ML19176A070

NEI's Presentation (with Background Slides) for Public Meeting on Endorsement of NEI 96-07, Appendix D, June 25, 2019
ML19176A070
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/25/2019
From:
Nuclear Energy Institute
To: Tekia Govan
NRC/NRR/DIRS/IRGB
Govan T, 415-6197, NRR/DIRS
References
NEI 96-07
Download: ML19176A070 (49)


Text

©2019 Nuclear Energy Institute NEI 96-07 Appendix D Criterion 6 Examples June 25, 2019

Examples Will Show:

  • Sec. 4.3.6 of Appendix D is consistent with NEI 96-07, R1
  • Two decades of implementation
  • Developed with NOPR and 1999 Final Rule SOC in mind
  • Logic and treatment of Criterion 6 is consistent with the application of other 10 CFR 50.59 Evaluation criteria
  • Consistent with NEI 96-07, R1
  • Consistent with NRC's Reliability Principle of Good Regulation
  • Supports NRC focus on risk-significant issues
  • Sec. 4.3.6 of Appendix D avoids uneven application of 50.59

Examples for Discussion

  • Instrument Air Compressor Digital Controls
  • Diesel Generator Jacket Water Surge Tank Level Control
  • Containment Fan Coolers Digital Controls
  • Digital Feedwater Control System

As time allows:

  • Feedwater Debris Strainer

Instrument Air (IA) Compressor Digital Controls

  • The Instrument Air system provides compressed, filtered and regulated air in support of various plant needs.
  • Compressed air is supplied to the IA system by three 50% capacity (405 scfm), oil-free, reciprocating air compressors, each with its own after-cooler, moisture separator and air receiver.
  • When Instrument and Station Air Systems are separated, only two of the three IA compressors are required to supply the IA header requirements for both units.

Instrument Air Compressor Digital Controls - Example Plant UFSAR

Instrument Air Compressor Digital Controls

UFSAR

  • The IA compressors discharge to an IA header which is common to both units.
  • FMEA: 2 of 3 IA compressors are required during normal ops; low P in the supply line auto starts standby IA compressors
  • Safety analyses: assume loss of the Instrument Air System

Proposed Activity

  • Install new IA compressors with digital controls
  • Likelihood of SCCF of all compressors not sufficiently low = 0 of 3 compressors
  • Possible loss of normal feedwater event

IA Compressor Digital Controls

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current / new | different result? / LAR? |
| --- | --- | --- | --- | --- |
| Plant 1 - NEI | 2/3 0/3 | Loss of Normal Feedwater (LONF) | IA system assumed to fail (no change) | No |
| Plant 2 - NEI | No existing description | LONF | No change | No |
| Plant 1 - NRC | 2/3 0/3 | LONF | No change | Yes |
| Plant 2 - NRC | No existing description | LONF | No change | Not Clear |

IA Compressor Digital Controls Illustrates

  • Appendix D's approach is consistent with NEI 96-07, Rev. 1 using the safety analysis level
  • Appendix D's approach supports NRC focus on risk-significant issues
  • The NRC's approach appears to require LARs for a lot of very reasonable and benign modifications.

Diesel Generator (D/G) Jacket Water Surge Tank Level Control

  • Diesel generator supplies power to required emergency loads
  • D/G needs jacket water supply in order to perform its design function
  • Two 100% redundant trains
  • Surge tank is described as having a manual-operated supply and drain, along with various alarms and a high temperature D/G trip
  • Low level alarm actuates at 200 gallons remaining in a 450 gallon surge tank
  • Drain line averages 5 GPM
  • Effect of operator error on surge tank draining is discussed

D/G Jacket Water Surge Tank Level Control

D/G Jacket Water Surge Tank Level Control

UFSAR

  • One D/G train operates
  • FMEA: low water makeup water replaces losses
  • Safety analyses: assume single failure; one train operates

Proposed Activity

  • Replace manual control with digital controllers and air-operated valves
  • Likelihood of SCCF of both controllers not sufficiently low = 0 of 2 D/G
  • FMEA would examine losing both trains
  • Safety analyses would reflect FMEA outcome

D/G Jacket Water Surge Tank Level Control - new/revised FMEA

  • Procedures already exist for:
      • Local operator monitoring of D/G operation
      • Response to Low Surge Tank alarms
      • MCR Trouble Alarm typically points to a local panel
      • Operator manipulation of surge tank supply and drain valve
  • 40 minutes (200 gallons being drained at 5 GPM) are available after alarm generation
  • Operator complies with procedural guidance
  • Surge tank function is preserved
  • D/G design function is preserved

D/G Jacket Water Surge Tank Level Con.

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current / new | different result? / LAR? |
| --- | --- | --- | --- | --- |
| Plant 1 - NEI | Detailed FMEA | D/G Operation | At least one D/G operates (no change) | No |
| Plant 2 - NEI | No existing description | D/G Operation | No change | No |
| Plant 1 - NRC | Detailed FMEA | D/G Operation | No change | Yes |
| Plant 2 - NRC | No existing description | D/G Operation | No change | Not Clear |

D/G Jacket Water Surge Tank Level Control Illustrates

  • Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
  • NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
  • NRC's approach is not clear for plants with no existing UFSAR description
  • Appendix D's approach is consistent with NEI 96-07, Rev. 1
  • Both developed with NOPR and 1999 Final Rule SOC in mind
  • Revised FMEA = The result of the logically required operator actions in response to the effect of the level controller's failure is the preservation of the D/G's function

Containment Fan Coolers Digital Controls

  • Limits the containment ambient temperature during normal plant operating conditions
  • Reduce containment ambient temperature and pressure following a Loss of Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) inside containment
  • Provides mixing of the sprayed and unsprayed regions of the containment to improve airborne fission product removal
  • Provides a mixed atmosphere for hydrogen control
  • Five containment fan coolers provided

Containment Fan Coolers Digital Controls

Containment Fan Coolers Digital Controls

UFSAR

  • 2 of 5 coolers required to operate following a DBA
  • FMEA: at least two operable coolers has no effect on the Containment Heat Removal System
  • Containment pressure safety analyses: two coolers assumed to operate

Proposed Activity

  • Install digital controls for each containment fan cooler
  • Likelihood of SCCF of all fan coolers "not sufficiently low" = 0 of 5 coolers following a DBA
  • Calculation that used the cooling rate produced by two fan coolers revised to using a value of zero (0)

Containment Fan Coolers Digital Controls

| Scenario | UFSAR | 3.12 Safety Analyses | (vi) different result? | (vii) DBLFPB exceeded or altered? | LAR? |
| --- | --- | --- | --- | --- | --- |
| Plant 1 - NEI | 2/5 0/5 coolers | Ctmt Press. | Yes - SA Acc. Crit. NOT Met | No - SA Acc. Crit. Met | Yes |
| Plant 2 - NEI | No existing description | Not Credited | No | No | No |
| Plant 1 - NRC | 2/5 0/5 coolers | Ctmt Press. | Yes | No | Yes |
| Plant 2 - NRC | No existing description | Not Credited | Not Clear | No | Not Clear |

Containment Fan Coolers Digital Controls Illustrates

  • Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
  • NRC's approach appears to differ based upon level of UFSAR detail (reinstates problem of uneven application)
  • NRC's approach is not clear for plants with no existing UFSAR description
  • Appendix D's approach focuses on the same safety analysis as criterion 7, but with differing assumptions
  • Criterion 6: to create a possibility, assume SCCF (0/5 coolers)
  • Criterion 7: to reflect performance as designed, assume single failure (at least 2/5 coolers)

Digital Feedwater Control System

Main Feedwater Regulating Valves (MFRV) and Bypass Feedwater Regulating Valves (BFRV) automatically control feedwater flow and maintain steam generator water level.

The Steam Generator Water Level Control System (SGWLCS) establishes and maintains the steam generator water level within predetermined limits during normal operating transients. The SGWLCS also maintains the steam generator water level within predetermined limits and unit trip conditions.

Digital Feedwater Control System

UFSAR

  • A switchover from the BFRVs to the MFRVs is initiated manually by the operator at approximately 25 percent power
  • UFSAR Section 15.1.2, Feedwater System Malfunctions that Result in an Increase in Feedwater Flow, considers the full opening of one feedwater regulating valve

Proposed Activity

  • Install digital controls to use the BFRV alone, the MFRV and BFRV in parallel, or the MFRV alone to automatically control feedwater flow as power level changes.
  • Possible increase in feedwater flowrate in two loops due to both the MFRVs and BFRVs going fully open.

Digital Feedwater Control System

The reanalysis of the hot full power case feedwater malfunction event in one loop demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 are acceptable with the proposed change and assuming a SCCF. An analysis of a hot full power case feedwater malfunction event in two loops was also performed and also demonstrated that the results and conclusions discussed in UFSAR Section 15.1.2 for the hot full power case for one loop are also satisfied. Specifically, the peak heat flux does not exceed 118 percent of its nominal value, and the DNBR remains above the design DNBR limit of 1.24/1.23. Additionally, the RCS pressure remains below 110% of RCS design pressure.

Digital Feedwater Control System

| Scenario | UFSAR Description | 3.12 Safety Analyses | SA current / new | different result? / LAR? |
| --- | --- | --- | --- | --- |
| Plant 1 - NEI | 1 con/ loop 1 con/ 2 loops | Increase in FW Flow | 1 FRV full open 4 FRV full open (2 MFRV & 2 BFRV) | No - SA Acc. Crit. Met |
| Plant 2 - NEI | No existing description | Increase in FW Flow | See above | No - SA Acc. Crit. Met |
| Plant 1 - NRC | 1 con/ loop 1 con/ 2 loops | Increase in FW Flow | See above | Yes |
| Plant 2 - NRC | No existing description | Increase in FW Flow | See above | Not Clear |

Digital Feedwater Control System Illustrates

  • Appendix D's approach is consistent with NEI 96-07, Rev. 1 using the safety analysis level
  • Appendix D's approach produces a consistent answer independent of UFSAR detail, avoiding uneven application
  • Consistent with NRC's Reliability Principle of Good Regulation
  • Supports NRC focus on risk-significant issues

Criterion 6 - Four Major Points

1. NEI 96-07, Definition 3.9, malfunction of an SSC important to safety is used within Section 4.3.6 of Appendix D consistently
2. The rulemaking record is clear - the rule's intent to identify a different result is to examine the safety analyses
3. Consistent with NEI 96-07, Rev. 1, Section 4.3.6 of Appendix D avoids uneven application of 10 CFR 50.59
4. Section 4.3.6 of Appendix D is consistent with the other 10 CFR 50.59 Evaluation criteria

Back-up Slides

Feedwater Discharge Filter Installation

  • Feedwater discharge piping currently has a debris strainer intended for the removal of larger objects. (Installed during pre-operational testing.)
  • A higher quality duplex filter is being installed, along with:
      • A differential pressure alarm to indicate the need to rotate the filter
      • New procedural steps to direct operation of the filter

Feedwater Discharge Filter Installation - Example of Plant UFSAR

Feedwater Discharge Filter Installation

UFSAR

  • Debris strainers currently exist.
  • Filters have large clearances resulting in no potential for Feedwater flow disruption
  • Safety analyses: assumes Loss of Normal Feedwater Flow (LONF)

Proposed Activity

  • Install new duplex filters in support of high feedwater quality
  • Duplex filter will include a high differential pressure alarm to indicate need for filter rotation.
  • Operations personnel will have required procedural steps
  • No involvement of digital devices
  • LONF event will be considered

Feedwater Discharge Filter Installation

| Scenario | UFSAR | 3.12 Safety Analyses | SA current / new | different result? / LAR? |
| --- | --- | --- | --- | --- |
| Plant 1 - NEI | strainers filters | Loss of Normal Feedwater (LONF) | Strainer/filter equivalent to a section of pipe (no change) | No |
| Plant 2 - NEI | No existing description | LONF | No change | No |
| Plant 1 - NRC | strainers filters | LONF | No change | Yes |
| Plant 2 - NRC | No existing description | | No change | Not Clear |

FW Discharge Filter Installation Illustrates

ANALOGOUS TO THE IA COMPRESSOR DIGITAL CONTROL EX.

  • Appendix D's approach is consistent with NEI 96-07, Rev. 1 treatment of commonly encountered non-digital modifications using the safety analysis level
  • Appendix D's approach is consistent with NRC's Reliability Principle of Good Regulation
  • NRC's approach appears to introduce differing treatment for digital versus non-digital activities
  • Treatment of Manual Actions to rotate the filter are addressed by criterion 2

NEI 96-07, Rev. 1, 3.12 Safety Analyses

Definition

Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11. Safety analyses are required to be presented in the UFSAR per 10 CFR 50.34(b) and 10 CFR 50.71(e) and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR.

NEI 96-07, Rev. 1, 3.12 Safety Analyses

Discussion

Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. Containment, ECCS and accident analyses typically presented in Chapters 6 and 15 of the UFSAR clearly fall within the meaning of safety analyses as defined above. Also within the meaning of this definition for purposes of 50.59 are:

  • Supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses
  • UFSAR analyses of events that the facility is required to withstand such as turbine missiles, fires, floods, earthquakes, station blackout and ATWS.

FMEA-related Operator Actions

APP D, SEC 4.3.6, STEP #3 PROVIDES THE FOLLOWING GUIDANCE:

Interdependence

From Section 4.3 of NEI 96-07:

It is appropriate for discrete elements to be evaluated together if (1) they are interdependent as in the case where a modification to a system or component necessitates additional changes to other systems or procedures; or (2) they are performed collectively to address a design or operational issue.

  • The jacket water modification/design must include provisions for manual override of the supply and drain lines
  • Any interdependent procedure/plant changes are considered to be part of the modification

Example #4 FROM SECTION 4.3.2 OF NEI 96-07:

Examples of Unacceptable Manual Actions

Opening containment sump outlet valves within a roughly ten-minute post-accident window to properly fill ECCS suction piping. (ECCS system will automatically draw from piping within the ensuing 10 minutes.)

Does not satisfy the third bullet:

The evaluation of the change considers the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery

Examples of Unacceptable Manual Actions

Stationing an operator on a chair to shut a 10 inch manual valve that forms the boundary between a seismic RWST and a non-seismic clean-up system. (This action would take place following a seismic event.)

Does not satisfy the second bullet:

The licensee has demonstrated that the action can be completed in the time required considering the aggregate affects, such as workload or environmental conditions, expected to exist when the action is required

Timing Requirements for Manual Actions

The first bullet of Example #4 states:

The action (including required completion time) is reflected in plant procedures and operator training programs

  • Most situations are resolved by examining the other bullets.
  • No NRC-approved guidance exists
  • DG-1052 intended to endorse ANS 58.8-1994
  • Useful for difficult situations

Comparison of Rulemaking Record, NEI 96-07, Section 4.3.6, and the D/G Jacket Water Surge Tank Controller

  • NEI 96-07, Revision 1, was developed using important portions of the Notice of Proposed Rulemaking and Statement of Consideration
  • This practice was applied to Section 4.3.6
  • Conclusions for the application of criterion 6:
      • The safety analysis functional level is intended to be used to determine the need for NRC review
      • Pre-existing FMEAs are to be considered, but may need to be altered

Comparison of NOPR and NEI 96-07, Section 4.3.6

However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction.

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

The NPRM words were repeated in 96-07.

The reference to safety analysis is linked to the first sentence in section 4.3.6 and represents the Chapter 15 Analysis.

Comparison of SOC and NEI 96-07, Section 4.3.6

The proposed rule discussion further stated that this determination should be made either at the component level, or consistent with the failure modes and effects analyses (FMEA), taking into account single failure assumptions, and the level of the change being made.

The Commission agrees that this criterion should be considered with respect to the FMEA, but also notes that certain changes may require a new FMEA, which would then need to be evaluated as to whether the effects of the malfunctions are bounding.

In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified.

This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. Attention must be given to whether the malfunction was evaluated in the accident analyses at the component level or the overall system level.

The current FMEA had to be altered due to the new level controller; thus new FMEA.

Point 1 - A Malfunction is Defined

  • A malfunction is a failure to perform a Design Function
  • A Design Function is either:
      • A Design Basis Function
      • Supports or impacts a Design Basis Function
      • Accident/transient initiator
  • A Design Basis Function is either:
      • Required by regulations, license conditions, orders, or TS
      • Credited in the safety analysis
  • App B to NEI 97-04 (endorsed by RG 1.186) states that Design Basis Functions are:
      • Derived primarily from the GDCs
      • Functionally far above individual SSC functions
  • Safety Analyses provide context

All of the information on this slide is found in approved regulatory guidance or the regulation itself.

In every instance, the Evaluation begins at the lower SSC level and assesses the impact at the safety analysis level.

(e.g., D/G jacket water level D/G)

Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result

From the Notice of Proposed Rulemaking for the current regulation:

The final change is being proposed in response to the comments on the staff proposed guidance (NUREG-1606) on the interpretation of malfunction (of equipment important to safety) of a different type However, the Commission recognizes that in its reviews, equipment malfunctions are generally postulated as potential single failures to evaluate plant performance; thus, the focus of the NRC review was on the result, rather than the cause/type of malfunction. Unless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change that led to the new type of malfunction. Therefore, as the third change in § 50.59(a)(2)(ii), the Commission is proposing to change the phrase "of a different type" to "with a different result."

"different result" with respect to safety analyses - the focus since 1999

Point 2 - Rulemaking Record Refers to Safety Analysis Level for Different Result

GL 95-02

The staff has provided guidance on this issue in Generic Letter (GL) 95-02, concerning replacement of analog systems with digital instrumentation.

The GL states that in considering whether new types of failures are created, this must be done at the level of equipment being replaced - not at the overall system level. Further, it is not sufficient for a licensee to state that since failure of a system or train was postulated in the SAR, any other equipment failure is bounded by this assumption, unless there is some assurance that the mode of failure can be detected and that there are no consequential effects (electrical interference, materials interactions, etc.), such that it can be reasonably concluded that the SAR analysis was truly bounding and applicable.

  • Guidance generated for applying the pre-1999 rule language of "type"
  • Guidance generated for where to apply "result" in the revised rule

Point 3 - Avoid Uneven Application of 10 CFR 50.59

From SECY 97-035:

Plant SARs vary in depth and completeness. In general, the level of detail of information contained in an SAR for later facility applications was much greater than that for the earlier licensed plants. Thus, tying the scope of 10 CFR 50.59 to the SAR results in uneven application of 10 CFR 50.59.

  • The solution in the current rule was to focus on Design Functions and not the descriptive material contained in the UFSAR
  • Since individual sites have varying degrees of UFSAR descriptive material, this is necessary to avoid having the same change treated differently
  • App B to NEI 97-04 (endorsed by RG 1.186) provides guidance that the response to an individual SSC's failure is part of the descriptive material and not part of the safety analysis

Point 4 - Section 4.3.6 Consistent With Other Criteria

accident previously evaluated in the final safety analysis report (as updated)

malfunction of an SSC important to safety previously evaluated in the final safety analysis report (as updated)

as described in the FSAR (as updated) being exceeded or altered

  • Criteria 3, 4, and 7 all rely solely on the results of safety analyses

Summary

  • Section 4.3.6 of NEI 96-07, Appendix D, solely utilizes previously approved definitions from NEI 96-07, Revision 1
  • Section 4.3.6 of NEI 96-07, Appendix D relies on the 1999 rulemaking record and two decades of experience with NEI 96-07, Rev. 1 to understand "different result"
  • The rulemaking record establishes that "[u]nless the equipment would fail in a way not already evaluated in the safety analysis, there is no need for NRC review of the change..."
  • The logic and treatment of Section 4.3.6 of NEI 96-07, Appendix D, is consistent with the application of other 10 CFR 50.59 Evaluation criteria.

NEI 96-07 Appendix D - Purpose

  • Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications
  • Incorporates RIS 2002-22 Supplement 1 clarification on preparing and documenting qualitative assessments
  • Engineering and technical work is complete to support the 10 CFR 50.59 Review conclusions
  • Recall that 10 CFR 50.59 is a licensing/right-of-prior-approval review
  • NRC inspects following Licensee approval and implementation, or NRC approves in advance with license amendment