ML20045F047

| Person / Time | |
|---|---|
| Issue date: | 04/08/1993 |
| From: | Crutchfield D, Office of Nuclear Reactor Regulation |
| To: | Kintner E, ALWR Utility Steering Committee |
| References: | PROJECT-669A, NUDOCS 9307060352 |
| Download: | ML20045F047 (19) |
April 8, 1993

Project No. 669

Mr. E. E. Kintner, Chairman
ALWR Utility Steering Committee
Bradley Hill Road
P. O. Box 682
Norwich, Vermont 05055
Dear Mr. Kintner:
SUBJECT:
TRANSMITTAL OF STAFF COMMENTS ON THE ELECTRIC POWER RESEARCH INSTITUTE'S (EPRI'S) FEBRUARY 23, 1993, SUBMITTAL ON REGULATORY TREATMENT OF NON-SAFETY SYSTEMS (RTNSS)
In accordance with the agreements reached at the management meeting held between the staff and EPRI in Palo Alto, California, on January 22, 1993, the Nuclear Regulatory Commission staff has completed its preliminary review of EPRI's submittal dated February 23, 1993, concerning the regulatory treatment of non-safety systems and is providing its comments.
The enclosures contain (1) a brief summary of the staff's technical position on the RTNSS issue, (2) the staff's detailed comments on EPRI's proposal for resolution of the RTNSS issue, as described in its February 23, 1993, submittal, and (3) the staff's proposed process for resolution of the RTNSS issue.
We are providing these comments in advance of the issuance of the Commission paper currently in preparation on this subject, in order to achieve prompt resolution of this key policy issue. We request that you provide any feedback in response to this transmittal within two weeks of the receipt of this letter.
Within the next two weeks, we would also like to have a meeting between our staffs to discuss this issue.
If you have any questions, please contact the project managers, J. H. Wilson at (301) 504-1108, or Nancy Markisohn at (301) 504-1320.
Sincerely,

Dennis M. Crutchfield, Associate Director for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation
Enclosures: As stated

cc w/ enclosures: See next page

DISTRIBUTION:
Central File, PDST R/F, TMurley, WRussell, PDR, DCrutchfield, WTravers, RBorchardt, PShea, TEssig, JHWilson, NMarkisohn, JMoore (15B18), GGrant (EDO), ACRS (11) w/o encl., AThadani (8E2)

OFC: LA:PDST:ADAR | PM:PDST:ADAR | SC:PDST:ADAR | D:PDST:ADAR
NAME: PShea | JHWilson | RBorchardt | DCrutchfield
DATE: 04/8/93
ALWR Utility Steering Committee
EPRI Project No. 669

cc:

Mr. John Trotter
Nuclear Power Division
Electric Power Research Institute
Post Office Box 10412
Palo Alto, California 94303

Mr. Brian A. McIntyre, Manager
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Post Office Box 355
Pittsburgh, Pennsylvania 15230

Mr. Joseph Quirk
GE Nuclear Energy
Mail Code 782
General Electric Company
175 Curtner Avenue
San Jose, California 95125

Mr. Stan Ritterbusch
Combustion Engineering, Inc.
1000 Prospect Hill Road
Post Office Box 500
Windsor, Connecticut 06095
STAFF TECHNICAL POSITION ON REGULATORY TREATMENT OF NONSAFETY SYSTEMS IN PASSIVE DESIGNS

Unlike the current generation of light water reactors or the evolutionary advanced light water reactors (ALWRs), the passive ALWR designs employ passive safety systems that rely exclusively on natural forces, such as density differences, gravity, and stored energy, to supply safety injection water and to provide core and containment cooling. There are no pumps in these passive systems, and all valves either require only DC electric power supplied by batteries, are air operated, or are check valves that operate by means of the pressure differential across the valve. There is no safety-related AC electric power. All the active systems are designated non-safety systems by the designers.
Although the passive ALWR designs rely on the passive safety systems to perform design basis safety functions of reactor coolant makeup and decay heat removal, they also include active non-safety systems to provide defense-in-depth capabilities for reactor coolant makeup and decay heat removal.
These active systems serve as the first line of defense in the event of transients or plant upsets to reduce challenges to the passive systems.
As specified in the EPRI Utility Requirements Document for the passive plant designs, these active systems include:
(1) the chemical and volume control system and control rod drive system, which provide reactor coolant makeup for the passive PWR and BWR, respectively, (2) the reactor shutdown cooling system and backup feedwater system for PWR decay heat removal, and the reactor water cleanup system for BWR decay heat removal, (3) the fuel pool cooling and cleanup system for spent fuel decay heat removal, and (4) the associated systems and structures to support these functions, including non-safety stand-by diesel generators. EPRI also states that the specific list of the defense-in-depth systems for a standardized design are defined by the Plant Designer and may include additional systems beyond those discussed above.
The passive ALWR designs also include nonsafety-grade active systems (such as the control room HVAC system) for mitigation of the radiological consequences of an accident.
Many of these systems traditionally have been safety-grade systems, but in the passive plants, they are not designed to meet safety-grade criteria, and credit is not taken for them in the Chapter 15 licensing design basis accident (DBA) analyses.
In SECY-90-406, " Quarterly Report on Emerging Technical Concerns," dated December 17, 1990, the staff identified the role of these nonsafety systems in the passive design as an emerging technical issue.
In the Commission paper entitled, " Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor Designs," (No date yet) the staff discussed the issue of regulatory treatment of active nonsafety systems, and indicated that the proposed resolution of this issue will be provided in a separate Commission paper.
EPRI contended that nonsafety systems in the passive ALWR designs are not subject to regulatory oversight.
As discussed in the March 19, 1992, EPRI position paper, and subsequent EPRI presentations, this contention is based on EPRI's belief that active nonsafety systems in the passive ALWR designs are provided for utility investment protection, are not required for plant safety or meeting regulatory requirements, and that passive safety systems alone meet the Commission's regulation and safety goal guidelines.
The staff has not determined that passive safety systems alone meet the Commission's safety goals because of large uncertainties of passive system performance and difficulty in quantification of passive systems reliability.
Because of limited operational experience and the low driving force of the passive safety systems, uncertainties exist concerning the performance of the passive features and the overall performance of reactor coolant makeup and core and containment heat removal. Though uncertainties of the passive system performance will be reduced through the carefully planned and implemented separate effects and integral system tests for the ALWRs, there are inherent phenomenological uncertainties associated with the passive systems.
For example, there are uncertainties about the performance of check valves in the passive safety systems, which operate at the low differential pressures provided by natural circulation or gravity injection. These low pressures may not provide sufficient force to fully open sticking check valves, unlike the pumped ECCS systems, which can overcome stuck valves. These uncertainties enhance the importance of some active nonsafety systems in providing the defense-in-depth to prevent and mitigate accidents and core damage.
The staff believes that credit may be needed for some non-safety systems to alleviate the high reliability performance requirements of the passive systems to meet the safety goals. Therefore, until proven otherwise, it is premature to preclude regulatory oversight of selected active nonsafety systems in the passive ALWR designs. The staff will not require that these active nonsafety systems meet all the safety-grade criteria, but there should be a high level of confidence that risk-significant active systems are designed in accordance with their performance/reliability missions to ensure their availability when needed.
For those active systems that perform defense-in-depth functions, the EPRI requirements document for passive designs specifies requirements concerning performance and systems and equipment design. These include radiation shielding requirements (to permit access following an accident), redundancy, (single active failure consideration), availability of nonsafety-grade electric power, and protection against internal hazards.
The requirements also address safety analysis and testing to demonstrate system capability to satisfy defense-in-depth considerations.
EPRI does not currently provide specific requirements for the reliability of these systems.
However, in response to staff questions, EPRI has indicated that it is evaluating specific reliability targets and other measures to provide confidence that the passive plants will meet performance requirements. These requirements will address both passive safety and active nonsafety systems.
Since the passive ALWR design philosophy departs from current licensing practices, new regulatory and review guidance is necessary so that the staff can appropriately review the AP600 and SBWR submittals. Significant decisions need to be made concerning the scope of staff review of the nonsafety systems and reliance on the passive safety systems.
The staff has held several meetings with EPRI to determine the steps needed to resolve the issue of regulatory treatment of nonsafety systems (RTNSS) in passive plants, and to define the scope of requirements and acceptance criteria to ensure that they have adequate capability and availability when required.
In a meeting between NRC and Utility Steering Committee on January 22, 1993, an agreement was reached for an overall process for determining the regulatory treatment of nonsafety systems, and importance of passive systems and/or components for meeting NRC Safety Goals and Requirements. This process involves the following specific steps:
- 1. The passive URD will describe the process to be used by the designer for specifying risk significant systems, structures, and components (SSC) reliability/availability missions needed to meet NRC Safety Goals and Requirements.
- 2. The designer will apply the process to the design to establish reliability / availability missions for the risk significant SSC.
- 3. If nonsafety systems are determined to be risk significant, NRC will review these reliability/availability missions to determine if they are adequate (if met) and if the operational reliability assurance program (O-RAP) and simple technical specifications and limiting conditions for operation for some items (including the maintenance rule) are adequate to give reasonable assurance the missions can be met during operation.
- 4. If nonsafety systems are relied on to meet the reliability / availability missions, then design requirements commensurate with risk significance will be imposed by the designer on those elements involved.
- 5. NRC will not include any reliability / availability missions in the Design Certification Rule.
Instead, NRC would include deterministic requirements on both safety and nonsafety design features in the Design Certification Rule.
By a letter dated February 23, 1993, EPRI submitted a proposed process for determining the appropriate regulatory treatment for nonsafety systems for passive ALWRs.
It calls out a structured, step-by-step process for identifying risk-significant nonsafety features based on a Level 3 PRA.
The process involves constructing a focused PRA by removing the defense-in-depth (DID) systems from the Baseline Level 3 PRA, which will then be used to determine whether any DID system or component is needed to help the safety systems satisfy the Commission's safety goals. Risk-significant SSCs and their reliability and availability missions can then be determined.
The staff has performed a preliminary review of the EPRI process, and finds that, though it generally conforms to the agreement, it is overly complex and excludes consideration of several issues which need to be factored into the RTNSS issue.
For example, the process is limited to the previously identified DID systems, precluding consideration of other nonsafety systems that could be safety significant. Also, certain important issues relevant to the RTNSS issue, such as external events, containment performance, and long term safety issues, will be resolved separately, thus precluding them from an integrated evaluation of all important relevant issues in the determination of risk significant nonsafety systems. To correct these omissions, the staff has proposed a more generalized set of steps, developed based on the agreement in the meeting of January 22, 1993, between the NRC and EPRI Utility Steering Committee, to resolve this issue.
STAFF COMMENTS REGARDING EPRI PROPOSED PROCESS FOR RESOLUTION OF THE REGULATORY TREATMENT OF NONSAFETY SYSTEMS ISSUE

The following are the staff comments regarding EPRI's proposed process for resolution of the issue of regulatory treatment of nonsafety systems (RTNSS) in the passive ALWR designs provided in its February 23, 1993, submittal.

1. The Background section states that resolution of the RTNSS issue is beyond the licensing basis, because the passive safety systems alone must meet all deterministic regulatory requirements. The staff believes that the resolution of the RTNSS issue is not beyond the licensing basis.
Though the passive safety systems alone may meet all deterministic regulatory requirements, nonsafety systems may be necessary to supplement passive safety systems to meet the Commission's safety goal guidelines. Also, 10 CFR 52.47(a)(1)(v) requires a design-specific PRA as part of application for design certification.
2. The Background section indicates that the proposed process is to be used for resolution of the RTNSS issue, and that other specific areas, such as external events, systems interaction, control room habitability and long term safety (beyond 72 hours), must be satisfactorily resolved to address the entire RTNSS issue. It further states that a PRA based approach is not the best means for resolution of these specific issues, which will be resolved in separate, but complementary, interactions with the NRC staff as part of the ongoing review of the URD.

The staff believes that resolution of the RTNSS issue can best be completed with a process that includes consideration of all relevant issues in total. As an example, the passive plant designs rely on stored water and energy sources for 72 hours after design basis accidents. After that period, non-safety systems will be required to replenish water, air and DC power sources or to assume core and containment heat removal loads directly. The staff believes that safety system performance and reliability up to and beyond 72 hours is important in determining the safety importance of the alternative systems which will be called upon to support the plant post 72 hours. Some of these systems will be normal balance of plant features such as control room ventilation, plant lighting, and communications, as well as inventory makeup systems utilizing portable pumps or temporary piping connections. The safety importance of these features and their reliability/availability missions cannot be determined if the long term safety issue is to be resolved separately.
Also, a process that excludes consideration of external event challenges in the determination of defense in depth system importance will significantly understate the safety importance of selected non-safety systems that could be called upon to respond to extended periods of loss of offsite power combined with loss of unprotected non-safety water and fuel tanks due to high winds or floods. The standby AC power sources proposed for the passive plants are not required to be protected to survive external events of the scope included in the safety systems design basis. As the recent Hurricane Andrew in Florida demonstrated, such natural disasters can result in extended periods for offsite power recovery and considerable onsite damage. This omission in the process is especially significant in light of the long term safety issue discussed above, since the unprotected non-safety systems may well not be available to support and re-supply the passive safety systems as they are depleted at 72 hours. The staff believes that this feature of the process will impose bias on system importance findings and preclude proper identification of SSCs needing regulatory oversight. Therefore, it is necessary to integrate the resolution of these issues into the whole process for resolution of the RTNSS issue.
Also, the EPRI submittal indicates that the systems interaction issue must be satisfactorily resolved to address the entire RTNSS issue, and will be resolved separately.
The staff believes that a systematic evaluation of adverse systems interactions between the active nonsafety and passive systems should be performed.
The results of this analysis should be used for design improvements to minimize adverse systems interaction, and also be factored into the PRA model.
Some guidance from EPRI on the evaluation approach should be provided.
3. Section 2.1 states that only DID systems are considered relevant to the RTNSS issue because other nonsafety-grade SSCs not associated with DID systems are either functionally similar to existing designs (e.g., BOP systems) or typically treated by regulations (e.g., ATWS mitigation, containment protection). The staff believes that the RTNSS issue should not be limited to the DID systems. In principle, all parameters in the "risk model" are subject to some oversight. It may be minimal or implicit. All risk-significant systems should be identified and receive proper regulatory treatment. For example, the offsite power system and the plant lighting systems should be considered for possible risk significance. In addition, containment performance, including the containment bypass issue, is an important issue relative to the Commission's safety goal guidelines, and therefore should not be excluded from consideration of the RTNSS issue.
4. In the EPRI 4-step approach, the first step is to construct a focused PRA model, which is derived from the baseline PRA by removing the defense-in-depth systems after initiating events. It is stated that a prerequisite to this step is an acceptable baseline Level 3 PRA, which is developed by the Plant Designer and approved by NRC. Therefore, the process of determining the need for regulatory treatment of nonsafety systems cannot be completed before an adequate detailed design-specific PRA evaluation. Even on the design-specific basis, the availability mission, as well as the design and operational requirements, cannot be determined until an NRC-accepted baseline PRA is used to perform the focused PRA analysis. Therefore, it is not possible to determine the risk significance of any particular nonsafety system until the design-specific baseline and focused PRA evaluations are complete, nor is it possible to preclude the need for regulatory oversight of nonsafety systems in the context of URD requirements.
5. The 4-step process should be an integral part of the use of PRA in the design process. A Baseline PRA should in its initial submittal include the sensitivity analyses described by EPRI, the results of these analyses, and the resulting impact on nonsafety-grade systems availability missions. Lists of important SSCs for these systems should also be included. Integrating the EPRI process into the design process will help avoid the needless iterations built into the process, and help the staff focus its resources.
6. Step 2, "Define DID Availability Missions Important for Preventing Initiating Events," is to review the set of initiating events, identify those DID systems that play a role in reducing initiating event frequencies, and define the availability missions of these DID systems.

(a) The discussions in Steps 1 and 2 are somewhat confusing. It is stated that DID systems prevent initiating events. This indicates that initiating events could be affected by the DID systems, whereas Step 1 states that the initiating events are not altered by the removal of the DID systems from the Baseline PRA. The confusion arises in the definition of initiating event. These two steps essentially redefine the "initiating event" as "challenges to safety systems." A shortcoming of this approach is that a nonsafety system can be excluded from further RTNSS evaluation until the safety systems are challenged, and therefore receive less regulatory oversight. For example, an RCS leakage within makeup system capacity will not be treated as an initiating event, and will be eliminated from the event trees for small break LOCA. If the leakage were accounted for as an initiating event with an operating makeup system as a success path, the reliability/availability mission of the makeup system could be determined in the overall evaluation, including fault trees. The EPRI Step 2 will only determine the "availability missions for preventing initiating events," and a loss of offsite power that incapacitates the makeup system while it is making up the leakage will apparently not be captured in the PRA model. One solution would be to revert the PRA input of "initiating event" to the initiation of an event (e.g., an RCS leakage). All DID systems are removed from the Focused PRA. Any DID system (e.g., the makeup system) credited for "preventing initiating events" would be accounted for as a mitigating path and be evaluated in Step 4. Step 2 can therefore be eliminated. This would also be consistent with the NRC/EPRI agreement of January 22, 1993, that, if a nonsafety system is not taken credit for, it will not be available to affect initiating event frequencies.

(b) The Focused model that removes DID systems after initiating events is inconsistent with the NRC/EPRI agreement, which requires no nonsafety systems at all in the focused PRA model if no credit is to be taken. EPRI should perform a sensitivity study for the following two cases: (1) remove DID systems completely from the PRA, and (2) remove DID systems after IEs. The resulting CDFs and LRFs from the two cases should be compared as part of the DID system importance evaluation.
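The leakage example in comment 6 can be worked through numerically. The following is an added illustration, not an EPRI or NRC model, and every frequency and failure probability in it is a constructed placeholder. It compares the baseline CDF with the leak modelled as an initiating event and the makeup system as a mitigating path, the two focused-PRA sensitivity cases of comment 6(b), and the availability mission the makeup system would need so that the baseline stays within the 10^-4 per year core damage frequency objective quoted in comment 7.

```python
"""Worked event-tree example for the RCS-leakage discussion in comment 6.

Added illustration only. Every number is a constructed placeholder chosen to
make the arithmetic visible; none is taken from the URD, the AP600/SBWR PRAs,
or any NRC document.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Params:
    f_sloca: float    # /yr, small-break LOCA beyond makeup system capacity
    f_leak: float     # /yr, RCS leakage within makeup (CVCS or CRD) capacity
    q_passive: float  # failure probability of passive safety injection on demand
    q_makeup: float   # independent failure probability of the makeup system
    p_loop: float     # probability of loss of offsite power during the makeup mission


# Constructed values (hypothetical; not plant data).
EXAMPLE = Params(f_sloca=5e-4, f_leak=1e-1, q_passive=1e-2, q_makeup=5e-2, p_loop=5e-2)


def p_makeup_fails(p: Params) -> float:
    """The makeup system is a non-safety DID system: it needs non-safety AC power,
    so it fails on a loss of offsite power as well as on its own faults."""
    return 1.0 - (1.0 - p.p_loop) * (1.0 - p.q_makeup)


def cdf_baseline_leak_as_ie(p: Params) -> float:
    """Staff reading: the leak is an initiating event, the makeup system is a
    mitigating success path, and passive injection backs it up. The LOOP dependency
    of the makeup system is captured because the system sits inside the event tree."""
    return p.f_sloca * p.q_passive + p.f_leak * p_makeup_fails(p) * p.q_passive


def cdf_focused_all_did_removed(p: Params) -> float:
    """Sensitivity case (1): no DID credit anywhere. A leak the makeup system
    would have handled now challenges the passive systems directly."""
    return (p.f_sloca + p.f_leak) * p.q_passive


def cdf_focused_did_removed_after_ie(p: Params) -> float:
    """Sensitivity case (2), as comment 6(a) reads EPRI Steps 1 and 2: the
    initiating-event set is left as in the baseline, and a leak within makeup
    capacity is 'prevented' from ever becoming an initiating event, so it drops out."""
    return p.f_sloca * p.q_passive


def makeup_importance(p: Params) -> float:
    """Ratio of the CDF with all DID credit removed to the baseline CDF: how much
    the makeup system contributes to the risk picture."""
    return cdf_focused_all_did_removed(p) / cdf_baseline_leak_as_ie(p)


def makeup_availability_mission(p: Params, cdf_target: float) -> Optional[float]:
    """Largest on-demand failure probability the makeup system may have while the
    baseline still meets cdf_target: a reliability/availability mission in the sense
    of the January 22, 1993 agreement. Returns None if the passive systems alone
    exceed the target even with a perfect makeup system; 1.0 means no mission needed.
    Solves f_sloca*q + f_leak*x*q <= target for x."""
    headroom = cdf_target / p.q_passive - p.f_sloca
    if headroom < 0.0:
        return None
    return min(1.0, headroom / p.f_leak)


if __name__ == "__main__":
    goal = 1e-4  # /yr, core damage frequency subsidiary objective (comment 7)
    print(f"P(makeup fails)               = {p_makeup_fails(EXAMPLE):.4f}")
    print(f"baseline, leak as IE          = {cdf_baseline_leak_as_ie(EXAMPLE):.3e} /yr")
    print(f"focused, all DID removed      = {cdf_focused_all_did_removed(EXAMPLE):.3e} /yr")
    print(f"focused, DID removed after IE = {cdf_focused_did_removed_after_ie(EXAMPLE):.3e} /yr")
    print(f"makeup importance ratio       = {makeup_importance(EXAMPLE):.1f}")
    print(f"makeup failure prob. allowed  = {makeup_availability_mission(EXAMPLE, goal):.4f}")
```

With these constructed numbers, the model that drops the leak as a "prevented" initiating event reports 5 x 10^-6 per year and would never flag the makeup system, whereas modelling the leak as an initiating event shows the baseline at about 1.0 x 10^-4 per year, right at the objective, and yields a mission: the makeup system may fail on no more than 9.5 percent of demands. Because the loss-of-offsite-power dependency alone contributes 5 percent, the system's own random faults must stay below about 4.7 percent for the mission to be met, and that dependency is exactly what the Step 2 reading leaves out of the model.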
7. In Step 3 of the process, EPRI intends to compare the results from the Focused PRA model to the criteria used for NRC's Safety Goal Policy, i.e., having a core damage frequency not higher than 10^-4 per year and a frequency of large release from containment not higher than 10^-6 per year. If the plant designs meet these criteria, then the DID systems need not be subjected to the assessment of Step 4.

EPRI does not address the containment performance goal or other NRC performance requirements, such as GDC 19 for control room habitability. Containment is an important element of defense-in-depth. In order to drive down the large release frequency to 10^-6 per year, there is a need either to drive down the core damage frequency by reducing initiating event frequency or to take significant credit for containment. Though not mentioned, it is clear that credit for containment systems will be a key element of overall safety. Containment systems which appear in the risk model are candidates for regulatory oversight activities, and are properly part of the RTNSS issue. Significant attention should be paid to the containment performance issue, including containment bypass.
8. The term in Steps 3 and 4 for "DID systems to mitigate initiating events" is confusing. As the DID systems are removed after IEs or are evaluated for "preventing IEs," would the term "mitigating IE" be better phrased as mitigating the consequences of IEs?
9. It is stated in Step 4 that "if the model in Step 3 is acceptable, including the consideration of uncertainties, without credit for DID systems after the initiating events, then Step 4 need not be performed." There is no discussion of how uncertainties with respect to frequencies of event sequences and phenomenological issues will be treated in using the Focused PRA model to demonstrate meeting the Commission's safety goal guidelines. Because the focused PRA is developed by removing credit for the DID systems from the Designer's Baseline PRA, the staff believes that the same treatment of uncertainties discussed in the URD for the baseline PRA will be used. In Appendix A to Chapter 1 of the Utility Requirements Document, "PRA Key Assumptions and Groundrules," EPRI requires that point estimates of the risk measures of interest be obtained, and that, to the extent practicable, these point estimates be mean values. The URD does not require a quantitative assessment of uncertainties, or provide guidance regarding how uncertainties should be addressed for the different portions of the analysis (Levels 1, 2, and 3) and for internal versus external events. It requires only a qualitative uncertainty analysis as part of the PRA, supplemented by quantitative evaluation of the sensitivity of the results to certain key uncertainty issues to aid in investigating the significance of these sources of uncertainty.

Passive system unavailabilities are not mean values but rather guesstimates of the mean values, and their associated uncertainties are supposed to be rather high to reflect the lack of experience. As the results of the Focused PRA model will be dominated by the passive system unavailabilities, the staff believes proper treatment of uncertainties is key to demonstrating that the mean core damage frequency and large release frequency meet the safety goal guidelines. Though mean values are appropriate measures for the safety goal guidelines, the staff draft SER on the URD also stated that point estimates do not permit investigation of the effect that uncertainties may have on the insights from a PRA. The staff does not agree that sensitivities alone are an adequate substitute for uncertainty analysis. It is the staff's view that sensitivity analyses supplement uncertainty analysis by integrating areas of subjectivity in the analysis and by helping the analyst characterize major contributions to uncertainties in the results. Therefore, the URD should provide guidance on how a full uncertainty analysis will be performed for the Level 1 portion of the PRA, with uncertainties propagated from basic events, including initiating event frequencies, data, common cause/mode failure, success criteria, and human error. Uncertainty analyses will be such that the staff has reasonable assurance that the PRA reflects variability in (1) the significance of key actions, events, and phenomena for the plant design, and (2) the effectiveness of the accident prevention systems and potential design improvements.

Another staff concern is the reliability assessment of the digital instrumentation and control systems, i.e., being able to provide a complete and realistic representation of the digital I&C M-MIS that includes technically defensible estimates for the probability that these systems will function as specified. The problem is the significant influence on any probability estimate caused by the chance for common mode failures in one or more of the software life cycle activities. As Section 8.2 of IEC 1226, Requirements for Assurance of Reliability, states:

"The reliability assessment shall consider the effects of common mode failures, including hardware failures, software failures and human errors during operation, maintenance, alteration and repair activities. The techniques used to assess these effects range from purely qualitative engineering judgement to detailed quantitative analyses, which may themselves depend on qualitative estimates. The type of analysis chosen shall be consistent with the reliability requirement, the higher the reliability requirement, the more rigorous the technique. Where consideration of the effects of common mode failures, such as software failures or human error, shows limits on achievable reliability for redundant FSEs, then diversity may be necessary for that FSE. The function concerned may then require two or more FSEs or sub-FSEs, diverse from one another."
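Comment 9 argues that point estimates and sensitivities alone cannot show what high-uncertainty passive-system inputs do to the mean core damage frequency. The following is an added worked example, not EPRI's or the staff's, that propagates constructed lognormal uncertainties through a hypothetical two-sequence passive-plant model. The medians and error factors are assumptions; the lognormal basic-event distributions are a common PRA convention, adopted here because they give the mean a closed form against which the Monte Carlo result can be checked.

```python
"""Uncertainty propagation for a passive-plant core damage frequency, illustrating
the point-estimate versus uncertainty-analysis discussion in comment 9.

Added illustration only: the two-sequence model, the medians and the error factors
are constructed placeholders, not URD or AP600/SBWR values. Basic events are taken
as independent lognormals, so the mean of each sequence is exp(sum(sigma^2)/2)
times the product of medians, which the Monte Carlo estimate can be checked against.
"""
import math
import random
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)  # ~1.645; error factor EF = 95th percentile / median


def sigma_from_error_factor(ef: float) -> float:
    """Lognormal sigma (standard deviation of ln X) implied by an error factor."""
    return math.log(ef) / Z95


def mean_factor(sigmas) -> float:
    """mean / median for a product of independent lognormals: exp(sum(sigma^2) / 2)."""
    return math.exp(0.5 * sum(s * s for s in sigmas))


# Constructed model: CDF = f_loca * q_inj + f_trans * q_dhr (one cut set per sequence).
# Each basic event is (median, error factor). The passive-system unavailabilities
# carry EF 10 to reflect the sparse experience base noted in the comment.
SEQUENCES = {
    "small LOCA -> passive injection fails": [(1e-3, 3.0), (3e-2, 10.0)],
    "transient  -> passive DHR fails":       [(1.0, 3.0), (3e-5, 10.0)],
}


def point_estimate_from_medians(model=SEQUENCES) -> float:
    """What multiplying 'best guess' (median) values gives: no uncertainty enters."""
    return sum(math.prod(m for m, _ in events) for events in model.values())


def analytic_mean(model=SEQUENCES) -> float:
    """Exact mean CDF under the lognormal assumptions."""
    return sum(
        math.prod(m for m, _ in events)
        * mean_factor(sigma_from_error_factor(ef) for _, ef in events)
        for events in model.values()
    )


def propagate(model=SEQUENCES, n: int = 40_000, seed: int = 1993) -> dict:
    """Monte Carlo propagation of basic-event uncertainty to the CDF distribution."""
    rng = random.Random(seed)
    dists = [
        [(math.log(m), sigma_from_error_factor(ef)) for m, ef in events]
        for events in model.values()
    ]
    samples = sorted(
        sum(math.prod(rng.lognormvariate(mu, s) for mu, s in seq) for seq in dists)
        for _ in range(n)
    )
    return {
        "mean": sum(samples) / n,
        "median": samples[n // 2],
        "p95": samples[int(0.95 * n)],
        "frac_above_goal": sum(1 for x in samples if x > 1e-4) / n,  # 1e-4/yr CDF objective
    }


if __name__ == "__main__":
    r = propagate()
    print(f"point estimate from medians : {point_estimate_from_medians():.3e} /yr")
    print(f"analytic mean               : {analytic_mean():.3e} /yr")
    print(f"Monte Carlo mean            : {r['mean']:.3e} /yr")
    print(f"Monte Carlo median          : {r['median']:.3e} /yr")
    print(f"Monte Carlo 95th percentile : {r['p95']:.3e} /yr")
    print(f"fraction above 1e-4 /yr     : {r['frac_above_goal']:.2f}")
```

The point estimate built from medians comes out at 6 x 10^-5 per year, below the objective, while the mean of the same model is about 2 x 10^-4 per year: with an error factor of 10 on the passive unavailabilities, each sequence's mean is 3.3 times the product of its medians. Only the propagated distribution shows the 95th percentile and how much of the probability mass lies above the goal; a sensitivity run that moves one input at a time reports none of this.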
10. In Step 4, it is stated that the approach for selecting DID SSCs important to mitigating initiating events involves both the use of PRA techniques such as importance measures and engineering judgement. As Element 3 of the NRC/EPRI agreement is to determine risk significant nonsafety systems, EPRI should provide specific criteria for this selection.
11. The following comments are regarding Table 4-1:

(a) In the second row, the "Process does not identify DID SSCs as important for mitigating initiating events" entry in the Mission Description column has a corresponding Step 2 in the Step Section column. This is inconsistent with the steps described in Section 2.2 of the text, where the step to define DID availability missions important for mitigating initiating events is Step 4. Please clarify the inconsistency.

(b) The third row should identify the fact that technical specifications may be needed to support the assumed event initiating frequencies for those nonsafety SSCs (such as the offsite power circuits) that could also be event initiators.

(c) In the fifth row, the Mission Description column states that "additional DID SSCs needed (to mitigate initiating events) to enhance the reliability of Safety SSCs to Safety Goals." It is not clear how a DID SSC can enhance the reliability of safety SSCs rather than mitigate the importance of safety SSCs. Also, it should be understood that technical specifications are part of the mix to be considered under "compensatory design and/or operations conditions," since the table only explicitly identifies non-technical specification programs such as the RAP.

(d) In the sixth row, the Mission Description of "Identify important DID systems for mitigating initiating events from focused PRA study" has a corresponding Step 4 rather than 3 in the Step Section.

(e) Once the missions for a particular nonsafety system are defined by Steps 2 or 4, the regulatory design criteria for the instrumentation and control systems and equipment for that nonsafety system can be established by first assigning the categories of importance to safety for the functions (missions) performed by the I&C system, based on the deterministic criteria (as related to the established missions) given below. The design criteria are those concerned with the assurance of functionality, performance, reliability, environmental durability, and QA and QC. The design requirements for the I&C systems are given in Section 8 of the IEC Standard (IEC 1226, The Classification of Instrumentation and Control Systems Important to Safety for Nuclear Power Plants) for classification.
i 12.
Table B-1 provides possible deterministic requirements for nonsafety systems. The following comments are directed toward the requirements for the example CVCS system.
(a) The staff agrees that seismic qualification is not required.
- However, it should require appropriate seismic capability and margin.
(b) For environmental consideration, in addition to normal operating environment as indicated, consideration should also be given to possible conditions under a small break LOCA because the CVCS is used to respond t
to such a scenario.
(c) With regard to the CVCS to provide makeup capacity, Table B-1 calls for only a very simple functional analysis, limited to consideration of head/flow and tank capacity, etc. The staff believes that there should be an adequate best estimate thermal-hydraulic analysis to show mission success given a system challenge.
(d) The staff questions the presumption that technical specifications are not applicable to the CVCS before its risk significance is determined for mitigating accident initiators. Some important defense-in-depth systems may need appropriate technical specifications.
13.
The third step in Figure 1-1 indicates URD Augmentation, but does not mention where the proposed process for the resolution of the RTNSS issue will be incorporated.
EPRI should provide appropriate modifications to Appendix A to Chapter 1 of the URD to reflect the use of the "Focused PRA" and corresponding process with respect to the resolution of nonsafety SSCs.
14.
Appendix A defines the availability mission as the combination of availability targets as well as the requirements needed to perform its function within the context of the conditions and needs defined in the focused PRA.
It should be made clear that the availability missions should also include operational capability / performance missions.
15.
Insufficient emphasis is placed on the comprehensiveness of the model which is necessary to support resolution of the RTNSS issue.
The modelling must address in an integrated fashion all modes of operation, and external as well as internal events. Artificial cutoffs are not to be employed; "terminating" a sequence initiated at full power means "a transition to normal shutdown cooling." The transition itself, as well as subsequent operation, must in principle be analyzed on at least a scoping basis.
NRC PROCESS FOR RESOLUTION OF RTNSS ISSUE
The staff believes the EPRI process paper of February 23, 1993, was overly complex and excluded consideration of several issues which need to be factored into the Regulatory Treatment of Nonsafety Systems issue.
We have proposed a more generalized set of steps to resolve this issue, which are discussed below.
Each step also comments on where the EPRI approach may be lacking.
A detailed set of comments on the entire EPRI submittal is provided in Attachment 1.
A key element of the staff approach is that the process for resolution of the RTNSS issue should be integrated in the design process.
Results of identification of risk important systems and their reliability / availability missions and comparisons with the safety goal guidelines should be used by the designer and reported in the PRA. A staff review of the PRA and related discussions with the designer will define the extent of regulatory oversight on the nonsafety SSCs. This approach will eliminate iterations in the review and help focus the staff and designer resources.
The following is the staff proposed process for resolution of the RTNSS issue, and a comparison and comments on the EPRI proposed process described in the February 23, 1993, submittal.
PROPOSED STEPS FOR RESOLUTION OF THE RTNSS ISSUE:
This process is developed based on the agreement in a meeting of January 22, 1993, between the NRC and EPRI Utility Steering Committee.
A. High Level Criteria To Be Complied With:
The objectives of the process are to determine risk significant nonsafety systems, structures and components (SSCs), and their reliability / availability missions needed to meet NRC requirements and safety goal guidelines.
Vendors will utilize the following criteria to identify important SSCs, for which regulatory oversight will be necessary.
Any SSC relied upon to satisfy the following criteria will be subject to regulatory oversight.
1.
Deterministic performance requirements such as 10 CFR 50.62 for ATWS mitigation, and GDC 19 for control room habitability, etc.
2.
Commission's Safety goal guidelines of core damage frequency of less than 1.0E-4 per reactor year and large release frequency of less than 1.0E-6 per reactor year.
3.
Containment performance goal, including containment bypass, during severe accidents.
The containment performance goal approved by the Commission for the evolutionary plant is that containment should maintain its role as a reliable, leak-tight barrier by ensuring that containment stresses do not exceed ASME Service Level C limits for metal containments, or a comparable criterion for concrete containments, for approximately 24 hours following the onset of core damage and, following this period, the containment should continue to provide a barrier against the uncontrolled release of fission products. The staff believes that this containment performance goal should also be met by the passive ALWR design.
4.
No significant adverse systems interactions.
5.
Consideration of all modes of operations ranging from power operation to shutdown.
The February 23, 1993, EPRI submittal indicated that some specific issues relevant to the RTNSS issue, such as adverse systems interaction, external events, long term safety (beyond 72 hours), and containment performance, will be resolved separately. The staff believes that all relevant issues, including severe accidents, should be evaluated in total for the resolution of the RTNSS issue.
B. Specific Actions Needed for Resolution of RTNSS on Individual Designs:
- 1. Vendors Perform Comprehensive PRA:
The evaluation process starts with vendor constructed comprehensive Level 3 PRAs that must include all internal and appropriate external events considering both power and shutdown operations, and have adequate treatment of uncertainties, long term safety operation, and containment performance.
Containment performance should be addressed with considerations for sensitivities and uncertainties in accident progression and inclusion of severe accident phenomena, including explicit treatment of containment bypass.
Appropriate and defensible uncertainty distributions must be used for calculation of mean values for passive systems unavailabilities and for core damage frequency and large release frequency before making comparisons to the Commission's Safety goal guidelines.
The February 23, 1993, EPRI submittal indicated that the process will start with the Designers' Baseline Level 3 PRA.
Though the January 22, 1993, presentation indicated that the Baseline Level 3 PRA considers internal and external events at power and during zero power operations, the EPRI submittal indicates that some specific issues relevant to the RTNSS issue, such as external events, long term safety (beyond 72 hours), and containment performance, will be resolved separately. The staff believes that these issues should be an integral part of the PRA, rather than resolved independently.
As an example, the passive plant designs rely on stored water and energy sources for 72 hours after design basis accidents.
After that period, non-safety systems will be required to replenish water, air and DC power sources or to assume core and containment heat removal loads directly.
The staff believes that safety system performance and reliability up to and beyond 72 hours is important in determining the safety importance of the alternative systems which will be called upon to support the plant post 72 hours.
Some of these systems will be normal balance of plant features such as control room ventilation, plant lighting, communications as well as inventory makeup systems utilizing portable pumps or temporary piping connections. The safety importance of these features and their reliability / availability missions cannot be determined if the long term safety issue is to be resolved separately.
Also, the EPRI process that excludes consideration of external event challenges in their determination of defense in depth system importance will significantly understate the safety importance of selected non-safety systems that could be called upon to respond to extended periods of loss of offsite power combined with loss of unprotected non-safety water and fuel tanks due to high winds or floods. The standby AC power sources proposed for the passive plants are not required to be protected to survive external events of the scope included in the safety systems design basis. As the recent Hurricane Andrew in Florida demonstrated, such natural disasters can result in extended periods for offsite power recovery and considerable onsite damage.
This omission in the EPRI process is especially significant in light of the long term safety issue discussed above, since the unprotected non-safety systems may well not be available to support and re-supply the passive safety systems as they are depleted at 72 hours.
The staff believes that this feature of the EPRI process will impose unacceptable bias on system importance findings and preclude proper identification of SSCs needing regulatory oversight.
- 2. Vendors Search for Adverse Systems Interactions:
The vendors must provide a systematic evaluation of adverse systems interactions between the active nonsafety and passive systems.
The results of this analysis should be used for design improvements to minimize adverse systems interaction, and also be factored into the PRA model.
The EPRI submittal indicates that the systems interaction issue must be satisfactorily resolved to address the entire RTNSS issue, and will be resolved separately.
It does not provide specific information for resolution of the ASI issue.
Some guidance from EPRI on the evaluation approach should be provided.
- 3. Focused PRA:
The vendors should then construct Focused PRAs by removing nonsafety systems and components from the comprehensive Level 3 PRA and only crediting safety systems and components. This is to determine if the passive safety systems alone can meet the safety goal guidelines of core damage frequency of 10^-4 per year and large release frequency of 10^-6 per year.
In removing the nonsafety systems from the baseline Level 3 PRA, proper adjustment of the scope of initiating events and their frequencies should be made. The containment performance, including bypass, during a severe accident should also be evaluated.
In the EPRI proposed 4-step process, Step 1 will construct a Focused PRA by removing the defense-in-depth systems from the Baseline Level 3 PRA after initiating events (with the initiating event frequencies not altered); and Step 2 will examine the set of initiating events, determine the DID systems that could affect the frequencies of initiating events, and define the specific availability missions for the DID systems important to preventing these events.
These two steps are somewhat confusing and essentially redefine the "initiating event" as "challenges to safety systems." A shortcoming of this approach is that a nonsafety system can be excluded from further RTNSS evaluation until safety systems are challenged, and therefore get less regulatory oversight.
For example, a RCS leakage within makeup system capacity will not be treated as an initiating event, and will be eliminated from the event trees for small break LOCA.
If a leakage were accounted for as an initiating event with an operating makeup system as a success path, the reliability / availability mission of the makeup system could be determined in the overall evaluation including fault trees.
The EPRI Step 2 will only determine the "availability missions for preventing initiating events," and a loss of offsite power to incapacitate the makeup system while making up the leakage will apparently not be captured in the PRA model.
- 4. Selection of Important Nonsafety Systems:
The vendor will determine what combination (if any) of nonsafety SSCs are necessary to meet NRC regulations, safety goal guidelines and the containment performance goal objectives. This is done by adding the necessary success paths with nonsafety systems and functions in the "Focused PRA" in order to meet the safety goal guidelines.
There is more than one way to add nonsafety systems in order to meet safety goal guidelines, and the designers can choose those systems needed by considering the factors for optimizing design impact and safety benefit of particular systems.
All relevant issues such as containment performance, containment bypass, long term safety performance beyond 72 hours, and potential external challenges (e.g., hurricane, flood) should be included in this evaluation.
In principle, all nonsafety SSCs, not solely the defense-in-depth systems identified by EPRI, necessary (in the PRA model) for meeting the NRC requirements including the safety goal guidelines and containment performance goals are potentially subject to proper regulatory oversight. The specific regulatory requirements will be based on their missions and identified safety importance.
EPRI's Step 3 will compare the results of the Focused PRA to the Safety goal guidelines. If the safety goal guidelines cannot be met even after exhausting options of modifications to the safety system designs and process, some of the DID systems will be added back to become a part of the Focused PRA model in order to meet the safety goal guidelines.
In Step 4 of the EPRI process, those DID systems that are needed to meet the safety goal guidelines are evaluated for their importance for mitigating initiating events by using PRA techniques such as importance measures and engineering judgment.
EPRI does not consider those nonsafety SSCs needed in the Focused PRA model to meet the safety goal guidelines to be necessarily risk significant, nor does it provide specific criteria for risk significance of the nonsafety systems.
Also, EPRI considers only the DID systems listed in the URD to be relevant to the RTNSS because other nonsafety grade SSCs not associated with DID systems are either functionally similar to existing designs or typically treated by regulations. This is unacceptable since it may exclude other risk significant SSCs from regulatory oversight. For example, neglecting careful modeling of offsite power availability could bias the safety importance of onsite AC sources. This is because, rather than requiring two available offsite sources as in current designs, the passive designs are required to only have a single offsite source available during plant operating modes, with a second circuit required for use only "in the event of an extended unavailability of the normal power supply, e.g., during plant outages." Loss of offsite power frequency may be higher and the likelihood of recovering offsite power may be lower for the passive designs, which would increase the relative importance of onsite standby sources.
Decisions may have to be made whether to improve the availability of the onsite standby sources or the offsite power sources in order to meet NRC safety goal guidelines and requirements. Arriving at such decisions requires that the offsite power system be fully incorporated into the Regulatory Treatment of Non-Safety Systems evaluations to be performed by the vendors. The EPRI position that the RTNSS issue is limited to the DID systems excludes such necessary inclusion.
- 5. Nonsafety System Reliability / Availability Missions:
The vendor will identify and document nonsafety systems functional reliability and availability goals that are necessary to meet the safety goal guidelines, containment performance goals, and other NRC performance requirements per Step 4.
Steps 4 and 5 should be iterated to optimize the selection of risk-significant nonsafety systems and their reliability / availability missions.
The vendor should also establish a graded safety classification system for I&C systems as discussed in SECY-91-292.
This safety classification system accounts for I&C systems that perform functions that are important to safety, but not part of the safety system.
EPRI's Steps 2 and 4, respectively, will define the availability missions for the DID systems important for preventing and mitigating initiating events. These two steps will identify the specific functions each DID system fulfills with respect to minimizing the potential for the initiating event, their operating conditions and environments, the type, amount and duration of output required, and any supporting functions, and quantitative reliability / availability missions including basic failure rates, unavailability, potential common cause failure rates, etc. However, as the Step 2 can exclude a nonsafety system from further evaluation if an initiating event is "prevented," the availability missions of these "preventing IE" nonsafety SSCs may not be appropriate. One example is shown in Table B-1 of the submittal, where it is indicated that only normal operating environment is considered for the CVCS because of its mission of preventing the initiating event of RCS leakage, although we believe that the CVCS should be considered for environmental conditions under small break LOCAs.
- 6. Regulatory Oversight Evaluation:
The staff will review vendor submittals on steps 1 through 5, and develop regulatory requirements for SSCs identified in Step 5. The regulatory oversight may include the following:
a. Proper design of risk-significant nonsafety SSCs to satisfy performance capability and reliability / availability mission.
b. Proper Operational reliability assurance program, including compliance with the maintenance rule, to ensure system reliability consistent with assumed initiating event frequencies and system availability.
c. Proper technical specification limiting conditions for operation for operational control.
d. Administrative procedures such as shutdown configuration.
Though the EPRI submittal describes the operational and design requirements, and states that technical specifications will be implemented for SSCs selected by appropriate deterministic and probabilistic criteria, the availability missions described in Table 4-1 appear to tightly circumscribe areas of NRC review. For example, it is indicated that no technical specifications are required for those DID SSCs determined in Step 3 of its process as needed to enhance the reliability of safety SSCs to Safety goal guidelines. The staff does not believe this exclusion to be appropriate.
- 7. NRC/Vendor Interaction:
The staff will interact with the vendors on appropriateness of the Focused PRA models and reliability values, reliability / availability missions, and level of regulatory oversight on various nonsafety systems.