Text

.

UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING BOARD In the Matter of LONG ISLAND LIGHTING COMPANY

)

Docket Nos. 50-322 (Shoreham Nuclear Power Station,

)

Unit 1)

)

NRC STAFF TESTIMONY OF THEMIS P. SPEIS, WALTER P. HAASS, MARVIN W. H0DGES, C. E. ROSSI, JAMES H. CONRAN, SR.

AND ROBERT KIRKWOOD ON SAFr"Y CLASSIFICATION AND ANtLYSIS OF STRUCTURES, SYSTEMS AND COMPONENTS (SC/SOCCONTENTION7B (S0CCONTENTION-19(b))

)

j I6SIGNMO f

ified W 8206040420 820525 PDR ADOCK 05000322 T

PDR

OUTLINE OF TESTIMONY Suffolk County and Shoreham Opponents Coalition contend that Long Island Lighting Company (LILCO) has not adequately classified or analyzed Shoreham structures, systems and components which are important to safety and thus is unable to demonstrate compliance with the Nuclear Regulatory Commission's General Design Criteria. Shoreham Opponents Coalition further contends that the NRC Staff has not required LILC0 to incorporate measures to assure that Shoreham conforms with the standards or goals of safety criteria contained in specified regulatory guides.

This testimony addresses the matters raised in SC/ SOC 7B and 50C19(b). The following principal points are made:

1.

The principal terms used in the safety classification of structures, systems and components are "important to safety" and " safety-related."

2.

Structures, systems and components which are important to safety are addressed in Applicant's Safety Analysis Report and in the Staff's review.

3.

Structures, systems and components which are safety-related receive special attention through the application of stringent design criteria and quality assurance standards and a more extensive regulatory review and are listed explicitly in Section 3.2.1 of Applicant's Safety Analysis Report.

4.

A systematic methodology has been utilized in addressing structures, systems and components important to safety.

5.

The water level indication system and the standby liquid control system specifically have been properly analyzed and classified to ensure compliance with NRC regulations.

6.

The turbine bypass system, level 8 trip, rod block monitor and RCIC are also discussed and the appropriateness of the analysis and classification applied to them is demonstrated.

_ =.

7.

The alternative methodologies proposed by Intervenors and their witnesses are not required by either the regulations or staff practice in the safety classification of structures, systems and components. Good reasons exist why this is so.

8.

The Staff believes it is acceptable to permit operation of Shoreham despite the issues being studied as unresolved safety issue A-17.

9.

The Staff believes it is acceptable to permit operation of Shoreham despite the issues being studied as unresolved safety issue A-47.

10. The safety classification of structures, systems and components at the Shoreham plant and the measures taken to assure the reliability of structures, systems and components important to safety are in compliance with NRC regulations and with staff practice implementing those regulations.

i I

l r

l l

l l

l e

l 1

TABLE OF CONTENTS I.

INTRODUCTION OF WITNESSES................................

1 II.

STATEMENT OF CONTENTION..................................

3 III. PREMISE FOR SAFETY CLASSIFICATION OF STRUCTURE 3, SYSTEMS AND COMP 0NENTS...........................................

4 IV.

CLASSIFICATION OF STPIICTURES, SYSTEMS, AND C0ftPONENTS AT SH0REHAM..............................................

9 V.

DEFENSE OF METHODOLOGY USED IN CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMP 0NENTS AT SHOREHAM...........

15 VI.

DEMONSTRATION OF THE ADEQUACY OF THE CLASSIFICATION OF STRUCTURES, SYSTEMS, AND COMPONENTS AT SHOREHAM..........

23 VII. DEMONSTRATION OF THE ADEQUACY OF THE CLASSIFICATION AND ANALYSIS OF THE REACTOR VESSEL WATER LEVEL MEASUREMENT SYSTEM AT SH0REHAM.......................................

28 VIII. DISCUSSION OF ALTERNATIVE METHODOLOGIES PROPOSED BY SUFFOLK COUNTY AND THE SH0REHAM OPP 0NENTS C0ALITION CON T ENT I O N 7 8............................................ 31 IX.

MANAGEMENT OF UNRESOLVED SAFETY ISSUES A-17 AND A-47 FOR S H 0 R E H AM................................................. 34 X.

CON C LU S I ON............................................... 4 6 l.

I I

EXHIBIT LIST Letter, dated February 12, 1982, from William J. Dircks, EDO, to Paul Shewmon, ACRS, re: Sy!,tems Interactions.

)

s

)

I l

l

-m

UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING BOARD In the Matter of LONG ISLAND LIGHTING COMPANY

)

Docket No. 50-322 (Shoreham Nuclear Power Station, Unit 1)

)

NRC STAFF TESTIMONY OF THEMIS P. SPEIS, WALTER P. HAASS, MARVIN W. H0DGES, C.E. ROSSI, JAMES H. CONRAN, SR. AND ROBERT KIRKWOOD ON SC/ SOC CONTENTION 7B AND S0C CONTENTION 19(b) 1.

INTRODUCTICN OF WITNESSES Q.1 Would each of the panelists please state his name and position with the NRC.

A.1 My name is Themis P. Speis.

I am Assistant Director for Reactor Safety, Division of Systems Integration. A copy of my professional qualifications is attached.

I My name is Walter P. Haass.

I am Branch Chief, Quality Assurance Branch. A copy of my professional qualifications is attached.

My name is Marvin W. Hodges.

I am a Section Leader in the Reactor Systems Branch. A copy of my professional qualifications is attached.

My name is C. E. Rossi.

I am a Section Leader in the Instrumentation and Control Systen.s Branch. A copy of my professional qualifications is attached.

l

+ My name is James H. Conran, Sr.

I am a Principal Systems Engineer in the System Interaction Section, Reliability and Risk Assessment Branch. A copy of my professional qualifications is attached.

My name is Robert Kirkwood.

I am a Principal Mechanical Engir.eer in the Mechanical Engineering Branch. A copy of my professional qualifications is attached.

Q.2 Dr. Speis, would you please describe the responsibility of each of the panelists for the various portions of the prefiled testimony.

A.2 Dr. Rossi was jointly respensible for Sections III, V, VI and VII and was responsible for Section IX (questions 40 and 41); he also commented on and participated in prepar:+ ion of all of the testimony.

Mr. Conran was jointly responsible for Section III and was responsible for Section VIII and Section IX (question 39); he also commented on and participated in preparation of all of the testimony.

l Mr. Hodges was jointly responsible for Section V and VI and was responsible for Section VII; he also commented on and participated in preparation of all of the testimony. Mr. Haass was jointly responsible for Section III and was responsible for the answer to question Q-12; he also commented on and participated in preparation of Sections IV, V and VI. Mr. Kirkwood was responsible for the answers to questions Q-7, Q-8, Q-9, Q-10 and Q-11.

I have participated in preparation and review of all of the testimony; I was not the primary author of any specific portion of the testimony.

. Q.3 What is the purpose of your testimony?

A.3 The purpose of this testimony is to respond to Suffolk County and the Shoreham Opponents Coalition Contention 78 that Long Island Lighting Company has not adequately classified or analyzed Shoreham structures, systems and components (SS&C) which are important to safety, and is therefore unable to demonstrate compliance with the Nuclear Regulatory Commission's General Design Criteria.

It is also the purpose of this testimony to respond to the Shoreham Opponents Coalition Contention 19(b) that the Staff has not required LILC0 to incorporate measures to assure that Shoreham conforms with the standards or goals of safety criteria contained in specific regulatory guides.

II. STATEMENT OF CONTENTION Contention 7B as restated by the Board in ASLB Memorandum and Order March 15, 1982, p. 12 is as follows:

"LILC0 and the Staff have not applied an adequate methodology to l

Shoreham to analyze the reliability of systems, taking into account systems interactions and the classification and qualification of systems important to safety, to determine which sequences of accidents should be considered within the design basis of the plant, and if so, whether the design basis of the plant in fact adequately protects against every such sequence.

In particular, proper systematic methodology such as the fault tree and event tree logic l

approach of the IREP program or a systematic failure modes and l

effect analysis has not been applied to Shoreham. Absent such a l

methodological approach to defining the importance to safety of each piece of equipment, it is not possible to identify the items to which General Design Criteria 1, 2, 3, 4, 10, 13, 21, 22, 23, 24, 29, 35, 37 apply, and thus it is not possible to demonstrate compliance with these criteria."

Contention 19(b) as admitted by the Board in ASLB Order February 8, 1982, p. 1 reads in part as follows:

l

. " SOC contends that the NRC Staff has not required LILC0 to incorporate measures to assure that Shoreham conforms with the standards or goals of safety criteria contained in recent regulatory guides. As a result, the Staff has not required that Shoreham stractures, systems and components be backfit as required by 10 C.F.R. 6 50.55a, 5 50.57, and 6 50.109 with regard to:

(b) Regulatory Guides 1.26 and 1.29. -- LILCO's general list of quality group and seismic design classifications listed in FSAR Table 3.2.1-1 is not in compliance with 10 C.F.R. Part 50, Appendix A, Criteria 1 and 2,10 C.F.R. 5 50.55a, and 10 C.F.R. Part 100, Appendix A in that:

(1) the quality group classifications contained in FSAR Table 3.2.1-1 do not comply with the regulatory position of Revision 3, of Regulatory Guide 1.26 for safety-related components containing water, steam or radioactive materials; (2) the seismic design classifications contained in FSAR Table 3.2.1-1 do not comply with the regulatory position of Revision 3 of Regulatory Guide 1.29 with regard to control room habitability and radioactive waste systems; (3) LILC0 has not revised the FSAR Table 3.2.1-1 to expand the list of safety-related equipment as reflected in NUREG-0737 and as a result of the NRC Staff review of the Q-List as set forth in Supplement 1 of the SER on page 17-1; and (4) LILC0's list of safety related equipment contained in FSAR Table 3.2.1-1 does not include equipment upon which the plant operators will rely in response to accidents outlined in the Shoreham emergency operating procedures."

III. PREMISE FOR SAFETY CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMPONENTS Q.4 What is the purpose of the safety classification of nuclear power plant structures, systems, and components?

A.4 A nuclear power plant is comprised of many structures, systems, and components which have varying degrees of importance with respect to

~

public health and safety. These structures, systems and components are designated as items "important to safety" in the General Design Criteria of Appendix A to 10 CFR Part 50. Appendix A to 10 CFR Part 100 identifies a specific subset of "important to safety" items required to assure certain critical safety functions in the event of accidents or emergency conditions.

Items in this subset are referred to as " safety-related."

Clarification of the definition of these terms as used in licensing reviews was provided in a letter dated November 20, 1981, to all Office of Nuclear Reactor Regulation Personnel from Harold R.

Denton, Director of the Office of Nuclear Reactor Regulation.

In this letter the terms "Important to Safety" and " Safety Related" are defined as follows:

"Important to Safety Definition - From 10 CFR 50, Appendix A (General Design Criteria - see first paragraph of " Introduction".

Encompasses the broad class of plant features, covered (not necessarily explicitly) in the General Design Criteria, that contribute in important way to safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation).

. Includes Safety-Grade (or Safety-Related) as a subset.

Safety-Related Definition - From 10 CFR 100, Appendix A - see sections III.(c),VI.a.(1),andVI.b.(3).

Those structure, systems, or components designed to remain functional for the SSE (also termed ' safety features')

necessary to assure required safety functions, i.e.:

(1) the integrity of the reactor coolant pressure boundary; (2) the capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) the capability to prevent or mitigate the consequences of accidents which could result in potential off-site exposures comparable to the guideline exposures of this part.

Subset of "Important to Safety""

A third term often used in classifying nuclear power plant structures, systems and components is " safety-grade." The Director's letter states that the terms " safety-related" and

" safety-grade" are equivalent.

In this testimony, we will be following these definitions of terms.

A basic premise in the licensing of nuclear power plants is that the plant structures, systems and components which are safety-related (or safety-grade) are distinguishable from those which are non-safety-related (or non-safety-grade) by the stringency of the design criteria and quality assurance standards imposed on each and by the extensiveness of the review by the NRC staff each receives.

. Practically speaking, a nuclear power plant must satisfy utility requirements for the production of power. Plant systems to accomplish the desired operational characteristics are designed with the objective of allowing the plant to perform normal operations while at the same time providing sufficient margin for plant safety.

In some cases, safety-related (or safety-grade) structures, systems, and components are used during normal plant operation. This is the case, for example, with the reactor coolant system.

In other cases, safety-related (or safety-grade) structures, systems, and components are provided for the sole ourpose of accomplishing safety functions.

For example, this is the case for systems that automatically initiate reactor trip or automatically initiate systems to remove decay heat following an abnormal plant event.

In any case having a specific, well-defined group of safety-related (or safety grade) structures, systems, and components to accomplish required safety functions allows both the applicant and the NRC staff to concentrate their efforts on structures, systems, and components most important I

in achieving critical safety functions in case of an accident or emergency.

It should be noted, however, that a substantial fraction of the regulatory staff's review effort is applied to the review of systems whose proper operation can help prevent accident or emergency conditions, and, in fact, whose operation is important l

in assuring public health and safety even if there is never an 1

accident (e.g., effluent control systems and reactor control rooms).

. Q.5 Please describe the classification systems for plant items relative to quality assurance presently utilized by the staff.

A.5 Appendix B to 10 CFR Part 50 requires that a QA program which complies with criteria contained in that Appendix be applied to safety-related structrures, systems and components.

In implementing this requirement, safety-related structures, systems and components are placed on what we call the QA-list which is generally presente( in Section 3.2.1 of the Safety Analysis Report submitted by the applicant. This listing is reviewed by the various technical review branches within NRR to determine its correctness and completeness in the area of review responsibility for each branch. The listing must include all plant items designed to seismic category I requirements (see Position C.1 of Regulatory Guide 1.29).

It also includes other items not classified safety-related (e.g. PORV) identified after the TMI-2 accident as deserving increased QA attention by the applicant and staff.

Further, some applicants on their own initiative have included yet other additional items not classified safety-related (e.g. fire protection system, radwaste system) to which they intend to give higher emphasis with regard to QA.

The remaining items in the total set of "important to safety" (i.e.,

those items which are important to safety but not safety-related) are subjected to quality assurance requirements in accordance with

_g.

GDC 1.

The staff's present review process does not require that this subset be specifically identified in a listing, nor has the staff developed quality assurance requirements, analogous to Appendix B, for these items. The staff simply requires an applicant to commit to meeting the provisions of GDC 1 and has permitted applicants to determine the appropriate quality assurance requirements for these items consistelt with their importance to safety.

ppropriate quality assurance for some of these plant items may be no more than normal commercial practice.

Nevertheless, all structures, systems and components important to safety are required to be addressed, some in considerably more detail than others, in the Safety Analysis Report submitted by the applicant.

IV. CLASSIFICATION OF STRUCTURES, SYSTEMS, AND COMPONENTS AT SHOREHAM l

Q.6 Based on the staff's review of the Shoreham plant design, has a systematic methodology been used to determine which structures, systems and components are safety-related or important to safety?

A.6 Yes. The structures, systems, and components which are "necessary to assure (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe condition or (iii) the capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the guideline exposures of l

. this part" (10 C.F.R. Part 100, Appendix A) have been explicitly identified as safety-related (or safety-grade) by the applicant in plant design documents. These structures, systems and components include the containment building and that equipment such as piping and valves used to isolate the containment from the outside environment to the extent necessary to maintain radiological releases to within the limits of 10 CFR Part 100 following an accident. Also included as safety-related (or safety-grade) are those instruments and controls used for reactor trip, engineered safeguards actuation, or containment isolation.

With regard to those structures, systems and components important to safety but not classified as safety-related, compliance with the criteria and requirements of approved regulatory guidance documents l

(eg., Standard Review Plan, Regulatory Guide, etc.) assures that l

such structures, systems and components are properly classified l

and addressed in the Applicant's submittal although they are not explicitly identified in a listing equivalent to the QA-list for safety-related items.

Q.7 What seismic design classification system was used by LILC0 for identifying those structures, systems, and components of the Shoreham plant that should be designed to withstand the effects of l

the Safe Shutdown Earthquake (SSE) and remain functional?

A.7 LILC0 used Regulatory Guide 1.29, Revision 1, for identifying those structures, systems, and components that should be designed to l

l withstand the effects of the SSE and remain functional. Revision I was used by LILC0 since this was the revision in effect at the time the FSAR was docketed. The current revision of Regulatory Guide 1.29 is Revision 3 which is not substantially different from Revision 1.

As there are no changes in Revision 3 which would cause a change in the seismic classification of the structures, systems, and components at Shoreham, the use of Revision 1 is acceptable.

The plant features that should be designed to withstand the effects of the SSE and remain functional are identified in Regulatory Guide 1.29 as seismic Category I.

To determine the extent to which the seismic Category I design classification is applied to each fluid system, Table 3.2.1-1 must be used concurrently with the appropriate Piping and Instrumentation Diagram in order to perform a satisfactory review. The NRC staff performed the seismic classification review of the Shoreham systems identified in Table j

3.2.1-1 in this manner. Our review of the seismic classification of the structures, systems, and components of the Shoreham plant l

indicates that these plant features are in conformance with the guidance in Regulatory Guide 1.29.

The content and format of Table 3.2.1-1 for Shoreham is consistent with other licensing applications such as LaSalle and Susquehanna and, in general, is at least as 1

detailed as that provided for currently licensed plants.

Q.8 How has LILC0 applied 10 CFR 50, Appendix B, to the structures, 1

systens, and components of Shoreham?

l l

. A.8 The LILC0 Quality Assurance Program that is in conformance with 10 CFR 50, Appendix B, is applied to those structures, systems, and components of the Shoreham plant that are designated safety-related.

LILC0 has committed to apply quality assurance requirements to other structures, systems, and components that are not within the scope of Regulatory Guide 1.29 in accordance witn the requirements of GDC 1.

This practice is and has been acceptable to the staff on licensing applications since the promulgation of the regulation.

Q.9 What quality group classification system was used by LILC0 for water, steam, and radioactive waste containing components of the Shoreham plant?

A.9 LILC0 used Regulatory guide 1.26, Revision 1, as the basis for classifying water, steam and radioactive waste containing components of the Shoreham plant. Radioactive waste management systems are classified in accordance with Regulatory Guide 1.143. This guidance in Regulatory Guide 1.143 supercedes that found previously in Regulatory Guide 1.4o for these systems. Revision 1 of Regulatory Guide 1.26 was used by LILC0 since this was the revision in effect j

at the time the FSAR was docketed. The current revision of Regulatory Guide 1.26 is Revision 3 which is not substantially different from Revision 1.

As there are no changes in Revision 3 which would cause a chance in the system quality group classifications of the water, steam and radioactive waste containing components at Shoreham, the use of Revision 1 is acceptable.

. The classification system identified in Regulatory Guide 1.26 consists of four Quality groups A, B, C, and D.

The Guide identifies the fluid systems applicable to each Quality group and the construction code applicable to each pressure-retaining component. To determine the classification boundaries of each fluid system, Table 3.2.1-1 must be used concurrently with the appropriate Piping and Instrumentation Diagram in order to perform a satisfactory review as it is the intent to only identify major components in the table. The NRC staff performed the quality group classification review of the Shoreham systems identified in Table 3.2.1-1 in this manner. Our review of the quality group classifications of the water, steam and radioactive waste containing components of the Shoreham systems indicates that these components are in conformance with the guidance in Regulatory Guide 1.26. The content and format of Table 3.2.1-1 for Shoreham is consistent with other licensing applications such as LaSalle and Susquehanna and is at least as detailed as that provided i'r currently licensed plants.

Q.10 Is the LILC0 Quality Assurance Program that is in conformance with 10 CFR 50, Appendix B, also applied to all components that are classified Quality Groups A, B, C or D?

A.10 No.

For Shoreham all itens that are classified Quality Groups A or B are within the scope of the LILC0 Appendix B Quality Assurance Program.

Items classified Quality Group C are also within the scope of the Appendix B Quality Assurance Program except for certain items

. that are upgraded from Quality Group D io Quality Group C.

An example of items that are upgraded at Shoreham are components of the reactor water cleanup system beyond the reactor coolant pressure bout.dary isolation valves.

Items upgraded to Quality Group C standards need not be subjected to an Appendix B Quality Assurance Program.

Quality Group D items are not within the scope of the LILCO Appendix B Quality Assurance Program. The description of Quality Group D in Regulatory Guide 1.26 does include the term " safety-related."

Nevertheless, the staff does not require that Quality Group D items be subjected to the Appendix B Quality Assurance Program. Even the most recent revision of Regulatory Guide 1.26 (Revision 3) was issued in 1976, well before Mr. Denton's letter clarified staff usage of safety classification terms.

Q.11 What seismic design classification was used by LILC0 for the control i

room air conditioning system.

A.11 As noted in FSAR Table 3.2.1-1, LILC0 has classified the control room air conditioning system as seismic Category I.

The system is also within the scope of the LILC0 Quality Assurance Program that is in conformance with 10 CFR Part 50, Appendix B.

In addition, as noted in FSAR Section 9.4.1, the chilled water cooling coils in the air conditioning units are classified Quality Group C and constructed to the requirements of ASME Section III, Class 3.

. The system is therefore in conformance with the current applicable regulatory requirements.

Q.12 Has the QA Listing of equipment shown in FSAR Table 3.2.1-1 been expanded to include items as reflected in NUREG-0737 ("Classifica-tion of TMI Action Plan Requirements")?

A.12 In response to staff questions, the Applicant has documented its committment to apply the pertinent requirements of the Appendix B QA program to equipment listed in NUREG-0737. The documentation is presently provided by letters from LILC0 dated May 27, 1981 and July 15, 1981. The Applicant has been requested to include this documentation in the FSAR although use of Table 3.2.1-1 for this purpose may not be appropriate nor is it necessary.

1 V.

DEFENSE OF THE METHODOLOGY USED IN CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMPONENTS AT SHOREHAM Q.13 What analyses are used to verify that the proper structures, systems, and components have been identified as safety-related (or safety-grade)?

A.13 Analyses of " anticipated operational occurrences" and " accidents" are used to verify that the proper structures, systems, and components have been identified as safety-related (or safety-grade).

These analyses are contained in Chapter 15 of the Final Safety Analysis Report (FSAR) and the Staff review procedures for these analyses are delineated in Chapter 15 of the Standard Review Plan.

Q.14 How are the analyses in chapter 15 of the Final Safety Analysis Report (FSAR) used in verifying that the proper structures, systems and components have been required to be safety-related (or safety-grade)?

A.14 A specific set of " anticipated operational occurrences" and

" accidents" are analyzed and documented in Chapter 15 of the FSAR to demonstrate that plant trip and/or safety system equipment actuation occurs with sufficient capability and on a time scale such that the consequences are within specified, acceptable limits.

In these analyses, conservative initial plant conditions, core physics parameters, equipment availability, and instrumentation setpoints have been assumed. Conservative core parameters (for example, heat fluxes, temperatures, pressures, and flows) are also assumed. Among the specific set of " anticipated operational occurrences" and

" accidents" analyzed are the limiting events resulting from both i

mechanistic and non-mechanistic equipment and system failures. The 1

conservative bounding analyses performed are used to demonstrate that the potential consequences to the health and safety of the public are within acceptable limits for a wide range of postulated events even though specific actual events might not follow the same assumptions made in the analyses.

In addition, the analyses I

performed are used to demonstrate that the potential consequences to i

. the health and safety of the public are within acceptable limits (i.e., offsite exposures are less than the guideline exposures of 10 CFR Part 100) when only safety-related (or safety-grade) equipment and systems are used to mitigate the consequences of the postulated events. Sufficientsafety-related(orsafety-grade)equipmentis provided to assure that essential safety functions will be performed even with the most limiting single failure.

Q.15 What is the definition of a single failure?

A.15 The definition of a single failure is given in the " Definitions and Explanations" included in 10 CFR Part 50, Appendix A:

"A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure."

Q.16 Are all possible accident sequences analyzed in Chapter 15 of the Shoreham FSAR?

l A.16 No, it would not be possible to analyze or even define all possible accident sequences for any nuclear power plant. However, the transient and accidents analyzed are representative of classes of l

events that have been judged to be of signiffcant severity and sufficient likelihood to require consideration. Similarly, the i

associated analysis methods and acceptance criteria are also not

. realistic, but are conservative, or bounding representations of actual or expected conditions.

Q.17 How can the staff conclude that Shoreham can be safely operated if all possible accident sequences have not been analyzed?

A.17 As was discussed in the answer to the proceeding question, the plant design has been reviewed for a spectrum of transients and accidents that are rtpresentative of classes of events that have been judged to be of significant severity and sufficient likelihood to require consideration. But assuring an ucceptable level of reactor safety is not limited to the analyses of a number of transients and accidents end ascertaining that the plant is designed to control and/or accommodate the consequences of these events. Adequate safety also depends on a " defense in depth" approach which recognizes the availability of a large number of plant design features as well as the availability of well trained l

l operators using carefully prepared procedures. The cornerstone of the " defense in depth" philosophy is the use of multiple, l

successive barriers to the escape of radioactivity and assuring l

that these barriers are not compromised as the result of transients and accidents.

The first level of protection deals with design for safety in normal operation and tolerance for system malfunctions.

It emphasizes gaulity, redundancy, and inspectability. Critaria and

. requirements applied to the structures, systems and components needed for normal operatiom (e.g., primary pressure boundary, main feedwater system, main steam system, turbine, radiation monitoring system, effluent control system, the control room and control systems) are found in regulatory guidance documents and in the Standard Review Plan, Regulatory Guides, General Cesign Criteria (10 CFR Part 50, App. A).

The second level of protection assumes that incidents will occur in spite of care in design, construction and operation.

It requires the provision of systems to detect incipient failure and to shutdown the plant so as to prevent or minimize damage when such incidents occur. The third level of protection assumes the occurrence of damaging accidents.

It requires the provision of safety systems to limit or control the consequences of hypothetical accidents (e.g.,

loss of coolant accidents).

In designing these safety systems, we require the assumption of a large fission product release per 10 CFR Part 100, where some protective systems are assumed to degrade or fail simultaneously with the accident they are intended to control.

The reactor fuel cladding, the reactor coolant system pressure boundary, and the reactor containment building constitute the key parts of the third level of defense in depth. The fuel clad and the reactor coolant system boundary are designed to contain the radioactive fission products produced in the core; likewise the reactor containment building and assiciated isolation equipment, which are safety-related (safety-grade), are designed to limit radioactivity releases and serve as the final boundary to the

. outside environment. The analyses in Chapter 15 of the FSAR, which are reviewed by the NRC staff, are used to verify that the integrity of the cladding, reactor coolant system boundary, or both, are maintained within specified limits following the postulated limiting events (i.e., both transients and accidents) discussed earlier.

Another level of protection is provided by the trained operator and the emergency operating procedures. The operator, utilizing the procedures, is trained to take actions to maintain the plant in a safe condition independent of the type or number of equipment or system failures which might occur.

In performing the key safety functions, the operator is instructed to use any end all equipment or systems which might be available whether it is safety-related (safety-grade) or not.

In addition to the design basis events, analyses assuming various event sequences (including multiple failures) that could occur and fall outside of the required design envelope have been utilized in tiie preparation of the emergency operating procedures. This approach for the plant operators is a result of the lessons learned from the TMI-2 accident.

Its objective is to further assure that the operator is able to respond to the complete spectrum of possible events.

It would be impossible to assume that an operator could memorize all multiple failure sequences, and rapidly diagnose the actual, specific event. Therefore, the approach we use is to guide the operator to recognition of certain symptoms of events, and to respond to

. symptoms rather than to a specific event. This involves "all" events being broken down into categories that are all inclusive, e.g.,

loss of heat sink, overcooling, loss of inventory reactivity. We train operators and write procedures to treat symptoms of these categories and gain control of the plant no matter what combination of failures caused the particular event. This approach is being implemer.ted at the Shoreham plant.

In summary, the analyses in Chapter 15 of the FSAR combined with the " defense in depth" approach, which has been extended to incluae multiple failures outside of the required design basis in the emergency operating procedures, and compliance with approved regulatory guidance, constitute the methodology used to insure that nuclear power plant operation will not result in undue risk to the health and safety of the public.

It was never intended nor is it necessary to analyze all possible accident sequences to assure an adequate level of safety.

Q.18 Is there any regulatory requirement or has past practice on any nuclear power plant been to classify all equipment which is specified for use in emergency operating procedures as safety-related(orsafety-grade)?

A.18 No. As previously stated, regulations and the staff proctice require that structures, systems, and components be safety-related (or safety-grade) if the structures, systems, and components are

, "necessary to assure (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe condition, or (iii) the capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the guideline exposures of this part" (10 CFR Part 100). The key word above is the word necessary in the phrase"...if the structures, systems, and components are necessary to assure...".

Structures, systems, and components which may be utilized in emergency procedures over and above those which are necessary -- actually required -- to assure the functions above are not required to be classified as safety-related (or safety-grade).

Q.19 Does the staff expect equipment which is not safety-related (or safety-grade) to be operable following an accident?

A.19 Yes, in general.

It is expected that the operator would use the non-safety-related equipment which remains operable to the maximum extent possible in controlling the course of any accident. However, the regulations arc staff require that safety-related (or safety-grade) equipment meeting stringert fesign criteria and quality assurance requirements be 3 ^a aen to mitigate the consequences of accidents which co>id rosa 5 c in pctential offsite exposures comparable to the guideline exposures of 10 CFR Part 100.

As discussed previously, however, this is only one part of the methodology used to assure no undue risk to the health and safety of the public.

y,-

/

/

- 23 2 '

)

VI. DEf!0NSTRATION OF THE ADEQUACY OF THE CLASSIFICATION OF STRUCTURES, SYSTEMS, AND COMPONENTS AT SHOREHAM Q.20 In the Staff's review of the hortha'm Chapter 15 " anticipated operational occurrence" and " accident" analyses, was adequate consideration given to the safety classification of systems used for

" anticipated operational occurrence" and " accident" mitigation?

A.20 Yes.

In the sequerre of events for each " anticipated operational occurrence" or "acc ' Ant" the safety classification of the normally operating plant sys' ems and engineered safety feature systems was reviewed.

Further, in addition to analyses of design basis events, Shoreham plant systems desigm was reviewed against other criteria f

and requirements of approved regulatory guidance such as applicable Regulatory Guides and Standard Review Plan, sections.

/

Q.21 Is the staff aware of the use of any equipment not classified as I; r

safety-related (or safety-grade) for the mitigation of any

" anticipated operational occurrence" or " accident" in the Shoreham Chapter 15 analyses?

A.21 Yes.

For example in the Feedwater Controller Failure (Maximum Demand) transient (" anticipated operational occurrence"), the high water level (Level 8) tr.ip and the turbine bypass system are used to mitigate the transient. The equipment used for these functions is not classified as safety-related. Use of this equipment in mitigation of the transient is based on the consideration that the 1

. equipment is of high reliability and subject to periodic surveillance requirements in the technical specifications.

(See I,

Sections 7.6.11 and 15.2.1 of the Shoreham Safety Evaluation Report.) Furthermore, the Feedwater Controller Failure event with assumed failura of the Level 8 trip and turbine bypass system would result in only very limited, if any, fuel failure and, thus, would not result in an undue risk to the health and safety of the public.

Q.22 Is the reactor vessel water level measurement system at Shoreham safety-related?

A.22 Yes. All portions of the Shoreham reactor vessel water level measurement system required to perform safety functions such as reactor trip or engineered safety feature system actuation are safety-related.

(The operation of this measurement system is discussed it. detail later in this testimony.)

Q.23 Is the Standby Liquid Control System at Shoreham safety-related?

A.23 Yes. All portions of the Shoreham Standby Liquid Control System required for the injection of fluid including the switch used to initate the system are safety-related. The portion of the control board upon which the switch is mounted is designed to survive a seismic occurrence. Heaters, indicator lights and alarms not needed for the actual injection of fluid are not safety-related. The o

_ system is not required to be a totally redundant system since it is used only as a backup means for bringing the reactor to a subcritical condition.

Q.24 Is the Reactor Core Isolation Cooling (RCIC) system at Shoreham safety-related?

A.24 Yes. The equipment required for the RCIC system to perfonn its safety function of injecting water is safety-related.

The RCIC is a high pressure system primarily designed to maintain sufficient water in the reactor pressure vessel to cool the core and then maintain the reactor in the standby condition in the event the vessel becomes isolated and feedwater is not available. During a loss-of-coolantaccident(LOCA),theRCICinitiatesonlowvessel water level and delivers rated flow to the vessel through a connection in the feedwater system.

Even though RCIC is not a part of the Emergency Core Cooling System (ECCS) network, the RCIC system is traditionally designated as a safety-related system.

It is similar to the auxiliary feedwater l

systems in PWRs. During limiting conditions of operation (LCO),

i.e., when High Pressure Core Injection System (HPCI) is inoperable, l

power operation is allowed to continue for a period of time provided i

RCIC is operable. Moreover, credit is taken for RCIC when HPCI is l

inoperable in the Shoreham accident analysis (e.g., control rod drop accident).

1

. Q.25 Is the Feedwater Control System at Shoreham relied upon to mitigate

" anticipated operational occurrences" or " accidents"?

A.25 No.

It is, however, expected that the operator would attempt to manually control this system to mitigate excessive feedwater flow to the reactor vessel caused by a feedwater/ level control system failure. However, the Feedwater Control System is not required for the mitigation of any " anticipated operational occurrence" or

" accident".

Q.26 Would non-safety-related equipment at Shoreham be used during an

" anticipated operational occurrence" or " accident"?

A.26 Yes. Much non-safety-related equipment is in service during normal operation of the plant. This equipment would probably continue to l

operate during an " anticipated operational occurence" or " accident".

It would be logical to make use of this equipment in mitigating an

" anticipated operational occurrence" or " accident" when possible.

However, backup safety-related systems are available to insure the health and safety of the public.

l An example is the plant feedwater system which is not safety-related. The operator is very familiar with this particular system and would use it during a loss of coolant accident if it is available.

It is not, however, necessary that the system be safety-related even though it might be used during an accident because other items which are safety-relcted are available to protect public i

health and safety.

i

. Q.27 Are ther' structures, systems and components at Shoreham which are not safety-related but for which special design features or other considerations have been provided to assure reliability?

A.2/ Yes. Three specific examples are discussed in Section 7.6.11 of the Shoreham Safety Evaluation Report. The three examples are:

(1) the reactor manual control system - rod block monitor (2) the feedwater control system high water level trip (" Level 8 trip")

(3) the turbine bypass system.

Q.28 What types of considerations have been applied to these systems over and above provisions which would normally apply to structures, systems and components having no "importance to safety"?

4 A.28 The rod block monitor has a self-testing capability and the operability of this self-testing feature will be demonstrated l

periodically. The " level 8 trip" includes redundant level sensors l

j and trip circuits with electrical isolation between the redundant portions. The time during which portions of the " level 8 trip" may be inoperable will be limited in the technical specifications. The I

technical specifications will require periodic surveillance to l

l confirm operability of the turbine bypass system.

(SeeSections 7.6.11 and 15.2.1 of the Shoreham Safety Evaluation Report.)

. VII. DEMONSTRATION OF THE ADEQUACY OF THE CLASSIFICATION AND ANALYSIS OF THE REACTOR VF.SSEL WATER LEVEL MEASUREMENT SYSTEM AT SHOREHAM Q.29 Flashing in the reference leg of water level instrument lines has been cited by Suffolk County and the Shoreham Opponents Coalition as a systems interaction effect which may delay ECCS actions. What type of events will lead to flashing in the reference leg?

A.29 There is the potential for flashing whenever the reactor coolant system (RCS) pressure drops below the saturation pressure corresponding to the temperature near the reference leg. The staff has identified three possible scenarios which will lead to flashing.

These are:

(1) Failure of drywell coolers and subsequent depressurization as for shutdown. This has occurred at one plant (Pilgrim).

For water level instruments such as exist at Shoreham, the RCS pressure would have to be lowered to approximately 50 psia for flashing to occur.

(2)

For a small steamline break, the drywell temperature could reach 340 F.

Flashing could then occur for RCS pressures less than 115 psia.

(3) A large break LOCA would result in approximately equal drywell and RCS pressure.

Subsequent actuation of the containment spray would reduce RCS and drywell pressure and the heat stored in the instrument piping could cause some flashing to occur.

Liquid line breaks or large steamline breaks with resultant l

two-phase flow out of the break will not result in flashing in the instrumentlinesexceptasincase(3)describedabove.

Q.30 Will any of the scenarios discussed above result in delayed actuation of the ECCS?

l I

A.30 For case #(1) above, no break exists and there is no need for ECCS actuation.

If a LOCA is postulated to occur while the reactor is in the shutdown cooling mode of operation and while the drywell temperature is still high, there is a possibility for delayed ECCS actuation. However, this is a very unlikely scenarie.

For case (2) above, there would be no delay in ECCS actuation. For case (3) above, the ECCS would already have been actuated prior to containment spray; thus, there is no delay in ECCS actuation.

Q.31 What are the consequences of loss of level indication due to flashing in the instrument lines?

A.31 If water level cannot be determined, the operator is instructed to depressurize the vessel (if not already depressurized) and flood the vessel with low pressure systems. Therefore, the fuel would remain covered and there would be no adverse safety consequences.

Q.32 What is the maximum water level error which can result from flashing 1

in the reference leg of the water level instrumentation at Shoreham?

A.32 There are two reference columns for the water level instrumentation at Shoreham. One reference column has a vertical drop in the drywell of 3.45 ft and the other reference column has a vertical drop in the drywell of 6.73 ft. The maximum error which can result from flashing due to high temperature in the drywell is just the l

vertical drop in the drywell. However, the nar.mw range and wide

. range level instruments are calibrated for normal operating conditions (fluid in the reactor saturated at 1000 psi and drywell temperature of 135 F). The vessel depressurization results in saturated fluid at a lower pressure. Therefore, the depressurization results in a decalibration of the wide range and narrow range instruments. The combined error due to flashing and decalibration is approximately 4.6 ft, for one reference column and 9 ft. for the other reference column.

Q.33 What is the safety significance of the 4.6 ft. and 9 ft. water level measurement error?

A.33 There is no safety significance. The ECCS, if required, would be actuated prior to depressurization. The normal water level is approximately 18 ft. above the top of the fuel. Therefore, even if the operator controls water level using the instrument with the maximum error, the fuel would still be covered with water and would be adequately cooled.

For the case of a large LOCA in a recirculation line and insufficient injection to flood the vessel above the top of the jet pumps, the actual level in the downcomer region (where level is measured) would be at the top of the jet pumps (2/3 core height) and the actual level in the core would be higher due to the generation of voids in the core. Tests conducted by General Electric have shown this water level sufficient to adequately cool the core.

Q.34 If there is no safety significance of the flashing phenomenon, why was a board notification issued?

A.34 The vertical drop of the reference legs in the drywell is variable from plant to plant. One operating BWR has been reported to have a maximum vertical drop in the drywell of approximately 40 ft.

Several' BWRs have vertical reference leg drops of approximately 20 ft. Some corrective measures will have to be taken for those plants (several of these plants are already voluntarily making modifications). Various operating plants are in the process of providing plant specific information. Data on the reference legs for Shoreham were not obtained prior to issuance of the board notification.

Q.35 Is there sufficient redundancy in the water level instrumentation to prevent a sensing line malfunction and another random single failure from impacting ECCS actuation?

i A.35 There is sufficient redundancy in the water level instrumentation to prevent a sensing line malfunction e.g., break or leak) and another s

random electrical failure from impacting ECCS actuation.

VIII. DISCUSSION OF ALTERNATIVE METHODOLOGIES PROPOSED BY SUFFOLK COUNTY AfiD THE SHOREHAM OPPONENI5 COALITION CONIENTION 78 Q.36 Are probabilistic risk assessment, failure modes and effects anlayses, systems interaction analyses, or dependency analyses required by either the regulations or staff practice in the safety classification of structures, systems, and components?

A.36 No. These techniques have, however, been used.in some cases to look for weak points in plant systems designs or to evaluate the risk of particular event sequences. The techniques have been used to identify failure modes and the need for equipment changes, increased surveillance, additional testing, and improved procedures to reduce the risk of particular event sequences.

Q.37 Has a systematic methodology been developed for using probabalistic risk assessment, failure modes and effects analyses, systems interaction anclyses or dependency analyses for the specific purpose of safety classification of nuclear power plant structures, systems and components?

A.37 No, not for safety classification. However, since the mid-1970s the IEEE has considered the need for additional safety classes of electrical equipment and methodologies which could be used to determine a " level of importance to safety" for nuclear power plant instrumentation and control systems. To date, the IEEE efforts have l

not been successful in producing a methodology acceptable on a consensus basis to the IEEE. Techniques for semi-quantitatively determining a " level of importance to safety" of instrumentation and j

control systems have been proposed, but these techniques are currently not sufficiently nature to be acceptable on a consensus basis to the IEEE or NRC staff.

I l

[

i

. Q.38 What use, if any, will the staff make of the Shoreham Probabilistic Risk Assessment (PRA) particularly as it relates to classification of structures, system, and components and identification of potential adverse system interactions?

A.38 The staff has neither required a probabilistic risk assessment for Shoreham as part of the regulatory review process for issuing an operating license nor does the staff have specific criteria for evaluating such an assessment for Shoreham. The staff will, however, require submittal of the Shoreham PRA and will review it to gain added insight into potential safety improvements and will take appropriate actions. The staff will also review any actions taken by LILC0 as a result of the Shoreham PRA.

Other PRAs which are under review by the staff are being used to identify outliers, i.e., accident sequences which are major contributors to core melt or events with severe societal consequences. The staff has not used these PRAs specifically to classify items in the past. Adverse systems interactions that are identified by these studies and are major contributors to dominant accident sequences would be considered for additional action if deemed warranted.

Classification of structures, systems and components is associated with analyses of design basis accidents, which include conservative analyses of certain postulated events and a single failure in systems relied on to mitigate the consequences of these postulated

_ events.

PRAs use realistic assumptions to consider multiple failure events that result in extensive core damage or core melt. The PRAs consider all plant equipment, and the use of component failure probabilities in PRAs attempts to weight appropriately the potential contribution of non-safety grade equipment (to the extent that it is included in the analysis). The inclusion of non-safety grade equipment in a PRA is not necessarily a basis for changing its classification.

IX. MANAGEMENT OF UNRESOLVED SAFETY ISSUES A-17 AND A-47 FOR SHOREHAM Q.39 Provide a brief description of the general concern and specific objectives involved in Unresolved Safety Issue A-17, " Systems Interactions in Nuclear Power Plants". Also provide a brief discussion of the status of the staff's program to address and resolve this USI generically and for Shoreham.

A.39 The discussion in Appendix B of the Shoreham Safety Evaluation Report will be augmented and updated here. The general concern involved in the systems interations issue is the possibility of one i

reactor plant system actino on one or more other systems in a way not consciously intended by design so as to adversely affect the safety of the plant.

In designing reactor plant systems, therefore, l

a primary objective has been to incorporate design features (e.g.,

redundancy and diversity in systems that perform required safety functions, and independence of safety systems from all other plant systems and from each other) such that, ideally, several independent

. system failures must occur to degrade unacceptably or to fail totally any necessary safety function. The specific objective of a systems interaction analysis is to provide assurance that the independent functioning of safety systems is not jeopardized by preconditions within the plant design (particularly dependencies hidden in supporting and interfacing systems) that cause faults to be dependent.

Within the existing regulatory framework, the systems interaction concern is addressed by evaluating plant designs against well-established deterministic requirements and criteria embodied in existing regulatory guidance documents (e.g., Regulatory Guides and the Standard Review Plan). These current requirements are founded on the principle of " defense-in-depth"; and they include provisions for design features such as physical separation and functional independence of redundant safety systems, as well as other measures that provide protection against hazards such as pipe ruptures, missiles, seismic events, fires, and flooding. Also,-the Quality Assurance Program that is applied during the design, construction, and operational phases for each plant provides additional assurance in this regard by helping-to prevent inadvertent introduction of adverse systems interactions contrary to approved design.

Thus, although there is no explicit requirement for a dedicated, comprehensive systems interaction analysis of plant designs, and although there currently exists no well-defined, documented

. methodology for systematic analysis of plant designs for systems interactions, the existing regulatory framework provides reasonable assurance against many types of potential systems interactions. As stated in a recent letter (dated February 12,1982) from William J.

Dircks, Executive Director for Operations to Paul Shewmon, chairman, Advisory Corriittee on Reactor Safeguards (ACRS), regarding an ACRS recommendation that some additional systems interaction requirements be imposed immediately on licensee / applicants:

"NRR continues in the confidence that current regulatory requirements and procedures provide an adequate degree of public health and safety" As also noted in that letter to the ACRS, some events have occurred in the past at operating plants that have adversely affected safety system redundancy, and the functioning of safety systems have actually been degraded in other events (e.g., the Browns Ferry partial failure -to-scram). The frequency and possible implications of such events has prompted the staff to consider whether additional l

system interaction analysis requirements should be developed and imposed in order to examine more fully than currently required the question of susceptibility of reactor plant systems to potential systems interactions. A program has been initiated to address these questions and has progressed significantly over the past few years.

However, the NRC staff has affirmed repeatedly on numerous occasions (such as che one noted above) its view that, until the generic program is completed and provides the basis for making an orderly l

decision regarding the possible need for additional systems inter-I action requirements, adequate reasonable assurance of public health i

. and safety is provided by compliance with current requirements and procedures.

The staff's program for studying the systems interaction issue as outlined above was initiated in May 1978 with the definition of USI A-17, " Systems Interaction in Nuclear Power Plants." The early phase of this program involved development of a candidate systems interaction methodology by Sandia Laboratory, and a limited-scope trial application of that methodology to the Watts Bar I facility.

The objective of this effort was to attempt to evaluate both the methodology developed and (by comparison) the adequacy of existing Standard Review Plan procedures for uncovering potential systems interactions.

This Phase I analysis was performed by fault trees to identify component failure combinations (cut-sets). The total number of possible independent failure combinations that could have been analyzed was redr ad by introducing six linking features into the l

analysis. This effort identified a few potentially adverse l

interactions within the limited scope of the study. The staff reviewed the interactions identified for safety significance and I

generic impiications. The staff concluded that no corrective l

measures were needed immediately at Watts Bar I, except with regard to the potential for interaction between the Power Operated Relief Valve and its associated block valve. This interaction had been separately identified by analyses of the TMI-2 accident and l

l l

l

.=

i I

corrective measures were already being implemented. This initial A-17 effort was deemed unsuccessful.

l In May 1980, in the aftermath of the TMI-2 accident, the TMI-2 I

Action Plan (NUREG-0660) was approved by the Commission.

Item II.C.3oftheActionPlan(SystemsInteraction)incorporatedtheUSI l

A-17 effort and broadened the systems interaction program. Special limited-scope (spatially coupled, seismic initiator) system i

l interaction analyses were performed at Diablo Canyon Units 1 and 2 and at San Onofre Unit 2.

The basic method used in both analyses was in-situ visual examination of plant systems for potential f

failures of " sources" (i.e., non-seismic Categoruy I piping / equipment) that could adversely affect the functioning of

. safety-related " targets". The staff and ACRS accepted both analyses i-even though the results differed significantly in terms of the number of potentially adverse systems interactions discovered. The I

differences in results obtained were explainable in view of differences in design criteria applied at the two facilitias. The San Onofre unit design criteria required both non-safety and safety-related systems to be mounted with Seismic I qualified l

mountings. This design criteria had not been applied at Diablo Canyon.

In January 1981, a staff assessment (based on surveys by three national laboratories under contract to the staff) of then available methodologies led to the conclusion that application of any single

(

l i

. method could not identify all potentially important systems interactions. Therefore, the staff undertook a program to further develop available methods (or combinations of available methods) and to incorporate them into what has been termed " Interim Guidance" that could be used by licensees / applicants for a comprehensive, systematic systems interaction evaluation of specific facilities.

The Interim Guidance was intended to describe an acceptable general approach to a comprehensive systems interaction anlysis effort, and to provide at least two distinct alternative detailed step-by-step illustrative procedures for accomplishing that objective. The documentation of one illustrative procedure (characterized as a Fault Tree / Interactive FMEA methodolgy) is essentially complete and ready for trial application at this point. Documentation of the second illustrative procedure (called the Matrix-based Diagraph Method) is scheduled to be completed by August 1982. <The Interim Guidance is based upon experience gained during the Watts Bar limited-scope analysis, the Diablo Canyon and San Onofre seismic-initiator systems interaction reviews, the surveys conducted by the national laboratories, and review of the Indian Point-3 program plan (described further below).

Another major element in the expanded systems interaction program included under Action Plan Item II.C.3 is the broad-scope systems interaction evaluation of the Indian Point-3 facility by the Power Authority of the State of New York (PASNY), employing a methodology developed by themselves.

PASNY submitted a preliminary plan for 4

this systems interaction study in March 1981, and staff review was completed six months later.

PASNY's final program plan, incorporating staff's review comments, was received in January 1982 and has been approved / endorsed for performance at IP-3 by both the staff and the ACRS. The actual study effort got underway in April 1982 and is progressing satisfactorily at this time.

It is estimated that approximately one year will be required to complete this study.

One remaining major element in the staff's system interaction i

program plan under Action Plan Item II.C.3, which has not yet been approved or initiated by the NRC staff, is the so-called " Pilot Program" effort. As initially conceived, the Interim Guidance described in the proceeding was to be' applied on a trial basis in several plants undergoing operating license review, and results from both the pilot plant analyses and the IP-3 study were to be evaluated in reaching a final decision regarding the need for additional requirements to perfonn expanded scope system interaction analyses on some or all LWRs.

The staff has also given consideration to the option of requiring that systems interaction analyses be performed on the first group of NREP/SEP Phase III*/ plants using the PASNY methodology as the basis,

-*/

The Systematic Evaluation Program (SEP) is an ongoing program involving a deterministic review of operating plants to assess the adequacy of the design and operation of existing reactors, to (footnote continued on following page)

. after the staff has reviewed initial phases of the IP-3 study and identified any needed modifications. Subsequent NREP/SEP plants could perform systems interaction analyses using methodology that incorporates further improvements on the later pilot studies. Thus, the refinement of methodology, and the decision to proceed with each additional step, would depend on what had been learned to date.

This option is consistent with the view that performance of systems interaction dependency analyses in combination with current PRAs will better assure that PRA results will provide adequate insight regarding the possible need for improvements in safety and reliability.

Therefore, as stated in the SER for Shoreham "... studies to date indicate that current review procedures and criteria supplemented by the application of post-TMI findings and risk studies provide reasonable assurance that the effects of potential systems interaction on plant safety will be within the effects on plant (Footnote continued from previous page) compare them with current safety criteria, and to provide the basis for integrated and balanced backfit decisions, if required. The program was initiated in 1977; Phase II of the program is now in progress.

Phase III (SEP III) is scheduled to begin in FY 1983 for completion in FY-1989.

The National Reliability Evaluation Program (NREP) is a program propo.ed to assess design and operational deficiencies of all commercial operating power reactors employing probabilistic risk assessment (PRA) techniques. The staff will recommend that this program begin by the end of FY 1982. The staff is seeking Commission approval to coordinate NREP with SEP Phase III and require SEP III licensees to do PRA under NREP.

. safety previously evaluated."

(SERatB-11). And as reaffirmed recently in the Dircks letter dated February 12, 1982 (referred to above), the staff " continues in the confidence that current regulatory requirements and procedures provide an adequate degree of public health and safety."

Q.40 What is the technical concern in Unresolved Safety Issue A-47,

" Safety Implications of Control Systems"?

A.40 This issue is discussed in Appendix B of the Shoreham Safety Evaluation Report (NUREG-0420) and will be discussed again here.

The issue concerns the potential for transients or " accidents" being made more severe as a result of control system failures or mal functions.

Failures or malfunctions may occur independently or as a result of an accident or transient. One concern is the potential for a single failure such as a loss of a power supply, sensor impulse line failure, or sensor failure to cause simultaneous malfunction of several control features.

Such an occurrence could conceivably result in a transient more severe than those transients l

analyzed as " anticipated operational occurences". A second concern l

l is for a postulated accident to cause control system failures which would make the accident more severe than presently analyzed.

Accidents could conceivably cause control system failures by creating a harsh environment in the area of the control equipment or by physically damaging the control equipment.

l In accordance with Standard Review Plan Chapter 7, NRC staff reviews

. have been performed on currently licensed plants as well as on Shoreham with the goal of assuring that control system failures will not prevent automatic or manual initiation and operation of any safety system equipment required to trip the plant or maintain the plant in a safe shutdown condition following any " anticipated operational occurrence" or " accident". The approach has been either to provide independence between safety-related and non-safety related systems or to require isolating devices such as isolation amplifiers between safety-related and non-safety related systems such that failures of non-safety related equipment cannot propagate through the isolating devices to impair operation of safety related equipment.

In addition, a specific set of " anticipated operational occurrences" and " accidents" has been conservatively analyzed to demonstrate that plant trip and/or safety system equipment actuation occurs with sufficient capability and on a time scale such that the consequences are within specified acceptable limits. The analyses are intended to be sufficiently conservative to verify that the potential consequences to the health and safety l

of the public are within acceptable limits for a wide range of postulated events even though specific actual events might not follow the same assumptions made in the analyses.

i In general, until approximately one year ago systematic evaluation of control systems designs had not been performed to detennine whether single event induced multiple control system actions could result in a transient such that core limits established for

" anticipated operational occurrences" are exceeded. Single failures

. or events which could induce multiple control system actions would presumably include events such as a loss of power supply or failure of a sensor impulse line.

If single failure or event induced multiple control system actions do indeed exist, experience with operating plants indicates that incidents resulting in transients more severe than currently analyzed as " anticipated operational occurrences" have a low probability.

Until approximately two and one half years ago systematic evaluations of control system designs had not been performed 'o determine whether postulated accidents could cause control system failures resulting in control actions which would make accident consequences more severe than presently analyzed. Licensees have, however, now reviewed the possibility of consequential control system failures which exacerbate the effects of some high energy line breaks and taken action where needed, to assure that the postulated events would be adequately mitigated.

The resolution of Unresolved Safety Issue A-47 will systematically determine if current licensing practices with respect to control systems are adequate. Should the resolution of A-47 indicate that additional criteria for control system designs are necessary or that specific problems require resolution, appropriate action will be taken for plants in the licensing process as well as for plants now in operation. At this time, the staff knows of no specific control

. system failures or actions on Shoreham or any other plant which would lead to undue risk to the health and safety of the public.

Q.41 Wnat will be done specifically for the Shoreham plant to demonstrate that the consequences of control system failures do not represent an undue risk to the health and safety of the public?

A.41 The staff has requested (see Section 7.7 of the Shoreham Safety Evaluation Report) that the applicant identify any power sources, sensors, or sensor impulse lines which provide power or signals to two or more control systems and demonstrate that failures of these power sources, sensors, or sener-impulse lines will not result in consequences more severe than those bounded by the analyses of

" anticipated operational occurrences" in Chapter 15 of the FSAR.

In addition, the staff has requested that the applicant perform a i

revie4 to demonstrate that the harsh environments associated with high energy line breaks will not cause control system malfunctions resulting in consequences more severe than those of the Chapter 15 accident analyses. Upon cohpletion of these efforts by the applicant to the satisfaction of the staff, the staff will be able to conclude, with reasonable assurance, that control system failures l

do not represent an undue risk to the health and safety of the public. The Applicant vill, however, be required to address any ddditional staff guidance which may result from the resolution of Unresolved Safety Issues A-47 and A-17.

l t

~ - -.

X.

CONCLUSION Q.42 What conclusion does the staff draw with respect to the adequacy of the safety classification and analysis of structures, systems, and components at the Shoreham plant for identifying the items to which General Design Criteria 1, 2, 3, 4, 10, 13, 21, 22, 23, 24, 29, 35 and 37 apply?

A.42 The safety classification of structures, systems, and components at the Shoreham plant, and the measures taken to assure the reliability of structures, systems, and components important to safety are in compliance with current Commission regulations and with the staff practice which has evolved since the inception of commercial nuclear power. Those structures, systems, and components that provide reasonable assurance that Shoreham can be operated without undue risk to the health and safety of the public have been adequately addressed in this regard by the applicant and by the staff throuch the design and review process.

4 n

\\.CnY M h/

~

~!

UtJITED STATES E'

1 NUCLEAR REGULATORY COMMISSION

{,y

,,E wAssincTos, o. c. 20sss ew e

%N....

FEB1 2 393g MEMORANDUM FOR:

Paul Shewmon, Chairma'n Advisory Committee on Reactor Safeguards FROMi William J. Dircks Executive Director for Operations

SUBJECT:

SYSTEMS' INTERACTIONS -

In the January 8,1982 memorandum from J. J. Ray to me on this, subject, the Acting.

Chairman stated the Committee's desire to hear from the staff concerning the systems interaction program at. Indian Point-3, and the staff's plans for systems interaction,' reviews at all pla'nts'.

As noted, a meeting with the cognizant ACRS subcommittee, origin. ally scheduled for January 5,1982, to discuss these matters was postponed because of a delay. in the ::ubmittal by the licensee describing the Indian Point-3 systems interaction program.

That submittal has now been. received by NRC; and the subcommittee meeting 'has been rescheduled for February 26,198 Our suggestions for topics to be discussed at that meeting are provided. in an,2.

r, enclosure to this memorandum.

T'he staff's licensing reviews already deal with some aspects of systems interaction.

~

Applications for cps and OLs are evaluated against the Standard Review' Plan which requires interdisciplinary reviews of safety-grade equipment and addresses several different types of potential systems interactions.

Two specific sections of the SRP (S.ections 3.6 and 7.4) extend the reviews' to include the adverse effect of nonsafety equipment, i.e., high energy lines and associated electrical circuits.

The staff's evaluations of systems interactions occurring from high energy line breaks, jet-

' impingement, local flooding, and pipe whip are summarized in Section 3.6 of the SERs.

The staff's evaluation of the environmental qualification of equipment is covered in Section 3.11 of the SERs.

The evaluations of systems interaction due to masonry walls (IE Eulletin 80-11) are addressed in Section 3.12 of the SER.

The staff's evaluations of potential interactions between reactor protection and control systems are add'ressed in Sections 7.2 and 7.4.

(This includes the staff's evaluations of the applicant's response to IE Bulletin 79-27 and IE ' Notice 79-22).

The staff's ' valuations of e

interhetions between fire protection systems and safety-grade.' systems are addressed in Section 9.5.

Also, the ~ quality assurance program which is followed during the design, construction, and operational phases for each plant can contribute to the prevention of introducing adverse systems interactions.

w 9

'NRR continues in the confidence that current regulatory requirements and procedures provide an adequate degree of public health and safety.

However, the frequency of events that adversely affect safety systems redundancy at LWRs justified the proposed,

NRR level of effort directed toward enhanced systems interactions analyses.

~

O O

o

.-~

o t

Pa01 Shewmon

_2 The level of effort currently given to. systems interactions was established against the

' backdrop of many other regulatory programs that compete for limited staff and utility

"~

resources.

Only the items cited above are routinely reviewed for all applications.

No

[

explicit requirement presently exists.for operating plants or applicants to perform a comprehensive, systematic systems interaction analysis.

Special, limited systems inter-actions analyses have been perfomed at Diablo Canyon and San Onofre-3 and have been des.cribed to the ACRS.

~

i The staff views the forthcoming Indian Point-3 systeras interactions review as the.most i

comprehensive, systematic review to date, and proposes to begin soon with reviews of four HT0L plants using two different methodologies for two plants each.

This phased program has been underway for more than a year, and is planned eventually to form a part of the HREP/SEP cc6bined review program.

However, the' staff is considering ' expediting the phased appreach by requiFing that systems interaction analyses be performed on the first group of WREP/SEP Phase III plants using the PASNY methodology as the basis, after s'uitably

~

modifying their methodology by the experience gained during the pilot reviews. Subse.

quent NREP/SEP plants would perform systems interactions analyses using methodology that incorporates further improvements based on the conclusions from the pilot studies.

We. do not believe it is appropriate at this time to elevate the efforts of all other ap-plicants (much less licensees) by a regulatory requirement to perform a comprehensive systems interaction analysis.

The reasons not to elevate the efforts of.others at this time are:

First, a comprehensive systems interaction evaluation appears to be a r.esource-intensive undertaking (a crude estimate.is, 52M) and'the benefits of such an undertaking have not yet been measured.

The pilot programs should measure the benefit, and refine and reduce the cost.

Second, a requirement now would preempt the future possibility o'f a conclusion that the benefits do not justify the cost.

Third, no acceptance criteria or 90idelines have bien established to judge the adequacy of such an e~ffort.

The pilot pro-grams.are believed to be needed for this purpose, also.

Finally, develop' ment of a methodology for systems interactions analyses has been a complex problem.

The analyses include topics outside the present scope of nuclear reactor safety review.

The Committee noted by the January 8,1982 memorandum that " current probabilistic risk i

assessments (PRA) do not usually include a systematic examination of systems interactions and can'not be counted Upon to provide adequate insight regarding possible improvements in' safety and reliability."

The staff also has stated that PASNY shou.ld not rely prin-cipally on PRA results in.its systems interaction study (paragraph I.S of memorandum Conran to Thadani, " Meeting Summary and Status Report," 10/20/81, enclosed.) The s.taf.h believes that the systems interactions methodology can be usefulli integrated with the i scope of present-day PRAs, and the strengths of these two efforts offer opportunities for enhancing safety and effective utilization of both staff and utility resources.

l 9

4 g

e a

O g

v

,w w

/

Pau) Shem.on,

The nonsafety-grade / safety-grade dependency information disco'vered by a systems inter-action analysir, is important for the accuracy of PRA re.sults.

PRA is a frpmewor.k for

~

assessing the safety implications of systems interactions.

He look fonfard to the February 26, 1982, meeting and welcome your comments on the sug-gested topics.

(Signed) p.1riizm J. Di4

~

William J. Dircks Executive Director for Operations Enclos"ures:

1.

Conran mero dated 10/20/81 2.

Suggested topics --

~

.,3.

Updated Schedule

~

i_Cer) tral. f,il e

• NRC PDR' RRA,B.RDG. 4 V. Stello F Coffman R.Minogue Coffman Chron R.DeYoung

'A Thadani J.G. Davis M Ernst C.Michelson AD-T RDG H.Shapar H Hanauer

. J. Austin, DST RDG J.Funches E Case D.Eisenhut H Denton R.Mattson W Dircks H. Thompson EDO - 11385 P. Check S.Cavanaugh B.Snyder K. Cornell R. Vollmer T.Rehm

.EDO RDG P,Brandenburg i

.-y s

em.

hM [ '

or,,co 5.RAB,3 DS,T[hRA,B,; DST,, d,,,, AD-T : DST,,,,.D,; D,5TM

,i,(RP,

,,,, [,,,, f.i R,R,,,,,,,,,,,,

,,E D 0.,,,,,,,,,'.

su mo ECo.f.fman........ AIha.dani.

.., A-. d.......

.. HHa af r......ECas e.........

HDent.on........ N' Di.r.cks.........

I

,n,

-M aAlino

_o;/ r9 21 IR7 21

/82 1/..l 82.....'

e

ENCLOSURE I A

' SUGGESTED TCPICS:

SYSTEMS INTERACTION PROGRAM ACRS MEETING, FEBRUARY 26, 1982 I.

PASNY(INDIANPOINT3 OWNER)

Description of the IP-3 Program Scope and Magnitude of Program Methodology

~'

., Criteria -

e Occupational Exposure Estimates for In-Situ Examinations II.

NRC STAFF t

NRC Systems Interaction Program e

e Methodology e

Indian Point-3 e 4 Pilot Reviews p

o All Plants t

~

e SEP/NREP i

e 01 Reviews

~

e. CPrML Plants t

l 7

e e

e e

g t

w n-.

.v..

d'

.. ~

^

ENCLOSURE 3 i

4 UPDATED STATUS 0F SYSTEMS INTERACTION PROGRAM M11.ESTONE STATUS Evaluation of Diablo Canyon id/80 (NUR'EG-0675, 5"upp'll)I

~

t Sur.vey of Methods 1/81 (NUREG/CR-185'9,1896,1901)

Evaluation of San Onofre 2/3 5/81 (NUREG-0712, Supp 2)

Selection.of plants for demonstration analyses 2/82 Implementation of Indian Point-3 methodology 10/82 on first NREP/SEP Phase III plants Evaluation df Indian, Point-3'Studi 6/83 Evaluation of selected plants

• 10/83 Issue Requirement & General Guidance Concern-1/84

'ing Systems Interaction **

?

Issde Regulatory Guide 1/85

• Includes measures of the benefits of 'the analyses and refinements to. reduce future costs.

l

• • In'cludes acceptance criteria within the Guidance and the scope of the requiremehts for fut,ure NREP/SEP-III plants.

h

?

9 J

+

4 d

s.:,. )

l i

3

• /.

~

E g

I

?

l 1

PROFESSIONAL QUALIFICATIONS THEMIS P. SPEIS REACTOR SAFETY GROUP DIVISION OF SYSTEMS INTEGRATION 1

My name is Themis P. Speis.

I am employed by the U.S. Nuclear Regulatory l

Commission, Washington, D. C. 20555. Since September,1981, I have been the Assistant Director for Reactor Safety in the Division of Systems Integration.

l Office of Nuclear Reactor Regulation. My responsibilities include the planning and supervising the programs and activities of the Reactor Safety Branch which i

include the Containment Systems Branch, the Reactor Systems Branch, and the l

Instrumentation and Control Systems Branch. These activities pertain to safety evaluation of reactor safety systems matters on proposed and operating reactors.

i A summary of my previous professional positions is provided below:

j 1975 to Present - Assistant Director for Reactor Safety l

Branch Chief Reactor Systems Branch Branch Chief, LMFBR Branch U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation j

Washington, D. C.

l 1974 - 1975 Senior Reactor Engineer / Acting Branch Chief LMFBR Branch l

U.S. Nuclear Regulatory Comission l

Division of Reactor Licensing Washington, D. C.

i 1967 - 1974 Reactor Physicist / Reactor Engineer l

U.S. Atomic Energy Commission Division of Reactor Development and Technology Washington, D. C.

1962 - 1967 Engineer / Senior Engineer Westinghouse Astronuclear Laboratory Westinghouse Electric Corporation Pittsburgh, Pennsylvania 1958 - 1962 Associate Engineer / Engineer Westinghouse Testing Reactor i

Westinghouse Electric Corporation Pittsburgh, Pennsylvania 1956 - 1958 Associate Engineer Blaw-Knox Co.

Chemical Plants Division Pittsburgh, Pennsylvania 4

. My duties as Chief of the Reactor Systems Branch involved the management of the Branch activities dealing with the review and evaluation of the design and performance of reactor thermal-hydraulic systems, reactor coolant systems, emergency core cooling systems and associated auxiliary systems.

It also included responsibility for the review, analysis and evaluation of calcula-tional methods developed and utilized by applicants and licensees for the following activities:

independent calculations and complex computer coding.

Other responsibilities included the analyses and evaluations of the effects of severe accidents, including core degradation and melt accidents on present Light Water Reactor (LWR) designs and the effectiveness and impact of proposed severe accident mitigation features on present and future LWRs.

A summary of my education is listed below:

B.S., Chemical Engineering, University of Pittsburgh,1956 M.S., Mechanical Engineering, University of Pittsburgh,1966 Ph.D., Nuclear Engineering, University of Maryland,1975 I have been an inv?ted lecturer on a number of subjects dealing with nuclear reactor safety at a number of Universities (University of Florida, Massachusetts Institute of Technology, Purdue University, University of Maryland) and most recently (Fall '81) at the International Centre for Heat and Mass Transfer in Yugoslavia.

I am the author of over 25 papers on advanced reactor and LWR safety.

l l

l l

SGptember 1981 WALTER P. HAASS PROFESSIONAL QUALIFICATIONS CHIEF, QUALITY ASSURANCE BRANCH DIVISION OF ENGINEERING OFFICE OF NilCLEAR REACTOR REGULATION U.S. NUCLEAR REGULATORY COMMISSION My name is Walter P. Haass.

I am Chief, Quality Assurance Branch, Division of Engineering in the Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission (NRC). My duties are to direct, supervise, and coordinate the review of nuclear power plant license applications and topical reports to determine com-pliance with the Commission's quality assurance criteria stated in Appendix B to 10 CFR Part 50 for plant design, construction, and operation in order to promote pro-tection of public health and safety.

I received a Bachelor of Science degree in Mechanical Engineering from Stevens Institute of Technology in 1952.

Upon graduation, I joined the Westinghouse Electric Corporation with an ini-tial assignment on the Graduate Student Training Program. As part of this program, I spent one year at the Oak Ridge School of Reactor Technology. My next assignment was at the Atomic Power Division where I was engaged in the thermal-hydraulic as-pects of the design of proposed nuclear power plants.

l l

In 1959, I accepted a position at the Martin Marritta Corporation, Nuclear Division. My activities included project engineering work on the mechanical design aspects of the PM-1 anf -ti-3A portable nuclear power plants at Sundance, Wyoming j

and McMurdo Sound, respectively; and program management work for several radioiso-l topic SNAP programs including SNAP-11 and SNAP-13.

l In 1968. I joined the Atomic Energy Comission's regulatory staff (now NRC) as.

a licensing program manager (LPM) responsible for overall management of the staff's l

review of seve al nuclear power plant applications for construction pennits.

I l

..~

~

was also involved in the development of guidance for the review of quality assur-ance program descriptions based on the QA criteria given in Appendix B.

In 1972, I became the Technical Assistant for Boiling Water Reactors, reporting to the Assis-tant Director for BWRS.

In 1974, I was assigned to the position of Special Assis-tant for Standardization with the responsibility for developing the programatic requirements for the licensing of standardized nuclear power plants.

j In June 1978, I was appointed to my present position of Chief, Quality Assur-ance Branch.

1 I

T

,,. ~

. ~,

_. ~ _ _ _.,

,.,,._--.m-.

- - - _ _ =

• Marvin W. (Wayne) Hodges Professional Qualifications Reactor Systems Branch Division of Systems Integration U. S. Nuclear Regulatory Commission I am employed as a Section Leader in Section B of the Reactor Systems Branch, DSI.

I graduated from Auburn University with a Mechanical Engineering Degree in 1965.

I received a Master of Science degree in Mechanical Engineering from Auburn University in 1967.

In my present work assignment at the NRC, I supervise the work of 7 graduate engineers; my section is responsible for the review of primary and safety systems for BWRs.

I have served as principal reviewer in the area of boiling water reactor systems.

I have also participated in the review of analytical models use in the licensing evaluations of boiling water reactors and I have the technical review responsibility for many of the modifications and analyses being implemented on boiling water reactors post the Three Mile Island, Unit-2 accident.

As a member of the Bulletin and Orders Task Force which was formed af ter the TMI-2 accident, I was responsible for the review of the capability of BWR systems to cope with loss of feedwater transient and small break loss-of-coolant accidents.

I have also served at the NRC as a reviewer in the Analysis Branch of the NRC in the area of thermal-hydrulic performance of the reactor core.

I served l

as a consultant to the RES representative to the program management group for 1

the BWR Blowdown / Emergency Core Cooling Program.

Prior to joining the NRC staff in March,1974 I was employed by E. I. DuPont at the Savannah River Laboratory as a research engineer. At SRL, I conducted hydraulic and heat transfer testing to support operation of the reactors at the Savannah River Plant.

I also performed safety limit calculations and participated in the development of analytical models for use in transient analyses at Savannah River. My tenure at SRL was from June 1967 to March 1974.

From September 1965 to June 1967, while in graduate school, I taught courses in thermodynamics, statics, mechanical engineering measurements, computer programing and assisted in a course in the history of engineering.

During the summer of 1966, I worked at the Savannah River Laboratory doing hydraulic testing.

l

+,

STATEMENT OF PROFESSIONAL QUALIFICATIONS CHARLES E. ROSSI I have been with the U. S. Nuclear Regulatory Commission (NRC) since October 1980.

Since August 1981 I have been a Section Leader in the Instrumentation and Control Systems Branch, Division of Systems Integration, Office of Nuclear Reactor Regulation.

I am responsible for supervising the review of nuclear power plant instrumentation and control system designs for compliance with regulatory criteria. From October 1980 to August 1981 I was a Principal Reactor Engineer in the Instrumentation and Control Systems Branch.

~

I performed the operating license review of the Callaway and Wolf Creek instrumentation and control system designs, the review of construction permit applicant responses to Three Mile Island Lessons Learned Items related to instrumentation and control systems, and the review of licensee responses to recommendations made by Babcock and llilcox resulting from failure modes and effects analyses of the Integrated Control System.

I have a Ph.D degree (1969) and M.E degree (1967) in Applied Physics from l

Harvard University, a M.S degree (1962) in Physics from George Washington University and a B.A degree Magna cum Laude Highest Honors (1958) in Engineering and Applied Physics from Harvard University.

I have a certificate from a six month reactor engineering course given by the Bettis Atomic Power Laboratory (1960).

I was elected to Phi Beta Kappa in 1958 and Sigma Xi in 1962.

From June 1958 to July 1962 I served as a commissioned officer in the United States Navy.

I was assigned to Naval Reactors, U. S. Atomic Energy Commission, where I reviewed and approved test and operating procedures for submarine nuclear power plant fluid systems and reactor instrumentation and control systems designs for the pressurized water reactor at Shippingport, PA.

Professional Qualifications Charles E. Rossi From September 1966 to November 1977 I held professional and management positions in the Nuclear Energy Systems division of the Westinghouse Electric Corporation. As a manager I supervised the preparation of system functional design requirements for nuclear reactor plant systems which affect plant control, protection, and transient performance.

In addition to reactor control and protection systems, these systems included emergency feedwater systems, emergency boration systems, and steam dump systems.

For four years I was the lead engineer responsible for establishing functional requirements I

for reactor control and protection systems used in the Westinghouse 3 loop i

l nuclear reactor plants and for perfonning transient and accident analyses of I

these plants for safety analysis reports submitted to the Atomic Energy Conunission.

i From November 1977 to October 1980 I was Systems and Civilian Applications Program Manager in the Office of Inertial Fusion at the U. S. Department of Energy.

In this position, I provided technical and administrative direction for studies of the commercial applications of inertial confinement fusion.

l I am a member of the American Nuclear Society and past member of the IEEE Nuclear Power Engineering Committee Standards Subcommittee (SC-6) on Safety Related Systems.

I nave authored or co-authored over ten technical articles for presentation at conferences or publication in journals.

f 1

e v

TECHNICAL QUALIFICATIONS INFORMATION JAMES H. CONRAN SYSTEMS INTERACTION BRANCH DIVISION'0F SYSTEMS INTEGRATION OFFICE OF NUCLEAR REACTOR REGULATION Education:

B. S-in Physics,1963, The Colorado College, Colorado Springs m_ _

Col, ora do.

Post-grad,uate and Pr.ofe'ssional Courses in Physics and.___

Solid-State _ Electronic Engineering; University of Xan ;es 1962-1963.

Professional Courses in Fault-Tree Analysis 1972 and 1980..

Experience:

U. S. Nuclear Regulatory Comission/U. S. Atomic Energy Comission Washington, D.

C., 1973 to Present

- Principal Systems Engineer, Systems Interaction Branch, Division of Systems Integration, and Reactor and Risk Assessment Branch, Division of Safety Technology, Office of Nuclear Reactor Regulation.

Responsible for: development of systems interaction analysis methods,. systems integra. ion review methods, and corresponding i

regulatory guidance; systems integration review of operating license and construction permits; and review of operating experience for~ systems interaction effects.

Senior Project Manager on[ special assignment for one year to the Lessons Learned Task Force and follow-on implementation activities.

j Responsible for: identification and evaluation of safety concerns arising out of Ti'l-2 accident, and recommendatior. of chances to licensing requirements and safety licensing process; liaison with the Bulletins and Orders Task Force and ACRS on TMI-2 accident review matters, follow-on implementation of Lessons Learned Task Force recommendations to Near-Term Operating License Applications;

development of Near-Term Construction Permit Lessons Learned licensing requirements; and participation in the formulation of the overall NRC TMI-2 Action Plan (NUREG-0660).

Senior Project Manager, Standardization Branch, Division of Project Management, Office of Nuclear Reactor Regulation.

Responsible for management and coordination of safety review of applications for standard design approvals, and development of standar-dization policy.

Senior Nuclear Engineer, Reactor Systems Safety Branch, Divis'on of Engineering Standards, Office of Standards Development.

Involvement in development of quality assurance standards and Regulatory Guides for nuclear material processing facilities, protection-of-informants policy studies,and special safeguards-related investigations and hearings.

Systems Engineer and Senior Safecuards Analyst, Requirements Analysis branch, Division of Safeguards, Office of Nuclear Material Safety and Safeguards. Responsible for comprehensive studies of adequacy of safeguards for existing licensed nuclear facilities (including nuclear materials processing facilities and power reactors),

and development of applicable safeguards regulations and other regulatory guidance.

s l

Senior Safeguards Analyst, Special Safeguards Study Project, Office l

l of Special Studies. Responsible for: management, coordination, and technical review and evaluation of contractor studies relating to safeguards issues identified in GESMO (plutonium recycle) proceedings; development of recommendations regarding the Reference Safeguards System concept.

Senior Staff Assistant / Project Engineer, Advisory Comittee for Reactor Safeguards. Senior project leader responsible for:

coordinating activities of ACRS project subcomittees, ACRS consultants, Regulatory Staff, and applicants in support of ACRS licensing reviews; preparation of reports for ACRS use identifying areas requiring detailed evaluation or resolution of deficiencies.

U. S. Atomic Energy Commission, Albuquerque Operations Office (ALOO),

~ 1970 - 1973

- Reactor and Criticality Safety Engineer, Reactor and Criticality Safety Branch, Division of Operational Safety.

Responsible for:

inspection and evaluation for criticality safety of all the facilities within the AL00 complex (e.g., weapons design and l

research laboratories, weapons production plants, weapons test l

Lites) that support the U. 5. Nuclear weapons program, and all pertinent, activities therein (e.g., research reactor and critical assembly operation, uranium and plutonium processine, weapons assembly, packaging and transportation of fissle materials, etc.);

and safety review of reactor and critical assembly instrumentation,

control, protection, and electric pcwer systems, including proposed modifications.

San Francisco Bay Naval Shipyard, Vallejo, California, 1967 - 1970 l

Nuclear Power Engineer, Test Engineering Branch, Nuclear Power Division.

Qualified for Shif t Test Engineer position; responsible for preparation of detailed. test procedures and direction of on-board shift testing operations involved in the acceptance testing l

4_

(pre-operational flushing and hydrostatic testing, systers tests, initial criticality and power range ter. ting, and sea trial) of naval nuclear propulsion systems (new construction, refuel and overhaul ).

- Electronic Engineer, Refueling Engineering Branch, Nuclear Power Division. Qualified for Assistant Refueling Director position; responsible for direction of dockside and on-board shift refueling operations for naval nuclear propulsion systems (refuel and cverhaul)

Western Electric Company, Kansas City Manufacturing Works, Lee's Summit, Missouri, 1960 - 1967

- Product Planning and Design Engineer, Test Planning Engineer, and Test Equipment Design Engineer. Responsible for: planning and direct engineering support in the production and testing of radio and voice frequency telephone carrier systems; design of major production test equipment; and trouble-shooting problems encountered in the production testing and field application of the telephone communications equipment manufactured at the Kansas City Works.

hobert Kirkwood l

Professional Qualifications Mechanical Engineering Branch Division of Engineering Office of Nuclear Reactor Regulation-I am a Principal Mechanical Engineer in the Mechanical Engineering Branch 3

responsible for the review.and evaluation for compliance with the Codes and Standards Rule, Section 50.55a of 10 CFR Part 50, pertaining to the codes and standards.under which pressure-retaining components of the reactor coolant pressure boundary are designed, fabricated, erected, and tested.

Included in this review and evaluation is the classification system pertaining to the codes and standards under tAich pressure-retaining components of other fluid systems important to safety of a nuclear power plant are designed, fabricated, erected, and tested.

I am responsible for the review and evaluation pertaining to the identification of structures, fluid systems and components and other mechanical c mponents that should be designed to withstand the effects of the Safe Shutdown Earthquake (seismic Category I) and within the scope of a Quality Assurance Program that is i.4 compliance with 10 CFR 50, Appendix B.

I graduated from Belfast College of Technology with a B.S. degree.in Mechanical Engineering.

I am a registered professional engineer in the State of California.

l From January 1949 to March 1951, I was employed by Monsanto Chemical Company,

^

Montreal, Quebec, Canada. During this period, I was engaged in chemical plant layout and associated design of pressure vessels, storage tanks, piping systems and mechanical equipment.

1 From March 1951 to September 1956 I was employed by Atomic Energy of Canada Limited, Chalk River, Ontario, Canada. During this period, I was engaged i

in the design of fuel elements, fuel handling equipment, remote handling equip-ment, experimental loops, pressure vessels and nuclear piping systems.

From October 1956.to November 1959, I was employed by General Dynamics /Convair Scientific Research Laboratory, San Diego, California. During this period. I was responsible for the design, fabrication and installation of laboratory equipment.

From November 1959 to July 1968, I was employed by Gulf General Atomic, San Diego, California. During this period, I was the engineer in charge of a design group in the High Temperature Gas-Cooled Reactor Division, responsible i

for nuclear power plant arrangement. designs including detailed piping layouts for the nuclear steam supply system. Other areas of responsibility included conceptual and preliminary design of reactor concepts utilizing prestressed concrete reactor vessels, reactor vessel internals, and associated design of fuel handling equipment.

In August 1968, I started work for the U.S. Atomic Energy Commission as a specialist in the Engineering and Component Branch, Division of Reactor Standards, where I. participated in the development of reactor standards, codes and criteria.

In October 1971, I was reassigned to the Mechanical Engineering Branch, Division s

, - ~ -

w...

_2-of Reactor Standards, where I participated in the development of ASME nuclea In April 1972, I was reassigned to the Reactor Systems Branch, Division of Reactor Standards, where I participated in ANS standards codes and standards.

development and C.P. review of the applicability of co cooled and gas-cooled nuclear power plants.

In December.1975, I was reassigned into the U.S. Nuclear Regulatory Commission.

In January 1977, to the A/D for Plant Systems with duties similar to the above.

I was reassigned to the Auxiliary Systems Branch, where I participated in AN standards development and C.P. and 0.L. review of the applicability of codes and standards and seismic classification of structures, systems, and compone In September 1980, I was reassigned to the Mechanical m

of nuclear power plants.

Engineering Branch with duties similar to the above.

)

t