ML20197J090
| ML20197J090 | |
| Person / Time | |
|---|---|
| Issue date: | 12/29/1997 |
| From: | Weber M NRC OFFICE OF NUCLEAR MATERIAL SAFETY & SAFEGUARDS (NMSS) |
| To: | Killar F NUCLEAR ENERGY INSTITUTE (FORMERLY NUCLEAR MGMT & |
| References | |
| NUDOCS 9801020080 | |
Text
December 29, 1997
Mr. Felix M. Killar, Jr.
Nuclear Energy Institute
Suite 400
1778 I Street, NW
Washington, DC 20006-3708
Dear Mr. Killar:
As you requested prior to the Nuclear Regulatory Commission / Utility Workshop on December 8-10, 1997, please find enclosed the documents that were distributed or produced during Working Group Session III on Fuel Facility Integrated Safety Analyses and Licensee Performance Reviews. Enclosure 1 is the agenda for the session. Contrary to the agenda, the session focused almost exclusively on Integrated Safety Analyses (ISA). Enclosure 2 is a set of the slides that I used at the beginning of the Working Group session as a starting point for our discussions about ISAs. Enclosure 3 is a copy of the viewgraphs that Charlie Vaughan used in the plenary session at the conclusion of the workshop to report on the observations and conclusions of Working Group Session III. You may be particularly interested in the proposal at the end of the report to conduct an industry workshop in February 1998 to explore and resolve problems with the ISA process. Enclosure 4 provides the summary notes for Working Group Session III, which were prepared by Deborah Seymour, NRC Region II.
If you have any questions or would like to discuss this information, please contact me at my current telephone number (301-415-7293) or via email at mfw@nrc.gov.
Sincerely,
Michael F. Weber, Acting Deputy Director
Division of Waste Management
Office of Nuclear Material Safety and Safeguards
Enclosures:
As stated
cc: CVaughan, General Electric
DISTRIBUTION:
Central File FCI.D r/f NMSS r/f FCSS r/f MGalloway Madams WSchwink TSherr DWM r/f ETen Eyck EWDrach RMilstein DSeymour EMcAlpine PDR TCox DDamon DCollins
DWM: MWeber
OFFICIAL RECORD COPY
Working Group Session III
Fuel Facility Integrated Safety Analyses and Licensee Performance Reviews
Wednesday, December 10, 1997
Objective:
To explore current issues associated with fuel facility Integrated Safety Analyses (ISAs) and Licensee Performance Reviews (LPRs) and identify possible approaches for resolution of these issues.
Agenda:
9:15 Opening (Michael Weber / Charlie Vaughan)
9:20 ISA Status Summary and Seed Presentation (Michael Weber / Charlie Vaughan)
9:40 Facilitated Discussion on ISAs
- What barriers currently exist to the development and maintenance of ISAs?
- Recognizing established programs for double contingency protection against nuclear criticality, how can criticality safety best be considered in ISAs?
- How much ISA information needs to be submitted to NRC and in what form?
- How can the ISA best be incorporated into the licensing process? Inspection process? Emergency response?
10:40 Wrap Up on ISAs
10:50 Break
11:00 LPR Status Summary and Seed Presentation (Michael Weber / Charlie Vaughan)
11:10 Facilitated Discussion on LPRs
- How can the LPR process be more constructive or more useful for fuel cycle licensees (e.g., improved timing, format)?
- Should the LPRs be more quantitative?
- Have the "standards" for the LPRs changed since their inception?
11:50 Wrap Up on LPRs
12:00 Adjourn
Definition of Integrated Safety Analysis (ISA)
- An analysis to identify hazards and their potential for initiating event sequences, the potential event sequences, and their consequences, and the site, structures, equipment and controls that prevent or mitigate the event sequences or consequences.
- Scope includes nuclear criticality, radiological, chemical, industrial, and environmental hazards.
- A type of systematic analysis that considers:
  1. What can happen?
  2. How likely?
  3. What are impacts?
  4. What controls are needed for safety?
ISA Analysis Method is Matched to Need
- Methods developed to analyze process hazards at chemical facilities.
- Deductive (top down) and inductive (bottom up) approaches acceptable.
- Deterministic, qualitative approaches preferred by industry - emphasis on failure sequences and controls
- Full range of deterministic and probabilistic techniques available
ISA Approach at Fuel Fabrication Plants
- Conduct hazard analysis on systems; consider likelihood and unmitigated consequences of failure sequences
- Assign risk importance to failure sequences
- Identify controls (active and passive engineered controls; administrative controls) to prevent or reduce likelihood and mitigate consequences
- Apply graded level of management programs to ensure controls remain available and reliable; higher level programs for controls that protect against higher risk sequences
- Management programs include functional testing, quality assurance, preventive maintenance, configuration control, training, and others
ISA at the NRC
- Need for ISAs at fuel facilities identified in late 1980s to early 1990s after Sequoyah Fuels and GE-Wilmington events
- Rulemaking initiated by NRC in 1993 to require fuel fabricators to develop ISAs to provide a systematic safety basis for continued operations
- Nuclear Energy Institute petitioned NRC for rulemaking to require ISAs in 1996 in response to request from Commission
- Proposed rule (amendments to Part 70) due to Commission in July 1998
- Licensees have committed to prepare ISAs in renewed licenses; ISAs build on existing Criticality Safety Analyses and chemical safety programs for EPA / OSHA
- NRC and licensees are learning from initial reviews; lessons are being incorporated into Part 70 amendments and Standard Review Plan
Status of ISA Development
- Specifications for ISAs for fuel facilities to be determined in amendments to Part 70 for fuel fabrication facilities
- Draft proposed rule with implementing guidance due to Commission in July 1998
- All but one of the fuel fabricators are currently developing ISAs, as required by license conditions
- Last of the ISAs will be completed and submitted to NRC in 2001; first ISAs are already under review
- Licensees are already implementing ISAs for new processes (e.g., NFS amendment for new Navy fuel process)
FUEL FACILITY INTEGRATED SAFETY ASSESSMENT
The ISA is an analysis to identify hazards and their potential for initiating event sequences, the potential event sequences, and their consequences, and the site, structures, equipment, and controls that prevent and mitigate the event sequences or consequences.
Several issues were identified:
- The NRC needs to define the scope of the ISAs including inspection and licensing activities. If the NRC agrees with the safety analysis, perhaps the NRC should not inspect areas covered by OSHA and EPA regulations.
- There is a lack of qualified individuals to build/maintain the ISAs. Plus, the use of existing, qualified individuals is a drain on plant resources and can affect a plant's competitive edge.
- The licensee needs consequence criteria for the ISAs now, especially in the areas of industrial and chemical safety. How will existing ISAs be treated when Part 70 is amended?
- How should criticality events be handled in the ISA? Some plants perform a separate "check" on criticality events.
- What does it mean to maintain an ISA? Is it a living document, or a bounding document which would be referenced when changes to the plant are proposed? Could reactor experience with 50.59 be used as a model for change control at fuel fabrication facilities?
- What is required when a plant is proposing a temporary change to the plant to support research and development? What type of involvement will the NRC have?
- Is public access to proprietary information a barrier to ISA development?
- Proposal of an industry workshop in February 1998 to explore and resolve problems with the ISA process. Perhaps include NRC during second half of workshop.
NOTES TAKEN DURING FUEL FACILITY INTEGRATED SAFETY ASSESSMENT (ISA) AND LICENSEE PERFORMANCE REVIEWS (LPR) WORKSHOP
The workshop's agenda included ISAs and LPRs, however, the group decided that ISAs should be the primary topic for the workshop. LPRs doing well, no surprises. LPRs are assessments of safety and safeguards aspects of fuel fabrication facilities; they do not address fuel quality issues.
One workshop facilitator proposed to discuss vendor responsibility for design and quality issues associated with the use of the fuel in power reactors (based on the enforcement actions at Siemens Power Corporation this past summer). However, the group decided that there probably wouldn't be enough time to cover both topics and that a different group of participants would be needed to have a meaningful discussion of the design and quality topic.
INTEGRATED SAFETY ASSESSMENTS
Session started with a brief presentation by NRC facilitator (F), which included an unofficial definition of an ISA and a list of possible discussion subjects.
F indicated that ISAs include radiological, chemical, environmental, criticality, and industrial safety; and that industrial safety included fire, lifting and falling, and electrical hazards, where such hazards impact the safety or security of special nuclear material. Licensee attendees indicated that they did not realize that the ISA included industrial safety concerns such as these.
F discussed that several different acceptable methods exist to develop an ISA. AIChE has guidance for approaches.
Basic development of an ISA: hazard analysis is used, risk importance is assigned, controls identified, graded level of assurance implemented.
History of ISAs: initial reviews. GE, BWXT have submitted ISAs to NRC. Question posed by F: what needs to be submitted to NRC, how much detail is needed? Specifications for ISAs will be included in amendments to 10 CFR Part 70.
Continued presentation by licensee representative acting as facilitator (LF):
ISAs are dramatic change in way to view safety. AIChE handbook is very good reference - but barely gets process started because there are so many differences between the chemical industry and nuclear industry. Licensee has to develop graded hierarchy for implementation; software to support this has to be developed; culture change hard to get teams to work in integrated fashion, criticality and radiological protection interests may conflict; have to work through tradeoffs. Good software is not available. Analytical techniques are event driven and require human interface before specific controls can be identified.
2 ISA summaries sent to NRC. NRC was not happy with the summaries, even though it was prepared in accordance with an NRC outline; industry needs to know what summaries should look like.
General Discussion with Group:
Is ISA analogous to IPE at reactors? Some analogies, but ISA is not as in-depth as a PRA, and NRC does not have target level risk values for the fuel fabrication facilities. NRC has asked licensees to establish safety basis for plants.
Improvements in one area may have negative impacts in another area. How is this going to be handled? For example, trays under leaking equipment may affect criticality safety while improving radiological safety. Recognize that a trade off exists and take a reasonable approach to reduce both risks, as appropriate (e.g., tray one inch deep). Fire safety and chemical safety have bigger trade-offs than radiological protection and criticality control.
Where does the industrial safety side of ISA stop and when does it fall outside of NRC's purview? One licensee didn't consider industrial safety as part of scope (i.e., lifting, acid spill).
For example, in the event of an NOx release, operators leave area with no impact on nuclear safety or security, so didn't consider release as part of ISA and didn't think NRC was going to inspect this.
F - these types of events may be dominant risk. Comment made that safety programs are in place, but seen as outside of NRC domain. This issue needs to be resolved by clearly stating the scope of the ISAs and the extent of NRC's licensing and inspection reviews.
Licensee - How do we separate these areas of concern? Reactors have MOU w/ OSHA. Fuel facilities (FF) have same MOU. Comment made that the scope of ISAs needs to be clearly defined and whether they include industrial safety. Licensee doing ISAs to improve efficiency of operation, and looking at large scope. NRC has to define the scope of inspections at sites. Is the NRC going to regulate fuel facilities to higher standard than OSHA? Why does NRC need to regulate safety aspects that fall under OSHA or EPA? These are concerns of licensees.
Licensees have established double contingency protection for nuclear criticality. An example was shared regarding a conflict between an airborne issue and criticality safety (curtail airborne and create unfavorable geometry).
Criticality safety folks need specialized knowledge, and it is tough to find these people. This is biggest bottleneck to building/maintaining ISAs. As prices drop, need better people. People diverted from plant operations to support regulatory issues.
NRC should be careful not to force ISAs into PRAs. NRC regulatory programs tend to grow with time. This drives resource and attention issues. This drives safety program to "average." The NRC should try not to proliferate requirements.
NRC - The NRC has determined that ISAs are necessary to provide a current, up-to-date, and comprehensive safety basis for operations. This is one of the principal benefits of establishing and maintaining ISAs. Maintaining the ISAs as living documents may actually reduce burdens associated with license renewals and allow for change controls such as those allowed for under 10 CFR 50.59.
Licensee - Should the NRC limit the scope of the ISA, taking into consideration proprietary information? Do licensees need to prepare a proprietary free ISA and a proprietary ISA? This would be resource intensive, and why is it needed?
What does the NRC expect the licensee to do with the ISAs once they are completed?
F - the NRC will have a comprehensive safety basis for plant operation (right now, the safety basis is not fully integrated, incomplete, and dated; this was an important consideration for development of ISAs). The ISAs will simplify renewals since they are living documents; perhaps changes to processes will be approved quicker. The ISA should streamline changes.
Have any plants had to make changes as a result of ISA? Licensee - Yes. However, the changes have not been substantial or costly. Fuel facilities operate safely. However, an average safety program will result in periodic failures; ISAs will not result in much increases in safety, although they will fine tune some items.
Need to discuss scope of what protecting against; where is cutoff? Licensee needs to know if the scope changes when the regulations are issued. Changes in scope may significantly impact licensees. NRC guidance will be available in the form of the proposed rule sometime after 7/98.
Final rule issued approximately a year after the proposed rule. Licensee needs scope criteria now, since they are working on programs now. Licensees believe that NRC needs to provide protection for licensees to prevent having to redo ISAs.
Regarding high exposure to chemicals, etc.; OSHA and EPA already look at these, why do we need double regulations? What does the NRC mean by chemical hazards? A facility had a NOx release, didn't the regulatory sphere grow? If NRC concurs with licensee's safety analysis, the NRC should not inspect chemical safety or industrial safety. If a chemical spill has no impact on nuclear safety, then NRC should not inspect.
Should NRC inspectors look at fire protection in areas where there is no impact on nuclear safety? The licensee would like to carve out pieces of ISA from NRC inspection.
Double Contingency issue:
Existing nuclear safety programs treat criticality safety more important than other safety areas. Is this true?
NRC - it is a rare circumstance where NRC will buy off on single contingency; under what conditions would NRC relax requirements for double contingency? How can the ISA best inform these decisions?
LF - in criticality safety, if you don't assume double contingency, you go to high high consequence and likelihood and have to have maximum assurances. One licensee looked at unmitigated consequences and assumed at least one contingency was in place, and moved criticality events to medium consequences. Having all criticality safety events go to high high consequences doesn't lead to a balanced program.
Two licensees handled criticality events twice: once in the ISA and then again to ensure double contingency protection, consistent with existing practice.
How likely is a specific event or event sequence? This pushes licensees towards PRA space. Has anyone developed a small PRA? There have been arguments over risk numbers when developing fault trees. One licensee used expertise of team to decide risk bins, but NRC said this appeared to be "guessing."
What does it mean to maintain an ISA? Is it necessary to update ISA for every change in plant? This would be too costly. One licensee indicated that they did not want to maintain ISA as living document. They would look at all changes and do integrated review and look at ISA, but not update the ISA. Another licensee said should only have to update the ISA if change risk isn't bounded by the ISA. The first licensee commented that everything that has an effect on system is updated. What does this change do?
Question by licensee: Should scenarios be maintained? Scenarios are a snapshot in time. Every change made to the plant introduces or changes scenarios. Some licensees are updating scenarios, some don't.
Risk matrix discussion. One licensee has yes/no conclusions come out of a 5x7 (likelihood vs. consequences) control risk matrix, another licensee has a 3 level graded approach. NRC is still considering the alternatives for presenting the results of the ISA in a meaningful format. One licensee is looking at this to remove criticality from a high QA category.
NRC - however, when criticality events are categorized as a medium risk, some controls do not get as good assurances (e.g., functional testing, configuration control, QA), and this may increase risk. With the lesser level of protection, can licensees support the conclusion that failure of the contingency is unlikely?
When do you update an ISA? As you get further and further from the original ISA after several changes, when is that ISA no longer relevant or adequate to assess the risk? This might be a challenge. One licensee documents the safety basis in "ever green" technical reports for each system. There may be a threshold where it would make sense to revisit a particular topic; time and experience will tell.
NRC - However, over time, as changes are made, if the ISA is not updated, the ISA could lose its validity and currency. How many changes can you make before the prior ISA is no longer valid? The answer may vary depending on the area looked at (criticality vs fire safety).
Question from licensee: Do you need to do formal ISA for a 2 month experiment or prototype operation intended for research and development? Or could subset of ISA suffice?
NRC - first type evolution, one of a kind evolution may have higher risk, so an ISA may be especially needed and helpful.
Licensee - how much is needed for these? Complete, formal ISA with lots of documentation, or a less rigorous method, and how much of this should go to the NRC for review and approval?
How much does NRC have to know about new processes, changes in operation, tests, before licensees can move forward with changes?
Licensee - the handling of proprietary information does not work well. Lengthy process, and sensitive, state-of-the-art information becomes vulnerable for inadvertent release to competitors.
There is a perception that NRC has, in the past, released information that licensees wanted to retain as proprietary. Also, much of this information is time sensitive, and process to deal with proprietary information can be slow and cumbersome (e.g., screening documents for proprietary information; redacting documents); the licensee loses a competitive edge, and it is not worth it.
Licensee - We are trying to protect proprietary information, however the NRC tries to get detailed information on our processes as part of their review. FOIA requests create problems with which parts of documents are proprietary and can be withheld from public disclosure.
NRC - The safeguards are in place to ensure proper handling of proprietary information by NRC. On occasion, NRC does not agree with licensees that certain information is proprietary and, therefore, either returns the information to licensees or releases it. NRC also pointed out the differences between protecting proprietary information under the Atomic Energy Act and under the Freedom of Information Act. Criteria for release of information are somewhat different. This is highlighted to licensee attention in the formal disclosure determination letters that NRC issues. Any specific instances where industry believes NRC inappropriately released information to the public (and the competition) should be brought to NRC's attention and evaluated. This should not be a barrier for developing, submitting, and maintaining ISAs.
Licensee - Perhaps reactor experience with the change control process under 10 CFR 50.59 can be incorporated into the fuel facility arena.
NRC - The plan for Part 70 revision is to allow upgrades without prior approval (similar to what exists for safeguards now under §70.32). The Commission is currently evaluating the §50.59 process for reactors. Any changes NRC would propose for fuel cycle facilities under Part 70 would be consistent with Commission-directed changes in §50.59 or would be justified based on the specific situation for fuel facilities.
The discussion ended with the LF proposing the licensees hold a workshop deciding industry's positions on these issues in the February 1998 timeframe; and to consider inviting NRC for part of this proposed workshop.