ML20134C061

From kanterella
Jump to navigation Jump to search
Forwards Short Paper Summarizing Observations & Conclusions Reached by Team of Staff Members,Who Recently Visited Westinghouse
ML20134C061
Person / Time
Site: Westinghouse, BWX Technologies
Issue date: 09/20/1996
From: Tokar M
NRC OFFICE OF NUCLEAR MATERIAL SAFETY & SAFEGUARDS (NMSS)
To: Ten Eyck E
NRC OFFICE OF NUCLEAR MATERIAL SAFETY & SAFEGUARDS (NMSS)
References
NUDOCS 9609250181
Download: ML20134C061 (10)


Text

'

. 4 .

September-20, 1996 MEMORANDUM T0: Elizabeth Q. Ten Eyck, Director Division of Fuel Cycle Safety and Safeguards, NMSS THRU: Robert C..Pierson, Chief Original signed by:

Licensing Branch i Division of Fuel Cycle Safety  !

and Safeguards, NMSS ,

.FROM: Michael Tokar, Section Chief l Licensing Section 2 )

Licensing Branch .

Division of Fuel Cycle Safety I and Safeguards, NMSS l

SUBJECT:

ISA DOCUMENTATION AND THE REVIEW PROCESS Attached is a short paper that summarizes the observations and conclusions reached by a team of staff members that recently visited Westinghouse and the Babcock & Wilcox navy fuel facility in an effort to learn .

more about the status of their ISA programs. Some recommend'ations regarding  !

potential changes in' the draft Standard Review Plan are also presented. l i I

}

Attachment:

As stated ,

l'

!- Distribution

'; Docket' 70-1151 PUBLIC NRC File Center- FCSS R/F i l

70-27 FCLB R/F NMSS R/F Region II -

GTroup, RII CBassett, RII .

l [G:\ dreaming.on]  !

0FC FCLB b FCLB b FCLB _,o FCLB FRIB m FCLB A 8 !

NAME MTdd PShea (hd> MKlas[k TCoNM RM M n # RPihon l DATE 9//5 /96 9/h/96 9////96 9//7/96 9/h/96 9/3u )96 C = C0VER E = COVER & ENCLOSURE N = N0' COPY OFFICIAL RECORD COPY V $G8 007711719k I' * * * *"'"d N F=O'5 '/, j I

9609250181 960920 t PDR ADOCK 07000027 '

C PDR 200035 \

NRC FILE CENTER COPY i i

m _

f@ %

[ 4 UNITED STATES

]

g NUCLEAR REGULATORY COMMISSION 2 WASHINGTON, D.C. 20666-0001

% , , , , , +# September 20, 1996 MEMORANDUM TO: Elizabeth Q. Ten Eyck, Director Division of Fuel Cycle Safety and Safeguards, NMSS THRU: Robert C. Pierson, Chief Licensing Branch Division of Fuel Cycle Safety hCj__ ~

and Safeguards, NMSS FROM: Michael Tokar, Section Chief

  • Licensing Section 2 Licensing Branch #/

Division of Fuel Cycle Safety f/

and Safeguards, NMSS

SUBJECT:

ISA DOCUMENTATION AND THE REVIEW PROCESS Attached is a short paper that summarizes the observations and conclusions reached by a team of staff members that recently visited -

Westinghouse and the Babcock & Wilcox navy fuel facility in an effort to learn more about the status of their ISA programs. Some recommendations regarding potential changes in the draft Standard Review Plan are also presented.

Attachment:

As stated 1

l s'

l

! l 1 .

i e

i - -

ISA DOCUMENTATION and the REVIEW PROCE11t i

PLANT VISITS BY FCSS STAFF

Recent visits by a small team of FCSS staff, to the Siemens Power Corporation (SNP), Westinghouse (W)-Columbia and Babcock & Wilcox-Navy fuel facilities,

~

were made with the dual purpose of: (a) acquiring more information regarding .

the licensees' approaches toward development and documentation of their Integrated Safety Analyses (ISAs) and (b) applying that knowledge to proposed

, revisions to Part 70 and the Standard Review Plan (SRP). The staff's

observations, conclusions, and recommendations regarding the SRP approach toward ISA documentation and review are summarized below. J
Westinghouse
I

}i Observations:

The team examined ISA progress at M Columbia on July 24 and 25, 1996.

! Westinghouse's ISA approach, outlined by W in a Table of Contents for their

. SNM license, submitted as an attachment to a letter, dated July 15, 1996, from

J. Fici to Commissioner Rogers, is reasonably straight-forward. Chapter 4, l titled " Integrated Safety Assessment," of the W SNM license, describes the j structure and content of an ISA in terms of eight areas of required i information with the following titles
1. Process Description

! 2. Process Theory

3. Process Design and Equipment ,

j 4. Drawings and Operating Procedures

5. Safety Analyses _
6. Process Hazards Analysis

! 7. License Compliance Verification i 8. Appendices

)

During our visit, we learned that W has identified 35 major systems and

160 subsystems for analysis. An ISA will be performed on each subsystem.

For each ISA, an ISA summary document will be produced that will address, in concise form, all of the information gathered or produced in each of the eight

, information areas. This summary document may be as large as a couple of j hundred pages, depending on the complexity of the system and analyses covered.

i Supporting each section of the summary documents, and referenced by those sections, there will exist a large volume of more detailed documentation,

) including drawings, specifications, procedures, and related analyses.

In'a very major step forward, W has created a comprehensive document (now in final draft), called " Draft Guidelines for Preparing an ISA," which directs W staff in their preparation for, conduct of, and documentation of an ISA. The .

W method of producing an ISA was designed and executed in conjunction with consultation and training delivered by the Process Safety Institute, a division of J8F Associates in Knoxville, TN. This approach to ISA development ATTACHMENT ,

't

2 is an outgrowth of the more general Process Hazards Analyses required by OSHA regulation and described in publications by the American Society of Chemical Engineers.

For each of the eight sections of an ISA summary, the W draft guidance document describes how to assemble or produce the required data and analysis that will fulfill the purpose and objectives of that section. Our study of the draft guidance document at W provided a more comprehensive understanding of the major sections of the ISA process and documentation than given in the W license application. Descriptions of these sections, based on our review at the W site, are provided below:

1. Process Description 'As the term implies, the process description section of the licensee's ISA summary document (for each system) would contain a narrative description of the process, including the intended purpose of the  ;

process and its relationship to the rest of the facility and products of the ,

facility. This narrative description would be considerably more detailed than l the general facility and process description in Chapter 1 of the license i application and would, for example, include (often by reference) flow i diagrams, schematic diagrams, equipment arrangement drawings, descriptions of system interconnections to related systems, description of safety significant controls, safe upper and lower limits for safety significant process parameters, and maximum intended inventory.

2. Process Theory - The discussion of process theory would contain a narrative description of the physical and chemical states for normal and ,

abnormal operating conditions. A set of postulated transient conditions would I be developed, including the expected ranges of process parameters to be controlled, and including expected transient outcomes. Descriptions of upset i conditions that have the potential for exceeding safety limits would be identified and discussed with references documenting the sources of the l theory. l

3. Process Design and Equipment - This section of the ISA summary I document consists mostly of detailed rHerences to a voluminous package of l data not physically included in the doctment, but filed separately, in what W calls the " Data Pack." These data are necessary to support the Process Description in Section 1 of the ISA summary document. Examples of pertinent design information include equipment drawings, equipment and piping arrangement drawings, process and instrumentation (one-line) diagrams (P& ids),

system and subsystem interconnections to related systems, the specification of all engineering controls, materials of construction, electrical classification information, relief system design, ventilation system design, design codes and standards employed, material and energy balances, and safety systems descriptions (e.g., interlocks, safety control actuation logic diagrams, safety significant utilities, detection or suppression systems).

4. Drawings and Operating Procedures - This section of the ISA summary document consists of nothing more than a reference listing of engineering drawings and photographs of system equipment. There is some overlap between this section and the previous Section 3. The primary difference appears to be

~

3 the inclusion of operating and other procedures in this section. For example, W says that this section will include work schedules, staffing plans, standard operating procedures and instructions, maintenance procedures, preventive maintenance schedules, emergency procedures, operating checklists, etc. The final collection of material referenced by this section will establish the design basis for system configuration management, and all information shall be field verified. Engineering data other than drawings will include control system information such as safety logic diagrams.

5. Safety Analysis - This is the section that assures integration of all postulated interactions among safety disciplines. A discipline-specific safety analysis summary is provided for each of five disciplines:

(1) radiological safety, (2) criticality safety, (3) fire safety, (4) chemical safety, and (5) environmental safety. Each discipline is discussed in terms of consideration of a checklist of concerns to be resolved to assure that coordination with other disciplines is achieved.

6. Process Hazards Analysis - This section reports on the details of the hazards assessment, including a description of the method used for hazard identification and analysis, accident identification and scenario description, consequence determination, and fault and event trees for a given system. The PHA is expected to represent a snapshot in time and would not be redone unless there are " major" process changes; i.e., changes tnat could have a significant impact on process / system safety such that the basis for safety is altered, necessitating a change in process / system controls.

Evaluation /

Conclusion:

In general, the ISA summary document produced by H for each system is comprehensive and descriptive enough to support NRC review of the system. The document references what it does not contain. Some of the referenced material would probably be needed by NRC during a review, and the comprehensive and organized summary would provide for the efficient identification and retrieval of that material. Sections 1 and 2 of the document would probably be sufficient for review as submitted.

With regard to Section 3, most of the information referenced by the section would probably not be needed by NRC staff in its licensing technical review (and thus would not be expected to be submitted by the licensee on the docket). For example, in most instances the electrical classification, detailed equipment drawings, material and energy balances, and relief systems designs would involve a level of detail beyond what would be normally required for a technical review of process safety. Equipment overall dimensions and arrangement, including piping or other devices used to interconnect equipment and provide controlled confinement of radioactive material would, however, in many instances be relevant to a safety review (and might be considered proprietary by the licensee).

With regard to Section 4, NRC staff would not expect detailed engineering drawings or operator instructions to be submitted for review except insofar as it is necessary to determine equipment arrangement and overall dimensions.

s m_

4 1

Schematic drawings of the system and process would be desirable, however, along with a narrative of the operation of the process that is sufficiently detailed to enable the reviewer to fully understand the system and to recognize and comprehend operator actions that are important to safety.

Schematic drawings and narratives needed for licensing decisions would be maintained current, with periodic updates submitted on the docket to NRC.

Chapter 5 of the W ISA summary document will probably eventually provide sufficient information to initiate a review of the accident sequences and controls relied upon for safety. Currently, however, Chapter 5 (for the two pilot systems identified by W as being most complete) only contains nuclear criticality safety material. These Chapter 5 criticality summaries categorize the various criticality accident sequences by grouping them into accident classes. Grouping (summarizing) criticality accident sequences into general accident classes presents less detail than the information contained in the corresponding PHA conducted at Westinghouse. For example, in many cases the initiating event is not revealed in the accident summaries. To address this concern, however, the reviewer could, on a sampling basis, visit the facility to inquire about the various initiating events that may lead to the same accident class for a given process or could request that some additional information be submitted on the docket.

The type of summary document that W is developing for each system appears adequate to begin an ISA review. The W summary documents appear consistent with the scope and depth of what is requested in SRP Chapter 4, and the amount of detail appears to be appropriate for conducting a competent review that would support a credible finding of " reasonable assurance." Westinghouse's stated objectives in conducting an ISA not surprisingly parallel the NRC's ISA guidance statements that are expressed in both the ISA Guidance Document and the SRP. If W were to submit the ISA system summaries on the docket, the staff would then have the opti.on of requesting more information only as needed, as the review proceeds on a sampling basis. W has very tersely described the eight sections of their ISA work in their recent license renewal application (the license application characterizes the aggregate of these sections as the ISA " format and content"), but the entire ISA chapter in the license application is a two page description of the eight sections. The application commit: only that a " documentation of continuing progress...will be maintained for Regulatory Agency review." Moreover, W staff at our meeting stated that it is Westinghouse's intent that aang of the ISA documents prepared would be submitted "on the docket" to NRC for review, though they would be available at the site for review by NRC. Thus, if Westinghouse's approach is accepted, Chapter 4 of the W license application would remain as it is today, and the other licensees would presumably follow suit.

Babcock and Wilcox:

Observations:

The staff discussed ISA progress and studied ISA documents at the B&W facility on July 30 and 31, 1996. B&W's ISA structure differs from that of M in fundamental ways, but the data and information collected and the process hazards analyses methods are similar. B&W's ISA is also performed system by s'

5 system, but pertinent to each system are four separate packages, containing drawings, process description, a baseline Process Hazards Analysis, and an -

SAR. The SAR is an ISA summary for the system, but is not as comprehensive as the ISA summary document produced by W. The B&W SAR does however, contain t

discipline-specific safety analyses for the system, including criticality, chemical safety, radiological safety, and fire safety. This is equivalent to Section 5 in the W summary document. The B&W PHA includes a section that provides a summary of all fire, chemical, radiological release, or criticality incidents that occurred during plant operating history.

The four documents needed to understand a single system analysis are not always unique to that system. A PHA may cover several systems, as may a process description document. Our review staff, found, however, that the depth and scope of B&W analysis is fully consistent with that of M and a similar amount of analytical detail should be available.

B&W treats accident sequences in a different way than W. B&W assigns numerical values to the likelihood of the initiating event, the frequency and duration of failures of preventive and mitigative controls, and the severity of accident consequences. These numerical values are assembled in a scheme that can be said to resemble the classical product of frequency and consequences to obtain risk. The severity table addresses both offsite and onsite effects, differing types of consequences such as criticality, toxic release, and radiological release.

In B&W's approach to an ISA, a risk assessment table is constructed with seven levels of consequence severity and a number of columns representing accident frequency. The assigned numerical risk value for each postulated accident scenario is then compared to the risk table and placed in one of three risk

" zones:" (1) immediate fix required,-(2) fix on some defined, approved schedule, or (3) do not fix at all. It is important to note that this risk assessment scheme does not address double contingency or double protection explicitly.

Evaluation /

Conclusions:

It appears that B&W is producing an ISA in a manner that addresses the requirements of revised Part 70. Further, sufficient information should be available in forms suitable for delivery to the NRC to support a review of that ISA. Several different B&W documents may be necessary to begin an NRC review of even one system, whereas the equivalent M information may be available in one document per system.

3&W has departed from the staff's SRP treatment of acceptable risk by adopting an approach based on a semi-quantitative method that is somewhat of a departure from the agency's long-standing preference for redundancy in preventive or mitigative controls to provide reasonable assurance of safe design. Thus, the NRC's SRP acceptanct criteria for double contingency /

double protection would most likely not be satisfied by B&W's approach.

Because the SRP, as currently conceived, is not sufficient to evaluate the s'

c - - . - - . - . - . - - - . - - . .-._ - _ - - _ - _ . .--

t

. l c

6 adequacy of this approach (i.e., the SRP does not indicate that this quasi -

probabilistic approach can be followed), a review of this approach would require extra time and effort.

SRP Ramifications and Recommendations:

It is clear from the staff's observations of the ISA efforts underway and planned by Westinghouse and B&W, as well as from their very significant accomplishments to date, that these two major fuel cycle licensees (and possibly others as well) are well on their way to developing comprehensive integrated safety analyses, and associated documentation of these analyses, for their facilities. The issues at hand are, (1) to what extent should the resulting ISA documentation be submitted on the docket and reviewed by NRC staff and (2) what if any changes need to be made to the SRP to ensure that it is consistent with the type of ISA information that staff needs to review and ,

that licensees will be asked to provide?

With regard to the information needed to be submitted for NRC review, the staff believes that the information currently requested in the SRP, in the areas of site description, description of the facility, and description of the orocess analyzed, is both necessary and sufficient for the licensee and NRC to ,

submit / review respectively. As noted in the discussion of the visit to ,

Westinghouse and B&W, the ISA summary documents that are being prepared for  ;

each of their systems are comprehensive and descriptive enough in these areas  ;

to support the initiation of a review by the staff.

With regard to process safety information (PSI) that would need to be compiled and used in the performance of an ISA, the SRP currently does not call for I such information to be submitted to the NRC for review. Instead, the SRP only l requires PSI to be compiled and maintained by the licensee. Thus, P& Ids, 1 design codes and standards employed, material and energy balances etc. are I currently not requested to be submitted for review. The staff continues to l believe that this information is not generally needed by the NRC licensing '

reviewer. The absence of this data in the submittal will substantially limit the amount of material to be submitted.

Currently, the SRP requests a descriptive summary of the ISA methodology; i.e., a " cogent description of the methodology and the bases for the selection." The staff continues to believe that this level of detail in the  ;

description of the methodology is sufficient, given that a summary of the l accident analyses will be submitted for NRC review. That is, the demonstration of the sufficiency of the analyses will be judged by the results rather than by a very detailed description of the method employed. However, i the level of detail regarding the results of the ISA that is currently called for by the draft SRP appears to be excessive in that it is implied that the PHA itself is needed. For example, the current draft SRP requests a " list of ,

deviations from normal conditions, the cause of the deviations," etc. To )

lessen the regulatory burden and simultaneously provide the staff with adequate information to make a safety judgement, the staff recommends that this portion of the SRP Acceptance Criteria be modified, s

1 I

~

(- e i 7

=

f

. One way of modifying the SRP to reduce the quantity of information to be j submitted is to revise the acceptance criteria to allow the licensees to group

potential accidents into classes, where an accident class would be one in
which all the events lead to the same consequence and can be prevented /

mitigated by the same controls. For example, a mitigative control, such as a ventilation system, may provide protection against the consequences of releasing a toxic substance. . A preventive control, on the other hand, might ,

require a description of the full event sequence. In either case, the l description of each event / accident (or class of events / accidents) should be complete enough to demonstrate the intended function of each control used to l prevent the accident or to mitigate the consequences of the accident. i i

It should be noted that the regulatory burden on licensees with regard to the submittal of information will in any event inevitably be reduced as a result of the Business Process Re-engineering (BPR) efforts that are now underway and j that will soon to be implemented to encourage electronic transmissions of information. Thus, the licensees' ISA summaries could be submitted

electronically to the NRC, and the licensees could easily transmit updates to

! the ISAs periodically, without involving large volumes of paper hard-copy. '

t  :

3 Another' issue to be resolved regarding the SRP concerns the risk matrix

! approach that is being followed by B&W. The criteria currently contained in '

the SRP that address the frequency of occurrence and level of consequence of ,

an event are based on assuring that multiple (at least two) events are required before severe consequences (e.g., e nuclear criticality) are i possible. These criteria (double contingency / double protection) were

developed using the industry standard for nuclear criticality and the NRC's '

time-tested policy regarding redundancy or defense-in-depth. The risk matrix approach adopted by B&W appears to depart from this approach in that it

utilizes assumed frequencies for the failure of controls, combined with assumed periods for which the failure goes undetected, as the basis for the assignment of accident sequence frequencies utilized in determining risk.

This approach is a significant deviation from the staff's SRP approach in that redundancy may not always be implemented to protect against significant events. If the new Part 70 permits risk matrix - type analyses to be used, the SRP should be modified to accommodate this approach, to enable the NRC's reviewers to efficiently carry out their function.

Finally, the staff believes that there is a significant issue that remains to l be decided regarding the format of the information that will be submitted. As noted in the above discussion, W and B&W are proceeding with significantly different approaches in the documentation of their ISAs. The other fuel l fabricators presumably are also going to have somewhat unique formats. If ,

each licensee were to submit their ISA information in a different format and 1 organizational order or structure, it would significantly increase the ,

difficulty of review of that information by the NRC staff. It would behoove i the staff and benefit the industry if the desired format for submitting the l ISA information were made clear in a Standard Format and Content Guide ,

(SF&CG). Because it constitutes guidance, not requirements, the SF&CG would i not mandate the form of the submittals, but it would provide clear guidance to j the licensees as they proceed with the development of their ISAs, so that i timely decisions can be made as to how to format the documented results. l l

h

COMMENTS ON "ISA DOCUMENTATION AND THE REVIEW PROCESS" i

1. The paper is silent on the implications (as proposed on p4) of visiting the facility to obtain additional information needed to review the ISA. In my opinion, this additional information would need to be placed in the docket, since it would form part of the basis for NRC's determination of adequate safety. ,

s.Jp-rc w in+Anu M, ij' y H & n a v afn yl,g Q af p + m s e ,a-~ s 4.sg ,6~ 4Lt&L sfiadd L W$ A$#

ecnaam + A--

D, -

V~li~9b 4