ML20202G446
| ML20202G446 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 12/01/1997 |
| From: | ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| FRN-62FR53932, FRN-62FR53975, RULE-PR-50 102-04045-JML-S, 102-4045-JML-S, 62FR53932-00023, 62FR53932-23, NUDOCS 9712100036 | |
| Download: ML20202G446 (12) | |
Text
00CKETED c.-
USFRC Jarnes M. Levine TF O' 3) 1 5300 Mad Station 7f02 Palo Verde Nuclear Senior v<e Pres %t dC~4F
- ' % 3-0077 P o Don 52034 Phoents, AZ 85072 2034 Generating Station Ndar 102-04045 - JMUSAB/RKR y
Ft.
December 1,1997 AD U! ' -
~
U. S. Nuclear Regulatory Commission
,all NUMBER ATTN: Document Control Desk PRTOSED Ru PR 50 Washington, DC 20555-0001 g pggy6,5)
Attention: Rulemakings and Adjudications Staff (ggg
Subject:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1,2 and 3 Docket Nos. STN 50-528/529/530 Comments on Proposed / Final Rule (10 CFR 50.55a(h))
Dear Sirs:
In the October 17, 1997, Federal Register (62FR53932 and 62FR53975), the NRC published changes to 10 CFR 50.55a(h) that would require compliance with the Institute of Electrical and Electronics Engineers (IEEE) Std. 6031991, " Criteria for Safety Systems for Nuclear Power Generating Stations,"instead of IEEE Std 279, " Criteria for Protection Systems for Nuclear Power Generating Stations" for protection system changes. The rule changes were published concurrently as both a proposed rule and a direct final rule, effective January 1,1998, unless significant adverse comments are received by the NRC by December 1,1997.
APS has reviewed the proposed / final rule changes to 10 CFR 50.55a(h) and is providing comments in the enclosure. The comments are considered to be significant adverse.
Compliance with the changes to the regulations would impose considerable costs on APS and other licensees that would not have a commensurate safety benefit above compliance with the current regulations.
The costs do not appear to have been considered by tha NRC. If the NRC plans to go forward with implernentation of the proposed / final rule, APS requests that the effective date be delayed from January 1, 1998, to June 1,1998, in order to provide enough time to request and obtain NRC review of an exemption from the rule.
21 036 971201
/
50 62FR53932 PDR 100002 ljlg g g]ggjg glll 1
3 5to
U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Comments on Proposed / Final Rule (10 CFR 50.55a(h))
Page 2 Please contact Mr. Scott Bauer at (602) 393-5978 if you have any questions or would like additional information regarding this matter.
Sincerely, F SML.
JML/SAB/RKR/mah
Enclosure:
Comments on Proposed I Fir al Rule -(10 CFR 50.55a(h))
cc:
E. W. Merschoff K. E. Perkins J. W. Clifford J. H. Moorman
i 4'
4 I
t i
e f
i 8
ENCLOSURE l
Comments on Proposed / Final Rule (10 CFR 50.55a(h))
- ('
I
?
!~
4 i
i
\\.
Common's on Proposed i Final Rule -(10 CFR 50.55a(h))
The direct final rule as written represents a significant impact on licensees' design and licensing basis. Incorporation of IEEE-603 into 10 CFR 50.55a does not recognize the substantial impact on existing licensed facilities. This change will significantly revise the design and licensing basis of installed plant protection systems, since there is an ongoing need for plant mcdifications that maintain the original system design requirements. The implementation schedule for the direct final rule does not take into account the level of effort required to review revisions to regulatory guides and the more significant impact of code of federal regulations revisions. The direct fMal rule does not include an implementation schedule and does not consider the impact on pla at modifications that have already been designed, but have not been installed. This woulo require re-review of the plant modification to ensure that the requirements of the direct final rule will be met.
Our comments included below are grouped into functional categories ihat provide specific examples of the impact of the direct final rule, including the costs associated with approval of the direct final rule without regard to the applicability to existing facilities, increased Scope of the new standard and backfit concerns As stated in the direct final rule, the backfit rule was not intended to apply to regulatory actions which change expectations of prospective applicants, and therefore the backfit rule does not apply to the portion of the rule applicable to new construction permits, new operating licenses, new final design approvals, new design certifications and combined licenses. This is consistent with past NRC practice and the discussions on backfitting in the "Value-impact Statement" prepared for Revision 1 to Regulatory Guide 1.153. This does not acknowledge that significant licensing and design basis impacts are incurred when the same standard is incorporated into the code cf federal regulations without consideration to existing licensed facilities.
The principle rationale for issuance of the direct final rule was the perceived lack of comments to the revision to Regulatory Guide i.153. The "Value-impact" statement from regulatory guide 1.153 (Draft DG-1042) in section 2.1.2 clearly acknowledges that the IEEE-603 standard expands the scope of IEEE-279 "...to include power sources and actuation functions...." While the statement does continue to state that the scope expansion is essentially covered by the guidance provided in existing regulatory guides, it fails to recognize that not all-existing facilities are licensed to those same regulatory guides. We feel that this direct final rulemaking action both directly and indirectly introduces substantial changes to the licensing basis of many existing facilities. This must be considered as a backfit action and transition provisions must be identified to allow existing facilities to continue to operate under the licensing basis currently in effect.
I
l l
The "Value-impact" statement continuer, in each succeeding paragraph to conclude that no new requirements are imposed. This is true in the context of a regulatory guide in which an existing licensee has the ability to maintain the licensing basis in accordance with the original license conditions, or voluntarily revise commitments to endorse the new regulatory guidance. Approval of this direct final rule would compel the licent,ee to involuntarily revise the licensing basis to conform to the IEEE-603 standard if a plant design change was required to maintain the protection system capabilities to meet the original licensing basis (i.e. IEEE-279).
Specific sections of the IEEE Standard that represent significant departures from the PVNGS Design and licensing bases are as follows:
Tha fourth paragraph of the " Discussion" section in the " Direct Final Rule" states, "The Commission considers that the systems covered by IEEE Std. 603-1991 and IEEE Std. 279-1971 are the same." This is clearly unfounded, since many of the
" Auxiliary Supporting Features" and "Other Auxiliary Supporting Features," for which examples are given in Fig. 3 of IEEE 603-1991, were not previously identified as being within the scope of IEEE 279-1971.
IEEE Std. 279-1971 classifies single-failure criterion in Section 4.2 as "Any single failure within the protection system shall not prevent proper protective action at the system level when required *. IEEE Std. 603-1991 classifies single-failure criterion in Section 5.1 as "The safety systems shall perform all safety functions required for a design basis event in the presence of; (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions."
Furthermore, Section 5.1 of IEEE-603 states that if a design does not meet the single-iailure criterion then design features shall be provided or corrective modifications shall be made to ensure that the system meets the specified reliability requirements. The single-failure criterion specified in IEEE Std. 279-1971, was one of the major guidelines / criteria used in the design and development of the protection systems in current nuclear plants. The single-failure criterion specified in IEEE Std. 603-1991 constitutes a major change from the original criteria and scope.
To evaluate the impact of the revised single-failure criteria would require a detailed review of existing systems just to determine the scope of impact. Since the new criteria was not a design guideline in current protection systems and constitutes a significantly expanded scope, revising existing systems to meet this new criteria would typically require major modifications or in some cases complete system replacements. This would be particularly true with the various electronic systems, such as the protection systems, since the existing electronic design and circuitry do not allow major changes in logic and function.
2
IEEE Std. 603, Section 5.3, Quality, requires that all components be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with ANSI /ASME NOA1-1989. Palo Verde is not currently committed to ANSI /ASME NOA1-1989. This requires that as a minimum, that a quality control program be implemented to maintain items covered by lEEE Std. 603 requirements seperately from the current quality control program requirements for the remainder of the components.
Section 5.12 of IEEE 603 provides requirements for Auxiliary Features. Section 5.12.1 states that " Auxiliary support fectures shall meet all requirements of this standard." Section 5.12.2 (2) further defines other auxiliary features as "... part of the safety system by association (that is, not isolated from the safety system)..."
This section also refers to Appendix A as an illustration of this caterion. The definition on page 13 provides further definition of " auxiliary supporting features, Systems or components that provide services (such as cooling, lubrication, and energy systems) required for the safety systems to accomplish their safety functions."
This would include systems such as instrument air, non-class AC power, and non-class DC power as well as many other systems that would be categorized as an auxiliary feature under the new requirements. Modification of any system / component and it associated auxiliary system would require an extensive, costly modification, including the redesign of all or part of non-class auxiliary systems.
Section 6.2.3 of IEEE 603 states that override capability must be provided for all protective functions, such that manual actions can be taken to control safety equipnient after automatic protective actions have occurred. This is a new requirement that was not previously specified in IEEE 279-1971. Therefore under the new requirements of the proposed change to 10CFR50.55a, any modification to safety equipment, its associated actuation or control logic, or its associated power supplies, would have to incorporate override capability, along with an analysis showing that the displays and controls necessary to perform override functions are,
" located in areas that are accessible, located in an environment suitable for the operator, and suitable arranged for operator surveillance and action." This would significantly increase the costs associated with designing and implementing necessary modifications. No explicit design analyses were previously required or performed to demonstrate the adequacy of manual override capabilities for safety functions.
Section 8 of IEEE 603 has no ec,uivalent requirement in IEEE 279. The design and licensing basis for PVNGS electric power systems is based on IEEE 308-1971.
With the requirement that changes and modifications to the protection system conform to the standards cited within IEEE 603 and associated regulatory guides, this is clearly an increase in the scope of plant changes and will incur an associated increase in the cost of modifications.
3
The PVNGS digital computer Core Protection Calculators (CPC's) were not designed to any standard for software-based protection systems, since none existed when the plant was licensed. The CPC's were licensed via analyse presented in CESSAR and in the FSAR.
IEEE 603 requires that software-based protection systems adhere to IEEE/ANS 7.4.3.2. Since the CPC's were designed and licensed under a different standard, any changes to the CPC's uould require major changes if not complete system replacement due to the fundamental differences in the original design and the new requirements.
The identification of requirements in Section 5.11 of IEEE 603 is different than those in Section 4.22 of IEEE 279. IEEE 603 refers to the requirements of IEEE 384-1981, IEEE 420-1982, and IEEE 494-1974. The PVNGS UFSAR commits to the requirements of IEEE 384-1974 and IEEE 420-1973. This would require a revision to the PVNGS labeling procedure before we could perform any modifications that relabel plant components.
The NRC staff's backfit analysis states in part that this is not considered to be a backfit because any charges required by the NRC would rieed to have a backfit review and any other changes would be done voluntarily by licensees. Since the requirements of IEEE Std. 603-1991 affect more systems than IEEE Std. 279, " voluntary" changes to these added systems will be more costly than the current requirements. Based on the increased costs, modifications that could improve plant reliability may no longer be economically viable. Even though this is not considered to meet the backfit criteria, this rule change will increase modification coste such that licensees may be discouraged from making plant improvements unless mandated by the NRC.
The rationale for direct final rule The background section of the direct final rule action uses as a justification for this action that "Because there were no adverse public comments to Revision 1 to Regulatory Guide 1.153, the Commission believes that there is general public consensus that lEEE Std. 603-1991 provides acceptable criteria for safety systems in nuclear power plants."
This neglects the very different purpose of a review of a regulatory guide, which does not mandate licensee compliance for holders of operating licenses.
The lack of comments received on the regulatory guidance revision is incorrectly used to conclude that the utility industry has no substantial comments to the mandatory imposition of the IEEE-603 standard to existing plants. The revision to R.G.
153 was not reviewed from the perspective of this rulemaking action. Indeed, section D of R.G.1.153 states that the IEEE-603 standard will be used to evaluate applications for construction permits and operating licenses. Since most operating nuclear electric utilities are not applying for construction permits or operating licenses, there is little, if any, impact of the revision of R.G.1.153 to operating facilities.
4
\\
Palo Verde is not committed to Regulatory Guide 1.153. The Palo Verde UFSAR does I
not refer or commit to Regulatory Guide 1.153. Therefore, there would be no reason to review draft regulatory guide DG-1042. Since the NRC staff issued the draft regulatory guide for public comment in November 1995, it is likely that most currently licensed nuclear plants are committed to IEEE Std. 279 and if committed to Regulatory Guide 1.153, the co,nmitment is to rev. O only.
Since Palo Verde is not committed to Regulatory Guide 1.153, it is incorrect to assume that the draft regulatory guide was acceptable to Palo Verde. As issued for comment, there was no indication that the requirements of the draft regulatory guide would be imposed on licensees by rulemaking.
Funhermore, the line of reasoning concluded that "Because there were no adverse public comments to Revision 1 to Regulatory Guide 1.153, the Commission believes that there is general public consensus that IEEE Std. 603-1991 provides acceptable criteria for safety systems in nuclear power plants." Again this is a valid conclJsion as far as it goes, and we also believe that the IEEE-603 document provides acceptable criteria for safety system designs, but we do not conclude that thir criteria should be retroactively applied to operating nuclear facilities that were licensed to a different standard.
The backfit analysis section of the final rulemaking posting concludes incorrectly that approval of this action does not constitute a backfit situation because: "... This direct final rule does not change the licensing basis (i.e., IEEE Std. 279) for plants that do not intend to make any changes to their power and instrumentation and control systems.
However, the direct final rule would require future changes to existing power and instrumentation and control portions of protection systems to comply with the new standard. This would not be considered a backfit, since the changes are voluntarily initiated by the licensee, or separately imposed by the NRC after a separate backfit analysis." This reasoning does not consider that some plant changes are necessitated by the discovery of an existing plant condition that does not conform to the original licensing and design basis of the facility.
If the condition is not expected to be ccrrected, it is considered a " defacto change" that must receive a 10 CFR 50.59 review.
If the defacto change would be acceptable under the plant licensing basis established pre-1998 using IEEE-279; it could be evaluated and implemented under the 50.59 process. However, post 1998. the 50.59 review must consider the IEEE-603 standard, and since the plant was not originally designed to this standard, it would most likely fail the 50.59 change criteria, forcing the plant to implement an unnecessary and costly modification. This does not conform to the staffs stated understanding that changes to the protection system are " voluntary' and as such are not "back fit" considerations.
Plant modifications are often not voluntary. They may be forced by such factors as equipment obsolascence or wear out, increased regulatory ;aterest in some issue, industry experience, discovery of failure modes, etc.
Also, the definition of a modification's " scope of effect" as defined by IEEE 603 is not clear. It is common in the 5
nucleai inductry for utilities to experience ever-widening scopes of effect whether related to modifications, new programs, or new regulations.
Revisions to EQ Requirements contained within the IEEE 603 Standard as applied to existing Licensees Implementation of IEEE Std. 603-1991 incalidates licensee commitrnent to those older s5ndards endorsed by regulatory guides. Therefore, the licensee will be required to reevaluate their current licensing basis in terms of the requirements of the later revision of the standards.
Since, the standards are concerned primarily with equipment qualification, there is a very large impact on plant equipment and equipment installations.
Paragraph 5.4, Equipment Qualification," requirements for safety system equipment conflicts with the requirements of 10CFR50.49(c)(3) that only require " harsh environment" equipment qualification. Programs based on good commercial quality that have been invoked by some licensees does not appear to meet the IEEE Std. 603-1991 requirements for a type test, previous operating experience, analysis, or combination of these that substantiates the performance requirements for safety systems that are not located in " harsh environments."
The PVNGS Post-Accident Monitoring Instrumentation was not designed to IEEE 279, but instead meets specific requirements of equipment qualification, separation, etc. as laid out in the various categories of RG 1.97. If IEEE 279 type requirements are imposed on any of this equipment via a mod developed in accordance with IEEE 603, rnajor redesign or equipment change-out may be required.
Dual Licensing Basis A dual licensing basis will be created for those design modifications initiated after 1/1/98. For example, if a component is reolaced with a like component or with a slightly different component make or model number, or a minor modification to the system architecture is required, an evaluation will be required to determine which portions of the circuit and auxiliary systems must be upgraded to meet IEEE 603.
It is not clear whether c partialimplementation of the new design standard would be acceptaole or if entire system would have to be replaced. Even if IEEE 603 applied only to the portion of the protective system that was changed, it will be difficult and confusing to keep track of the portion of the system that complies with IEEE-279 and the portion that complies with IEEE-603.
6
The direct final rule is ambiguous as to which versions of industry standards licensees are required to comply with for new work. IEEE 603 is significantly different from IEEE 279 in that it references many other standards. This leads to the following questions:
If a certain version of a standard is referenced in IEEE 603, a second version in the Regulatory Guides, and a third version in the licensee's UFSAR, which version must be follnwed?
If a Regulatory Guide is updated in the future to reference a new version of an IEEE standard referenced in IEEE 603, does such " endorsement" by the NRC constitute a de facto revision to 10CFR50.55a? If so, at what time does the change take effect?
If an industry standard is referenced in IEEE 603 and reference other standards not listed in IEEE 603; does the direct final rule require that the subsidiary references also be followed?
Some of the standards referenced in IEEE 603 have been revised and reissued since the publication of IEEE 603. Do licensees have the flexibility to adopt the newer requirements, or must they adhere to the older ones?
In cases where the UFSAR now takes exception to certain provisions of the standards, must licensees revise the UFSAR to eliminate the exception for future work?
Rovisions to current Licensing Basis The level of effort and expense to incorporate IEEE 603 into Palo Verde's licensing basis documents is not trivial. It would be necessary to update the UFSAR and other licensing and design basis documents to reflect the new requirements, including the newer versions of industry standards referenced by lEEE 603. This would include the need for a demarcation between the portions of the plant that are still under the old standard vs. those under the new requirements. Considering the number of disciplines that would be affected, it is estimated that this work would cost at least $100K.
IEEE 603 requirements will effectively change our design basis with regard to modification work, because the new requirements would need to be specified as base design inputs. These inputs are reflected in plant output documerts such as design basis
- manuals, engineering
- drawings, engineering specifications, installation specifications, etc. Therefore, cignificant engineering manhours will need to be spent in a review to identify the differences between our current committed documents and the later revisions of the inferred documents, and determine the impact and complete any required updates Additionally, personnel would have to be trained on the changes and new requirements.
7
I The accelerated approval schedule for the implementation of the direct final rule to incorporate the IEEE-603 standard into 10 CFR Part 50.55a represents a substantial financial and logistical impact to the operation and maintenance of nuclear electric utilities. The impact is manifested in many areas of station engineering, design, and licensing activities. First the impact to the plant licensing basis is more than trivial. The incorporation of the IEEE 603 standard and by reference the many attendant and supporting industry standards represent a major change in the licensing basis of virtually every electric utility in commercial operation.
In this one action a large percentage of the industry standards that PVNGS has committed to and was licensed to are changed to later revisions, by virtue of their endorsement in reCulatory guides, without en appropriate period of time to assess the impact to the station of this indirect revision to its licensing basis.
As identified in the direct final rule notification published on 10/17/97, "If the aferenced standard has been endorsed in a regulatory guide, the standard constitutes a method acceptable to the Commission of meeting a regulatory requkement as described in the regulatory guide. If a referenced standard has not been endorsed in a regulatory guide, the licensees and applicants may consider and use the information in the referenced standard consistent with current regulatory practices." This paragraph implies that if the industry standard is endorsed by a regulatory guide, then the utility must now comply with the industry standard endorsed by the regulatory guidance, even if the utility is commited to a different industry standard in the currently approved licensing basis.
This action in itself represents a backfit issue in that utilities will be required to comply with requirements that are currently outside of its their current licensing basis.
Implementation considerations This accelerated approval cycle makes no allowance for in-process modifications. At a multi-unit facility such as PVNGS, design changes require 18 months following the issuance of the final engineering design change package to be fully implemented in all three units. Specifically, a design change imp!emented in Unit 2 in the Fall,1997 refueling outage would comply with IEEE-279, and the same modification implemented in Unit 1 in the Spring,1998 refueling outage must comply with IEEE-603. There is insufficient time to assess the impact of this direct final rule on the acceptability of the plant design change scheduled for implementation in Unit 1. If the plant design change must be reengineered to comply with the requirements of IEEE 603, it must be rescheduled to the next available outage window. This could represent a three year delay in Slementation of the design change.
This will also lead to additional documentation burden on station staff in maintaining the design and licensing basis for pre 1998 modifications and post 1998 modification implementation.
Additionally, if a design modification is installed pre-1998, and required redesign to install post-1998, due to new design requirements imposed by the mandatory compliance to IEEE 603, must the pre-1998 installations be updated to the revised 8
t design' If redesign is not required, this represents at a minimum an additional burden to configuiation management activities, and brings inb question the value added by mandatory compFance to a revised licensing basis condition. If redesign is required, then the final rulenaking as published Mes not require pre-1998 installations to be modified with the new it E 603 compliara design, apparently in an effort to address the lack of a backfit analysis for this proposed rulemaking activity.
Within the context of compliance to IEEE 603 as incorporated into 10 CFR 50.55a, several areas appear to be open to interpretation. For example:
Within the context of 10 CFR 50.55a, how is the phrase "to the extent feasible and practical (Reference IEEE 603 Section 6.4) to be interpreted?
IEEE 603 Section 2 provides several definitions that have not been previously defined in law such as " Class 1E", " division" and " associated circuit." The definition of division varies between operating plants and significantly between the part 50 and part 52 plants.
What is the iegal interpretation of "neceptable reliability" (Reference IEEE 603 Section 8.3)?
lEEE 603 requires that indication shall be automatically actuated if the bypass is expected to occur more than once a year. How is this frequency to be monitored und what regulatc y consequences would result from more frequent bypasses?
The term " acceptable reliability" is extremely subjective.
And finally, this rulemaking does not include consideration of license life extensions. By incorporating this standard in 10 CFR 50.55a without transition conniderations established for plant license extensions, it would require reanalysis of the protection systems design bases originally approved to IEEE-279, against the criteria of !EEE 603.
It is extmmeiy unlikely that plants designed in the 1960's and 1970's would be capa' of meeting licensing conditions established in the late 1990's.
This effectively preclu.ies the application for plant life extension without substantial protection system redesign and increased costs.
9
_