been identified with respect to the SRP by plant-specific systems interaction studies, and that therefore the Staff's normal licensing review does not
-309-
adequately assure plant safety pending final disposition of USI A-17. Id. at 16-20. Finally, the County argued that further systems interaction studies need to be done at Shoreham prior to licensing. Id. at 20-22.
- B-318L. The County's first argument, concerning the nature, significance and history of USI A-17, presents nothing significantly different from the material in Mr. Conran's affi-davit. See Board Proposed Findings B-318A, -318B. It is sus-ceptible of resolution in the same fashion as Mr. Conran's arguments on this subject. ,
- . *5-318M. The County's second argument, asserting deficiencies in the normal licensing process attributable to the pendency of USI A-17, is also similar to material presented to Mr. Conran, and is susceptible of analysis in much the same fashion. See Board Proposed Findings B-318D to -318F. In addition, the Watts Bar (Sandia) study, primarily discussed by the County, is for a PWR, and is thus not directly applicable to a BWR or the BWR SRP. In any event, the Sandia/ Watts Bar study concluded that the plant was adequately protected for li-l l censing. Tr. 1683-84 (Minor), 20.925 (Goldsmith). Thus, the County's argument based on one existing study is not
-310-
necessarily probative of any weaknesses in the standard BWR SRP as applied to Shoreham.
- B-318N. The County's final argument, that individual-plant systems interaction studies need to be performed for Shoreham, is largely answered by the studies including the PRA, that LILCO has had performed. Board Proposed Findings B-318G,
-318H. Suffolk County witness Goldsmith agreed that those studies together could display functional interactions though he did not personally know whether they had been so constructed. Tr. 20,975-77, 20,979-80 (Goldsmith). ,
Thus, the upshot of the County's testimony appears to be that LILCO's studies to date could largely satisfy its concerns and the County's witnesses were not sufficiently knowledgeable to assert that their concerns had not, in fact, been met.
- c. Examples of Systems Interactions Cited by Suffolk County (1) Water Level Instrumentation (Pilgrim)
B-319. The SC/ SOC testimony cited the reactor water level system as an example of a safety related system that could be adversely affected by the failure of a non-safety re-lated system. Goldsmith et al., ff. Tr. 1114, at 42-47.
-311-
SC/ SOC cited an event that occurred during a plant shutdown at the Pilgrim Nuclear Power Station. Low RPV Level coupled with high drywell temperatures caused by inadequate drywell cooling resulted in reference leg flashing. Id. at 46. The water level system at Shoreham has been adequately designed so that interactions of this type will not jeopardize plant safety.
Burns et al., ff. Tr. 4346, at 150. The water level indication system is classified as safety related. Tr. 4841 (Robare).
B-320. General Electric has conservatively evaluated the loss of drywell coolers and many steam line break accidents to establish the worst case scenario that could cause water level instrumentation errors from reference leg boil-off. The worst case postulated scenario would be a small break LOCA, an automatic depressurization and scram, followed by an operator error of turning off the ECCS system. Even for this worst unacceptable case, resulting in the maximum level error, the operator would have sufficient time to reinitiate ECCS and prevent core uncovery. Burns et al., ff. Tr. 4346, at 156-57; Tr. 4834, 4856 (Robare); Speis et al., ff. Tr. 6357, at 28.
-312-
B-321. It is highly unlikely that the operator would allow this situation to develop since it would require that he erron,eously turn off the ECCS and also violate operating proce-dures that require him to maintain reactor level in the normal indicated water level range. Burns et al., ff. Tr. 4346, at 157.
B-322. The potential for reference leg boil-off was considered in the original design for Shoreham; both Stone &
Webster and General Electric were aware of the so-called
" Pilgrim" concern before it occurred. ,
Tr. 4836-38 (Dawe).
The water level instrumentation system was judged to be fully adequate since that interaction was of minimal safety signifi-cance. Tr. 5581 (Robare). Additionally, the drywell cooling system has been improved extensively at Shoreham to reduce greatly the probability of high drywell temperatures that could affect water level instrumentation errors. Tr. 5584 (Dawe).
The drywell coolers are provided with on-site power supplies to ensure operation in case off-site power is lost. Tr. 4945 (Robare).
-313-
B-323. The equipment in the drywell that is required for safety related functions is designed to tolerate much higher temperatures than could result from improper operation 4 of the drywell coolers. Tr. 4840 (Dawe). Drywell temperature is monitored in the control room and is governed by technical 1
specifications. Burns et al., ff. Tr. 4346, at 153.
B-324. Considering the limited number of events that can cause such water level instrumentation errors, the number of operator errors that must be made and the conservative analysis assumptions in evaluating the consequences, the Shoreham design is adequate to deal with reference leg boil-off concerns. Burns et al., ff. Tr. 4346, at 158.
(2) Water Level Instrumentation (Michelson)
B-325. A January 20, 1982 NRC memorandum from Carlyle Michelson to Harold R. Denton transmitted a study entitled
" Safety Concern Associated with Reactor Vessel Level Instrumen-tation in Boiling Water Reactors." Suffolk County Ex. 1, ff.
Tr. 5373. The memorandum suggests that a leak or break in a water level system reference leg combined with an additional active single failure might result in a plant condition with
-314-
inadequate protection system availability. The memorandum ,
states that "although we do not consider the postulated control system or protection system interaction an immediate concern, we do consider that the safety concern and associated problems need to be addressed." Id.
B-326. A subsequent memorandum from Harold R. Denton to Carlyle Michelson, dated October 30, 1981, LILCO Ex. 13, ff.
Tr. 5496, in response to a draft report on the subject, stated in part that, "the unaffected protective channels are suffi-cient to provide all protective functions. On this basis, we determined that the concern raised in the report does not require any immediate licensing action." Id.
B-327. The Shoreham plant has been specifically ana-lyzed by General Electric for a reference leg break or leak and a concurrent worst case single active failure. In all cases, the plant would scram automatically, and in the worst case it would be necessary for the operator to initiate RCIC 10 minutes after the break. Tr. 5360, 5368 (Robare). There is no fuel failure for this scenario. Tr. 4849 (Robare). This worst case scenario makes some conservative assumptions: the break must occur outside containment, no credit is taken for operator
-315-
~
l action for 10 minutes, and maximum boiloff rates and no other water sources are assumed. Tr. 5365-66 (Dawe).
B-328. The water level reference legs are safety grade. Tr. 7694 (Kirkwood). i B-329. Upon evaluation, the NRC did not consider the Michelson scenario to be extremely significant since an auto-matic reactor trip occurs and the operator has a sufficient amount of time to act prior to core uncovery. Tr. 6866 l (Hodges).
B-330. In this situation the operator has been trained to take the proper action and is not'likely to be confused.
Tr. 7844 (Hodges). Even for this worst case, the core would still be covered with two feet of water when the operator ini-tiates RCIC. Tr. 5363 (Robare).
B-331. General Electric considered this possible system interaction in the original water level design effort in the sixties and made a conscious decision to implement the Shoreham type design since protection functions would not be significantly impaired. Tr. 5582 (Robare).
-316-i I
i B-332. The Michelson scenario is not a safety concern for any SWR. Tr. 4851 (Robare). Although a reference leg break would cause a systems interaction, it would not be an ad-verse interaction since protective functions are available to prevent an unsafe condition. Tr. 4845 (Robare).
- d. Systems Interactions Methodologies and the Shoreham Probabilistic Risk Assessment (1) Background B-333. Long Island Lighting Company has initiated a probabilistic risk assessment (PRA) of the Shoreham Nuclear Power Station to provide added assurance that the health and safety of the public are protected. The FRA has numerous ap-plications, including the evaluation of potential systems in-teractions. Burns et al., ff. Tr. 4346, at 86.
B-334. The PRA methodology is a systematic approach to the identification of postulated accident sequences and the failures which can cause these accident sequences. The tech-nique used in the Shoreham PRA to evaluate system response dur-ing postulated accidents is event tree / fault tree methodology.
The PRA involves the assessment of the plant far beyond the design basis, and is used to assess the ultimate capability of
-317-
the plant to protect the public. Burns et al., ff. Tr. 4346, at 87.
Tr. 4346, at 100. There is no other formalized methodology in use today or projected by the NRC to be available in the near future in order to address systems interactions issues in a comprehensive manner. Speis et al., ff. Tr. 6357, at 42.
Burns et al., ff Tr. 4346 at 100; Mattson et al.,
ff. Tr.
20,810, at 6-8.
B-336. There is no regulatory requirement that an ap-plicant for an operating license perform a PRA. Nor are PRAs routinely required by the NRC Staff. Speis et al., ff. Tr.
6357, at 31-32.
B-337. The NRC Staff policy on PRAs was described by NRC witness Thadani. The basic policy docuuent is SECY 81-25,
" Performance of Probabilistic Risk Assessment or Other Types of Special Analyses at High Population Density Sites." This document classified 93 reactor sites as a function of the
-318-
i t
3 T s i {, ?
\' . >
-- L '. t 5 %
3 ,
^
]
4 pctentially exposed populatica. as average, ,cheve' average,
% g
',x i ,
T .
substantially above ave r a03., below hverage ahd substantially s <
below average. Shoreham was one of the sites in the above av-erage category. Tr. 6454-55 (Thadank). ,Nevertheless,.the NRC Staff did not ask or require LILCO tC' do a PRA for Shorcham. -
i %
Tr. 6455-56 (Thadani). ; 7' .
j y
B-338. The NRC Staff' believes that PRAs are not needed to demonstrate compliance with regulations. Tr. 6464-65 (Thadani). ,
'g .
l LILCO voluntarily decided to conduct the PRA s B-339. ,
( '
for the Shoreham plant in order to (a) assess the Shoreham -
emergency plan, (b) perform an independent design verification ,
,,to ensure that there were no elements of the Shoreham design
\
that contributed disproportionately to risk, and (c) develop -
s reliability / risk analysis capability within LILCO. Burns g s
\ ..
~
al., ff. Tr. 4346, at 120: Tr. 5811, 5635 (Kascsak); see Tr. '
s<
6455-58 (Thadani). -( ,
s s
. B-340. The'part of the Shoreham PRA pertinent.to -
s ; .
systems interactione pas performed for LILCO by Scien'ce Appli- i' cations, Yrp . (SAI). LILCO witness Dr. Edward T. Burns.tas the
\' i 4._,
s 5 -319- A s % t i
j % **
9
.g s
\
\ ,
s
' s.
'i ,
\
lead analyst for SAI on the Shoreham PRA. Both SAI and Dr.
s jBurns have cubetantial . r experience in conducting PRAs. Burns et tal., f f. Tr.-'4?4$, at Attachn. ant 1 (Professional Qualifications Edward T.' Burns). ,
B-341. The methods bsed for the FRA and the results obtained have been subjected to geer review by a group consist-
. i.
ing of\l.hree recognized experts,1Drs- No pan Rasmussen (MIT),
) Walton Rodger (Nuclear Safety Associateo,'6 , and Vojin ty ,
Joksimovich (NUS). Burns et al., ff. Tr. 4346, at 122. Dr.
- . \'T , Jonsimovich, who has over 15 yeaps of experience in PRA, was a T '
LILCO witness in this proceeding. Id. at Attachment 1 i-
, (Professional Qualifications -- Vojin Joksimovicn). Dr.
Y J'oksimovich's profiled testimony was reviewed and endorsed by Dr. Rasmussen. Tr. 5933 (Joksimovich). The peer review process has become an integral part of the PRA process to en-f sure that the evaluation is performAd u' sing state-of-the-art techniques and that the scope, linktations' and assumptions are ,
treated adequately and credibly. Tr. 6223-24 (Joksimovich).
l k
N
-320-t I
s 4
1
(2) Shoreham PRA Methodology B-342. PRA quantifies the probabilities and conse'quences associated with accidents and malfunctions by ap-plying probability and statistical techniques as well as in-and ex-plant consequence evaluation methods deemed acceptable by the practitioners. Burns et al., ff. Tr. 4346, at 66.
B-343. The Shoreham PRA is a " state-of-the-art" study conducted in a fashion consistent with the latest draft guidelines for PRA, the PRA Procedures Guide (A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants, NUREG/CR-2300, September 1981). Burns et a1., ff. Tr.
4346, at 88. Suffolk County consultant Budnitz agreed that the Shoreham PRA was a state-of-the-art effort. Motion to Admit Portions of Deposition of Robert Jay Budnitz as Evidence, at 3 (January 6, 1983) ["Budnitz Motion"].E /
M/ The Board had not ruled on this motion as of the date these proposed Findings were filed, but permitted LILCO to include references to the Budnitz materials in the Findings.
-321-
3-344. The PRA Procedures Guide is the nationally recognized guidance for the conduct of PRAs, although this guide has not yet been formally endorsed by the NRC. Burns et al., ff. Tr. 4346, at 66. The guide identifies three levels of PRAs based on the scope of the study. Burns et al., ff. Tr.
4346, at 74-75.
B-345. The Shoreham PRA will be a Level 3 PRA when it is completed. At the time of the hearings on this issue, SAI had submitted a draft PRA to LILCO, which was equivalent to a Level 2 PRA. Burns et al., ff. Tr. 4346, at 78. In addition to the work done by SAI, LILCO has also commissioned a study of the consequences of radioactive releases to the environment from the accident sequences analyzed in the SAI PRA. This work is being conducted by another contractor. Id. at 96.
B-346. The PRA methodology is a systematic and compre-hensive method of identifying and assessing the possible ways in which a nuclear power plant may fail. Burns et al._, ff. Tr.
4346, at 66, 89-90.
-322-
..- __ ._______-___.._______-____________J
(3) Consideration of Systems Interaction in the Shoreham PRA B-347. FRA techniques are among a number of tools that are now being applied to assess " systems interactions" in nu-clear power plants. Other techniques include failure modes and effects analyses, systems interaction analyses, dependency analyses and plant walkdowns. Burns et al., ff. Tr. 4346, at 65, 94-95; see Tr. 6209 (Burns), 6355 (Conran), 6466 (Thadani).
The Shoreham PRA includes elements of all these techniques within its framework.
B-348. LILCO has chosen the PRA methodology in con-junction with elements of the other methods to assist in iden-tifying systems interactions which could conceivably compromise the public safety. While other methodologies have been discussed in the literature, these methodologies have not been completely formalized, accepted by the NRC, or applied to the evaluation of a nuclear plant. Burns et al., ff. Tr. 4346, at 100. In addition, the alternative methodologies are weakened by the fact that they do not have clear or explicit criteria which can be applied to discriminate among, L. prioritize systems interactions. Id. at 95; Tr. 6684 (Thadani).
-323-l I
B-349. In addition to a number of emerging techniques for the analysis of systems interactions, there also exists a numbe,r of definitions or understandings of what constitutes a systems interaction. Burns et al., ff. Tr. 4346, at 69-71; Tr.
6543-47 (Rossi, Conran). There does not appear to be a regula-tory definition of the term, systems interaction, or any asso-ciated regulatory requirements. After a discussion of the various definitions, LILCO witness Joksimovich defined systems interactions as a subset of dependent failures (common mode or common cause failures). It was his view that dependent fail-ures were adequately defined in 'the PRA Procedures Guide, which classifies various categories of dependencies. The definition was set out in Attachment 5 to LILCO's prefiled testimony.
Burns et al., ff. Tr. 4346, Attachment 5.
B-350. The NRC Staff broadly defined systems interac-tions as "the possibility of one reactor plant system acting on one or more other systems in a way not consciously intended by design so as to adversely affect the safety of the plant."
Speis et al., ff. Tr. 6357, at 34. The SC/ SOC witnesses
! defined the " systems interaction issue" as "the lack of systems interaction analysis, the lack of multiple or ' common cause'
~324-
failure analysis, and the tendency of the ' single failure criterion' to exclude a large number of potential accid,ent-causing events." Goldsmith et al., ff. Tr. 1114, at 52.
B-351. LILCO witness Burns agreed that there was no single accepted definition of systems interactions. Dr. Burns classified systems interactions in the following general categories:
functionally coupled systems interac-tions result either,from the sharing of components between systems or through physical connections between systems including electrical, hydraulic, pneu-matic and mechanical.
Spatially coupled systems interactions result from the proximity of systems to one another within the plant. . . . In-herent to a spatial coupling is the concept of spatial domain. Typical spa-tial couplings involve water, steam, fire, explosion, radiation, or pipe whip. . . .
Human coupled systems interactions are special since the operators could influ-ence all systems in the plant. . .
Systems interaction review will assume the operator follows procedure when interacting among systems and the proce-dure is correct. The focus is a fault within one system that induces the oper-ator to influence another, otherwise in-dependent system in the unsafe direction. . . .
-325-
Burns et al., ff. Tr. 4346, at 93-94.
B-352. In addition to the concept of classifying types of sy' stems interactions and trying to define them, various '
experts have attempted to include the notion that to be of in-terest in the regulatory context a systems interaction must be
" adverse." Tr. 6543 (Rossi). For example, Dr. Burns quotes a Brookhaven National Laboratory (BNL) report that defines a systems interactions as a situation where the likelihood of an undesired event is increased due to the relationship betwee'n two or more compo-nents.
Burns et al., ff. Tr. 4346, at 92-93 (emphasis added). The BNL definition also includes a consideration of "the consequence of the interaction in terms of its impact on the overall level of risk." Id. at 93.
l B-353. Similarly, Dr. Joksimovich's discussion of systems interactions definitions describes a number of NRC-sponsored studies that include some notion of adverse consequences as part of the definition of systems interactions.
A common thread seems to be the idea that interaction between
-326-
systems or components, to be worthy of consideration, must cause some failure to perform a safety function. Burns et al.,
ff. Tr. 4346, at 69-71.
B-354. Whatever the definition used, testimony of LILCO's witnesses made it clear that systems interactions were appropriately considered in the Shoreham PRA. The construction and quantification of the plant event / fault trees included the treatment of common-cause initiating events, intersystem dependencies.(functional, shared equipment, physical and human interactions) and intercomponent, dependencies. Burns et al.,
ff. Tr. 4346, at 75, Tr. 6223 (Burns).
B-355. The event trees used in the Shoreham PRA pro-vided a formal means for evaluating functional dependencies among systems for the postulated accident sequences. The PRA evaluated 19 plant event trees and five containment event trees. Burns et al., ff. Tr. 4346, at 76, 106, and Attachment 6.
B-356. Shared equipment dependencies were examined in the system level fault trees. Burns et al.. ff. Tr. 4346, at 106. Identification of the dependence of front line systems on
-327-
common support systems is a principal result of fault tree analysis. Burns et al., ff. Tr. 4346, at 108. These fault trees,were supported by dependency matrices. The Shoreham PRA examined 10 system level fault trees. Id. at 76, 106, and At-tachment 6.
B-357. Human interactions or human couplings were also treated within the framework of the development of event trees and fault trees. The human errors modeled in the Shoreham PRA included: (a) maintenance errors, (b) manual initiation fail-ures, (c) instrument miscalibrat, ion and (d) maintenance errors and/or unavailabilities. These operator actions were incorpo-rated directly into the fault tree and event tree construction.
Burns et al., ff. Tr. 4346, at 76, 106, and Attachment 6.
B-358. A number of spatial interactions were consid-ered in the Shoreham PRA including (a) flooding in the reactor building, (b) interfacing LOCA sequenccs, (c) containment leak-age during degraded core conditions and (d) repair effec-tiveness. This consideration of spatial interaction was in addition to a number of other deterministic evaluations that LILCO had performed in the past. These deterministic evalua-tions provide assurance that spatial dependencies are not
-328-
dominant contributors to adverse systems interactions. Bur.is et al., ff. Tr. 4346, at 76, 107, and Attachment 6.
B-359. Intercomponent dependencies were assessed in the Shoreham PRA through a review of operating experience data.
This analysis identified instances where similar components might have higher multiple failure probabilities than would be predicted by virtue of random independent failures. This ef-fort for the Fhoreham PRA was a step forward in the modeling of
. component dependencies. Burns et al., ff. Tr. 4346, at 106, Attachment 6. .
B-360. In order to assess the types of systems inter-actions noted above, the Shoreham PRA effort incorporated a number of additional techniques that have been recommended for use in identifying and evaluating the systems interactions, some of which are listed below.
B-361. System walkdowns are useful means of identi-fying spatial interactions among the systems. Burns et al.,
ff. Tr. 4346, at 102. System walkdowns were performed as part of the Shoreham PRA. These walkdowns were conducted by trained analysts who (a) prepared for the walkdowns by reviewing the
-329-
FSAR, systems descriptions, P& IDS and operating procedures; (b) prepared checklists to be filled out during the walkdoins to assess potential adverse interactions; and (c) specifically looked at system dependencies for interfaces that could cause multiple safety or non-safety system failures. Id. at 102. In the opinion of LILCO witness Burns, the extent of the walkdowns performed at Shoreham were " adequate and appropriate for the use of walkdown techniques in a PRA analysis." Id. at 103.
B-362. The Shoreham PRA took advantage of a technique not employed in other systems in,teraction methodologies.
Through the use of containment event trees, the interaction of the plant systems and their operation with the containment and the containment failure modes under degraded core conditions were considered. Burns et al., ff. Tr. 4346, at 103.
B-363. Another technique used in the Shoreham PRA to enhance the systems interaction identification was a review of a number of studies that had examined the potential for common cause or systematic interactions in nuclear power plants. This review ensured that previously identified systems interactions and dependencies were incorporated into the Shoreham PRA via the plant logic models. Burns et al., ff. Tr. 4346, at 103-04.
-330-
B-364. In addition, operating experience data was used to formulate, update and evaluate the Shoreham specific logic model.s. The logic models cannot be used in a vacuum but must be applied in light of operating experience. Tr. 5650-51 (Burns).
B-365. Dependency analyses were used in the Shoreham PRA. Thic analysis, in the form of dependency matrices, supported the event tree / fault tree construction and was in-cluded as an appendix to the PRA. Burns et al., ff. Tr. 4346, at 80, 113-14; Tr. 6223 (Burns).,
B-366. Failure modes and effects analyses were conducted as part of the construction of system level fault trees for the Shoreham PRA. Burns et al., ff. Tr. 4346, at 114.
B-367. Although the Shoreham PRA did not use graphical representations of commonality diagrams, the fault tree logic models incorporated commonalities. Thus, the analysis did in-corporate the same logic used in developing commonality dia-grams. Burns et al., ff. Tr. 4346, at 114.
-331-1
B-368. The PRA methodology used in the Shoreham PRA goes well beyond the single failure criterion and considers multi,ple failures of systems, both dependent and independent.
Additionally, FRA methodology treats all systems regardless of whether systems or components are safety related or non-safety related. Burns et al., ff. Tr. 4346, at 73-74. Consequently, the analysis considers interaction between safety related and non-safety related systems as well as the interactions between safety related systems. Id. at 100; Tr. 5897-98 (Kascsak).
B-369. The Shoreham PRA has had a positive impact on the safety of Shoreham in that:
(1)Several design changes have been im-plemented or are under serious consider-ation (e.g., strengthening the contain-ment portals, adding " black start" capa-bility to the on-site gas turbines, mod-ifying ECC3 initiation logic on low water level);
(2) Operational personnel became involved l
in the evaluation of accident sequences, enhanci,ng realism of the sequences and providing feedback to the operating pro-cedures; and (3) Interpretation of significant LERs as determined by INPO and/or the LILCO ISEG can use the PRA as a yardstick for meas-uring the importance of these operation-al experience items.
-332-
Tr. 6188-94 (Burns), 6199-200 (Kascsak).
B-370. In addition to these items identified for LILCO revie'w, the continuing LILCO review will search for additional items of potential systems interactions that can be treated.
In addition, since the PRA will be used as an ongoing tool to feed back operating experience, it will become a "living" document for use throughout the operating life of the plant.
Burns et al., ff. Tr. 4346, at 125; Tr. 5862-68, 5871-72 (Kascsak).
(4) Staff Testimony on the Use of PRAs to Consider Systems Interactions
- B-371. The principal conclusions and insight to be reached regarding systems interactions issues from the NRC Staff testimony are as follows:
--Safety classification and measures taken to assure reliability consistent with commercial nuclear power practice and to assure the health and safety of the public have been adequately addressed by LILCO for Shoreham. Speic ct cl., ff. Tr $357, at 35, 46; Tr.
6369-71, 7603 (Speis); Mattson et al.,
ff. Tr. 20,810, at 9-10.
--The NRC deterministic licensing re-quirements are adequate to identify any unacceptable systems interactions. Tt .
-333-
5371-75 (Cenran). Mattson et al., ff.
Tr. 20,810, at 405. PRA is a useful tool to augment systems interactions analyses as currently addressed in the NRC-required deterministic licensing evaluations. Sp;ic ct al., ff. Tr.
5357, at 12; Tr. 6464-68, 6592-94 (Thadani).
--There is no presently developed alter-native for the evaluation of systems in-teraction beyond that done by LILCO.
Speis et al., ff. Tr. 6357, at 35, 40; Tr. 7140 (Conran).
--The Shoreham PRA will be reviewed by the NRC for insight into the systems in-teraction/ system classification issue.
Tr. 6456-59, 6644-53, 7647-49 (Thadani).
--Witness Thadani's' preliminary judgment is that there is not likely to be a change in system classification result-ing from the Shoreham PRA. Tr. 6641-44 (Thadani).
--The only criticism of PRA by the NRC Staff, Attachment 1 to the Staff's prefiled testimony, appears to be a for-mulation of judgments by Staff witness Conran, which was not supported by the NRC PRA expert Thadani or NRC consul-tants. Tr. 6508-15 (Conran), 7549-55 (Conran, Thadani), 7637-46 (Thadani).
B-372. The NRC Staff agreed with LILCO witnesses that the methodology for comprehensive systems interactions analyses was still under development. Speis et al., ff. Tr. 6357, at 35-36; Tr. 6209 (Burns), 6355 (Conran); Burns et al., ff. Tr.
4346, at 100.
-334-
B-373. The NRC Staff has undertaken a number of studies in order to determine the most efficient means of iden-tifying and assessing systems interactions. These studies include those done by three national laboratories and programs conducted at the Diablo Canyon and Indian Point nuclear power plants. Speis et al., ff. Tr. 6357, at 36-40.
B-374. Although the Staff has not reached any conclu-sions concerning the optimum methodology for systems interac-tions studies, Tr. 6375 (Conran), 6745-62 (Conran, Thadani),
Staff witnesses did concede that,PRAs can be useful in identi-fying and assessing systems interactions. In fact, the Staff stated that:
[P]erformance of systems interaction de-pendency analyses in combination with current PRAs will better ensure that PRA results will provide adequate insight regarding the possible need for improve-ment in safety and reliability.
Speis et al., ff. Tr. 6357, at 41; see Tr. 6465-66 (Thadani).
B-375. Witness Thadani testified that probabilistic risk assessments are probably one of the approaches that can be used to look at the plant in an integral manner. In his opinion:
-335-
It is a unified look at the plant and not one section or piece or system at a time. . . . It is . . . a very logical framework for looking at the plant and trying.to identify if there are any weaknesses in that design or operation of that plant. . . . [F]or the present and for the near future, I can see probabilistic risk studies are used as an adjunct to our current deterministic requirements. It is yet another look to see if there are any things we can learn, and something we can do something about. We do believe our deterministic requirements are adequate.
Tr. 6459-60 (Thadani). -
B-376. According to Mr.'Thadani, the NRC Staff did not disagree with LILCO's conclusion that PRAs could be used to assess systems interactions. He testified that:
There are a number of methods which can be used to assess dependencies including the use of fault tree / event tree logic models. The only open question which l
the NRC has is degree of efficiency of each method.
Tr. 6463 (Thadani).
B-377. He also made it clear that.although PRAs pro-vided valuable information, they are not necesssary to ensure adequate protection from systems interactions:
-336-
It is my opinion that our current re-quirements are sufficient, but it is also my belief that conduct of probabilistic risk assessments is most valuable to the utility operating plant because that is where they get addition-al information that could be utilized --
training of the operators, looking at procedures. They go way beyond what deterministic criteria do; potentially, the so-called low probability accidents which could result in core damage. I do think there is an advantage to doing risk studies.
Tr. 6464-65 (Thadani).
B-378. And again he stated:
My personal view, again is that LILCO has gone beyond what they are required to do and thus it seems to me that they would have or should have identified some systems interactions which may or may not have been important. But the key point there is that they in my opinion went beyond the current require-ments.
Tr. 6621 (Thadani).
B-379. The NRC Staff submitted, in evidence, a report criticizing the use of PRA as a methodology for addressing systems interaction. Speis et al., ff. Tr. 6357, at Attachment 1.4g/ The NRC Staff criticism of the PRA methodology heavily 4@/ Letter, dated February 12, 1982, from W. J. Dircks, EDO, to Paul Shewman, ACRS, re: Systems Interaction (Conran memo).
-337-
relies on the testimony of Staff witness Conran. Tr. 6353-55 (Conran). Mr. Conran acknowledged, however, that he has had no exper,ionce in the performance or review of PRA. Tr. 6509, 6380, 6398 (Conran). The substance of the conclusions in the "Conran memo" on the adequacy of PRA for doing systems interac-tion studies was not formulated by anyone intimately familiar with the use of PRA, but rather was based upon judgments made by this NRC Staff member. Tr. 6511 (Conran).
B-380. Mr. Conran noted that he depended upon consul-tants for most of the input in t,his regard. Tr. 6509-12 (Conran). On cross-examination, however, he indicated that the consultants that he relied upon believed that event tree / fault tree methodology was adequate for systems interactions studies.
Thus, many of the statements in the meeting summary authored by Conran and forwarded by the Dircks to Shewman letter of February 12, 1982, seem to be contrary to the views of the experts allegedly relied upon. Tr. 6553 (Conran). This conflict places the validity of the conclusions in this memo in doubt since its author does not have the qualifications to support such conclusions on his own. See, e.g., Tr. 6508-09 (Conran).
-338-
B-381. In addition, Mr. Conran indicated that the walkdown evaluation performed for the Indian Point systems in-teraction analysis 49/ was much more extensive than that performed for the Shoreham PRA. However, since the NRC review of the Indian Point walkdown study was not complete, nc conclu-sion can be drawn regarding the adequacy or efficiency of the more extensive walkdown method for identifying unacceptable systems interactions. Tr. 7505, 7507 (Conran). In fact, the present Staff position is that no assessment has yet been made of whether a resource intensive undertaking like Indian Point should be required because the benefits, if any, are not clear.
Tr. 6508, 7509 (Thadani, Conran). The Indian Point walkdown does not address many aspects of intersystem dependencies which may be important in the determination of adverse systems inter-actions but which are addressed through the use of event tree / fault tree techniques. Tr. 7550-53 (Thadani, Conran).
B-382. Moreover, NRC witnesses indicated that there has not been a review of the plant specific Shoreham PRA by any of the NRC witnesses or the Staff in general. Tr. 6398 49/ The Indian Point walkdown was not performed as part of the Indian Point PRA.
-339-
1 (Conran, Speis, Rossi, Haass, Kirkwood), 6393 (Reis), 6476-77 (Thadani).
(5) Concerns About the Shoreham PRA Raised in the Intervenors' Contention B-383. In its prefiled testimony, Suffolk County crit-icized the Shoreham PRA.because, in its view, it did not take into account systems interactions. Goldsmith et al., ff. Tr.
1114, at 66. On cross-examination,'however, the witnesses ad-mitted that they had only conducted a brief review of the PRA.
Tr. 1685 (Minor). Thus, the cri,ticism was based on a lack of a detailed knowledge of the plant specific Shoreham PRA and meth-odology that was used to identify and assess systems interac-tions. Moreover, this testimony conflicts with the statements of the County's own PRA expert, Dr. Budnitz, who stated that the.Shoreham PRA did consider systems interactions. Budnitz Motion at 3-4.
B-384. Suffolk County witnesses concluded that "a PRA which uses the results of dependency analysis could be valuable in increasing plant safety and reliability. Such a PRA could successfully identify potential systems interactions which ;
could result from system dependencies." Goldsmith et al., ff.
1
-340-L.
Tr. 1114, at 67. The County's witnesses also concluded that dependency analyses in PRAs should be complemented by the use of pl, ant walkdowns. Id. at 67.
B-385. As noted above, LILCO witnesses testified that a Shoreham PRA did, in fact, use dependency analyses to supplement the PRA, did include systems walkdowns, and the walkdowns did explicity search for and identify potential systems interactions. Burns et al., ff. Tr. 4346, at 75, 76, 101-105.
B-386. The County's wit'nesses also alleged that the current draft version of the Shoreham PRA has excluded quantification of so-called external events (e.g., seismic initiators, tornadoes). Goldsmith et al., ff. Tr. 1114, at 66.
At the time that the original Shoreham PRA was contracted for, published PRAs had generally concluded that external events were not a dominant contributor to risk. Tr. 5653-56 (Burns, Joksimovich); Burns et al., ff. Tr. 4346, at 82-83. LILCO was looking for the areas in which they could make the greatest contribution to public risk reduction. And at that time it ap-peared that in-plant systems interactions were the potentially largest contributors to public risk determination. Tr. 5654 (Burns, Jokcimovich); Burns et al., ff. Tr. 4346, at 83.
-341-
B-387. This original decision was also in part based
~
upon the fact that the ability to assess seismic effects and other,externalities was a developing technique and had not been demonstrated to be manageable at the time of the initiation of the Shoreham PRA. Tr. 5653-55 (Burns, Joksimovich); Burns et al., ff. Tr. 4346, at 82.
B-3S8. There have been recent attempts to incorporate external effects. However, the uncertainties associated with those events from the probabilistic standpoint are very large.
Therefore, the conclusions that ,one can draw from the evalua-tions have to be tempered with these large uncertainties. Tr.
5657-59 (Burns, Joksimovich); Burns et al., ff. Tr. 4346, at 82.
B-389*. The Shoreham PRA is comparable to what the NRC has set out to do in the IREP program which focuses on those things that WASH-1400 identified as potential major contributors to risk. Tr. 5653-54 (Burns, Joksimovich).
B-390. Suffolk County also assumed that the Shoreham PRA did not adequately treat systems interactions based on one statement made in the PRA: "The results of this analysis are
-342-
valid to the extent that the systems have been successfully designed as independent and redundant. "Probabilistic Risk Assessment, Shoreham Nuclear Power Station, Preliminary Draft,"
- p. 1-18, as quoted by Goldsmith et al., ff. Tr. 1114, at 66.
As.LILCO's witnesses testified, this sentence, taken from the preliminary draft of the Shoreham PRA, was misinterpreted.
Burns et al., ff. Tr. 4346, at 111.
B-391. The County also claimed that "[i]nteractions were excluded [from the Shoreham PRA) because they have not been systematically identified at Shoreham. . . ." Goldsmith et al., .ff. Tr. 1114, at 66. The County's witnesses, however, conceded that they had not reviewed the PRA in detail and con-sequently did not have a basis for the conclusion. Tr. 1685 (Minor). Moreover, LILCO's testimony made it clear that, be-cause systems interactions have been systematically identified in the Shoreham PRA, the effects of multiple failures have been assessed. Burns et al., ff. Tr. at 4346, at 111.
B-392. The County's witnesses contended that
"[a]lternative methods exist which would supplement and improve the existing design basis /SRP approach and thus reduce the likelihood of adverse systems interactions." Goldsmith et al.,
-343-(
t
ff. Tr. 1114, at 63. One of the alternatives suggested was dependency analycis. As described by the County's witnesses:
" Dependency analysis looks at the various ways that components and systems depend upon one another. Some examples of this approach are binary matrices, failure modes and effect analyses (FMEA's), and auxiliary safety systems commonality diagrams."
Id. at 64. The Shoreham PRA did employ these techniques. Burns et al., ff. Tr. 4346, at 113-14.
B-393. Finally, the County suggested that "the best method of resolving the systems interaction issue at any given plant is a combined approach, using dependency analysis /PRA, balanced by a walkdown study." Goldsmith et al., ff. Tr. 1114, at 68. Once again, LILCO did assess potentially adverse systems interactions through the recommended techniques. Burns et al., ff. Tr. 4346, at 116.
(6) Conclusions Pegarding the Use of PRAs for Systems Interaction Identification and Evaluation B-394. LILCO, its consultant:, and the PRA Peer Review Group have spent a significant amount of time in the formula-tion, assessment, and comparison of the FRA to determine if
-344-
there are any risk outliers due to hidden systems interactions.
Tr. 5933 (Joksimovich). No such risk outliers were identified.
Tr. 5807, 5822, 5929 (Joksimovich), 6335 (Burns, Joksimovich);
Burns et al., ff. Tr. 4346, at 109. In addition, the Shoreham-specific PRA has not to date identified any unacceptable systems interactions that might affect systems classification. Tr. 5940 (Burns, Joksimovich). No significant changes are anticipated between the preliminary and final ver-sions. Burns et al., ff. Tr. 4346, at 107.
B-395. LILCO witnesses Burns and Joksimovich both con-cluded that the Shoreham PRA went a long way towards systematic analysis of systems interactions. Dr. .Joksimovich stated:
In my opinion, the Shoreham PRA approach provides a meaningful and efficient, if not the only, framework, for examining the safety significance of the " Systems Interactions or Interactions" issue.
Burns et al., ff. Tr. 4346, at 81. He also noted that his con-clusions were in accord with the result of an NRC-sponsored study by Lavrence Livermore Laboratory that concluded that probabilistic risk assessment analysis was an effective tool for analyzing systems interactions if detailed emphasis is given to dependent failures including consideration for support systems, shared environmental conditions, and human error. Id.
-345-
B-396. LILCO witness Burns concluded that:
[F]ault tree / event tree methodology is the best available technique for aug-menting the existing deterministic eval-uations and NRC regulations to ensure that systems interactions are exposed and potential areas of concern are iden-tified.
Burns et al., ff. Tr. 4346, at 97; see Tr. 5651-52 (Burns, Joksimovich). Dr. Burns also concluded that the Shoreham PRA systematically identified systems interactions. Burns et al.,
ff. Tr. 4346, at 111. Considering the state-of-the-art in the evaluation of systems interactions, LILCO has made a reasonable attempt to augment current specialized deterministic methods by employing event tree / fault tree methodology to identify subtle systems interactions which may occur during postulated accideat sequences. The Shoreham PRA has not disclosed any unacceptable systems interactions which would compromise plant safety or would affect system classification. Tr. 6335 (Burns, Joksimovich), 5940 (Burns).
B-397. These witnesses base their conclusions in part on the successful application of the PRA technique in the past to nuclear power plants. This technique, augmented by the types of tools used in the Shoreham PRA, such as system
-346-
\
,p ~
- s'Vq>k'1 k'% IMAGE EVALUATION - # /%
\k// $/ TEST TARGET (MT-3) ((N/ f'M 4 E / W sp f>$ . ///// s
+ <> -
a 1.0 5* a i= na ll;;iu b :n l.! b" jts 1.25 1.4 1.6 4 150mm >
4 6" >
$'*%//// /'b'
<>y m, >//
<x as, w s :w> /h O 4 Q & ,s.
Q
- - _ - = _ _____= .
A g> o
$2* ' IMAGE EVALUATION [%
(([KN
/ *
/ TEST TARGET (MT-3) Q, x\yfg;\*,
,y, gs $g#'
/4 ,[.[jke
+ %
' !.0 if 2 m l;;g En l,l fje g24 1.8 1.25 1.4 1.6
< 150mm >
< 6" >
fu%
%e ,f
- 4 +
- s h' A
+$6 1' f:M.
3 0 #s ,fh s
'if g
$0
- {p
- ,==- --= _
walkdowns and dependency matrices, adequately identifies the potential systems interactions that could defeat the operation of mu,ltiple systems. In the performance of the SNPS PRA, the methods and techniques used were similar to those recommended for systems interactions analysis by several national laboratories. Tr. 5987 (Burns). Moreover, the PRA provides a way to quantitatively and qualitatively assess the impact of these interactions on overall plant safety. Burns et al., ff.
Tr. 4346, at 95; Tr. 6586 (Thadani).
B-398. The PRA provides a framework within which design basir analyses, operating experience, engineering judg-ment, and logic model analysis can all be brought together and focused on prioritizing systems interactions so that decision makers can be provided a perspective on choosing those interac-tions which can be considered potentially important from a pub-lic safety standpoint. Tr. 5981 (Burns). LILCC has augmented its deterministic analyses of possible adverse systems interac-tion in a manner suggested by the intervenors in their prefiled testimony. "[T]he best method of resolving the systems inter-action issue at any given plant is a combined approach, using dependency analysis /PRA, balanced by a walkdown study."
-347-
Goldsmith et al., ff. Tr. 1114, at 68. LILCO has combined these techniques within the current state of technology to identify systems interactions. See, e.g., Burns et al., ff.
Tr. 4346, at 80, 85, 109.
- 7. SOC Contention 19(b)
B-399. SOC Contention 19(b)(3) alleges that LILCO had not expanded FFAR Table 3.2.1-1 to include NUREG-0737 require-ments. This is not true. The NRC Staff asked LILCO to add a number of items to Table 3.2.1-1, including the safety related items reflected in NUREG-0737. LILCO submitted several letters to the NRC and made the changes in the table that LILCO believed appropriate. Burns et al., ff. Tr. 4346, at 171-72.
The NRC Staff has approved the extent of LILCO's revisions to Table 3.2.1-1. Id., see Speis et al., ff. Tr. 6357, at 15.
B-400. SOC Contention 19(b)(4) and SC/ SOC 7B contend that Emergency Operating Procedures (EOPs) must be taken into account when classifying structures, systems and components for a nuclear power plant. The basis of SC/ SOC's position is that systems and components included in the Shoreham emergency operating procedures should have been " required to meet either
-348-
' safety-related' quality standards . . . or some other standards consistent with the GDC and the safety functions to be performed." Goldsmith et al., ff. Tr. 1114, at 37.
- a. Development of EOPs B-401. Following the accident at TMI-2, the BWR Owners' Group initiated two projects that related to EOPs. The first effort was a review of BWR capabilities conducted by the BWR Owners' Group Systems Subgroup. Burns et al., ff. Tr.
4346, at 130. The second effort, which evolved from the first, involved the development and validation of emergency procedure guidelines by the BWR Owners' Group Subcommittee on Emergency Procedure Guidelines. Id. at 132.
B-402. In reviewing the capabilities of BWRs to handle abnormal events, including multiple failures, the BWR Systems Subgroup examined whether the safety related set of structures, systems and components was a sufficient set of safety systems to prevent core damage, assuming certain failures, including multiple failures, in these systems. Burns et al., ff. Tr.
4346, at 130. The LILCO witness on this subject, Paul J.
l McGuire, was personally involved in the Subgroup effort. Part
-349-
of this effort included a review of the classification of systems included in EOPs. Tr. 5509 (McGuire). This review looked at Shoreham specifically, as well as other BWRs. Tr.
4755-56 (McGuire). The Subgroup concluded that the safety re-lated systems were a sufficient set of systems for safe shut-down of the reactor. No classification changes resulted from the Subgroup review. Burns et al., ff. 7r. 4346, at 130-31; Tr. 4756, 4489-90 (McGuire).
B-403. Although the Subgroup reached the conclusion stated above, it also recognized that many abnorma; conditions could be handled with the use of non-safety related equipment.
This means that the objectives accomplished by the safety re-lated systems could be accomplished while minimizing the demands placed upon the safety related systems. Burns et al.,
ff. Tr. 4346, at 130.
B-404. In order to take better advantage of the full capabilities of the plant, including both safety related and non-safety related systems, the Subgroup recommended develop-ment of simple, complete emergency operating procedures. The Subgroup concluded that these procedures should be symptom-oriented and include both safety related and non-safety
-350-
related systems so the operator would better understand them.
Burns et al., ff. Tr. 4346, at 131.
B-405. As a result of the Subgroup's recommendations, the BWR Owners' Group formed the Subcommittee on Emergency Pro-cedure Guidelines to develop and validate emergency procedure guidelines (EPGs). LILCO has been an active participant in this Subcommittee. Burns et al., ff. Tr. 4346, at 132.
B-406. The EPGs are designed to give the operator understandable, symptom-oriented instructions for handling abnormal events. The EPGs consi' der the full capabilities of the plant. They typically instruct the operator to use the normally used non-safety related systems in dealing with symp-toms. If, however, these non-safety related features cannot control the conditions, the EPGs anticipate that the automatic safety related plant systems will operate. Burns et al., ff.
Tr. 4346, at 132.
B-407. The EPGs also take into account the possibility of multiple failures of safety related and non-safety related systems. Thus, they guide the operator in dealing with events that are beyond the design basis of the plant. Burns et al.,
ff. Tr. 4346; Tr. 4753-55 (McGuire).
-351-
B-408. LILCO has used the emergency procedure guidelines developed by the BWR Owners' Group in developing the Emergency Operating Procedures for Shoreham. Tr. 4495-96 (McGuire).
- b. Purpose of EOPs B-409. The purpose of emergency operating procedures is to give plant operators understandable guidance in dealing with abnormal plant conditions. These procedures should take advantage of the full capabilities of the plant, whether safety related or non-safety related. Burns et al., ff. Tr. 4346, at 131. The inclusion of non-safety related systems and compo-nents in the Shoreham EOPs ensures that these full capabilities are available and effectively used in responding to abnormal events. In some cases, it also minimizes the challenges to safety related systems. Id. at 139-140.
B-410. The inclusion of non-safety related systems and components in the Shoreham EOPs does not mean that the systems have been improperly classified. Rather, it adds an additional layer of protection to the safety related systems included in Shoreham's design. Burns et al., ff. Tr. 4346, at 140.
-352-
- c. Review of Shoreham EOPs B-411. In the Suffolk County prefiled testimony, six design basis accidents and the corresponding Shoreham EOPs were reviewed in an attempt to support the County's position that LILCO's inclusion of non-safety related systems and components in the EOPs should have resulted in a reclassification of such systems and components to safety related. Goldsmith et al.,
ff. Tr. 1114, at 31-38.
B-412. The event procedures used in the Suffolk County analysis had become outdated by the time LILCO's witness panel took the stand. They had been replaced, in large part, by symptom-oriented procedures. The conclusions stated by LILCO witness McGuire, however, were not affected by this change.
Tr. 4502 (McGuire).
B-413. LILCO witness McGuire has substantial experi-ence as a nuclear plant operator and manager. Burns et al.,
ff. Tr. 4346, Attachment 1 (Qualifications of Paul J. McGuire).
Mr. McGuire reviewed the Shoreham EOPs included in the County's testimony. Id. at 129-140. The purpose of the review was to determine whether the non-safety related systems or components
-353-
identified in the SC/ SOC EOP analysis are, in fact, relied upon for accident mitigation. Id. at 133. The result of Mr.
McGuire's analysis demonstrated that for each non-safety relat-ed component or system identified by SC as being in an EOP, ei-ther (a) the component or system played no role in mitigating the event in question or (b) where the component or system could play a role in mitigating the event, there is a safety related system capable of preventing core damage in the event the non-safety related equipment failed. Id. at 139.
B-414. In addition, Mr. McGuire testified that non-safety related systems referred to in the EOPs are general-ly those used for the generation of power. They are normally in operation, which is an indication of their reliability.
Moreover, these components are subject to activities designed to ensure the reliability of these non-safety related struc-l tures and components. Burns et al., ff. Tr. 4346, at 140; Tr.
l l
4771-72 (McGuire).
B-415. Based upon his review of the Shoreham EOPs in question and his extensive experience at other plants, Mr.
McGuire concluded that "the classification of the structures, systems and components used in the Shoreham EOPs is correct and
-354-
consistent with other BWRs." Burns et al., ff. Tr. 4346, at 129.
B-416. Mr. McGuire also noted that it is entirely appropriate and desirable to include non-safety related systems
. and components in EOPs. Tr.-4769-70 (McGuire).
B-417. The NRC Staff agreed that non-safety related equipment would be operable during an accident and that the use of non-safety related equipment during an accident would be appropriate. Speis et al., ff. Tr. 6357, at 22.
B-418. There is no regulatory requirement to classify all equipment used in EOPs as safety related nor has it been the NRC Staff's practice to recommend such a classification scheme. Speis et al., ff. Tr. 6357, at 21.
I 1
- d. Flaws in the Intervenors' Analysis B-419. The analysis of the EOPs included in Section V.A of the SC/ SOC testimony has substantial flaws.
B-420. First, it was prepared chiefly by SC/ SOC witness Harwood. While Ms. Harwood is a degreed engineer and has had some experience in the nuclear field, she has no
-355-
experience with the operation of commercial nuclear power plants or nuclear power plant simulators. Nor has she had any experience in either the development of emergency operating procedures, analysis of their adequacy, or their use in a nu-clear plant. Tr. 1271-75 (Harwood).
B-421. The secondary author of Section V.A, Mr. Gold-smith, also does not have any experience in the operation of a nuclear power plant or nuclear power plant simulators. Tr.
1276-77 (Goldsmith). -
B-422. The analysis was' essentially a tabulation of all the systems mentioned in the Chapter 15 analysis and the corresponding EOP analysis for the six events selected. Appar-ently, no attempt was made to analyze the function of the equipment cited. Tr. 1565-66 (Harwood). This was demonstrated by the fact that the County's table, Goldsmith et al., ff. Tr.
1114, Exhibit 4, included many components that had no relation-ship to the mitigation of the accident in question. For exam-ple, from the Feedwater/ Level Control System Failure Procedure, SC/ SOC listed, among other things, the main turbine associated valves, main turbine oil pumps, condensate pump and condensate booster pumps. Goldsmith et al., ff. Tr. 1114, at Exhibit 4,
-356-
at 3-4. In this procedure, the turbine is isolated using its associated valves, and the oil pumps are started to protect the turbine. They do not play any role in the mitigation of the event. Burns et al., ff. Tr. 4346, at 135. Similarly the condensate and condensate booster pumps are removed from service to protect these pumps. Id. at 135. See also id. at 136 (main turbine and reactor M-G sets), 137, 139 (turbine as-sociated valves and oil pump, condensate pumps and condensate booster pumps).
B-423. The SC/ SOC tabulation also included items that were referred to in the procedure for use after the accident or transient has been completed. From the Loss of offsite Power Procedure, SC/ SOC listed TBCLCWS (Turbine Building Closed Loop Cooling Water System) as a system relied upon to mitigate the accident. Goldsmith et al., ff. Tr. 1114, at Exhibit 4, at 2.
The reference in the procedure to this system calls for this to be restarted after power is restored and the transient complet-ed. Consequently, it has nothing to do with accident mitiga-tion. Burns et al., ff. Tr. 4346, at 136. See also id. at 138 l
(turbine bypass). SC/ SOC witness Goldsmith conceded that the inclusion of the TBCLCWs was inappropriate. Tr. 1585 (Goldsmith).
-357-
B-424. In at least one instance the SC/ SOC Table referred to a condition rather than a component. Under the Loss ,of Offsite Power Procedure, the table listed condenser vacuum as a component. Goldsmith, et al., ff. Tr. 1114, at Exhibit 4, at 4. Condenser vacuum refers to a plant parameter to be measured, not a component. Burns et al., ff. Tr. 4346, at 134, 136.
B-425. The County's consultant who prepared the table was apparently unfamiliar with the function of many of the pieces of equipment included in ,the table. See, e.g., Tr.
1589, 1591-92 (Harwood).
B-426. The County's testimony also did not contain any description of the quality standards that were applied to the non-safety related equipment included in the table. See Gold-l smith et al., ff. Tr. 1114, at 31-38. Instead, the County sim-ply listed the classification of each component as safety re-lated or non-safety related. Tr. 1564-66 (Harwood).
-358-
_ _ _ _ _ _ _ _