Text

,

q 3.

i f f M oq*g UNITED STATES j

NUCLEAR REGULATORY COMMISSION.

'b WASHINGTON, D.C. 20555-0001

%,,,,/

March 18, 1997 i

4 i

' MEMORANDUM TO: Chairman Jackson FRON:

L. Joseph Callan Executive Director f Operations

SUBJECT:

USE OF NON-SAFETY-RELATED EQUIPMENT TO ADDRESS SAFETY CONCERNS DN NUCLEAR POWER PLANTS' i

.In the attached paper, I am responding to your request to provide historical examples of how the NRC has taken credit for non-safety-related equipment to satisfy safety concerns raised on nuclear power plants, and the rationale for taking.such credit.

In general, safety-related equipment !s relied on to mitigate design-bases accidents. However, in some specific instances, the staff has, with appropriate justification, relied on non-safety-related equipment to address safety concerns.

i The. attachment provides the requested examples, which fall into three general j

areas:- (1) examples that show where non-safety-related equipment is addressed in the regulations, (2) examples that show how the NRC has taken credit for non-safety-related equipment to satisfy other-than-design-bases safety concerns and the : rationale for taking such credit and (3) examples that show where non-safety-related equipment is considered in analyzing design-bases accidents. The three sets of examples are not intended to be an all-encom-passing list for the respective areas.

i

Attachment:

As stated cc:

Commissioner Rogers Commissioner Dicus Commissioner Diaz Commissioner McGaffigan SECY 0GC OCA OPA f)

]h CONTACT: Joseph M. Sebrosky, NRR f

415-1132

/

100039 y

<> n % Cw^i% '

qpS" #f lmmmn ptp D f & & O 3 2 1 0 3l & h

i March 18, 1997

'e

~'

MEMORANDUM'TO: Chairman Jackson OddnalS!gned by FROM:~

L. Joseph Callan an '

]

~

Executive Director for Operations 1

SUBJECT:

USE OF NON-SAFETY-RELATED EQUIPMENT TO ADDRESS SAFETY CONCERNS ON NUCLEAR POWER PLANTS In the attached paper, I am responding to your request to provide historical examples of how the NRC has taken credit for non-safety-related equipment to 4

, satisfy safety concerns raised on nuclear power. plants, and the rationale for i

taking such credit.

In general, safety-related equipment is relied on to 1

mitigate design-bases accidents. However, in.some specific instances, the staff has, with appropriate justification, relied on non-safety-related equipment to address safety concerns.

The attachment provides the requested examples, which fall into three general areas:

(1) examples that show where non-safety-related equipment is addressed

-in the regulations, (2) examples that show how the NRC has taken credit for

' non-safety-related equipment to satisfy other-than-design-bases safety concerns and the rationale for taking such credit and (3) examples that show

~

where non-safety-related equipment is considered in analyzing design-bases accidents. The three sets of examples are not intended to be an all-encom-passing. list for the respective areas.

l

Attachment:

As stated l

{

cc:

Comissioner Rogers Comissioner Dicus Comissioner McGaffigan Comissioner Diaz SECY OGC i

OCA OPA CONTACT: Joseph M. Sebrosky, NRR 415-1132 j

DISTRIBUTIQN: See next page DOCUMENT NAME: A:W9700003.JS

• See previous concurrence fa suosive a sepy of this deemsnent, Insbeste in the bes: "C" = Copy without ettechenent/ enclosure "E" = Copy with attachnpnyonciosure "r = No copy OFFICE PM:PDST:DRPM l

D:PDST:DRPM [

D:DRPM l

ADT N

1 NAME JMSebrosky: sed 349/4RQuay*

TTMartin*

ACThadani h-as/-W Em---842---

NAME

$40MTns

./ 3 T ////

LJ0dBan DATE-03/F/97 03/ W 97 '/ I 03')fCr97 0FFICIAL RECORD COPY l

}

e v f.,

-t J

DISTRIBMILQfi:

Central file.

Public-PDST R/F;

' EDO R/F

-EDO WITS 9700003.

'LJCallan,- 0-17 G21 HLThompson,:0-17 G21

..JLBlaha,'0-17 G21-SJCollins/FMiraglia'.0-12.G18l ACThadani, 0-12 G18-

'RPZimmerman, 0-12 G18

^

.EJordan,L0-17 G21 TTMartin-

-DMatthews:

'WTraver 0-14 D4 "PMilano, 0-14 E4 TQuay:

KBohrer,' WITS 9700003, 0-12 G18

BSweeney, WITS 9700003 lBBoger, 0-9 E4-PCota' 0-8 E2 "GHolahan, 0-8 E2 ACRS1 DOCUMENT >NAME:.A:W9700003.JS

'1 f:

l I

l

USE'0F NON SAFETY RELATED EQUIPMENT TO ADDRESS SAFETY CONCERNS ON NUCLEAR POWER PLANTS This paper provides examples of how the NRC has allowed licensees to take credit for non safety related equipment to satisfy safety concerns raised on nuclear power plants, and the rationale for taking such credit.

In general, j

safety related equipment is relied on to mitigate dasign bases accidents.

l However, in some specific instances, the staff has, with appropriate justifi-cation, relied on non safety related equipment to address safety concerns.

The staff's Standard Review Plan (SRP) provides guidance where credit can only l

, be given for safety related equipment to mitigate a Chapter 15 accident, and i

' where credit can be given for using both safety and non safety related ecuip-l ment to mitigate other events. However, the'SRP only provides review guic-ance, and the staff can deviate from this guidance provided sufficient

[

justification is provided.

This paper provides the requested examples, which fall into three general areas:

(1) examples that show where non safety related equipment is addressed in the regulations, (2) examples that show how the NRC has considered non-safety related equipment to satisfy other than design bases safety concerns and the rationale for taking such credit and (3) examples that show where non-safety related equipment is credited in analyzing design bases accidents. The three sets of examples are not intended to be an all encompassing list for the respective areas.

1.

The following examples show where non safety related equipment is addressed in the regulations:

A.

Equipment Qualification The equipment qualification rule,10 CFR 50.49, specifies the scope of electric equipment important to safety in that section as 1.

Safety related equipment, 2.

Non safety related equipment whose failure under postulated environmental conditions could prevent satisfactory accom-plishment of safety functions by safety related equipment, and 3.

Certain post accident monitoring equipment.

B.

Maintenance l

The maintenance rule,10 CFR 50.C5, defines the required scope of a monitoring program as l

1.

Safety related SSCs, and 1

b Attachment

2.

Non safety related SSCs:

a.

that are relied upon to mitigate accidents or transients or are used in plant emergency operating procedures, b.

whose failure could prevent safety-related SSCs from fulfilling their safety related function, or c.

whose failure could cause a reactor scram or actuation of a safety related system.

C.

License Renewal The license enewal rule,10 CFR Part 54, defines its scope as:

1.

Safety related SSCs, 2.

Non safety related SSCs whose failure could prevent safety-related SSCs from fulfilling their safety related function, 1

and 3.

All SSCs relied on in safety analyses or plant evaluations to perform a function that demonstrates compliance with the regubtions for fire 3rotection, environmental qualification, pressurized thermal s'ock, anticipated transients without scram (ATWS), and station blackout (SB0).

D.

Important to Safety The terms " safety related" and "important to safety" are used throughout the NRC's regulations and guidance. The staff does not consider these terms to be synonymous: rather, the staff considers safety related equipment to be a subset of the equi) ment that is important to safety. The staff believes another suaset of equipment important to safety includes certain non safety related equipment.

The non safety related equipment that the staff considers important to safety is another example of where the staff has allowed credit for non-safety related equipment to satisfy safety concerns.

This topic was briefly discussed in SECY 97 035, " Proposed Regulatory Guide Related to Implemontation of 10 CFR 50.59 (Changes.

Tests, and Experiments), dated February 12, 1997.

In that paper under the discussion of malfunction of equipment important to safety, it states

... Therefore, in considering the scope of equipment for which malfunctions should be addressed, the licensee must address not only safety related equip-ment, but also other equipment that may be relied upon such that safety related equi) ment performs its intended functions and equipment tlat can initiate accidents and transients. Generally, the equipment

l' l

l 3-important to safety for a particular plant is deter.

mined as part of the licensing reviews, and the malfunctions are evaluated in the SAR to the extent that they affect plant safety.

. II.

The following examples show how the NRC has allowed credit for non-safety related equipment to satisfy safety concerns (non DBA) and the rationale for allowing such credit. For the three examples that follow, a backfit analysis was performed before the corrective action was imple-mented. This analysis was performed because, consistent with the backfit rule (10 CFR 50.109), backfitting for purposes other than adequate protection or compliance with regulations is only permitted if it can be demonstrated that, a) there is a substantial increase in the overall protection of the public health and safety or the common defense and security to be derived from the backfit and that, b) the direct and indirect costs of implementation for that facility are justified in view of this increased protection.

A.

Davis Besse Third Auxiliary Feed Pump The motor driven auxiliary feedwater (AFW) pump at Davis Besse Nuclear Power Station is an exam)le of equipment important to safety because it acts as a diverse baccup in the event of a common mode failure (beyond the single active failure criterion) of the two j

safety related turbine driven AFW pumps. A third motor driven AFW pump was added at Davis Besse and other operating plants that 1

previously had only a two train AFW system with two turbine driven AFW pumps. Although the two turbine driven pump systems met all of the design basis criteria (including single active failure) for all i

DBAs, the staff stated in Generic Issue 124 " Auxiliary Feedwater System Reliability," that because of the potential for common mode i

failures (such as dryout of two steam generators), an appropriate level of AFW system reliability did not exist at these plants for the more probable accident precursors. The core damage frequency, or plant risk, associated with seismic events (and other low proba-bility accident precursors) was acceptably low with reliance on only the safety related turbine-driven AFW pumps. Therefore, the third motor driven AFW pump was not required to be designed to safety-grade' criteria.

Hence, the added motor driven AFW pump is impor-tant to safety but cannot be considered safety related because it is not designed or constructed to safety-grade criteria. Although the l

l 1

2The term " safety-grade" is not used explicitly in regulations.

For the purposes of this paper. unless otherwise noted, the term " safety-grade" refers to the quality. fabrication, and construction specifications which are applic-able to equipment deemed safety-related, i

4 addition of a third non safety grade AFW pump would 3rovide a substantial increase in overall protection of the pualic health and safety, the added design and installation costs of making the third AFW p/ benefit basis. ump meet safety grade requirements could not be justified o cost B.

Anticipated Transient Without Scram (AWS) Ruie In order to reduce the risks from ATWS events.

>arsuant to 10 CFR 50.62, the Commission requires operators of lig1t water reactors to prcvide features that are diverse from the reactor trip system and that will reliably aerform their function under conditions indica-tive of an ATWS. T1e featurcs include automatic initiation of the AFW (or emergency feedwater) pumps and turbine trip for all pressur.

ized water reactors (PWRs): a diverse system to interrupt the power to the control rods for Combustion Engineering and Babcock & Wilcox plants; and an alternate rt.,d injection system, and an automatic trip of the recirculation pumps for boiling water reactors (BWRs)

The Statements of Consideration for the ATWS rule state that the additional equipment required by the rule

....to implement diversity for auxiliary feedwater system initiation, turbine trip, recirculation pum i

trip, and reactor trip, while required to be reli p able, will not have to meet all of the stringent requirements normally applied to safety related equipment. The equipment required by this amendment is for the purpose of reducing the probability of unacceptable consequences following anticipated operational occurrences. Since the combination of an anticipated operational occurrence, failure of the existing reactor trip system, and a seismic event or an event which results in significant plant physical damage has a low probability, seismic qualification and physical separation criteria need not be applied to equipment required by this rule.

Generic Letter 85 06 provides quality assurance guidance for ATWS equipment that is not safety related.

C.

Station Blackout (SBO) Rule The SB0 rule (10 CFR 50.63)

" Loss of All Alternating Current Power," requires that each light water-cooled nuclear power plant be able to withstand and recover from an SB0 (i.e., loss of the offsite electric power system concurrent with reactor trip and unavail-ability of the onsite emergency alternating current (ac) electric 2For EWRs. the ATWS rule also placed additional requirements on the standby liquid control system.

J 5

power system) of a specified duration. The term " station blackout" refers to the complete loss of ac electric power to the essential i

and nonessential switchgear buses in a nuclear power )lant.

However, ac power to buses fed by station batteries tarough inverters is available. Section 50.63 requires that for the dura-tion of the SB0 the plant must be capable of maintaining core cooling and appropriate containment integrity. The objective of the rule is to reduce the risk of severe accidents resulting from SB0 by-maintaining highly reliable ac electric power systems and, as

' additional defense in depth, ensuring that plants can cope with an SB0 for some period of time.. The rule requires all plants to be-able to cope with an SB0 for a specified acceptable duration selected on a plant specific basis. All licensees and applicants are required to assess the capability of their plants to cope with an SBO, and to have procedures and training to cope with such an event.

One of the ways to comply with the rule is to provide an alternate ac (AAC) power source. The " alternate ac power source" means an alternating current (ac) power source that is available to and located at or near a nuclear power plant, and meets the following requirements:

1.

It is connectable to', but not normally connected to, the offsite or onsite emergency ac power systems; I

2.

It has minimum potential for common mode failure with offsite power or the onsite emergency ac power sources; 3.

It is available in a timely manner after the onset of an SB0; and 4.

It has sufficient capability and reliability for operation of j

all systems required for coping with an SB0 and for the time j

required to bring and maintain the plant in safe shutdown i

(non DBA).

The AAC power source is not required or specified to be safety-grade, and may be comprised of non safety grade equipment on the 1

basis of the following rationale:

Equipment used to prevent or respond to an SB0 should be suffi-ciently available and operable to meet its required function. To this extent. the Commission desires that appropriate attention be paid to maintaining a sufficiently high state of operability and reliability.

Both the' staff's findings (NUREG 1032) and public comments received do not support an explicit need for plant modifi-cations (AAC power source) for coping with an SB0 event to be safety-grade.

The substantial increase in protection sought by the SB0 rule can be achieved by. modifications that meet criteria somewhat less stringent i

p' 6-than generally required by safety grade criteria. Safety related equipment modifications to meet all safety grade criteria would be more burdensome and expensive and would likely achieve only a very small further reduction in risk. -The major contributors to the residual risk of loss of offsite power are adequately dealt with by modifications that conform to the quality assurance and equipment specification guidance provided in Regulatory Guide (RG) 1.155. The equipment installed to meet the SB0 rule must be implemented so that it dces not degrade the existing safety related systems. This implementation is to be accomplished by making the non safety; grade equipment independent, to the extent practicable, from existing safety-related systems.

Non safety grade AAC power sources that have been used by nuclear power plants for the SB0 rule include, but are not limited to, the following: diesel generators, gas turbines, A?pendix R diesel generators, end hydro generators. Sites that lave installed non-safety grade diesel generators as an AAC power source include:

Quad Cities, Dresden, Arkansas f!uclear One, North Anna, and Surry.

Sites such as Palo Verde and Point Beach rely on non safety grade gas turbine generators as their AAC power source.

III. The following examples of the use of non safety related equipment in

-analyzing DBAs include instances in which the staff found that credit for the use of non safety-related systems to mitigate DBAs was accept-able for both operating plants and an evolutionary plant, Also discussed is a proposal to use non safety related systems in the transient analysis' for a passive plant that is currently under review.

J A.

Main Steam Isolation Valve (HSIV) Leakage Control System (LCS)

The staff has allowed credit for the renoval of radioactive iodine by holdup / decay and deposition in the main steam system in the DBA dose analyses of the Advanced Boiling Water Reactor (ABWR) and a number of operating BWRs. The issue of taking such credit was brought to the Commission's attention in SECW93 087, " Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs " dated July 21, 1993.

A draft of this Commission paper entitled, " Issues Pertaining to Evolutionary and Passive Light Water Reactors and Their Relationship to Current Regulatory Requirements," was forwarded to the Commission on February 20, 1992. Subsequent to these papers, operating plants j

have been ulowed credit for the removal of radioactive iodine by holdup / decay and deposition in the nain steam system in the DBA dose analyses.

Since the components in the main steam system are relied on for the l

plant to meet the regulations, they would normally be classified as safety related; and as such would be designed to safety grade i

standards. However, the main steam system, including the main steam lines ~ downstream of the MSIVS, the turbines, and the condenser, are

7-not generally designed to safety grade standards.

For many plants it can be shown that the system will not collapse in a seismic event even though the system is not qualified to safety grade seismic criterie.

If analys1s and a system walkdown inspection indicate that the system will remain intact in a seismic event, credit has been given in the DBA dose analyses for removal of radiciodine.

This credit and the lower calculated dose allow a larger HSIV leakage limit in the Technical Specification (TS) and elimination of the HSIV LCS. References concerning this issue include the ABWR Final Safety Evaluation Report (NUREG 1503), dated July 1994, and the " Issuance of Amendment Edwin I. Hatch Plant, Unit 2" dated March 17, 1994.

B.

ABWR Non-Safety Related Eouipment Credited in Chapter 15 Transient Analysis Chapter 15 of the ABWR Standard Safety Analysis Report (SSAR) addresses the use of non safety related equipment in the transient analysis to perform safety related functions. General Electric (GE) indicated that non safety related equipment is credited for the high water level 8 trip, use of turbine bypass valves, the recircu-lation pump trip on load / turbine trip, and the relief function of the safety relief valves.

The staff questioned the appropriateness of GE's taking credit for equipment that is not safety grsde to perform safety related func-tions in the transient analysis as stated in the ABWR Draft Safety Evaluation Report (SECY 91-355). GDCs 1 through 4 require that components important to safety be designed to be commensurate with the quality standards, and GDC 21 requires that the protection system be designed for high functional reliability.

In response to this concern, GE identified the redundancy, isolation, environmen-tal, seismic, periodic testing, and QA requirements for the equip-ment.

Even though the equipment previously discussed will not be catego-rized as safety grade, the staff concludes that it is of high quality and has sufficient redundancy to ensure its operability. To ensure an acceptable level of aerformance for the ABWR, GE has identified this equipment in t1e ABWR TS with regard to availabi-lity, set points, and surveillance testing. The staff has stated that this design aporoach is acceptable in the ABWR Final Safety Evaluation Report (FSER), and concludes that credit for this non-safety grsde equipment in the ABWR transient analyses is appropri-ate.

C.

Steam line break accidents Another example of the use of r.on safety related components and systems for a safety pur)ose is in evaluation of a postulated steam line break accident for )WRs. The following is a synopsis of the

8 1

discussion found in NUREG-0138,8 " Staff Discussion of Fifteen Tech-nical Issues Listed in Attachment 'to November 3,1976. Memorandum from Director, NRR, to NRR Staff."

~

In evaluating a postulated steam line break accident for PWRs. the staff assumes that certain non safety related components (as backup to the single active failure of safety related equipment) operate 1

when needed to limit the resultant blowdown to a single steam generator and to lirr.it the consequences of the postulated accident.

The staff believes that it is acceptable to rely on non safety-related components because their design and aerformance are compati-ble ith the accident conditions for which t1ey are es11ed on to function. For LOCAs involving spontaneous rupture of the primary i

system boundary, when damage to the fuel and a release of fission products are potential consequences, the most stringent quality and design requirements, including seismic qualification, are imposed on those systems needed to mitigate a LOCA. However, for accidents involving spontaneous failures of secondary system piping that is not part of the primary boundary, the potential consequences are significantly lower, and less stringent requirements are imposed on the quality and design of the systems needed to cope with such secondary system ruptures.

(See item III.D for an example).

j D.

Credit for Non Safety Related Components as Backup Protection for Design Basis Events for the AP600 During its review of the AP600 design certification application, the staff is evaluating requests by Westinghouse to take credit for non-safety related systems in the transient analyses.

In response to a l

staff request for additional information regarding the use of non-l safety grade systems or components in the licensing design basis analyses Westinghouse stated that non safety related components are assumed operable when they are used as backup protection, l

Westinghouse credited the following non safety related components as backup protection in non LOCA design basis analyses:

(1) the main feedwater event. (2) pump trip in the analysis of an increased feedwater flow the pressurizer heater block in the analyses of loss of normal feedwater and steam generator tube rupture (SGTR) events, (3) turbine stop and control valves, and main steam brar.ch isolation valves in the analyses of increased feedwater flow, inadvertent opening of safety valves, steam line break, and SGTR events.

'Fce the purpose of the discussion of issues in NUREG-0138 a safety-grade component was defined as one that is designed to seismic Category 1 (RG 1.29). Quality Group C (RG 1.26) or better, and is operated by electrical instruments and controls that meet Institute of Electrical and Electronic i

Engineers (IEEE) Standard IEEE-279.

4 9-The. staff is in the process of determining whether crediting these non safety grade backup protection systems and compo-nents in the respective analyses is acceptable.

In determin-ing the acceptability of this approach, the staff is taking into consideration the following:

1.

The trip mechanisms of feedwater aump b'eakers and pressurizer r

heater breakers are simple, and t1e likelihood of the breaker function failure is low.

2.

Available operating data show that the turbine stop and control valves are reliable, and taking credit for the turbine. valves in non LOCA analyses is consistent with the staff position stated in NUREG 0138 (see Item III.C above).

3.

Westinghouse will include testing requirements in the inser-vice test program for (1) feedwater pump trip breakers and

'I a

redundant pressurizer heater breakers, and (ii) turbine stop valves and main steam branch isolation valves to ensure the reliability of these components for backup protection over the

)

life of the plant. The acceatability of Westinghouse's approach to this issue will ae addressed in the AP600 FSER.

j l

E.

Consideration of Enhanced Safety Features in Future Reactors In the Severe Accident Policy Statement (50 E8 32139), dated August 8,1985. the Commission stated that it " fully expects that vendors engaged in designing new standard (or custom) plants will achieve a higher standard of severe accident safety performance than their prior designs." The Commission reaffirmed these expectations in a i

staff requirements memorandum dated December 15. 1989.

In an effort to provioe this additional level of safety in the design of advanced nuclear power plants, the NRC has developed guidance and goals for designers to strive for in accommodating events that are beyond what was previously known as tne design basis of the plant.

In 10 CFR Part 52, the Commission stated that a new design for a nuclear power plant can be shown to be acceptable through (1) demonstration of compliance with the Commission's regulations, including any techni-cally relevant pcrtions of 10 CFR 50.34(f): (2) acce ing applicable unresolved safety issues, and medium ptably address-and high-priority generic safety issues; and (3) acceptably addressing the severe accident vu~lnerabilities identified tarough probabilistic risk assessment. The nuclear industry, through the Electric Power Research Institute, has also recognized the need to establish a higher standard for advanced designs. They have developed addition-al standards to which the nuclear industry believes the designers should conform.

For future nuclear power plants (evolutionary and passive), the staff concluded that vendors should address severe accidents during i

the design stage to take full advantage of the insights gained from j

L nput such as probabilistic. safety assessments, operating experi-1 i

ence, severe accident research, and accident. analysis by designing features to reduce the likelihood that severe accidents will occur and, in the unlikely occurrence of a severe accident, to mitigate the consequences of such an accident.

Incormrating insights and:

design features during the design phase has :een demonstrated to be

- much more cost effective than modifying existing plants.

In light of these initiatives to enhance safety, the NRC, in promul-gating the new 10 CFR Parts 50 and 100 regarding reactor site

- criteria (61 fB 65157), created a framework to permit the consider-ation of enhanced safety features having a significant bearing on i

the probability or consequences of accidental release of radioactive e

i material. Within the framework of the recent rule change to reactor site criteria, the concept of enhanced safety features was intro-duced. The rule change indicates that "the extent to whir the

' reactor incorporates unique, unusual, or enhanced safety totures

' having a significant bearing on the probability or consequences of -

l accidental release of radioactive materials" (emphasis added) can be i

taken into consideration by the Commission. The addition of the enhanced safety clause is' intended to allow consideration of safety enhancements in the assessment of the consequences of accidents.

This would include the consideration of non safety related SSCs in analyzing DBAs where enhanced safety featurec are included in the design to deal with beyond design basis safety concerns.

i 1

4 s

9 e

l i

i

.f

,r.

..