Text

BASIS FOR Peter LeBlond ADDRESSING NEI 96-07 Appendix D Team Nuclear Energy Institute 10 CFR 50.59 CRITERION 6 August 1, 2017 DIFFERENT RESULT

PURPOSE TODAY Assess the meaning of a different result used within 10 CFR 50.59 criterion 6 by answering three questions:

1. Does/should UFSARs of varying degrees of detail affect the role/application of 10 CFR 50.59?

2. What is a malfunction of an SSC important to safety?

3. Is the current UFSAR description the proper point for determining when prior NRC approval is required?

PURPOSE CONTINUED

• Questions extracted from SECY 97-035 o These three questions were among the 24 separate issues that were eventually resolved by issuance of the current regulation

• The questions were not linked to digital issues at the time

• The three answers will be developed within the rulemaking framework

BIG PICTURE

SUMMARY

MAJOR RULEMAKING STEPS

• Dispute had existed on numerous issues for years o The most contentious was the meaning of may be increased o NEI 96-07 was first generated to resolve this issue without rulemaking

• In parallel, numerous other issues arose o e.g. Millstone lessons learned

BIG PICTURE

SUMMARY

MAJOR RULEMAKING STEPS CONT.

• SECY 97-035 compiled the 24 issues (and numerous sub-issues) involved o NUREG-1606 was attached as a compilation of the staffs view for proper implementation of 10 CFR 50.59 (1997 version)

• Comments requested

• Resolution led to the standard rulemaking process involving NPRM, SOC, and NEI 96-07 o Answers to the Three Questions will relate to this process

QUESTION #1 Do varying degrees of UFSAR detail affect 10 CFR 50.59 application?

SECY 97-035 Sections III.E (Definition of as described) and IV.A (Policy Issues),

Discussion of NRC Position and Options if a licensee believes that the scope includes only those SSCs specifically mentioned in the SAR, and not an SSC absent from the SAR but that has the potential for affecting the function of those SSCs specifically mentioned, then the licensee could prematurely conclude that the SSC being changed is not within the scope of the rule

QUESTION #1 Cont.

SECY 97-035 Sections III.E (Definition of as described) and IV.A (Policy Issues),

Discussion of NRC Position and Options Plant SARs vary in depth and completeness. In general, the level of detail of information contained in an SAR for later facility applications was much greater than that for the earlier licensed plants. Thus, tying the scope of 10 CFR 50.59 to the SAR results in uneven application of 10 CFR 50.59

ANSWERING QUESTION #1

• Two features addressed this problem, both of which involved an emphasis on functions rather than descriptions

1. The definition of facility was created to include a(3)(ii):

The design and performance requirements for such SSCs described in the FSAR (as updated),

2. The screening process was created for the first time by including within the rule language:

Change means affecting a Design Function

SCREENING PROCESS FOCUS DESIGN FUNCTIONS

• Separates the UFSARs level of detail from the screening process o Screening decision is based upon adverse effects on a function

• UFSAR updating now occurs independently from the screening decision

• Sites with more UFSAR detail have a greater obligation under 10 CFR 50.71(e), but the treatment under 10 CFR 50.59 is the same

HIGHLIGHTS OF FUNCTIONAL LEVELS Design Function Definition Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions. Implicitly included within the meaning of design function are the conditions under which intended functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure.

Design bases functions are functions performed by systems, structures and components (SSCs) that are (1) required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications, or (2) credited in licensee safety analyses to meet NRC requirements

HIGHLIGHTS OF FUNCTIONAL LEVELS From RG 1.186

• DBF are high level functions correlated to GDCs

• Individual SSCs are subsidiary

• DBF are Credited in the safety analyses (not descriptive material)

• Generally, no individual SSC supports or impacts

• The higher functional level of Design Functions explains the importance of the second element of facility and the repeated NEI 96-07 discussions regarding cascading of effects.

QUESTION #2 What is a malfunction of an SSC important to safety?

Malfunction of SSCs important to safety means the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B).

• All design functions are to be assessed for their malfunction

• The UFSAR description of a failed SSC is not, strictly speaking, a malfunction o A failed SSC may/will propagate a malfunction at a higher functional level o Note credited in the safety analysis

EXPANDED IMPLICATIONS OF QUESTION #2

• Regulatory Guide 1.186 (NEI 97-04, page B-2) states:

10 CFR 50.2 design basis functional requirements are derived primarily from the principal (sic) design criteria for an individual facility (GDC)

• All sites have these requirements in their UFSAR

• Regulatory treatment of activities, including malfunctions is independent of additional UFSAR design detail

• Malfunctions are expressed at higher functional levels than an individual SSC

• Future NPRM discussion will be consistent

QUESTION #3 Is the current UFSAR description the proper prior NRC approval required threshold?

• This was manifest as part of:

o Screening - Engineering margins installed above UFSAR functional requirements o Criteria 1 and 2

• Treatment of margin between current design and code compliance o Criteria 3 and 4

• Treatment of UFSAR reported doses o Criterion 7 (then termed Margin of Safety)

• Treatment of margin between UFSAR analytical results and analysis acceptance limits

QUESTION #3 Cont.

• In every instance, these margins are now controlled by the licensee o Implemented with specific rule changes, and/or supported by NEI 96-07 language

EXPANDED ILLUSTRATIONS OF QUESTION #3

• Consider the definition of Design Function o Addresses solely Design Basis Functions, not Design Basis Values o Excess engineering margin is allotted to the licensee

• Consider the treatment of consequences o The current UFSAR value is not the limit, but relies upon the SRP acceptance criteria

• Consider the language of criterion #7 o Exceeded or altered o Licensee manages margin up to Design Basis Limit

SUMMARY

OF THE THREE QUESTIONS

1. Does/should UFSARs of varying degrees of detail affect the role/application of 10 CFR 50.59?

o Alternatively, should the same change at two different plants generate the same regulatory response?

o No. The same change under the same circumstances is intended to produce the same regulatory response.

SUMMARY

OF THE THREE QUESTIONS

2. What is a malfunction of an SSC important to safety?

o Alternatively, at what functional level should a malfunction be considered?

o Malfunctions are assessed at the functional level of Design Functions, which can be credited in the safety analysis.

SUMMARY

OF THE THREE QUESTIONS

3. Is the current UFSAR description the proper point for determining when prior NRC approval is required?

o Alternatively, who has control of the white space between an UFSAR description and a plant level acceptance criterion?

o The licensee controls the margin between the UFSAR description and the plant level acceptance criteria.

WHAT DOES A DIFFERENT RESULT MEAN?

KEEP IN MIND

• The answers to the Three Questions o The same change under the same circumstances is intended to produce the same regulatory response.

o Malfunctions are assessed at the functional level of Design Functions, which can be credited in the safety analysis.

o The licensee controls the margin between the UFSAR description and the plant level acceptance criteria.

NEI 96-07, SECTION 4.3.6 Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction. A malfunction that involves an initiator or failure whose effects are not bounded by those explicitly described in the UFSAR is a malfunction with a different result

NEI 96-07, SECTION 4.3.6 In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed.

NEI 96-07, SECTION 4.3.6

SUMMARY

• First sentence discusses credited in the safety analysis and plant performance

• The second cited paragraph attempts to summarize a wide range of possible combinations of GDCs/Design Basis Functions and functional levels for a specific change o Need for a new FMEA would be likely o Use of NEI definitions and RG 1.186 is crucial

• The answers to the Three Questions are consistent with these phrases and the approach implemented with the other criteria

• NEI 96-07 discussion was not focused on digital conversions

CONCLUSION

• The functional level of screenings and evaluations was one of the issues that prompted the change in rule language o A malfunction can be the failure of any Design Function

• UFSAR descriptions of SSC failures do not define/limit the scope of malfunctions to be considered

CONCLUSION CONT.

• The safety analysis level is the only alternative level cited o Consistent with the answer to Question #s 1 and 3

• Same approach utilized for criteria 1, 2, 3, 4, 6 &

7

• The need for a new FMEA reflects this logic o Failures of individual SSCs are generally not stand-alone malfunctions

CONCLUSION CONT.

• Rulemaking record repeatedly describes this logic

• NPRM states:

However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

• More detailed review of the rulemaking record is available

FMEAs RELATIONSHIP TO RG 1.186

• Software Common Cause Failure (SCCF) is not part of the Design Basis o Pages B-1 and B-2 of Appendix B to NEI 97-04 provide this guidance and definitions, specifically addressing Design Basis Functions

• Design Input is not restricted to Design Basis o See ANSI N45.2.11 and page B-5 of Appendix B o Design Output can include SCCF considerations

• Summary Statement would be:

SCCF is not part of the Design Basis, but it can be part of the Design.

Technical Work Indicates no adverse effect to 120% 125%

AFW Pump 100%

Turbine speed Time Plant #1 Plant #2 Plant #3 UFSAR is 7 UFSAR is 12 UFSAR is 17 Volumes Volumes Volumes The requirement to 120%

The Design update the UFSAR is 125%

Function is unrelated to the screening decision.

on the bottom line. Overspeed trip exists Overspeed trip exists Pump works to remove heat Pump works to remove heat Pump works to remove heat Delivers flow when required Delivers flow when required Delivers flow when required

FSAR-RELATED TERMINOLOGY FROM 10 CFR 50.34b Final safety analysis report. Each application for an operating license shall include a final safety analysis report. The final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole, and shall include the following:

Design bases Descriptive information Appendix D has been calling this accident analyses

1999 10 CFR 50.59 CHANGE TO CRITERION 6 The pre-1999 10 CFR 50.59 read in part:

if a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created Which was changed to include a stand alone criterion 6:

Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

THREE PARTS TO THE OVERALL CRITERION 6 CHANGE

• May be created was changed to:

o Create a possibility

• Malfunction was changed to:

o a malfunction of an SSC important to safety

• A different type was changed to:

o A different result

• The remainder of this presentation will focus on the meaning of a different result

CONTENT OF THIS REVIEW

• The basic rulemaking pattern outlined below will be reviewed for the issue of a different result o Generating the licensing record for this issue

• Excerpts will be provided on the following slides NUREG 1606 NPRM is Altered rule NEI 96-07 is described issued is issued and generated (11/00)

NRCs (10/98) and SOC (10/99) to be implement position for relates to describes revised rule.

implementing NUREG- basis.

the pre-2000 1606.

rule. (Rule had to be changed to accommodate improvements.)

NUREG-1606 CIRCA 1997 In determining whether a malfunction is of a different type than any evaluated previously in the safety analysis report, some licensees believe they need to consider only the results and not the mode of failure (as suggested in TR-102348). The staff provided clarifications concerning TR-102348 in Generic Letter 95-02.

Specifically, the staff's position was that the "system-level" failure should be malfunction of the equipment being modified. As stated in GL 95-02, it is the digital equipment replacing the analog equipment, rather than the otherwise unchanged system of which that equipment is a part, that is to be analyzed to see if a malfunction of a different type could be created.

In considering malfunctions of equipment, the staff would recommend that this be done at the component level.

However, for some SSC, the evaluation of malfunctions discussed in the SAR may well have been only at the train or overall system level.

NUREG-1606 CIRCA 1997 Further, in determining whether a malfunction is of a different type, the licensee needs to consider not only the effect of the malfunction on equipment or plant response but also what causes the malfunction. If the proposed activity could lead to a different initiator, or involves a failure mode of a different type than the types previously evaluated, then the failure results from a malfunction of a different type (and involves a USQ), even though the accident may be the same. Section 4.2.6 of NSAC-125 gives as an example, "replacement of a mechanical control system on equipment important to safety with a digital control system that can potentially fail in a different mode." For example, if a pressure transmitter using mechanical linkage is replaced with an oil-filled transmitter, oil loss is now a failure mechanism which might result in a type of failure at the output of the transmitter that did not exist previously, and therefore was never analyzed. This is a new type of malfunction, and should need staff review. If a digital trip system is now being used, and software failure is a new failure mode, staff review is also required.

NUREG-1606

SUMMARY

• Industry states that the then current rule could be implemented by examining the results of malfunctions

• NRC disagrees (in NUREG 1606) and states that the review should be performed at the component level

NOTICE OF PROPOSED RULEMAKING The final change is being proposed in response to the comments on the staff proposed guidance (NUREG-1606) on the interpretation of malfunction (of equipment important to safety) of a different type..

NOTICE OF PROPOSED RULEMAKING The Commission does not agree that the industry interpretation is consistent with the rule as written, which refers to creation or possibility of a malfunction of a different type, not of a different result. However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

NOTICE OF PROPOSED RULEMAKING Therefore, as the third change in § 50.59(a)(2)(ii),

the Commission is proposing to change the phrase of a different type to with a different result.

This language is consistent with the previous answers to the Three Questions.

• Malfunctions are assessed for the Design Function/Design Basis Function at the safety analysis level.

• The plant level acceptance criteria, not UFSAR descriptions, were used in criteria 1, 2, 3, 4, and 7.

SUMMARY

OF NPRM

• Industry position is not consistent with the then current rule language of a different type

• Noted:

o Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

o Postulated single failures evaluated plant performance as part of NRC reviews o Safety Analysis is distinct from the Safety Analysis Report throughout, i.e., the accident analysis is not the SAR description

NPRM (ADDITIONAL DETAILS)

The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation. The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replacednot at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.

NPRM (ADDITIONAL DETAILS) CONT.

• The discussion that begins with unless immediately follows the earlier discussion from NUREG-1606

• Previous recitation of GL 95-02 is modified from previous positions to include some assurance that:

o Failure is detected o SAR analysis is bounding

SOC FOR FINAL RULE The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made.

Several commenters stated that this guidance should be revised to refer only to the failure modes and effects analysis in the FSAR, and not to specify the component level. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.

• This is consistent with the functional level of Design Functions and Design Basis Functions being above the functional level of individual SSCs.

STATEMENT OF CONSIDERATION

SUMMARY

• New FMEAs may be required and

• The determination of whether a different result exists is not constrained to the pre-existing FSAR-described FMEA o Commission specifically clarified commenters suggestion to restrict to UFSAR functional level

• Discussion continues the threads previously discussed

PUTTING THE FEDERAL REGISTER CITATIONS TOGETHER

• The final review level is not at the component level per GL 95-02 o Industry comments on NUREG-1606 highlight interpretation not consistent with the old rule, as written o Thus, the rule language was altered to accommodate the revised approach Continued

PUTTING THE FEDERAL REGISTER CITATIONS TOGETHER

• The NRCs licensing decision is made based upon single failures at the safety analysis level o The GL 95-02 digital-specific guidance was modified in support of the rule change to include:

• Detecting failures

• Ensuring the safety analysis remains bounding

• New FMEAs may be required (See above)

• The determination of whether a different result exists is not constrained to the pre-existing FSAR-described FMEA.

• NEI 96-07 guidance reflects the entire discussion