ML20054L542
| ML20054L542 | |
| Person / Time | |
|---|---|
| Site: | Shoreham File:Long Island Lighting Company icon.png |
| Issue date: | 07/01/1982 |
| From: | Conran J Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| ISSUANCES-OL, NUDOCS 8207080224 | |
| Download: ML20054L542 (33) | |
Text
a 2 '. RED conuggr,wn.,,,, ..
- Np 2/ 9 N
UtlITED STATES OF AMERICA // oc\V -4
, NUCLEAR REGULATORY COMMISSION 2 --
i- JUL 21982 >
O' Oifice of the Secrdary }
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD Dacketing & Senice eucch 9
In the Matter of ) ~@ %
)
LO!1G ISLAfiD LIGHTIllG COMPAtlY ) Docket No. 50-322
) (0L)
(Shoreham Nuclear Power Station, )
Unit 1) )
flRC STAFF TESTIMONY OF JAMES H. CONRAtl, SR.
Ifl REBUTTAL TO A.PPLICAtlT'S TESTII0 fly Ofi SAFETY CLASSIFICATI0f4 AND ANALYSIS OF STRUCTURES, SYSTEMS AND COMP 0NENTS (SC/ SOC CONTEllTION 7B) i (SOC C0f4 TENT 10fl 19(b))
i, 8207000224 820701 PDRADOCK05000g y.e/. 7J
I 4
UNITED STATES OF AMERICA
. NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSIllG BOARD In the Matter of -)
)
L0tG ISLAND LIGHTING COMPAtlY ) Docket No. 50-322
) (OL)
(Shoreham Nuclear Power Station, )
Unit 1) )
f;RC STAFF TESTIMONY OF JAMES H. CONRAN, SR.
If4 REBUTTAL TO APPLICANT'S TESTIMONY ON SAFETY CLASSIFICATION AND At1ALYSIS OF STRUCTURES, SYSTEMS AfiD COMPONENTS (SC/SOCCONTENTION78)
(SOC CONTEf1TIO!1 19(b))
Q.1. Mr. Conran, have you reviewed Applicant's prefiled testimony regarding safety classification of nuclear power plant structures, systems, and components; and have you compared that testimony with
^
Staff's prefiled testimony on the same subject?
A. Yes, I have.
Q.2. And have you heard and considered carefully Applicant's supple-mental testimony under cross-examination in this hearing on the same l subject?
A. Yes, I have.
Q.3. Are there any aspects of Applicant's testimony regarding adequacy of safety classification of structures, systems, and components at the Shoreham facility as to which the Staff disagrees?
l l
2
o 4
A. There appears to be close agreement between most important aspects of the respective positions and conclusions of Staff and Applicant regarding adequacy of safety classification of Shoreham plant features, particularly as to the substantive technical safety clas-sification considerations at issue. With regard to terminology employed in the safety classification of Shoreham structures, systems and components (i.e. , which specific term should be applied to specific plant features, "important to safety" or " safety-related"), there is obvious disagreement between Applicant and the Staff.
Q.4. Is there a specific portion of Applicant's prefiled testimony with which the Staff disagrees in this regard?
A. Yes. The Staff disagrees with, and expresses concern regarding possible implications-of, the following statement (and related footnote) on p. 55 of Applicant's prefiled testimony:
In summary, the Denton memorandum, uses the term .
"important to safety" in a manner inconsistent with -
historic industry and NRC practice. 5[
Q.5 Are you familiar with the "Denton memorandum" referred to in the above quote?
i.
-5/ The Denton memorandum does not specify what design and quality assurance treatment should be applied to structures, systems and components that are "importar+ to safety" except by the definition "any '.ing that contributes in an important way to safety."
This raises many questions particularly since the Denton memo clearly states there is no intent to develop or dictate new requirements.
The fact that the Denton memorandum has raised many questions is demonstrated by recent correspondence of the Nuclear Power Ccnnittee of IEEE.
(emphasis added).
- 'A. Yes. The document referred to is a memorandum dated November 20, 1981 from Harold Re Denton, Director, Office of Nuclear Reactor Regulation (NRR) to All NRR Personnel, regarding " Standard Definitions for Commonly-Used Safety Classification Terms." I prepared that memorandum (and the associated concurrence package) and saw it through a lengthy process of internal review that resulted in approval by Mr. Denton.
Q.6. Could you describe the background for and the scope of the overall effort leading up ta issuance of the "Denton memorandum'?
A. The origins of the "Denton memorandum" on safety classification terminology go back to late-Summer and early-Fall of 1980 and my efforts in connection with preparation of, testimony
- in response to Contention UCS-14 in the TMI-1 Restart Hearing. The overall effort (including preparation and argument of'te'stimony based on the so-called
" standard definitions" in the TMI-l Hearing) covered more than a year, and included review-and-concurrtece by all seniur technical management officials in NRR prior to approvai of these definitions by Mr. Denton himself in the November 20, 1981 memo.
More specifically, the overall effort leading up to issuance of the
~Denton " memorandum" involved the followingt (a) extensive review of those portions of the regulations in which safety classification terms are defined and, safety classification concepts are established (i.e., 10 C.F.R. Parts 20,
~
~*/ A copy of the prefiled testinony -is attached as Attachment R-1, See particularly pages 4-6.
/
2
50 and 100), as well as review of many associated implementing regulatory guidance documents (e.g. , Regulatory Guides , Standard Review Plans, NUREG Reports, etc.) in which those safety classifi-cation terms and concepts are further interpreted, developed, and applied; (b) extensive discussions with senior NRC staff members cognizant or otherwise knowledgeable regarding the historical development of applicable regulations and regulatory guidance documents, and cognizant or otherwise knowledgeable regarding historical and current staff practice in the application of safety classification concepts and terms The views and insights provided by the individuals involved in these discussions reflected a wide variety of backgrounds and/or current assignments in standard development activities, project management, technical review, technical management, and legal review; and ,
(c) . full discussion of the safety classification and safety classification terminology issues addressed in the "Denton Memorandum" with the cognizant ACRS subcommittee, and subsequent consideration by the full ACRS as well.
It should also be noted in the context of the preceding discussion, that interactions with knowledgeable, cognizant representatives of utility / vendor / architect-engineer organizations, and discussions ~with them of the safety classification concepts and terminology set forth later in the "Denton Memorandum", occurred on several occasions during the course of the overall effort described here. (An example of such interaction and discussion was the presentation and discussion provided
at the ACRS subcommittee meeting referred to above by the chairman of the IEEE P-827 standards group working on a contro.1 systems classification scheme). At no time that I can recall in any of these interactions and discussions with industry representatives was any indication given of fundamental disagreement with the " standard definitions" ultimately set forth in the "Denton Memorandum".
Q.7. Were the definitions set forth in your TMI-1 testimony and/or those set forth in the "Denton memorandum" accepted by the Board in that hearing?
A. Yes, they were. The Board's treatment of the safety classification arguments before it in that hearing, and their findings in that regard, are covered explicitly at paragraphs 981, 1003a, 1004, and in footnote 121 at p. 201 of Partial Initial Decision dated December 1981. (Copies of the appropriate pages of the Partial Initial Decision containing these paragraphs are attached as attachment R-2.) ;
Q.8. What'is Staff's conclusion, then, rega'rding the statements on
- p. 55 of Applicant's testimony, referred to earlier in the response to Q.4. , about which the Staff expresses general concern?
A. The Staff considers the statements incorrect to the extent that they imply or mean that there has been a substantive difference among members of the Staff in the application of regulatory requirements.
Although individual members of the Staff (much like individual members of utilities', vendors', and architect-engineers' organizations) have in the past used the terms "important to safety" and " safety-related" in-correctly and inconsistently (a language problem), Staff practice in classifying structures, systems, and components either " safety-related"
or "important to safety, not safety-related," and in specifying quality standards and quality assurance measures appropriate to those clas-sifications, has been consistent in accordance with the intent of the regulations as set forth in the definitions of the "Denton memorandum."
Q.9. Why does Staff feel that the different usage of '.hese safety classification terms is significant?
A. The Staff does not believe it is acceptable for the language differences indicated in the statements on p. 55 of Applicant's testimony to go unresolved because of certain unacceptable implications of the different usage of the safety classification language of the regulations.
These implications obtain not only with regard to Shoreham licensing but also with regard to the efficacy of the Staff's approach and methods of safr ty review in more general application. There are at least three such implications:
- 1. Because the Staff conducts an audi.t review, reliance must be .
placed on commitments by Applicants that all portions of the regulations are complied with (see, e.g., FSAR % 3.1.2.1). It is critical that these commitments mean what the Staff understands them to mean if the Staff's determination of " reasonable assurance" (which finding must be made in accordancewith10C.F.R.%50.35(c)inorhertolicenseafacility)is to be meaningful in the sense intended in the regulations.
- 2. 'It is clear under the Staff's understanding of "important to safety" (but not under Applicant's) that there exists in the regulations a requirement under GDC 1 for a QA program for certain non-safety-related structures, systems and components (i.e. , those important to safety).
t
- 3. Under Applicant's construction of "important to safety," the obligations imposed by 10 C.F.P,. Part 21 might be more narrowly construed than would be the case under the Staff's broader definition of that term.
These examples demonstrate why agreement on the safety classificatica definitions provided by the Denton definition is extremely significant.
0 e9 e
UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING BOARD In the Matter of )
)
LONG ISLAND LIGHTING COMPANY ) Docket No. 50-322
) (0L)
(Shoreham Nuclear Power Station, )
Unit 1) )
CERTIFICATE OF SERVICE I hereby certify that copies of "NRC STAFF TESTP!ONY OF JAMES H. CONRAN SR.
IN REBUTTAL Tn APPLICANT'S TESTIMnNY ON SAFETY CLASSIFICATInN AND ANALYSIS OF STRUCTURES, SYSTE'45 AND COMPONENTS" in the above-captioned proceeding have been scrved on the following by deposit in the United States mail, first class, or, as indicated by an asterisk, throuch' deposit in the Nuclear Regulatory Comnission's internal mail system, this 1st day of July,1982:
Lawrence Brenner, Esq.* Ralph Shapiro, Esa.
Administrative Judge -
Cammer and Shapiro Atomic Safety and Licensing Board 9 East 40th Street U.S. Nuclear Regulatory Commission New York, NY 10016 Washington, D.C. 20555 Dr. James L. Carpenter
- Administrative Judge Howard L. B-lau, Esq.
.- Atomic Safety and Licensing Board 217 Newbridge Road U.S. Nuclear Regulatory Commission Hicksville, NY 11801
- Washington, DC 20555 l
Dr. Peter A. Morris
- W. Taylor Reveley III, Esq.
Administrative Judge Hunton & Williams t Atomic Safety and Licensing Board P.O. Box 1535 U.S. Nuclear Regulatory Commission Ri'chmond, VA 23212 Washington, DC 20555 Matthew J. Kelly, Esq.
Staff Coun'sel i New York Public Service Commission 3 Rockefeller Plaza Albany, NY 12223 l
l l
Stephen B. Latham, Esq.
John F. Shea, III, Esq. Herbert H. Brown, Esq.
Twomey, Latham & Shea Lawrence Coe Lanpher, Esq.
Attorneys at Law Karla J. Letsche, Esq.
P.O. Box 398 Kirkpatrick, Lockhart, Hill, 33 West Second Street Christopher & Phillips Riverhead, NY 11901 1900 M Street, N.W.
8th Floor Washington, D.C. 20036 Atomic Safety and Licensing Board Panel
- Docketing and Service Section*
U.S. Nuclear Regulatory Commission Office of the Secretary Washington, D.C. 20555 U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Atomic Safety and Licensing Appeal Board Panel
- U.S. Nuclear Regulatory Commission Washington, DC 20555 b
,1c arH~J./Rawfod Counsel for NRC -Staff t
COURTESY COPY LIST Edward M. Barrett, Esq. Mr. Jeff Smith General Counsel Shoreham Nuclear Power Station Long Island Lighting Company P.O. Box 618 250 Old County Road North Country Road Mineola, NY 11501 Wading River, NY 11792 Mr. Brian McCaffrey MHB Technical Associates Long Island Lighting Company 1723 Hamilton Avenue 175 East Old Country Road Suite K Hicksville, New York 11801 San Jose, CA 95125 Marc W. Goldsmith Hon. Peter Cohalan Energy Research Group, Inc. Suffolk County Executive 400-1 Totten Pond Road County Executive / Legislative Bldg Waltham, MA 02154 Veteran's Memorial Highway Hauppauge, NY 11788 David H. Gilmartin, Esq.
Suffolk County Attorney Mr. Jay Dunkleberger County Executive / Legislative Bldg. New York State Energy Office Veteran's Memorial Highway Agency Building 2 Hauppauge, NY 11788 Empire State Plaza -
Albany, New York -12223 I.
l l
l l
l
) /d"~5 - 88
' UNITED STATES OF AMERICA i
NUCLEAR REGULATORY COMMISSION BEFORE THf ATOMIC SAFETY AND LICENSING BOARD In the Matter of -)
METROPOLITAN EDISON COMPANY, Docket No. 50-289 ET AL )
(Three Mile Island Nuclear )
Station Unit 1) )
NRC STAFF TESTIMONY OF JAMES H. CONRAN ;
RELATIVE TO CLASSIFICATION OF SYSTEMS AND COMPONENTS AS IMPORTANT TO SAFETY (UCS CONTENTION 14)
Q.1 Please state your name and your position with the NP.C.
My name is James H. Conran. I am an employee of the U. S. Nuclear R'egulatory
. 'A.
Comission, assigned to the Systems Interaction Branch in the Division of Systems Integration, Office of Nuclear Regulatory Regulation.
' O 2 Have you prepared a statement of professional cualifications? ,
A. Yes. A copy of that statement is attached to this testimony.
Q.2 Please state the nature of the responsibilities that you have had with ,
respect to Three Mile Island Nuclear Station Unit 1 (TMI-1).
A. Prior to the March 28, 1979 accident at Unit 2, I had no involvement with either of the TMI units. Following the accident at Unit 2, I was assi'gned for several months to the task of monitoring for NRR the ACRS proceedings i
related to the TMI-2 accident and the states of recommendations made by the l
l I
i
] [
r
--r...,.
Corcittee in that regard. At the end of May 1979 I was assigned as a member of the Lessons Learned Task Force which was chartered to identify and evaluate safety ccncerns arising out of the THI-2 accident, and to recommend changes to licensing requirements and the if censing process for nuclear power plants based on lessons learned from that experience. In connection with my Lessons Learned Task Force activity, I was also given lead responsibility for evaluating (and drafting the Commission's response to) the Report of the Ad Hoc Committee of the Illinois Commission on Atomic Energy regarding implications of the TMI-2 accident.
After issuance of the Final Report of the Lessons Learned Task Force, I was assigned as a member of a small staff group charged with implementing approved Short Term Lessons.. Learned recommendation.s in the context of the so-called i Near Term Operating License plants, (which included Sequoyah Unit 1, North Anna Unit 2, Salem Unit 2 and Diablo Canyon Units 1 and 2), and I participated ~
~
- in the preparation of Safety Evaluation Reports. to support those proposec licensing actions. Currently, I am assigned to the Systems Interaction Franch, a new entity in the NRR organization. This branch and function was created at the tire of the recent NRR reorganization, specifically in response to lessons learned from the TMI-2 accident; one of the principal functions of the new branch is consideration of the effects of interaction between safety and non-safety systems.
~ - - - . . . . ._
~
04 What is the purpose of your testimony?
A. The purpose of my testimony is to respond to UC3 Contention !14, which states:
"The accident demonstrated that there are systems and ccrnponents presently classified as non-safety-related which can have an adverse effect on the integrity of the core because they can directly or indirectly affect temperature, pressure, flow and/or reactivity. This issue is discussed at length in Section
. 3.4, " System Design Requirements," of NUREG-0578, the THI-2 Lessons Learned Task Force Report (Short Term). The following quote from page 18 of the report describes the problem:
'There is another perspective on this question provided by the TMI-2 accident. At TMI-2, operational problems with the condensate purification system led to a loss of feedwater and
' initiated the sequence of events that eventually resulted in damage to the core. Several nonsafety systems were used at
, various times in the mitigation of the accident in ways not considered in the safety analysis; for example, long-term maintenance of core flow and cooling with the steam generators and the reactor coolant pumps. The present classification system does not adequately recognize either of these kinds of
, effects that nonsafety system can have on the safety of the :
pl a nt. Thus, requirements for nonsafety systems may be needed to reduce the frequency of occurrence of events that initiate or adversely affect transients and accidents, and other require ,
ments may be needed to improve the current capability for use of nonsafety systems during transient or accident situations.
In its work in this area, the Task Force will include a more realistic assessment of the interaction between operators and ,
systems.'
The Staff proposes to study the problem fisrther. This is not a sufficient answer. All systems and ccrnponents which can either cause or aggravate t
an accident or can be called upon to mitigate an accident must be identified l and classified as ccrnponents important to safety and required to meet all safety-grade design criteria."
The Soard limited the scope of this contention to the core cooling system.
(First Special Prehearing Conference Order, December 18, 1979).
l
\
[
- 4-Q.5 How is the term *... cc ponents important to safety ..." defined in the Commission's regulations?
A. The term "... structures, systems, and components important to safety ..."
is defined in the introductory paragraph to the General Design Criteria (Appendix A to 10 CFR Part 50) as those "... structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public."
From this context, it is clear that the expression "... important to safety ..." is meant to apply generally to all structures, systems, and components addressed in the General Design Criteria (GDC). The term is used consistently in that sense throughout the GDC, and in other parts of the regulations as well (e.g. , see dicussion below).
Q.6 Is the term "... safety-grade ..." defined in the regulations?
A. That term is not defined explicitly in the regulations. 'The term is widely-used, however, in the context of the safety review pro:ess. The meaning of the term, as most commonly used by the staff in that context, ,
is inferred from the language of the regulations,- as follows: .
(a) General Design Criterien 1 introduces the notion of different quality levels for plant features with differing safety roles and .
varying degrees of importance to safety. Specifically, GDC-1 requires application of "... quality standard's commensurate with the importance I
of the safety function to be performed ..." for structures , systems, j .
i and' components important to safety.
(b) Appendix A to 10 CFR Part 100 implements the concept established in GDC-1 (i.e., gradations in quality levels corresponding to relative safety importance) by identifying explicitly a select I
+ - - . _ , - . .T... "...,..--.. - - -- - ., - -
5-sub-class of structures, systems, and components (out of the broad class "important to safety") that are required for the performance of specific, critical safety functions (e.g., safe shutdown, accident prevention and consequence mitigation, etc.). Specifically, Sec. III.c of Appendix A to 10 CFR Part 100 defines the Safe Shutdown Earthquake (the most severe seismic event analyzed for a nuclear power plant),
and requires that "... certain structures systems, and canpanents (important to safety) ..." be designed to remain functional for that event. Those "certain" plant features, and the critical safety functions they must perform, are further identified in Sec. Ill.c as:
... those necessary to assure:
(l) The integrity of the reactor coolant pressure boundary, (2) The capability to shut down the reactor and maintain it in a
~
- safe shutdo'wn condition, or (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exoosures comparable to the guideline exposures' of this part."
~
Very high quality standards must, of course, be applied to plant features l
required for such purposes, in order to assure their availability when -
called upon and very high reliability in service. Such considerations are the origin of the term " safetyIgrade"; and the staff applies that term only to the structures, systems and components recuired to perform the specific critical safety functions identified above. '(frequently, the term " safety-grade, systems or components" is shortened to " safety systems or compcnents." These two terms are used interchangeably in the following testimony).
ll
Q.7 Would you summarize from the preceding, the relationship between the terms "important to safety" and " safety-grade"?
A. (1) The term "important to safety" applies generally to the broad class of structures, systems, and components addressed in the General Design Crit eri a .
(2) " Safety-grade" structures, systems and components are a sub-class of all those "important to safety."
(2) All structures, systems, and components encompassed by the term "important to safety" (including the " safety-grade" sub-class) are necessary to meet the brnad safety goal articulated in Appendix A to 10 CFR Part 50 of the regulations (i.e. , provide rcasonable assurance that a facility can be operated without undue risk to the health and safety of the public).
(4) Only " safety-grade" structures, systeis and components are reodired for the critical accident prevention, safe shutdown, and accident consequence mitigation safety functions identified in Sec. III.c .
of Appendix A to 10 CFR Part 100. .
0.8 Has the staff identified those structures, systems and components which must be safety-grade?
They are listed in detail in Regulatory Guide 1.29. The specific A. Yes.
purpose of Reg. Guide 1.29 was to icentify all structures, systems and components of nuclear power plants that should be designed to withstand the effects of the Safe Shutdown Earthquake (designated Saismic Ca:egory .).
Because of the manner in which the term safety-grade was derived in the preceding discussion, however, the list of Seismic Category I plant features identified in Reg. Guide 1.29 should also be the listing of all " safety-grade" structures, systems, and components in a plant.
7-0.9 is the term "... core cooling system ..." defined in the regulations?
A. To my knowledge, that term is not defined explicitly in the regulations.
'From the context in which it is applied in the spe:ification of thi,s contention, however, the staff considers that term to encompass those
~
primary, secondary, and auxiliary systems used to remove heat from the core and transfer it to the heat sink, both in normal operation and under accident conditions.
Q.lC Feferring now to the first sentence of the contention, (a) Can non-safety systems and components directly or indirectly affect the temperature, pressure, flow and/or reactivity, and
'i (b) Can non-safety systems and components, therefore, have an adverse effect on the integrity of the core?
A. (a) The staff stipu)ates that non-safety systems and components can 4
directly or indirectly affect core reactivity and primary coolant temperature, pressure and flow. It follows, therefore, that (at ~
least in general). failure or off-normal operation of non-safety
~
systet.s and components can cause or aggravate an accident, but ,
(b) That does not establish that failure or off-nont.al operation of non-safety systems and components alone can have an adverse effect on the integrity of ~the core, as st[ongly implied by the wording of the contention. (In the TMI-2 accident sequence, failure of non-safety components, coupled with improper coeration of installed safety systems, led to core damage.)
8 3
,r -_ .- . _ . , , _ ,.__,.___y..,~_ __..._7__ _ ._ , . . . - _ . . . . , _ _ _ . - _ _ _- - , , _ . ,
0.11 Do you have any clarifying or amplifying comments regarding the second paragraph of the contention, i.e., the quote excerpted from NUREG-0578?
A. 'The staff acknowledges that non-safety systems and components were used in the mitigation of the TMI-2 accident; but it is important to note and emphasize, in the discussion of this contention, that resort was made to use of non-safety systems and components in the accident miti-gation role, only after imorocer operation of installed safety systems had resulted in severe core damage and other outside-design-basis conditions (e.g., voiding in the primary coolant and hydrogen generation, which may have blocked natural circulation, thus creating the need for forced cooling).
Q.12 Referring now to the last sentence of the contention, what is the staff's i
position regarding the statement that "All , systems and components which can either cause or aggravate an accident or can be called on to mitigate an accident must be identified and classified as components -
. ~
important to safety. and required to meet all. safety-g' rad ~e design criteria"f
~
A. We believe that, in the sense that the term "important to safety" is defined and used consistently in the regulations (see response to Q.5 above),
such systems and components would already be regarded (i.e., classified) .
- as important to safety'. But, as furthe.r established in the responses l
to Q.6 and Q.7 above, all camponents important to safety need not be safety-grade. Only components reovired for the specific critical safety ,
functions delineated explicitly in the response to 0.6 above need to meet safety-grade desigr. criteria.
i 4
- , .-- -- - , . _ _ - y - --- --,
-r , -- e _, -r - -
9 Q.13 More specifically, if a given non-safety systen. or component is known to have contributed to an accident, or is known to have been relied upon to recover from an accident (as was the case at TMI-2), how does the staff decide whether-or-not the safety classification of the system or component should be changed and whether-or-not that system or component should be made safety-grade?
A. The test applied by the staff, in deciding whether a given non-safety system or component should be upgraded to safety-grade, is not just whether it co:ld cause or aggravate or be called upon to mitigate an accident. The final determination (regarding whether-or-not to upgrade) is based upon consider. tion of the following questions (decision criteria), vehich derive directly from the definitions 'and discussions developed in the responses to Q.5'through Q.10:
, (a) will the failure or off-normal operation of the non-safety system or component in question, in and of itsel'f, degrade the capability of installed safety systems such that those safety systems cannot mitigate accident consequences and assure adequate safety,*
(b) will the effects of f ailure or off-normal operation of the non-safety system or component in question alone exceed the capability of installad safety systems to mitigate accident consequences and assure adequate safety, if installed safety systems are operated properly 'so that full credit can be taken for their functioning to design capability througtaut the accident sequence,*
- Assuming single failure in the installed safety systems in accordance with the Single Failure Criterion.
3
(c) is a non-safety syst'em or component that may be called upon actually reauired to mitigate accident consequences and assure adequate safety, if installed safety systems are operated properly so that full credit can be taken for their functioning to design capability throughout the accident sequence.*
lf the staff determines, either by careful analysis or actual experience, that the answer to any of these questions, in all of its aspects, is yes, then:
(i) the system or component in question would be upgraded to safety-grade, or (ii) the design of the facility and/or the capability of the installed
' safety systems would be improved such that the answer is no to all three questions.
In some instances .(as has been the case for some of the non-safety componen.s which were involved in the TMI-2 accident sequence and recovery process),
even though none of the decision criteria above that would require upgradin; ~
. ~
are met, the staff may decide as a prudent measure to require upgrading of '
the system or component in question, but not to full safety-grade. This might be done, for example, in order to improve the availability and reliability of the component in question, and thereby provide increased safety margins or greater flexibility for dealing with potential future accident situations (either within the current design basis or like TM]-2, and irrespective of how such conditions might come about).
- Assuming single failure in the installed safety systems in accordance with the Single Failure Criterion.
~
- 11 -
Q.14 Were any of the decision criteria set forth in the answer to Q.13 (that would require upgrading to safety-grade) met for any of the non-safety systems or components which either contributed adversely to or had to be called upon to mitigate the TMI-2 accident?
A. Flo.
The severe effects produced in the TMI-2 accident (e.g., serious core damage; voiding in the primary coolant and hydrogen gas generation which may have blocked natural circulation; dispersal of large amounts of radioactive fission products in the primary coolant; etc.) did not result If operator action f rom non-safety system or couponent failure alone.
' had not interfered with the proper functioning of the installed safety 4
systems to their design capability, the safety systems could have accom-modated the effects of the non-safety component failures that occurred,
' and still have . prevented the serious core damage and other outside-design-
- - And if the core damage and other outside basis effects that resulted.
design-basis ef fects which occurred had been prevented, it would not have.
' been necessary to call upon non-safety components to assist in accident citigation and recovery (e.g., long term maintenance of core flow and ,
cooling with RCP's and steam generators).
there a need, then, for any of the non-safety systems or components that Q.15 15 <
contributed to the TMI-2 accident,,,or that were called upon in the accident ;
recovery process, to be made safety-grade? E A. No. Reliance can still be placed, in future TMI-l operations, on the j r
' capability of safety systems currently provided in the TMI-l design to I
assure adequate safety, without resort to the general upgrading of non-safety systems and components which would be recuired by the contention, 8
w gg g p ' -.L
- F."
e.- - - - - - - -
if proper operation of installed safety systems is assured such that full credit can be taken for the functioning of those systems to design capability.*
What has been done to provide increased assurance that installed safety Q.16 systems will be operated properly at THI-1, in view of what happened in that regard in the TMI-2 accident?
A. The staff has specified a number of corrective measures (described in NUREG-0680, "TMI-l Restart SER," and in a letter dated 8/28/80 frcri Director, ONRR, to All Power Reactor Applicants and 1.icensees) in the aftermath of TMI-2, to better assure that operators will not interfere with the proper functioning of installed safety systems in the future. These corrective measures f all into three general categories:
(a) improved analyses of anticipated transients and accidents, and improved procedures for operators based on those analyses, l
(See NUREG-0680 at Cl-12, C2-4, C2-9, C2-16, C2-17, C2-18, C2-4 7, and D2-1 for details) -
(b) improved instrumentation (e.g., sub-c. col,ing meter, improved indication of PORV and safety valve position, improved AFW flow indication, etc.),
to better monitor and understand critical plant parametecs, and 1
to better recognize the need for safety system operation if the occasion arises, ,
i.
(See NUREG-0680 at Cl-5, C8-il, C8-14, CS-38, and D3-1 for details)
- Assuming single failure in installed safety systems, in accordance with the Single Failure Criterion.
' ~'
i (c) improved operator training to better cope with anticipated and unanticipated plant conditions, (See NUPEG-0680 at Cl-6, Cl-7, Cl-16, C2-4, C2-5, C2-9, C2-10, C2-12, C2-16, C2-17 and C8-47 for details. Also see 1tr, dated 3/28/80, Denton to All power Reactor Applicants and Licensees)
The staff believes that satisfactory compliance with these requirements will provide the improved assurance needed that installed safety systems will be operated properly, so that full credit can be taken
' for their effective functioning as required to assure adequate safety.
0.17 Has the staff required upgrading of any of the systems or components I that either contributed to the TMI-2 accident or were called upon in l! the accident recovery process? Has upgrading to full safety-grade been 1 -
f; required? Explain the staff's rationale for whatever action was taken in each case.
f -
A. Examples of non-safety systems or components for which the staff has i
., specified upgrading, but not to full safety-grade, include:
j (1) emergency power supplies for pressurizer heaters UCS (See NUREG-0680 at C8-3; also see Testimony of Jensen re:
l Contention 3)
(2) emergency power supply for PORV and block valves UCS (See NUREG-0580 at CS-8; also see Testimony cf Jensen re:
Contention 5)
TECHNICAL OUALIFICATIONS INFORMATION JAMES H. CONRAN SYSTEMS INTERACTION BRANCH DIVISION'0F SYSTEMS INTEGRATION OFFICE OF NUCLEAR REACTOR REGULATION Education: B. S. in Physics,1963, The Colorado College, Colorado Sprincs,
~
Post-graduate and Profe'ssional Courses in Physics and Col.orado.
1952-1.93.3.
So,1,id-Sta.te.'_ Electronic Engineerino;. University of Kansas Professional Courses in Fault-Tree Analysis.1972 and 1983.
' Experience: U. S. Nuclear Regulatory Commission /U. S. Atomic Energy Commissian Washington, D. C., 1973 to Present I - Principal Systems Engineer, Systems Interaction Branch. Division i
9
- of Systems Integration, Office of Nuclear Reactor Regulation.
i
' Responsible for development of systems interaction analysis
' methods, systems integraticn review methods, and corresponding regulatory guidance; systems integration review of operating license'and construction permits; and review of operating experience for systems interaction effects.
- Senior Project Manager on special assignmant for one year to -he Lessons Learned Task Force and follow-on implementation activities.
Responsible for identification and evaluation of safety conce-ns arising out of TMI-2 accident, and recommendatior of changes :o licensing requirements and safety licensing process; liaison <ith l
the Bulletins and Orders Task Force and ACRS on TMI-2 acc I
review matters, follow-on implementation of Lessons Learned T3sk Force recommendations to Near-Term Operating License Applications; l
I - . . -
- j. .- .. . . ._. . **'M .
e b..
development of Near-Term Construction Permit Lessons Learned licensing requirements; and participation in the formulation of the overall NRC TMI-2 Action Plan (NUREG-0660).
- Senior Project Manager, Standardization Branch, Division of Project Management, Office of Nuclear Reactor' Regulation.
Responsible for management and coordination of safety review of applications for standard design approvals, and development of standardization policy.
- Senior Nuclear Engineer, Reactor Systems Safety Branch, Division of Engineering Standards, Office of Standards Development.
Involvement in developrent of quality assurance standarcs and Regulatory Guides for nuclear material processing facilities, protection-of-informants policy studies, and special safeguards-related investigations and hearings.
- Systers Engineer and Senior Safeguardi Analyst, Requirenents Analysis Branch, Division of Safeguards, Office of Nuclear Material Safety and Safeguards. Responsible for comprehensive studies of adequacy of safeguards for existing licensed nuclear facilities (including nuclear materials ' processing facilities and power reactors),
and development of applicable safeguards regulations and other regulatory guidance.
1
- Senior Safeguards Analyst, Special Safeguards Study Project, Office of Special Studies. Responsible for management, coordination, and technical review and evaluation of contractor studies relating to l safeguards issues identified in GESM3 (plutonium recycle) proceedings; development of recommendations regarding the Reference
_ -,- _ . . <e. -a , e i m 9 a wa. as
" _3 Safeguards System concepti Senior Staff Assistant / Project Engineer, Advisory Comittee for Senior project leader responsible for:
Reactor Safeguards.
coordinating activities of ACRS project subcomittees, ACRS consultants, Regulatory Staff, and applicants in support of AC licensing reviews; preparation of reports for ACRS use identify areas requiring detailed evaluation or resolution of deficiencie U. 5. Atomic Energy Commission, Albuquerque Operations
' 1970 - 1973 Reactor and Criticality Safety Engineer, Reactor and Criticality Responsible for:
Safety Branch, Division of Operational Safety.
inspection and evaluation for criticality safety of all the facilities within the ALOO complex (e.g., weapons design and
~
plants, weapons test research laboratories , weapons production sites) that support the U. S. Nuclear weapons program, and '
i
~
l' pertinent activities therein (e.g. ,' research ' reactor and c assembly operation, uranium and plutonium processing, weapons
)
assembly, packaging and transportation of fissie materials ,
i and safety review of reactor and critical assembly instrument control, protection, and diectric power systems; including p modi fi ca ti ons .
1967 - 1970 San Francisco Bay Naval Shipyard, Vallejo, California ,
1 Nuclear Power Engineer, Test Engineering Branch, Nuclea Qualified for Shift Test Engineer position; respens Division.
for preparation of detailed test procedures and direction i board shif t testing operations involved in the acceptance l
. _ -9
- 4 (pre-operational flushing'and hydrostatic testing, systems tests, initial critic:lity and power range testing, and sea trial) of naval nuclear propulsio'n systems (new construction, refuel and i
i
- overhaul).
- Electronic Engineer, Refueling Engineering Branch, Nuclear power i
Division. Qualified for Assistant Refueling Director position; responsible for direction of dockside and on-board shift refueling operations for naval nuclear propulsion systens (refuel and overhaul) i Western Electric Company, Kansas City Manufacturing Works, Lee's Summit, Missouri, 1960 - 1957
- Product Planning and Design Engineer, Test Planning Engineer, and Test Equipment Design Engineer. Responsible for planning anti direct engineering support in the production and testing of radio l
and voice frequency telephone carrier systems; design of major production ' test' equipment; and trouble-shooting problems encounter in the prodoction testing and field application of the telepnene communications equipment manufactured at the Kansas City Works.
9, i
t . . _ _
_ . .- . ~. _ ,
- 205 - l l
and Licensee namely, different quality levels for plant features with differing safety roles and varying degrees of importance to safety.
i -
981. The Board is of the opinion after hearing arguments and testimony
]
on all sides for the question that the Staff's interpretation, especially ,
, that of Mr. Conran, is the one closest to the system actually used by the ,
Staff. It is also the system which the Board feels should be employed.
l .
To argue otherwise would in one aspect of the question argue against 1
i making improvements in safety which would result in a safer system, without ,
upgrading to a fully " safety grade" system. In other words such a viewpoint might discourage safety improvements to existing systems. We agree with ;
i
, Mr. Conran when he states that: "The language of regulations typically is broadly. drawn so as not to be too prescriptive -- to permit flexi-i >
bility in the implementation of those requirements". Tr. 8432. !
- 2. Effects of Nonsafety-Related Systems on the Reactor Core -
' 4 982. UCS Contention 14 states that, The accident demonstrated that there are systems and components presently classified as nonsafety-related which can have an adverse effect on the integrity of the core because they can
- directly or indirectly affect temperature, pressure, flow
- and/or reactivity.
i
~
ar.o that, All systems and components which can either cause or aggravate
. an accident ... must be identified and classified as components ;
important to safety and required to meet safety grade design '
{ criteria.
a e
i I
L ess
- 215 -
reply finding i 13), we find Conran qualified to present the testimony on this subject. See Technical Qualifications Information attached to Mr. Conran's Testimony, f f. Tr 8372.
- 7. Finding on Systems Classification and Interactions 1003. The Board made the following findings on system classification and interventions:
- a. The Staff's definitions of " safety grade" and "important to safety" are accepted by the Board.
- b. Limited improvements to systems which are not safety grade are acceptable to provide improved plant safety. These improvements need not necessar~ily be of such extent that the affected system becomes upgraded-
~
to safety grade.
- c. Nonsafety grade systems and components can directly or indirectly af fect core reactivity and primary coolant temperature, pressure, and flow. Ilowever, we are unaware of any such systems at TMI-1 which can adversely affect the integrity of the core.
- d. Improvements in nonsafety grade systems which will signifi-cantly reduce the rate of challenge of safety grade systems should, in general, be made.
- 216 -
- e. All nonsafety grade systems which might conceivably be called on to mitigate the consequences of an accident need not necessarily be required to meet all safety grade criteria.
- f. TMI-1 shall be included by the Staff in generic reviews of systems interactions. Application of IREP or IREP follow-on studies could reasonably lead to an enhancement of safety at THI-1.
- g. The Commonwealth proposed finding 5 234 which suggests upgrading of the power supplies to the pressurizer level instrumentation before reactor power operation above 5% is adopted as our own.
- h. Staff witness Conran is qualified to present testimony on this subject.
- 8. Concluding Remarks 1004. The Board would like to comment that the discussion on this subject, which was prompted by UCS' contentions, was useful in better defining the expressions "important to safety" and " safety grade" as these expressions are used in the regulatory process. In the Board's view the exercise prompted by UCS Contention No.14 yielded results which should be helpful to the Commission and Staff in current and future safety reviews.
- r. '
- 201 -
corresponding to relative safety importance) by identify-ing explicitly a s' elect sub-class of structures, systems, and components (out of the broad class "important to safety") that are required for the performance of specific,
~
critical safety functions (e.g.,-safe shutdown, accident prevention and consequence mitigation, etc.). Specifically, Sec. III.c of- Appendix A to 10 CFR Part 100 defines the Safe Shutdawn Earthquake'(the most severe seismic event analyzed for a nuclear power plant), and requires that
"... cer:3in structures, systems, and components [important to safetv] .. ;be.
designed to remain functional for that event. Those "certain" plant features, and the critical safety functions they must perform, cre. further identified in Sec. III.c as: "... those necessary to assure:
(1) The integrity of the reactor coolant pressure boundary, (2) The capability to shut down the reactor and maintain -
it in a safe shutdown condition, or (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the guideline exposures of this part."
Such considerations are the origin of the tern " safety grade";
and the Staff applies that term only to the structures, systems, and components required to perform the specific ,
critical safety functions identified above. -
- Conran, ff. Tr. 8372, at 4-5.
976. Mr. Conran then summarized these definitions as follows:121/
(1) The term "important to safety" applies generally to the broad class of structures, kystems, and components addressed in the General Design Criteria.
121/ In a memorandum for al'1 NRR personnel dated November 20, 1512 the Director of NRR, noting problems of consistency in the use of safety classification terms in.this proceeding, has directed NRR personnel to employ interim standardized definitions of "Important to Safety",
" Safety-Related",.and " Safety-Grade". The Director's standardized definitions are consistent with Mr. Conran's testimony.
e
=
l l
l .
l ,
l m - ._ _