ML17212B412

08/01/2017 - Nei_Criterion 6_20170801
ML17212B412
Person / Time
Site: Nuclear Energy Institute
Issue date: 07/31/2017
From: Leblond P
Nuclear Energy Institute
To:
Office of Nuclear Reactor Regulation
Holonich J, NRR/DPR, 301-415-7297
References
NEI 96-07
Download: ML17212B412 (46)


Text

BASIS FOR ADDRESSING 10 CFR 50.59 CRITERION 6 "DIFFERENT RESULT"

Peter LeBlond
NEI 96-07 Appendix D Team
Nuclear Energy Institute
August 1, 2017

Assess the meaning of "a different result" used within 10 CFR 50.59 criterion 6 by answering three questions:

1. Does/should UFSARs of varying degrees of detail affect the role/application of 10 CFR 50.59?
2. What is a "malfunction of an SSC important to safety"?
3. Is the current UFSAR description the proper point for determining when prior NRC approval is required?

PURPOSE TODAY

  • Questions extracted from SECY 97-035
      o These three questions were among the 24 separate issues that were eventually resolved by issuance of the current regulation
  • The questions were not linked to digital issues at the time
  • The "three answers" will be developed within the rulemaking framework

PURPOSE CONTINUED

  • Dispute had existed on numerous issues for years
      o The most contentious was the meaning of "may be increased"
      o NEI 96-07 was first generated to resolve this issue without rulemaking
  • In parallel, numerous other issues arose
      o e.g. Millstone lessons learned

BIG PICTURE SUMMARY

MAJOR RULEMAKING STEPS

  • SECY 97-035 compiled the 24 issues (and numerous sub-issues) involved
      o NUREG-1606 was attached as a compilation of the staff's view for proper implementation of 10 CFR 50.59 (1997 version)
  • Comments requested
  • Resolution led to the standard rulemaking process involving NPRM, SOC, and NEI 96-07
      o Answers to the Three Questions will relate to this process

BIG PICTURE SUMMARY

MAJOR RULEMAKING STEPS CONT.

SECY 97-035 Sections III.E (Definition of "as described") and IV.A ("Policy Issues"), Discussion of NRC Position and Options

… if a licensee believes that the scope includes only those SSCs specifically mentioned in the SAR, and not an SSC absent from the SAR but that has the potential for affecting the function of those SSCs specifically mentioned, then the licensee could prematurely conclude that the SSC being changed is not within the scope of the rule …

QUESTION #1 Do varying degrees of UFSAR detail affect 10 CFR 50.59 application?

SECY 97-035 Sections III.E (Definition of "as described") and IV.A ("Policy Issues"), Discussion of NRC Position and Options

… Plant SARs vary in depth and completeness. In general, the level of detail of information contained in an SAR for later facility applications was much greater than that for the earlier licensed plants. Thus, tying the scope of 10 CFR 50.59 to the SAR results in uneven application of 10 CFR 50.59 …

QUESTION #1 Cont.

  • Two features addressed this problem, both of which involved an emphasis on functions rather than descriptions
      1. The definition of "facility" was created to include a(3)(ii): The design and performance requirements for such SSCs described in the FSAR (as updated),
      2. The screening process was created for the first time by including within the rule language: "Change" means affecting a Design Function …

ANSWERING QUESTION #1

  • Separates the UFSAR's level of detail from the screening process
      o Screening decision is based upon "adverse effects" on a "function"
  • UFSAR updating now occurs independently from the screening decision
  • Sites with more UFSAR detail have a greater obligation under 10 CFR 50.71(e), but the treatment under 10 CFR 50.59 is the same

SCREENING PROCESS' FOCUS DESIGN FUNCTIONS

Design Function Definition

Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions. Implicitly included within the meaning of design function are the conditions under which intended functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure.

Design bases functions are functions performed by systems, structures and components (SSCs) that are (1) required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications, or (2) credited in licensee safety analyses to meet NRC requirements

HIGHLIGHTS OF FUNCTIONAL LEVELS

From RG 1.186
  • DBF are high level functions correlated to GDCs
  • Individual SSCs are subsidiary
  • DBF are "Credited in the safety analyses" (not descriptive material)
  • Generally, no individual SSC "supports or impacts"
  • The higher functional level of Design Functions explains the importance of the second element of "facility" and the repeated NEI 96-07 discussions regarding cascading of effects.

HIGHLIGHTS OF FUNCTIONAL LEVELS

Malfunction of SSCs important to safety means the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B).

  • All design functions are to be assessed for their "malfunction"
  • The UFSAR description of a failed SSC is not, strictly speaking, a "malfunction"
      o A failed SSC may/will propagate a "malfunction" at a higher functional level
      o Note "credited in the safety analysis"

QUESTION #2 What is a "malfunction of an SSC important to safety"?

  • Regulatory Guide 1.186 (NEI 97-04, page B-2) states: "10 CFR 50.2 design basis functional requirements are derived primarily from the principal (sic) design criteria for an individual facility…" (GDC)
  • All sites have these requirements in their UFSAR
  • Regulatory treatment of activities, including "malfunctions" is independent of additional UFSAR design detail
  • "Malfunctions" are expressed at higher functional levels than an individual SSC
  • Future NPRM discussion will be consistent

EXPANDED IMPLICATIONS OF QUESTION #2
  • This was manifest as part of:
      o Screening
          - Engineering margins installed above UFSAR functional requirements
      o Criteria 1 and 2
          - Treatment of margin between current design and code compliance
      o Criteria 3 and 4
          - Treatment of UFSAR reported doses
      o Criterion 7 (then termed "Margin of Safety")
          - Treatment of margin between UFSAR analytical results and analysis acceptance limits

QUESTION #3 Is the current UFSAR description the proper "prior NRC approval required" threshold?

  • In every instance, these margins are now controlled by the licensee
      o Implemented with specific rule changes, and/or supported by NEI 96-07 language

QUESTION #3 Cont.

  • Consider the definition of Design Function
      o Addresses solely Design Basis Functions, not Design Basis Values
      o Excess engineering margin is allotted to the licensee
  • Consider the treatment of "consequences"
      o The current UFSAR value is not the limit, but relies upon the SRP acceptance criteria
  • Consider the language of criterion #7
      o "Exceeded or altered"
      o Licensee manages margin up to Design Basis Limit

EXPANDED ILLUSTRATIONS OF QUESTION #3

1. Does/should UFSARs of varying degrees of detail affect the role/application of 10 CFR 50.59?

      o Alternatively, should the same change at two different plants generate the same regulatory response?
      o No. The same change under the same circumstances is intended to produce the same regulatory response.

SUMMARY OF THE THREE QUESTIONS

2. What is a "malfunction of an SSC important to safety"?

      o Alternatively, at what functional level should a "malfunction" be considered?
      o "Malfunctions" are assessed at the functional level of Design Functions, which can be "credited in the safety analysis."

SUMMARY OF THE THREE QUESTIONS

3. Is the current UFSAR description the proper point for determining when prior NRC approval is required?

      o Alternatively, who has control of the "white space" between an UFSAR description and a plant level acceptance criterion?
      o The licensee controls the margin between the UFSAR description and the plant level acceptance criteria.

SUMMARY OF THE THREE QUESTIONS

WHAT DOES "A DIFFERENT RESULT" MEAN?

  • The answers to the Three Questions
      o The same change under the same circumstances is intended to produce the same regulatory response.
      o "Malfunctions" are assessed at the functional level of Design Functions, which can be "credited in the safety analysis."
      o The licensee controls the margin between the UFSAR description and the plant level acceptance criteria.

KEEP IN MIND

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction. A malfunction that involves an initiator or failure whose effects are not bounded by those explicitly described in the UFSAR is a malfunction with a different result …

NEI 96-07, SECTION 4.3.6

… In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed.

NEI 96-07, SECTION 4.3.6

  • First sentence discusses "credited in the safety analysis" and "plant performance"
  • The second cited paragraph attempts to summarize a wide range of possible combinations of GDCs/Design Basis Functions and functional levels for a specific change
      o Need for a new FMEA would be likely
      o Use of NEI definitions and RG 1.186 is crucial
  • The answers to the Three Questions are consistent with these phrases and the approach implemented with the other criteria
  • NEI 96-07 discussion was not focused on digital conversions

NEI 96-07, SECTION 4.3.6 SUMMARY

  • The functional level of screenings and evaluations was one of the issues that prompted the change in rule language
      o A "malfunction" can be the failure of any Design Function
  • UFSAR descriptions of SSC failures do not define/limit the scope of "malfunctions" to be considered

CONCLUSION

  • The safety analysis level is the only alternative level cited
      o Consistent with the answer to Question #s 1 and 3
  • Same approach utilized for criteria 1, 2, 3, 4, 6 & 7
  • The need for a new FMEA reflects this logic
      o Failures of individual SSCs are generally not stand-alone "malfunctions"

CONCLUSION CONT.

  • Rulemaking record repeatedly describes this logic
  • NPRM states: However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.
  • More detailed review of the rulemaking record is available

CONCLUSION CONT.
  • Software Common Cause Failure (SCCF) is not part of the "Design Basis"
      o Pages B-1 and B-2 of Appendix B to NEI 97-04 provide this guidance and definitions, specifically addressing Design Basis Functions
  • Design Input is not restricted to Design Basis
      o See ANSI N45.2.11 and page B-5 of Appendix B
      o Design Output can include SCCF considerations
  • Summary Statement would be: SCCF is not part of the Design Basis, but it can be part of the Design.

FMEA's RELATIONSHIP TO RG 1.186

[Figure: AFW Pump Turbine speed versus Time, shown for Plant #1 (UFSAR is 7 Volumes), Plant #2 (UFSAR is 12 Volumes) and Plant #3 (UFSAR is 17 Volumes). Labels on the figure: 100%, 120%, 125%; "Overspeed trip exists"; "Technical Work Indicates no adverse effect to 120%"; "Delivers flow when required"; "Pump works to remove heat".]

The Design Function is on the bottom line. The requirement to update the UFSAR is unrelated to the screening decision.

FSAR-RELATED TERMINOLOGY FROM 10 CFR 50.34b

Final safety analysis report. Each application for an operating license shall include a final safety analysis report. The final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole, and shall include the following:

Appendix D has been calling this "accident analyses"

Design bases

Descriptive information

The pre-1999 10 CFR 50.59 read in part:

… if a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created …

Which was changed to include a stand alone "criterion 6":

Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated);

1999 10 CFR 50.59 CHANGE TO CRITERION 6

  • "May be created" was changed to:
      o "Create a possibility"
  • "Malfunction" was changed to:
      o "a malfunction of an SSC important to safety"
  • "A different type" was changed to:
      o "A different result"
  • The remainder of this presentation will focus on the meaning of "a different result"

THREE PARTS TO THE OVERALL CRITERION 6 CHANGE

  • The basic rulemaking pattern outlined below will be reviewed for the issue of "a different result"
      o Generating the licensing record for this issue
  • Excerpts will be provided on the following slides

CONTENT OF THIS REVIEW

NUREG 1606 described NRC's position for implementing the pre-2000 rule.

NPRM is issued (10/98) and relates to NUREG-1606. (Rule had to be changed to accommodate improvements.)

Altered rule is issued and SOC (10/99) describes basis.

NEI 96-07 is generated (11/00) to implement the revised rule.

In determining whether a malfunction is of a different type than any evaluated previously in the safety analysis report, some licensees believe they need to consider only the results and not the mode of failure (as suggested in TR-102348). The staff provided clarifications concerning TR-102348 in Generic Letter 95-02. Specifically, the staff's position was that the "system-level" failure should be malfunction of the equipment being modified. As stated in GL 95-02, it is the digital equipment replacing the analog equipment, rather than the otherwise unchanged system of which that equipment is a part, that is to be analyzed to see if a malfunction of a different type could be created. In considering malfunctions of equipment, the staff would recommend that this be done at the component level. However, for some SSC, the evaluation of malfunctions discussed in the SAR may well have been only at the train or overall system level.

NUREG-1606 CIRCA 1997

Further, in determining whether a malfunction is of a different type, the licensee needs to consider not only the effect of the malfunction on equipment or plant response but also what causes the malfunction. If the proposed activity could lead to a different initiator, or involves a failure mode of a different type than the types previously evaluated, then the failure results from a malfunction of a different type (and involves a USQ), even though the accident may be the same. Section 4.2.6 of NSAC-125 gives as an example, "replacement of a mechanical control system on equipment important to safety with a digital control system that can potentially fail in a different mode." For example, if a pressure transmitter using mechanical linkage is replaced with an oil-filled transmitter, oil loss is now a failure mechanism which might result in a type of failure at the output of the transmitter that did not exist previously, and therefore was never analyzed. This is a new type of malfunction, and should need staff review. If a digital trip system is now being used, and software failure is a new failure mode, staff review is also required.

NUREG-1606 CIRCA 1997

  • Industry states that the then current rule could be implemented by examining the results of malfunctions
  • NRC disagrees (in NUREG 1606) and states that the review should be performed at the component level

NUREG-1606 SUMMARY

The final change is being proposed in response to the comments on the staff proposed guidance (NUREG-1606) on the interpretation of malfunction (of equipment important to safety) of a different type …

NOTICE OF PROPOSED RULEMAKING

The Commission does not agree that the industry interpretation is consistent with the rule as written, which refers to creation or possibility of a malfunction of a different type, not of a different result. However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

NOTICE OF PROPOSED RULEMAKING

Therefore, as the third change in §50.59(a)(2)(ii), the Commission is proposing to change the phrase of a different type to with a different result.

This language is consistent with the previous answers to the Three Questions.

  • "Malfunctions" are assessed for the Design Function/Design Basis Function at the safety analysis level.

  • The plant level acceptance criteria, not UFSAR descriptions, were used in criteria 1, 2, 3, 4, and 7.

NOTICE OF PROPOSED RULEMAKING

  • Industry position is not consistent with the then current rule language of "a different type"
  • Noted:
      o Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.
      o Postulated single failures evaluated plant performance as part of NRC reviews
      o "Safety Analysis" is distinct from the "Safety Analysis Report" throughout, i.e., the "accident analysis" is not the SAR description

SUMMARY OF NPRM

The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation. The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replaced, not at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.

NPRM (ADDITIONAL DETAILS)

  • The discussion that begins with "unless" immediately follows the earlier discussion from NUREG-1606
  • Previous recitation of GL 95-02 is modified from previous positions to include some assurance that:
      o Failure is detected
      o SAR analysis is bounding

NPRM (ADDITIONAL DETAILS) CONT.

The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made. Several commenters stated that this guidance should be revised to refer only to the failure modes and effects analysis in the FSAR, and not to specify the component level. The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.

  • This is consistent with the functional level of Design Functions and Design Basis Functions being above the functional level of individual SSCs.

SOC FOR FINAL RULE

  • New FMEAs may be required and
  • The determination of whether a "different result" exists is not constrained to the pre-existing FSAR-described FMEA
      o Commission specifically clarified commenters' suggestion to restrict to UFSAR functional level
  • Discussion continues the threads previously discussed

STATEMENT OF CONSIDERATION SUMMARY

  • The final review level is not at the component level per GL 95-02
      o Industry comments on NUREG-1606 highlight interpretation not consistent with the old rule, as written
      o Thus, the rule language was altered to accommodate the revised approach

Continued…

PUTTING THE FEDERAL REGISTER CITATIONS TOGETHER…

  • The NRC's licensing decision is made based upon single failures at the safety analysis level
      o The GL 95-02 digital-specific guidance was modified in support of the rule change to include:
  • Detecting failures
  • Ensuring the safety analysis remains bounding
  • New FMEAs may be required (See above)
  • The determination of whether a "different result" exists is not constrained to the pre-existing FSAR-described FMEA.
  • NEI 96-07 guidance reflects the entire discussion

PUTTING THE FEDERAL REGISTER CITATIONS TOGETHER…