Text

ILLUSTRATIONS FOR Peter LeBlond ADDRESSING NEI 96-07 Appendix D Team Nuclear Energy Institute 10 CFR 50.59 CRITERION 6 October 11, 2017 DIFFERENT RESULT

PURPOSE TODAY Illustrate the meaning of create a possibility of a different result used within 10 CFR 50.59 criterion 6:

1. Review the conclusions of August 1, 2017 NEI/NRC public meeting.

2. Illustrate the application of Criterion 6 for a non-digital example.

3. Extend the illustration in #2 above to a variety of digital-related applications.

OUTLINE FOR TODAY

• Brief review of major conclusions from August 1, 2017, NEI/NRC meeting o Involved sequential application of definitions from NEI 96-07, Revision 1, endorsed in Regulatory Guide 1.187

• A non-digital modification to the jacket water surge tank level control system will be described o The approach required to answer Criterion 6 will be illustrated in detail o The definitions cited above will be utilized

OUTLINE FOR TODAY CONT.

• The framework established will be applied to a closely-related digital modification

• This framework will be graphically summarized to aid in evaluating any modification

• Additional examples may be presented in an overview fashion

CONCLUSIONS FROM 8/1/2017

• Questions being posed today are not new issues o These questions were among the 24 separate issues that were eventually resolved by issuance of the current regulation

• The issues were fundamentally resolved by focusing on functions, not UFSAR descriptions o Definition of facility and change established the required regulatory foundation

• The presentation did not describe a new regulatory position o Simply applied existing regulatory definitions

SUMMARY

OF AUGUST 1, 2017 PRESENTATION A Design Function is either:

A malfunction is a A Design Basis Function failure to perform a Supports or impacts a Design Function Design Basis Function Regulatory Guide 1.186 states that A Design Basis Function is:

Design Basis Functions are:

Credited in the safety analysis Linked to GDCs Defined in Regulatory Guide Functionally far above individual SSCs 1.186 Safety Analyses provide context The safety analysis is All of the information on this distinct from descriptive slide is directly quoted from material as defined in 10 approved Regulatory Guides CFR 50.34(b).

or the regulation itself.

Non-Digital Example Manual D/G Jacket Water Surge Tank Level Control to Automatic Description of Change:

The current Manual Control of EDG Jacket Water Surge Tank Level is being replaced with pneumatic controller and air-operated valves.

UFSAR Content:

• Chapter 15 contains a standard set of safety analyses that assume single failure. (One train operates)

• The D/Gs ability to supply the required emergency loads is described.

• The surge tank is described as having a manual-operated supply and drain, along with various alarms and a high temperature EDG trip.

FUNCTIONAL LEVELS INVOLVED Safety Analyses:

• Credits the DBF.

• Evaluates the EDGs

• Credits the availability of AC power Malfunction (Failure

• Assume a single failure of one train.)

EDG Design Basis The Emergency Diesel System shall be Function from RG capable of automatically starting and 1.186 based upon have sufficient capacity to provide AC GDC 17. Each sites power to the emergency buses to power language may vary the required emergency loads slightly.

Surge Tank Itself Part of facility because of design Surge Tank Level and performance requirements Control Performs a Design Function because:

• Supports or impacts

• Credited in the safety analyses

ANSWERING CRITERION 6

• Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

• Two pieces to the criterion o Malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

o Create a possibility

Malfunction previously evaluated Create a possibility

• NEI 96-07, definition 3.9 results in identification of the single failure-based safety analysis o Has the single failure assumption (one train operates) become invalid due to cross-connection, installation of common devices, etc.?

o The postulated presence of lower level UFSAR descriptions of possible reliance on alarms does not alter this conclusion.

• Hardware Common Cause Failure is not credible

• Criterion 6 answer would be No

Digital Example Manual D/G Jacket Water Surge Tank Level Control to Automatic Description of Change:

The current Manual Control of EDG Jacket Water Surge Tank Level is being replaced with digital controllers and air-operated valves.

UFSAR Content:

• No change from Non-digital Example.

Technical Information:

• The low level alarm actuates at 200 gallons remaining in a 450 gallon surge tank.

• The drain line averages 5 GPM.

No Change in Functional Levels Involved Safety Analyses:

• Credits the DBF.

• Evaluates the EDGs

• Credit the availability of AC power Malfunction (Failure

• Assume a single failure of one train.)

EDG Design Basis The Emergency Diesel System shall be Function from RG capable of automatically starting and 1.186 based upon have sufficient capacity to provide AC GDC 17. Each sites power to the emergency buses to power language may vary the required emergency loads slightly.

Surge Tank Itself Part of facility because of design Surge Tank Level and performance requirements Control Performs a Design Function because:

• Supports or impacts

• Credited in the safety analyses

CRITERION 6 IS UNCHANGED

• Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

• Two pieces to the criterion o Malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

o Create a possibility

Malfunction previously evaluated Create a possibility

• Software Common Cause Failure likelihood is not sufficiently low o Illustration for todays discussion

• NEI 96-07, definition 3.9 results in identification of the single failure-based safety analysis o Has the single failure assumption (one train operates) become invalid due to the SCCF?

o We cannot simply rely on the previous absence of cross-connections.

• A New FMEA is needed to determine if the SCCF will propagate to the higher functional level

USE OF FMEAs

• Use of the acronym FMEA within NEI 96-07 o Does not refer to any IEEE standard o No guidance regarding content or structure was developed in 1997-1999

• Their use is discussed in NPRM, SOC, and NEI 96-07 o Might be summarized with What will happen when the failure occurs?

• NEI Task Force Discussions have resulted in a simplistic format for FMEAs o Presumes compliance with pre-existing procedures and any interdependent, modification-related procedures

GENERATION OF AN FMEA FOR THE EDG SURGE TANK CONTROLLER

• Procedures already exist for:

o Local operator monitoring of EDG operation o Response to Low Surge Tank Level alarms

• MCR Trouble alarm typically points to a Local Panel o Operator manipulation of surge tank supply and drain valves

• These will be modified due to new reliance upon automatic level control

GENERATION OF AN FMEA FOR THE EDG SURGE TANK CONTROLLER CONT.

• In this situation, 40 minutes (200 gallons being drained at 5 GPM) are available after alarm generation.

• Operator complies with procedural guidance

• Surge Tank Function is preserved

• Answer to Criterion 6 is No

• Summarize the overall approach by revisiting the Functional Level slide

SUMMARY

OF EVALUATION

• No change in the Safety Analyses: Evaluation of the EDGs Malfunction

• Credit the availability of AC power

• Results remain the

• Assume a single failure same

• Effect of SCCF will The Emergency Diesel System shall be be manifest over a capable of automatically starting and period of time.

have sufficient capacity to provide AC

• Procedure power to the emergency buses to power compliance will detect and respond the required emergency loads to SCCF and Surge Tank Itself

• SCCF is: preserve the DBF.

Surge Tank Level classed as create a Control possibility.

Induces effects across trains FMEA is needed

STANDARDIZED APPROACH CAN BE GRAPHICALLY EXPRESSED

• The previous slide can be generalized to describe this approach

Graphical Summary of Approach Identify all Safety Analyses that credit directly or indirectly the DBF identified

• Do all assumptions below. remain valid?

(If no Safety Analysis apparently

• Does the Safety exists, specialized evaluations may Analysis remain be required.) valid?

• Is the DBF Identify the DBF(s) involved and classify its preserved?

relationship with the identified functions

• Was a FMEA below using NEI 96-07, definition 3.3. needed to assess (If no DBF apparently exists, specialized the propagation evaluations may be required.) of effects?

• Determine if SCCF:

• Describe the activity Is classed as create a

• Identify any possibility.

functions involved Induces effects across trains FMEA is needed?

CONCLUSION

• The graphical summary introduced on slide #8 is entirely based upon unambiguous use of approved definitions.

• The characteristics of an FMEA developed for 10 CFR 50.59 use was introduced on slide #15 o This guidance is not from NEI 96-07.

o Reflects a basic requirement that personnel will follow their procedures.

• The graphical summary of the overall approach was introduced on slide #20 o May be used to guide personnel in future Evaluations o Task Force Members are prepared to discuss any example utilizing that graphical approach.

This Functional Level provides the Evaluation of the D/Gs Malfunction

• NPRM states:

However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

This Functional Level provides the Evaluation of the D/Gs Malfunction

• NEI 96-07, section 4.3.6 states:

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

Definition 3.3 from NEI 96-07 As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). The phrase support or impact design bases functions refers both to those SSCs needed to support design bases functions (cooling, power, environmental control, etc.) and to SSCs whose operation or malfunction could adversely affect the performance of design bases functions (for instance, control systems and physical arrangements). Thus, both safety-related and nonsafety-related SSCs may perform design functions.

FSAR-RELATED TERMINOLOGY FROM 10 CFR 50.34b Final safety analysis report. Each application for an operating license shall include a final safety analysis report. The final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole, and shall include the following:

Design bases Descriptive information Appendix D has been calling this accident analyses

Technical Work Indicates no adverse effect to 120% 125%

AFW Pump 100%

Turbine speed Time Plant #1 Plant #2 Plant #3 UFSAR is 7 UFSAR is 12 UFSAR is 17 Volumes Volumes Volumes The requirement to 120%

The Design update the UFSAR is 125%

Function is unrelated to the screening decision.

on the bottom line. Overspeed trip exists Overspeed trip exists Pump works to remove heat Pump works to remove heat Pump works to remove heat Delivers flow when required Delivers flow when required Delivers flow when required

NPRM Discussion of FMEAs The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation. The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replacednot at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.

SOC Also Reinforces Possible Use of FMEA The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made.

Several commenters stated that this guidance should be revised to refer only to the failure modes and effects analysis in the FSAR, and not to specify the component level. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.

NEI 96-07 Repeats the SOC wording In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed.