ML17279A043
| ML17279A043 | |
| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 10/11/2017 |
| From: | Leblond P Nuclear Energy Institute |
| To: | Office of Nuclear Reactor Regulation |
| Holonich J | |
| References | |
| Download: ML17279A043 (29) | |
Text
ILLUSTRATIONS FOR ADDRESSING
CRITERION 6 "DIFFERENT RESULT" Peter LeBlondNEI 96-07 Appendix D Team
Nuclear Energy InstituteOctober 11, 2017 Illustrate the meaning of "create a possibility of a different result" used within 10 CFR 50.59 criterion 6:
1.Review the conclusions of August 1, 2017 NEI/NRC public meeting.
2.Illustrate the application of Criterion 6 for a non-digital example.
3.Extend the illustration in #2 above to a variety of digital-related applications.
PURPOSE TODAY
- Brief review of major conclusions from August 1, 2017, NEI/NRC meeting o Involved sequential application of definitions from NEI 96-07, Revision 1, endorsed in Regulatory
Guide 1.187
- A non-digital modification to the jacket water surge tank level control system will be described oThe approach required to answer Criterion 6 will be illustrated in detail oThe definitions cited above will be utilizedOUTLINE FOR TODAY
- The framework established will be applied to a closely-related digital modification
- This framework will be graphically summarized to aid in evaluating any modification
- Additional examples may be presented in an overview fashionOUTLINE FOR TODAYCONT.
- Questions being posed today are not new issues oThese questions were among the 24 separate issues that were eventually resolved by issuance of
the current regulation
- The issues were fundamentally resolved by focusing on functions, not UFSAR descriptions oDefinition of "facility" and "change" established the required regulatory foundation
- The presentation did not describe a new regulatory position oSimply applied existing regulatory definitions CONCLUSIONS FROM 8/1/2017
SUMMARY
OFAUGUST 1, 2017 PRESENTATIONA "malfunction" is a failure to perform a Design FunctionADesign Function is either:A Design Basis FunctionSupports or impacts a Design Basis FunctionADesign Basis Function is:
Credited in the safety analysisDefined in Regulatory Guide 1.186Regulatory Guide 1.186 states that
Design Basis Functions are:
Linked to GDCsFunctionally far above individual SSCsSafety Analyses provide context The safety analysis is distinct from descriptive
material as defined in 10
CFR 50.34(b).
All of the information on this slide is directly quoted from approved Regulatory Guides or the regulation itself.
Description of Change:The current Manual Control of EDG Jacket Water Surge Tank Level is being replaced with pneumatic controller and air-operated valves.UFSAR Content:
- Chapter 15 contains a standard set of safety analyses that assume single failure. (One train operates)
- The D/G's ability to supply the required emergency loads is described.
- The surge tank is described as having a manual-operated supply and drain, along with various alarms and a high temperature EDG trip.
Non-Digital ExampleManual D/G Jacket Water Surge Tank Level Control to Automatic The Emergency Diesel System shall be capable of automatically starting and have sufficient capacity to provide AC power to the emergency buses to power
the required emergency loads-FUNCTIONAL LEVELS INVOLVEDSurge Tank Itself Surge Tank Level
ControlSafety Analyses:
- Creditsthe availability of AC power
- Assumea single failurePart of "facility" because of "design and performance requirements-"
Performs a Design Function
because:
- Supports or impacts-
1.186 based upon GDC 17. Each site's language may vary slightly.*Credits the DBF.
- Evaluates the EDG's Malfunction (Failure of one train.)
- Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis
report (as updated);
- Two pieces to the criterion oMalfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);
o Create a possibility ANSWERING CRITERION 6
- NEI 96-07, definition 3.9 results in identification of the single failure-based safety analysis oHas the single failure assumption (one train operates) become invalid due to cross-connection, installation of common devices, etc.?oThe postulated presence of lower level UFSAR descriptions of possible reliance on alarms does not alter this conclusion.
- Hardware Common Cause Failure is not credible
- Criterion 6 answer would be "No"Malfunction previously evaluated-Create a possibility Description of Change:The current Manual Control of EDG Jacket Water Surge Tank Level is being replaced with digital controllers and air-operated valves.UFSAR Content:
- No change from Non-digital Example.Technical Information:
- The low level alarm actuates at 200 gallons remaining in a 450 gallon surge tank.
- The drain line averages 5 GPM.
Digital ExampleManual D/G Jacket Water Surge Tank Level Control to Automatic The Emergency Diesel System shall be capable of automatically starting and have sufficient capacity to provide AC power to the emergency buses to power
the required emergency loads-No Change in Functional Levels InvolvedSurge Tank ItselfSurge Tank Level
ControlSafety Analyses:*Creditthe availability of AC power
- Assumea single failurePart of "facility" because of "design and performance requirements-"
Performs a Design Function
because:
- Supports or impacts-
1.186 based upon GDC 17. Each site's language may vary slightly.*Credits the DBF.
- Evaluates the EDG's Malfunction (Failure of one train.)
- Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis
report (as updated);
- Two pieces to the criterion oMalfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);
o Create a possibility CRITERION 6 IS UNCHANGED
- Software Common Cause Failure likelihood is not sufficiently low oIllustration for today's discussion
- NEI 96-07, definition 3.9 results in identification of the single failure-based safety analysis oHas the single failure assumption (one train operates) become invalid due to the SCCF?
oWe cannot simply rely on the previous absence
of cross-connections.
- A "New FMEA" is needed to determine if the SCCF will propagate to the higher functional levelMalfunction previously evaluated-Create a possibility
- Use of the acronym "FMEA" within NEI 96-07 oDoes not refer to any IEEE standard oNo guidance regarding content or structure was developed in 1997-1999*Their use is discussed in NPRM, SOC, and NEI 96-07 oMight be summarized with "What will happen when the failure occurs?"
- NEI Task Force Discussions have resulted in a simplistic format for FMEAs oPresumes compliance with pre-existing procedures and any "interdependent," modification-related
procedures USE OF FMEAs
- Procedures already exist for:
oLocal operator monitoring of EDG operation oResponse to Low Surge Tank Level alarms*MCR Trouble alarm typically points to a Local Panel oOperator manipulation of surge tank supply and
drain valves*These will be modified due to new reliance upon automatic level controlGENERATION OF AN FMEA FOR THE EDG SURGE TANK CONTROLLER
- In this situation, 40 minutes (200 gallons being drained at 5 GPM) are available after alarm
generation.
- Operator complies with procedural guidance
- Surge Tank Function is preserved
- Answer to Criterion 6 is "No"
- Summarize the overall approach by revisiting the "Functional Level" slideGENERATION OF AN FMEA FOR THE EDG SURGE TANK CONTROLLER CONT.
The Emergency Diesel System shall be capable of automatically starting and have sufficient capacity to provide AC power to the emergency buses to power
the required emergency loads-
SUMMARY
OF EVALUATIONSurge Tank ItselfSurge Tank Level
ControlSafety Analyses:*Creditthe availability of AC power
- Assumea single failure*Effect of SCCF will be manifest over a period of time.*Procedure compliance will detect and respond to SCCF and preserve the DBF. *No change in the Evaluation of the EDG's "Malfunction"*Results remain the same*SCCF is:classed as "create a possibility."
Induces effects across trains FMEA is needed
- The previous slide can be generalized to describe this approachSTANDARDIZED APPROACH CAN BE GRAPHICALLY EXPRESSED Identify the DBF(s) involved and classify its relationship with the identified functions below using NEI 96-07, definition 3.3.(If no DBF apparently exists, specialized evaluations may be required.)
GraphicalSummary of Approach*Describe the activity*Identify any functions involvedIdentify all Safety Analyses that credit directly or indirectly the DBF identified below.(If no Safety Analysis apparently exists, specialized evaluations may
be required.)*Is the DBF preserved?*Was a FMEA needed to assess
the propagation of effects? *Do all assumptions remain valid?*Does the Safety Analysis remain
valid?*Determine if SCCF:Is classed as "create a possibility."
Induces effects across trains FMEA is needed?
- The graphical summary introduced on slide #8 is entirely based upon unambiguous use of approved
definitions.
- The characteristics of an FMEA developed for 10 CFR 50.59 use was introduced on slide #15 oThis guidance is not from NEI 96-07.
oReflects a basic requirement that personnel will follow their procedures.
- The graphical summary of the overall approach was introduced on slide #20 o May be used to guide personnel in future Evaluations oTask Force Members are prepared to discuss any example utilizing that graphical approach.
CONCLUSION
- NPRM states:However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate
plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction.
Unless the equipment would fail in a way not already evaluated in the
safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.
This Functional Level provides the Evaluation of the D/G's "Malfunction"
- NEI 96-07, section 4.3.6 states:Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of
malfunction.
This Functional Level provides the Evaluation of the D/G's "Malfunction" As used above, "credited in the safety analyses" means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigativeactions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question).
The phrase "support or impact design bases functions" refers both to those SSCs needed to support design bases functions (cooling, power, environmental control, etc.)and to SSCs whose operation or malfunction could adversely affect the performance of design bases functions (for instance, control systems and physical arrangements). Thus, both safety-related and nonsafety-related SSCs may perform design
functions.
Definition 3.3 from NEI 96-07 FSAR-RELATED TERMINOLOGYFROM 10 CFR 50.34bFinal safety analysis report. Each application for an operating license shall include a final safety analysis report. The final safety analysis report shall include information that describes the facility
,presents the design bases and the limits on its operation , and presents a safety analysis of the structures, systems, and components and of the facility as a whole , and shall include the following:Appendix D has been calling this "accident analyses" Design bases Descriptive information Plant #1 UFSAR is 7 Volumes Plant #2 UFSAR is 12 Volumes Plant #3 UFSAR is 17 Volumes 100%125%Pump works to remove heatDelivers flow when requiredOverspeedtrip existsOverspeedtrip exists 125%AFW Pump Turbine speedTimeTechnical Work Indicates no adverse effect to 120%Pump works to remove heat Delivers flow when requiredPump works to remove heatDelivers flow when required The Design Function is on the bottom line.The requirement to update the UFSAR is unrelated to the screening decision.
120%
The staff has provided guidance on this issue in Generic Letter (GL) 95-02 , concerning replacement of analog systems with digital instrumentation. The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replaced-not at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption
, unless there is some assurance that the mode of failure can be detected and that there are no
consequential effects (electrical interference, materials interactions, etc), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable
.NPRM Discussion of "FMEAs" The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects
analyses (FMEA), taking into account single failure assumptions, and the level of the change being made. Several commentersstated that this guidance should be revised to refer only to the failure modes and effects analysis in the FSAR, and not to specify the component level. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA , which would then need to be evaluated as to whether the effects of the malfunctions are bounding.SOC Also Reinforces Possible Use of "FMEA"
-In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCsthat have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed.