ML19176A070: Difference between revisions

=Text=
{{#Wiki_filter:NEI 96-07 Appendix D Criterion 6 Examples June 25, 2019
©2019 Nuclear Energy Institute

Examples Will Show:
Sec. 4.3.6 of Appendix D is consistent with NEI 96-07, R1
Two decades of implementation
Developed with NOPR and 1999 Final Rule SOC in mind
Logic and treatment of Criterion 6 is consistent with the application of other 10 CFR 50.59 Evaluation criteria
Sec. 4.3.6 of Appendix D avoids uneven application of 50.59
Consistent with NEI 96-07, R1
Consistent with NRC's Reliability Principle of Good Regulation
Supports NRC focus on risk-significant issues

Examples for Discussion
Instrument Air Compressor Digital Controls
Diesel Generator Jacket Water Surge Tank Level Control
Containment Fan Coolers Digital Controls
Digital Feedwater Control System
As time allows:
* Feedwater Debris Strainer

Instrument Air (IA) Compressor Digital Controls
The Instrument Air system provides compressed, filtered and regulated air in support of various plant needs.
Compressed air is supplied to the IA system by three 50% capacity (405 scfm), oil-free, reciprocating air compressors, each with its own after-cooler, moisture separator and air receiver.
When Instrument and Station Air Systems are separated, only two of the three IA compressors are required to supply the IA header requirements for both units.

Instrument Air Compressor Digital Controls Example Plant UFSAR

Instrument Air Compressor Digital Controls
UFSAR:
* The IA compressors discharge to an IA header which is common to both units.
* FMEA: 2 of 3 IA compressors are required during normal ops; low P in the supply line auto starts standby IA compressors
* Safety analyses: assume loss of the Instrument Air System
Proposed Activity:
* Install new IA compressors with digital controls
* Likelihood of SCCF of all compressors not sufficiently low = 0 of 3 compressors
* Possible loss of normal feedwater event

IA Compressor Digital Controls
Columns: Scenario; UFSAR Description; 3.12 Safety Analyses; SA current new; different result?/LAR?
* Plant 1 - NEI; 2/3 0/3; Loss of Normal Feedwater (LONF); IA system assumed to fail (no change); No
* Plant 2 - NEI; No existing description; LONF; No change; No
* Plant 1 - NRC; 2/3 0/3; LONF; No change; Yes
* Plant 2 - NRC; No existing description; LONF; No change; Not Clear
 
IA Compressor Digital Controls Illustrates
Appendix D's approach is consistent with NEI 96-07, Rev. 1
* using the safety analysis level
Appendix D's approach supports NRC focus on risk-significant issues
* The NRC's approach appears to require LARs for a lot of very reasonable and benign modifications.
 
Diesel Generator (D/G) Jacket Water Surge Tank Level Control
Diesel generator supplies power to required emergency loads
* D/G needs jacket water supply in order to perform its design function
Two 100% redundant trains
Surge tank is described as having a manual-operated supply and drain, along with various alarms and a high temperature D/G trip
* Low level alarm actuates at 200 gallons remaining in a 450 gallon surge tank
* Drain line averages 5 GPM
Effect of operator error on surge tank draining is discussed
 
D/G Jacket Water Surge Tank Level Control

D/G Jacket Water Surge Tank Level Control
UFSAR:
* One D/G train operates
* FMEA: low water makeup water replaces losses
* Safety analyses: assume single failure; one train operates
Proposed Activity:
* Replace manual control with digital controllers and air-operated valves
* Likelihood of SCCF of both controllers not sufficiently low = 0 of 2 D/G
* FMEA would examine losing both trains
* Safety analyses would reflect FMEA outcome
 
D/G Jacket Water Surge Tank Level Control - new/revised FMEA
Procedures already exist for:
* Local operator monitoring of D/G operation
* Response to Low Surge Tank alarms MCR Trouble Alarm typically points to a local panel
* Operator manipulation of surge tank supply and drain valve
40 minutes (200 gallons being drained at 5 GPM) are available after alarm generation
Operator complies with procedural guidance
Surge tank function is preserved  D/G design function is preserved
 
D/G Jacket Water Surge Tank Level Con.
Columns: Scenario; UFSAR Description; 3.12 Safety Analyses; SA current new; different result?/LAR?
* Plant 1 - NEI; Detailed FMEA; D/G Operation; At least one D/G operates (no change); No
* Plant 2 - NEI; No existing description; D/G Operation; No change; No
* Plant 1 - NRC; Detailed FMEA; D/G Operation; No change; Yes
* Plant 2 - NRC; No existing description; D/G Operation; No change; Not Clear
 
D/G Jacket Water Surge Tank Level Control Illustrates
Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
* NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
* NRC's approach is not clear for plants with no existing UFSAR description
Appendix D's approach is consistent with NEI 96-07, Rev. 1
* Both developed with NOPR and 1999 Final Rule SOC in mind
* Revised FMEA = The result of the logically required operator actions in response to the effect of the level controller's failure is the preservation of the D/G's function
 
Containment Fan Coolers Digital Controls
Limits the containment ambient temperature during normal plant operating conditions
Reduce containment ambient temperature and pressure following a Loss of Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) inside containment
Provides mixing of the sprayed and unsprayed regions of the containment to improve airborne fission product removal
Provides a mixed atmosphere for hydrogen control
Five containment fan coolers provided

Containment Fan Coolers Digital Controls
 
Containment Fan Coolers Digital Controls
UFSAR:
* 2 of 5 coolers required to operate following a DBA
* FMEA: at least two operable coolers has no effect on the Containment Heat Removal System
* Containment pressure safety analyses: two coolers assumed to operate
Proposed Activity:
* Install digital controls for each containment fan cooler
* Likelihood of SCCF of all fan coolers "not sufficiently low" = 0 of 5 coolers following a DBA
* Calculation that used the cooling rate produced by two fan coolers revised to using a value of zero (0)
 
Containment Fan Coolers Digital Controls
Columns: Scenario; UFSAR; 3.12 Safety Analyses; (vi) different result?; (vii) DBLFPB exceeded or altered?; LAR?
* Plant 1 - NEI; 2/5 0/5 coolers; Ctmt Press.; Yes - SA Acc. Crit. NOT Met; No - SA Acc. Crit. Met; Yes
* Plant 2 - NEI; No existing description; Not Credited; No; No; No
* Plant 1 - NRC; 2/5 0/5 coolers; Ctmt Press.; Yes; No; Yes
* Plant 2 - NRC; No existing description; Not Credited; Not Clear; No; Not Clear
 
Containment Fan Coolers Digital Controls Illustrates
Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
* NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
* NRC's approach is not clear for plants with no existing UFSAR description
Appendix D's approach focuses on the same safety analysis as criterion 7, but with differing assumptions
* Criterion 6: to create a possibility, assume SCCF (0/5 coolers)
* Criterion 7: to reflect performance as designed, assume single failure (at least 2/5 coolers)
 
Digital Feedwater Control System
Main Feedwater Regulating Valves (MFRV) and Bypass Feedwater Regulating Valves (BFRV) automatically control feedwater flow and maintain steam generator water level.
The Steam Generator Water Level Control System (SGWLCS) establishes and maintains the steam generator water level within predetermined limits during normal operating transients. The SGWLCS also maintains the steam generator water level within predetermined limits and unit trip conditions.
 
Digital Feedwater Control System
UFSAR:
* A switchover from the BFRVs to the MFRVs is initiated manually by the operator at approximately 25 percent power
* UFSAR Section 15.1.2, Feedwater System Malfunctions that Result in an Increase in Feedwater Flow, considers the full opening of one feedwater regulating valve
Proposed Activity:
* Install digital controls to use the BFRV alone, the MFRV and BFRV in parallel, or the MFRV alone to automatically control feedwater flow as power level changes.
* Possible increase in feedwater flowrate in two loops due to both the MFRVs and BFRVs going fully open.
 
Digital Feedwater Control System
The reanalysis of the hot full power case feedwater malfunction event in one loop demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 are acceptable with the proposed change and assuming a SCCF. An analysis of a hot full power case feedwater malfunction event in two loops was also performed and also demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 for the hot full power case for one loop are also satisfied. Specifically, the peak heat flux does not exceed 118 percent of its nominal value, and the DNBR remains above the design DNBR limit of 1.24/1.23. Additionally the RCS pressure remains below 110% of RCS design pressure.
 
Digital Feedwater Control System
Columns: Scenario; UFSAR Description; 3.12 Safety Analyses; SA current new; different result?/LAR?
* Plant 1 - NEI; 1 con/ loop 1 con/ 2 loops; Increase in FW Flow; 1 FRV full open 4 FRV full open (2 MFRV & 2 BFRV); No - SA Acc. Crit. Met
* Plant 2 - NEI; No existing description; Increase in FW Flow; See above; No - SA Acc. Crit. Met
* Plant 1 - NRC; 1 con/ loop 1 con/ 2 loops; Increase in FW Flow; See above; Yes
* Plant 2 - NRC; No existing description; Increase in FW Flow; See above; Not Clear
 
Digital Feedwater Control System Illustrates
Appendix D's approach is consistent with NEI 96-07, Rev. 1
* using the safety analysis level
Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
* Consistent with NRC's Reliability Principle of Good Regulation
* Supports NRC focus on risk-significant issues
 
Criterion 6 - Four Major Points
: 1. NEI 96-07, Definition 3.9, malfunction of an SSC important to safety is used within Section 4.3.6 of Appendix D consistently
: 2. The rulemaking record is clear - the rule's intent to identify a different result is to examine the safety analyses
: 3. Consistent with NEI 96-07, Rev. 1, Section 4.3.6 of Appendix D avoids uneven application of 10 CFR 50.59
: 4. Section 4.3.6 of Appendix D is consistent with the other 10 CFR 50.59 Evaluation criteria
 
Back-up Slides

Feedwater Discharge Filter Installation
Feedwater discharge piping currently has a debris strainer intended for the removal of larger objects. (Installed during pre-operational testing.)
A higher quality duplex filter is being installed, along with:
* A differential pressure alarm to indicate the need to rotate the filter
* New procedural steps to direct operation of the filter
 
Feedwater Discharge Filter Installation Example of Plant UFSAR

Feedwater Discharge Filter Installation
UFSAR:
* Debris strainers currently exist.
* Filters have large clearances resulting in no potential for Feedwater flow disruption
* Safety analyses: assumes Loss of Normal Feedwater Flow (LONF)
Proposed Activity:
* Install new duplex filters in support of high feedwater quality
* Duplex filter will include a high differential pressure alarm to indicate need for filter rotation.
* Operations personnel will have required procedural steps
* No involvement of digital devices
* LONF event will be considered
 
Feedwater Discharge Filter Installation
Columns: Scenario; UFSAR; 3.12 Safety Analyses; SA current new; different result?/LAR?
* Plant 1 - NEI; strainers filters; Loss of Normal Feedwater (LONF); Strainer/filter equivalent to a section of pipe (no change); No
* Plant 2 - NEI; No existing description; LONF; No change; No
* Plant 1 - NRC; strainers filters; LONF; No change; Yes
* Plant 2 - NRC; No existing description; (blank); No change; Not Clear
 
FW Discharge Filter Installation Illustrates
ANALOGOUS TO THE IA COMPRESSOR DIGITAL CONTROL EX.
Appendix D's approach is consistent with NEI 96-07, Rev. 1 treatment of commonly encountered non-digital modifications
* using the safety analysis level
Appendix D's approach is consistent with NRC's Reliability Principle of Good Regulation
* NRC's approach appears to introduce differing treatment for digital versus non-digital activities
* Treatment of Manual Actions to rotate the filter are addressed by criterion 2
 
NEI 96-07, Rev. 1, 3.12 Safety Analyses Definition
Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11. Safety analyses are required to be presented in the UFSAR per 10 CFR 50.34(b) and 10 CFR 50.71(e) and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR.
 
NEI 96-07, Rev. 1, 3.12 Safety Analyses Discussion
Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. Containment, ECCS and accident analyses typically presented in Chapters 6 and 15 of the UFSAR clearly fall within the meaning of safety analyses as defined above. Also within the meaning of this definition for purposes of 50.59 are:
* Supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses
* UFSAR analyses of events that the facility is required to withstand such as turbine missiles, fires, floods, earthquakes, station blackout and ATWS.
 
FMEA-related Operator Actions
APP D, SEC 4.3.6, STEP #3 PROVIDES THE FOLLOWING GUIDANCE:
 
Interdependence
From Section 4.3 of NEI 96-07:
It is appropriate for discrete elements to be evaluated together if (1) they are interdependent as in the case where a modification to a system or component necessitates additional changes to other systems or procedures; or (2) they are performed collectively to address a design or operational issue.
The jacket water modification/design must include provisions for manual override of the supply and drain lines
* Any interdependent procedure/plant changes are considered to be part of the modification
 
Example #4 FROM SECTION 4.3.2 OF NEI 96-07:
 
Examples of Unacceptable Manual Actions
Opening containment sump outlet valves within a roughly ten-minute post-accident window to properly fill ECCS suction piping. (ECCS system will automatically draw from piping within the ensuing 10 minutes.)
Does not satisfy the third bullet:
The evaluation of the change considers the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery
 
Examples of Unacceptable Manual Actions
Stationing an operator on a chair to shut a 10 inch manual valve that forms the boundary between a seismic RWST and a non-seismic clean-up system. (This action would take place following a seismic event.)
Does not satisfy the second bullet:
The licensee has demonstrated that the action can be completed in the time required considering the aggregate affects, such as workload or environmental conditions, expected to exist when the action is required
 
Timing Requirements for Manual Actions
The first bullet of Example #4 states:
The action (including required completion time) is reflected in plant procedures and operator training programs
Most situations are resolved by examining the other bullets.
No NRC-approved guidance exists
* DG-1052 intended to endorse ANS 58.8-1994
* Useful for difficult situations
 
Comparison of Rulemaking Record, NEI 96-07, Section 4.3.6, and the D/G Jacket Water Surge Tank Controller
NEI 96-07, Revision 1, was developed using important portions of the Notice of Proposed Rulemaking and Statement of Consideration
This practice was applied to Section 4.3.6
Conclusions for the application of criterion 6:
* The safety analysis functional level is intended to be used to determine the need for NRC review
* Pre-existing FMEAs are to be considered, but may need to be altered
 
Comparison of NOPR and NEI 96-07, Section 4.3.6
NOPR:
However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.
NEI 96-07, Section 4.3.6:
The NPRM words were repeated in 96-07.
Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.
The reference to safety analysis is linked to the first sentence in section 4.3.6 and represents the Chapter 15 Analysis.
 
Comparison of SOC and NEI 96-07, Section 4.3.6
SOC:
The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made.. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.
NEI 96-07, Section 4.3.6:
In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. Attention must be given to whether the malfunction was evaluated in the accident analyses at the component level or the overall system level.
The current FMEA had to be altered due to the new level controller; thus new FMEA.
 
Point 1 - A Malfunction is Defined
A malfunction is a failure to perform a Design Function
A Design Function is either:
* A Design Basis Function
* Supports or impacts a Design Basis Function
* Accident/transient initiator
A Design Basis Function is either:
* Required by regulations, license conditions, orders, or TS
* Credited in the safety analysis
App B to NEI 97-04 (endorsed by RG 1.186) states that Design Basis Functions are:
* Derived primarily from the GDCs
* Functionally far above individual SSC functions
* Safety Analyses provide context
In every instance, the Evaluation begins at the lower SSC level and assesses the impact at the safety analysis level. (e.g., D/G jacket water level  D/G)
All of the information on this slide is found in approved regulatory guidance or the regulation itself.
 
Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result
From the Notice of Proposed Rulemaking for the current regulation:
The final change is being proposed in response to the comments on the staff proposed guidance (NUREG-1606) on the interpretation of malfunction (of equipment important to safety) of a different type However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction. Therefore, as the third change in § 50.59(a)(2)(ii), the Commission is proposing to change the phrase "of a different type" to "with a different result."
different result with respect to safety analyses - the focus since 1999
 
Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result
GL 95-02 Guidance generated for applying the pre-1999 rule language of type
The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation.
The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replaced - not at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc.), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.
Guidance generated for where to apply result in the revised rule
 
Point 3 - Avoid Uneven Application of 10 CFR 50.59
From SECY 97-035:
Plant SARs vary in depth and completeness. In general, the level of detail of information contained in an SAR for later facility applications was much greater than that for the earlier licensed plants. Thus, tying the scope of 10 CFR 50.59 to the SAR results in uneven application of 10 CFR 50.59.
* The solution in the current rule was to focus on Design Functions and not the descriptive material contained in the UFSAR
* Since individual sites have varying degrees of UFSAR descriptive material, this is necessary to avoid having the same change treated differently
* App B to NEI 97-04 (endorsed by RG 1.186) provides guidance that the response to an individual SSC's failure is part of the descriptive material and not part of the safety analysis
 
Point 4 - Section 4.3.6 Consistent With Other Criteria
* 10 CFR 50.59 c(2) iii states:
accident previously evaluated in the final safety analysis report (as updated)
* 10 CFR 50.59 c(2) iv states:
malfunction of an SSC important to safety previously evaluated in the final safety analysis report (as updated)
* 10 CFR 50.59 c(2) vii states:
as described in the FSAR (as updated) being exceeded or altered
* Criteria 3, 4, and 7 all rely solely on the results of safety analyses
* The guidance contained in NEI 96-07 is endorsed in Regulatory Guide 1.187 and is an approved way to meet the 10 CFR 50.59 rule
 
Summary
* Section 4.3.6 of NEI 96-07, Appendix D, solely utilizes previously approved definitions from NEI 96-07, Revision 1
* Section 4.3.6 of NEI 96-07, Appendix D relies on the 1999 rulemaking record and two decades of experience with NEI 96-07, Rev. 1 to understand different result
* The rulemaking record establishes that [u]nless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change...
* The logic and treatment of Section 4.3.6 of NEI 96-07, Appendix D, is consistent with the application of other 10 CFR 50.59 Evaluation criteria.
 
NEI 96-07 Appendix D - Purpose
* Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications
* Incorporates RIS 2002-22 Supplement 1 clarification on preparing and documenting qualitative assessments
* Engineering and technical work is complete to support the 10 CFR 50.59 Review conclusions
* Recall that 10 CFR 50.59 is a licensing/right-of-prior-approval review
* NRC inspects following Licensee approval and implementation, or
* NRC approves in advance with license amendment
}}

Latest revision as of 17:45, 19 October 2019

NEI's Presentation (with Background Slides) for Public Meeting on Endorsement of NEI 96-07, Appendix D, June 25, 2019
ML19176A070
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/25/2019
From:
Nuclear Energy Institute
To: Tekia Govan
NRC/NRR/DIRS/IRGB
Govan T, 415-6197, NRR/DIRS
References
NEI 96-07
Download: ML19176A070 (49)


Text

NEI 96-07 Appendix D Criterion 6 Examples June 25, 2019

©2019 Nuclear Energy Institute

Examples Will Show:

Sec. 4.3.6 of Appendix D is consistent with NEI 96-07, R1 Two decades of implementation Developed with NOPR and 1999 Final Rule SOC in mind Logic and treatment of Criterion 6 is consistent with the application of other 10 CFR 50.59 Evaluation criteria Sec. 4.3.6 of Appendix D avoids uneven application of 50.59 Consistent with NEI 96-07, R1 Consistent with NRCs Reliability Principle of Good Regulation Supports NRC focus on risk-significant issues

©2019 Nuclear Energy Institute 2

Examples for Discussion Instrument Air Compressor Digital Controls Diesel Generator Jacket Water Surge Tank Level Control Containment Fan Coolers Digital Controls Digital Feedwater Control System As time allows:

©2019 Nuclear Energy Institute 3

Instrument Air (IA) Compressor Digital Controls The Instrument Air system provides compressed, filtered and regulated air in support of various plant needs.

Compressed air is supplied to the IA system by three 50% capacity (405 scfm), oil-free, reciprocating air compressors, each with its own after-cooler, moisture separator and air receiver.

When Instrument and Station Air Systems are separated, only two of the three IA compressors are required to supply the IA header requirements for both units.

©2019 Nuclear Energy Institute 4

Instrument Air Compressor Digital Controls Example Plant UFSAR

©2019 Nuclear Energy Institute 5

Instrument Air Compressor Digital Controls UFSAR Proposed Activity The IA compressors discharge Install new IA compressors with to an IA header which is digital controls common to both units. Likelihood of SCCF of all FMEA: 2 of 3 IA compressors compressors not sufficiently are required during normal ops; low = 0 of 3 compressors low P in the supply line auto Possible loss of normal starts standby IA compressors feedwater event Safety analyses: assume loss of the Instrument Air System

©2019 Nuclear Energy Institute 6

IA Compressor Digital Controls

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current new | different result?/LAR? |
|---|---|---|---|---|
| Plant 1 - NEI | 2/3 0/3 | Loss of Normal Feedwater (LONF) | IA system assumed to fail (no change) | No |
| Plant 2 - NEI | No existing description | LONF | No change | No |
| Plant 1 - NRC | 2/3 0/3 | LONF | No change | Yes |
| Plant 2 - NRC | No existing description | LONF | No change | Not Clear |

IA Compressor Digital Controls Illustrates

Appendix D's approach is consistent with NEI 96-07, Rev. 1

  • using the safety analysis level

Appendix D's approach supports NRC focus on risk-significant issues

  • The NRC's approach appears to require LARs for a lot of very reasonable and benign modifications.

Diesel Generator (D/G) Jacket Water Surge Tank Level Control

Diesel generator supplies power to required emergency loads

  • D/G needs jacket water supply in order to perform its design function

Two 100% redundant trains

Surge tank is described as having a manual-operated supply and drain, along with various alarms and a high temperature D/G trip

  • Low level alarm actuates at 200 gallons remaining in a 450 gallon surge tank
  • Drain line averages 5 GPM

Effect of operator error on surge tank draining is discussed

D/G Jacket Water Surge Tank Level Control

D/G Jacket Water Surge Tank Level Control

UFSAR

  • One D/G train operates
  • FMEA: low water makeup water replaces losses
  • Safety analyses: assume single failure; one train operates

Proposed Activity

  • Replace manual control with digital controllers and air-operated valves
  • Likelihood of SCCF of both controllers not sufficiently low = 0 of 2 D/G
  • FMEA would examine losing both trains
  • Safety analyses would reflect FMEA outcome

D/G Jacket Water Surge Tank Level Control - new/revised FMEA

Procedures already exist for:

  • Local operator monitoring of D/G operation
  • Response to Low Surge Tank alarms
    • MCR Trouble Alarm typically points to a local panel
  • Operator manipulation of surge tank supply and drain valve

40 minutes (200 gallons being drained at 5 GPM) are available after alarm generation

Operator complies with procedural guidance

Surge tank function is preserved

D/G design function is preserved

D/G Jacket Water Surge Tank Level Con.

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current new | different result?/LAR? |
|---|---|---|---|---|
| Plant 1 - NEI | Detailed FMEA | D/G Operation | At least one D/G operates (no change) | No |
| Plant 2 - NEI | No existing description | D/G Operation | No change | No |
| Plant 1 - NRC | Detailed FMEA | D/G Operation | No change | Yes |
| Plant 2 - NRC | No existing description | D/G Operation | No change | Not Clear |

D/G Jacket Water Surge Tank Level Control Illustrates

Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application

  • NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
  • NRC's approach is not clear for plants with no existing UFSAR description

Appendix D's approach is consistent with NEI 96-07, Rev. 1

  • Both developed with NOPR and 1999 Final Rule SOC in mind
  • Revised FMEA = The result of the logically required operator actions in response to the effect of the level controller's failure is the preservation of the D/G's function

Containment Fan Coolers Digital Controls

  • Limits the containment ambient temperature during normal plant operating conditions
  • Reduce containment ambient temperature and pressure following a Loss of Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) inside containment
  • Provides mixing of the sprayed and unsprayed regions of the containment to improve airborne fission product removal
  • Provides a mixed atmosphere for hydrogen control
  • Five containment fan coolers provided

Containment Fan Coolers Digital Controls

Containment Fan Coolers Digital Controls

UFSAR

  • 2 of 5 coolers required to operate following a DBA
  • FMEA: at least two operable fan coolers has no effect on the Containment Heat Removal System
  • Containment pressure safety analyses: two coolers assumed to operate

Proposed Activity

  • Install digital controls for each containment fan cooler
  • Likelihood of SCCF of all coolers "not sufficiently low" = 0 of 5 coolers following a DBA
  • Calculation that used the cooling rate produced by two fan coolers revised to using a value of zero (0)

Containment Fan Coolers Digital Controls

| Scenario | UFSAR | 3.12 Safety Analyses | (vi) different result? | (vii) DBLFPB exceeded or altered? | LAR? |
|---|---|---|---|---|---|
| Plant 1 - NEI | 2/5 0/5 coolers | Ctmt Press. | Yes - SA Acc. Crit. NOT Met | No - SA Acc. Crit. Met | Yes |
| Plant 2 - NEI | No existing description | Not Credited | No | No | No |
| Plant 1 - NRC | 2/5 0/5 coolers | Ctmt Press. | Yes | No | Yes |
| Plant 2 - NRC | No existing description | Not Credited | Not Clear | No | Not Clear |

Containment Fan Coolers Digital Controls Illustrates

Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application

  • NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
  • NRC's approach is not clear for plants with no existing UFSAR description

Appendix D's approach focuses on the same safety analysis as criterion 7, but with differing assumptions

  • Criterion 6: to create a possibility, assume SCCF (0/5 coolers)
  • Criterion 7: to reflect performance as designed, assume single failure (at least 2/5 coolers)

Digital Feedwater Control System

Main Feedwater Regulating Valves (MFRV) and Bypass Feedwater Regulating Valves (BFRV) automatically control feedwater flow and maintain steam generator water level.

The Steam Generator Water Level Control System (SGWLCS) establishes and maintains the steam generator water level within predetermined limits during normal operating transients. The SGWLCS also maintains the steam generator water level within predetermined limits and unit trip conditions.

Digital Feedwater Control System

UFSAR

  • A switchover from the BFRVs to the MFRVs is initiated manually by the operator at approximately 25 percent power
  • UFSAR Section 15.1.2, Feedwater System Malfunctions that Result in an Increase in Feedwater Flow, considers the full opening of one feedwater regulating valve

Proposed Activity

  • Install digital controls to use the BFRV alone, the MFRV and BFRV in parallel, or the MFRV alone to automatically control feedwater flow as power level changes.
  • Possible increase in feedwater flowrate in two loops due to both the MFRVs and BFRVs going fully open.

Digital Feedwater Control System

The reanalysis of the hot full power case feedwater malfunction event in one loop demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 are acceptable with the proposed change and assuming a SCCF. An analysis of a hot full power case feedwater malfunction event in two loops was also performed and also demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 for the hot full power case for one loop are also satisfied. Specifically, the peak heat flux does not exceed 118 percent of its nominal value, and the DNBR remains above the design DNBR limit of 1.24/1.23. Additionally the RCS pressure remains below 110% of RCS design pressure.

Digital Feedwater Control System

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current new | different result?/LAR? |
|---|---|---|---|---|
| Plant 1 - NEI | 1 con/ loop 1 con/ 2 loops | Increase in FW Flow | 1 FRV full open 4 FRV full open (2 MFRV & 2 BFRV) | No - SA Acc. Crit. Met |
| Plant 2 - NEI | No existing description | Increase in FW Flow | See above | No - SA Acc. Crit. Met |
| Plant 1 - NRC | 1 con/ loop 1 con/ 2 loops | Increase in FW Flow | See above | Yes |
| Plant 2 - NRC | No existing description | Increase in FW Flow | See above | Not Clear |

Digital Feedwater Control System Illustrates

Appendix D's approach is consistent with NEI 96-07, Rev. 1

  • using the safety analysis level

Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application

  • Consistent with NRC's Reliability Principle of Good Regulation
  • Supports NRC focus on risk-significant issues

Criterion 6 - Four Major Points

1. NEI 96-07, Definition 3.9, "malfunction of an SSC important to safety" is used within Section 4.3.6 of Appendix D consistently
2. The rulemaking record is clear - the rule's intent to identify a "different result" is to examine the safety analyses
3. Consistent with NEI 96-07, Rev. 1, Section 4.3.6 of Appendix D avoids uneven application of 10 CFR 50.59
4. Section 4.3.6 of Appendix D is consistent with the other 10 CFR 50.59 Evaluation criteria

Back-up Slides

Feedwater Discharge Filter Installation

Feedwater discharge piping currently has a debris strainer intended for the removal of larger objects. (Installed during pre-operational testing.)

A higher quality duplex filter is being installed, along with:

  • A differential pressure alarm to indicate the need to rotate the filter
  • New procedural steps to direct operation of the filter

Feedwater Discharge Filter Installation Example of Plant UFSAR

Feedwater Discharge Filter Installation

UFSAR

  • Debris strainers currently exist.
  • Filters have large clearances resulting in no potential for Feedwater flow disruption
  • Safety analyses: assumes Loss of Normal Feedwater Flow (LONF)

Proposed Activity

  • Install new duplex filters in support of high feedwater quality
  • Duplex filter will include a high differential pressure alarm to indicate need for filter rotation.
  • Operations personnel will have required procedural steps
  • No involvement of digital devices
  • LONF event will be considered

Feedwater Discharge Filter Installation

| Scenario | UFSAR | 3.12 Safety Analyses | SA current new | different result?/LAR? |
|---|---|---|---|---|
| Plant 1 - NEI | strainers filters | Loss of Normal Feedwater (LONF) | Strainer/filter equivalent to a section of pipe (no change) | No |
| Plant 2 - NEI | No existing description | LONF | No change | No |
| Plant 1 - NRC | strainers filters | LONF | No change | Yes |
| Plant 2 - NRC | No existing description | | No change | Not Clear |

FW Discharge Filter Installation Illustrates

ANALOGOUS TO THE IA COMPRESSOR DIGITAL CONTROL EX.

Appendix D's approach is consistent with NEI 96-07, Rev. 1 treatment of commonly encountered non-digital modifications

  • using the safety analysis level

Appendix D's approach is consistent with NRC's Reliability Principle of Good Regulation

  • NRC's approach appears to introduce differing treatment for digital versus non-digital activities
  • Treatment of Manual Actions to rotate the filter is addressed by criterion 2

NEI 96-07, Rev. 1, 3.12 Safety Analyses

Definition

Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11. Safety analyses are required to be presented in the UFSAR per 10 CFR 50.34(b) and 10 CFR 50.71(e) and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR.

NEI 96-07, Rev. 1, 3.12 Safety Analyses

Discussion

Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. Containment, ECCS and accident analyses typically presented in Chapters 6 and 15 of the UFSAR clearly fall within the meaning of safety analyses as defined above. Also within the meaning of this definition for purposes of 50.59 are:

  • Supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses
  • UFSAR analyses of events that the facility is required to withstand such as turbine missiles, fires, floods, earthquakes, station blackout and ATWS.

FMEA-related Operator Actions APP D, SEC 4.3.6, STEP #3 PROVIDES THE FOLLOWING GUIDANCE:

Interdependence

From Section 4.3 of NEI 96-07:

It is appropriate for discrete elements to be evaluated together if (1) they are interdependent as in the case where a modification to a system or component necessitates additional changes to other systems or procedures; or (2) they are performed collectively to address a design or operational issue.

The jacket water modification/design must include provisions for manual override of the supply and drain lines

  • Any interdependent procedure/plant changes are considered to be part of the modification

Example #4 FROM SECTION 4.3.2 OF NEI 96-07:

Examples of Unacceptable Manual Actions

Opening containment sump outlet valves within a roughly ten-minute post-accident window to properly fill ECCS suction piping. (ECCS system will automatically draw from piping within the ensuing 10 minutes.)

Does not satisfy the third bullet:

The evaluation of the change considers the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery

Examples of Unacceptable Manual Actions

Stationing an operator on a chair to shut a 10 inch manual valve that forms the boundary between a seismic RWST and a non-seismic clean-up system. (This action would take place following a seismic event.)

Does not satisfy the second bullet:

The licensee has demonstrated that the action can be completed in the time required considering the aggregate affects, such as workload or environmental conditions, expected to exist when the action is required

Timing Requirements for Manual Actions

The first bullet of Example #4 states:

The action (including required completion time) is reflected in plant procedures and operator training programs

Most situations are resolved by examining the other bullets.

No NRC-approved guidance exists

  • DG-1052 intended to endorse ANS 58.8-1994
  • Useful for difficult situations

Comparison of Rulemaking Record, NEI 96-07, Section 4.3.6, and the D/G Jacket Water Surge Tank Controller

NEI 96-07, Revision 1, was developed using important portions of the Notice of Proposed Rulemaking and Statement of Consideration

This practice was applied to Section 4.3.6

Conclusions for the application of criterion 6:

  • The safety analysis functional level is intended to be used to determine the need for NRC review
  • Pre-existing FMEAs are to be considered, but may need to be altered

Comparison of NOPR and NEI 96-07, Section 4.3.6

However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

The NPRM words were repeated in 96-07.

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

The reference to safety analysis is linked to the first sentence in section 4.3.6 and represents the Chapter 15 Analysis.

Comparison of SOC and NEI 96-07, Section 4.3.6

The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made.. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.

In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. Attention must be given to whether the malfunction was evaluated in the accident analyses at the component level or the overall system level.

The current FMEA had to be altered due to the new level controller; thus new FMEA.

Point 1 - A Malfunction is Defined

A malfunction is a failure to perform a Design Function

A Design Function is either:

  • A Design Basis Function
  • Supports or impacts a Design Basis Function
  • Accident/transient initiator

A Design Basis Function is either:

  • Required by regulations, license conditions, orders, or TS
  • Credited in the safety analysis

App B to NEI 97-04 (endorsed by RG 1.186) states that Design Basis Functions are:

  • Derived primarily from the GDCs
  • Functionally far above individual SSC functions
  • Safety Analyses provide context

In every instance, the Evaluation begins at the lower SSC level and assesses the impact at the safety analysis level. (e.g., D/G jacket water level D/G)

All of the information on this slide is found in approved regulatory guidance or the regulation itself.

Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result

From the Notice of Proposed Rulemaking for the current regulation:

The final change is being proposed in response to the comments on the staff proposed guidance (NUREG-1606) on the interpretation of malfunction (of equipment important to safety) of a different type However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction. Therefore, as the third change in § 50.59(a)(2)(ii), the Commission is proposing to change the phrase "of a different type" to "with a different result."

"different result" with respect to safety analyses - the focus since 1999

Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result

GL 95-02

Guidance generated for applying the pre-1999 rule language of "type"

The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation.

The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replaced - not at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc.), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.

Guidance generated for where to apply "result" in the revised rule

Point 3 - Avoid Uneven Application of 10 CFR 50.59

From SECY 97-035:

Plant SARs vary in depth and completeness. In general, the level of detail of information contained in an SAR for later facility applications was much greater than that for the earlier licensed plants. Thus, tying the scope of 10 CFR 50.59 to the SAR results in uneven application of 10 CFR 50.59.

  • The solution in the current rule was to focus on Design Functions and not the descriptive material contained in the UFSAR
  • Since individual sites have varying degrees of UFSAR descriptive material, this is necessary to avoid having the same change treated differently
  • App B to NEI 97-04 (endorsed by RG 1.186) provides guidance that the response to an individual SSC's failure is part of the descriptive material and not part of the safety analysis

Point 4 - Section 4.3.6 Consistent With Other Criteria

accident previously evaluated in the final safety analysis report (as updated)

malfunction of an SSC important to safety previously evaluated in the final safety analysis report (as updated)

as described in the FSAR (as updated) being exceeded or altered

  • Criteria 3, 4, and 7 all rely solely on the results of safety analyses

Summary

  • Section 4.3.6 of NEI 96-07, Appendix D, solely utilizes previously approved definitions from NEI 96-07, Revision 1
  • Section 4.3.6 of NEI 96-07, Appendix D relies on the 1999 rulemaking record and two decades of experience with NEI 96-07, Rev. 1 to understand "different result"
  • The rulemaking record establishes that "[u]nless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change..."
  • The logic and treatment of Section 4.3.6 of NEI 96-07, Appendix D, is consistent with the application of other 10 CFR 50.59 Evaluation criteria.

NEI 96-07 Appendix D - Purpose

  • Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications
  • Incorporates RIS 2002-22 Supplement 1 clarification on preparing and documenting qualitative assessments
  • Engineering and technical work is complete to support the 10 CFR 50.59 Review conclusions
  • Recall that 10 CFR 50.59 is a licensing/right-of-prior-approval review
  • NRC inspects following Licensee approval and implementation, or
  • NRC approves in advance with license amendment
