Regulatory Guide 3.6

Content of Technical Specifications for Fuel Reprocessing Plants
ML003740163
Issue date: 04/09/1973
From: Office of Nuclear Regulatory Research
References: RG-3.6

I. INTRODUCTION

In accordance with § 50.34 of 10 CFR Part 50, an application for a construction permit for a production or utilization facility is required to include an identification and justification for the selection of those variables, conditions, or other items which are determined as a result of preliminary safety analysis and evaluation to be probable subjects of technical specifications for the plant. Special attention should be given to those items which may significantly influence the final design. The objective in selecting probable technical specification subjects is to identify those items that would require special attention at the construction permit stage to avoid the necessity for any significant change in design to support final technical specifications, e.g., particularly those specifications that include technical operating limits, conditions, and requirements imposed upon plant operation in the interest of the health and safety of the public.

The probable subjects for technical specifications and the corresponding justification proposed by an applicant for its plant are included in the Preliminary Safety Analysis Report (PSAR) and should be as complete as the status of the design permits, i.e., to the fullest extent possible, numerical values and other pertinent data should be provided.

In accordance with § 50.36 of 10 CFR Part 50, each operating license for a production or utilization facility issued by the Atomic Energy Commission must contain technical operating limits, conditions, and requirements imposed upon plant operation in the interest of the health and safety of the public. The technical specifications are proposed by the applicant for an operating license. After review by the AEC regulatory staff, they are modified as necessary before becoming part of the operating license. A statement of the bases or reasons for all specifications, other than those dealing with administrative controls, must be included in the application but does not become part of the technical specifications. Technical specifications cannot be changed without prior Commission approval.

Section 50.36 of 10 CFR Part 50 sets forth definitions and requirements relating to five categories for which technical specifications for fuel reprocessing plants may be appropriate: (1) safety limits and limiting control settings, (2) limiting conditions for operation, (3) surveillance requirements, (4) design features, and (5) administrative controls. This document provides general guidelines for the development of technical specifications under each category. Exhibit I of this guide presents a suggested format for technical specifications for Categories 1, 2, 3, and 4, as listed above.

II. CONTENT OF TECHNICAL SPECIFICATIONS

Technical specifications should include both technical and administrative matters.

Technical specifications related to technical matters should consist of those features (process variables, systems, or components) of the facility that are of controlling importance to safety.

In addition, technical specifications related to technical matters should include effluent and environmental monitoring and specifications addressed to the attainment of "as low as practicable" levels of releases and exposures. Technical specifications related to administrative matters should be addressed to those organizational and functional requirements that are important to the achievement and maintenance of safe operation of the facility.

USAEC REGULATORY GUIDES

Regulatory Guides are issued to describe and make available to the public methods acceptable to the AEC Regulatory staff of implementing specific parts of the Commission's regulations, to delineate techniques used by the staff in evaluating specific problems or postulated accidents, or to provide guidance to applicants. Regulatory Guides are not substitutes for regulations and compliance with them is not required. Methods and solutions different from those set out in the guides will be acceptable if they provide a basis for the findings requisite to the issuance or continuance of a permit or license by the Commission.

Published guides will be revised periodically, as appropriate, to accommodate comments and to reflect new information or experience. Copies of published guides may be obtained by request indicating the divisions desired to the U.S. Atomic Energy Commission, Washington, D.C. 20646, Attention: Director of Regulatory Standards. Comments and suggestions for improvements in these guides are encouraged and should be sent to the Secretary of the Commission, U.S. Atomic Energy Commission, Washington, D.C. 20645, Attention: Chief, Public Proceedings Staff.

The guides are issued in the following ten broad divisions:

1. Power Reactors

2. Research and Test Reactors

3. Fuels and Materials Facilities

4. Environmental and Siting

5. Materials and Plant Protection

6. Products

7. Transportation

8. Occupational Health

9. Antitrust

10. General

U.S. ATOMIC ENERGY COMMISSION, DIRECTORATE OF REGULATORY STANDARDS

1. Technical Matters

The identification of controlling features can be accomplished by a thorough safety analysis of the facility based on current knowledge and understanding of safety needs and techniques. The safety analysis should determine:

a. The margins of safety during normal operations and transient conditions anticipated during the life of the facility; and

b. The adequacy of structures, systems, and components provided for the prevention of accidents and the mitigation of the consequences of accidents.

The performance of such an analysis should entail:

a. Detailed examination of structures, systems, and components with respect to their ability to meet assigned objectives;

b. Evaluation of their ability to resist malfunction;

c. Estimation of their ability to function reliably despite malfunction of related structures, systems, or components; and

d. Determination and understanding of the conditions or circumstances relating to equipment or process variables, under which each can no longer function properly.

The focal points for the analysis should be (1) the design features that assure that radioactive materials will not be dispersed from the process equipment (accidentally or otherwise) and (2) the filters and barriers that prevent radioactive materials from reaching the environment. These various successive barriers to the release of radioactivity form a defense in depth on which overall safety depends. "Defense in depth" carries a broader connotation than just that related to successive protective features to prevent release of radioactivity.

For example, the principle applies to control and alarm instrumentation (i.e., redundancy and backup); to people, equipment, and procedural interactions; and to review and audit by various groups at several levels of management. This is further illustrated in section IV of this guide in which the five categories of technical specifications are discussed.

The relationships of the barriers to the operation of a facility and to the conditions and characteristics that lead to protection of the barriers are shown in Figure 1 of this guide, which is a simplified diagram showing the course of events which could lead to violation of one or more of the barriers. Conditions of normal operation are represented by the first block in Figure 1. To maintain these conditions, two important sets of circumstances must exist: (1) important process variables must be maintained in their normal ranges and (2) components and systems of equipment must be operating properly.

Process variables are maintained in their normal ranges by use of standard operating procedures, and in some instances, by automatic control systems. Equipment which is necessary to operate or control the process is monitored throughout the operation, and some components and systems are tested and checked during operation to assure that they are operating correctly.

In the event of errors in operation or relatively minor malfunctions of equipment, a condition of abnormal operation, as illustrated by the second block in Figure 1, will exist. To prevent further progression of these circumstances, special operating procedures, alarms, or automatic controls are usually provided. Even though these procedures and controls return the operating situation to normal, any radioactivity that was released to the cells must not reach the environment. Hence, the further barriers must be functioning adequately.

The progression in Figure 1 illustrates the need to develop specifications which will ensure that successive barriers exist; that process controls, procedures, and equipment are functioning as necessary to prevent accidents and dispersal of radioactivity; and that systems controlling the liquid and gaseous effluents possess sufficient reserve capacity not needed for routine operation to control the results of any accidents. For example, in a fuel reprocessing plant, the scrubbers, filters, and absorbers used to treat the offgas constitute a barrier to release of radioactive contamination to the environment. As a prerequisite for facility operation, it is necessary to specify the condition of operability of these systems. It is also necessary to specify surveillance and testing programs for these items to assure their proper functioning.

No barrier is perfect, and therefore sole reliance should not be placed on any single barrier to protect public health and safety. However, careful attention to the maintenance of integrity and performance of each of the barriers can substantially reduce the consequences of a serious accident. Therefore, technical and engineering matters forming the subjects for technical specifications should be addressed to reasonable maintenance of each of the barriers.

Surveillance of the site, by monitoring of the potential pathways of radionuclides through the environment to man, provides added assurance that the integrity and performance of the barriers has been adequate to protect public health and safety.

2. Administrative Matters

With respect to administrative controls, the framework for technical specifications is based on four principal functions that should be performed:

a. Operation of the plant equipment;

b. Maintenance of equipment;

c. Record keeping; and

d. Audits, reviews, and evaluation of operations (i.e., performance of both equipment and people).

While reprocessing plants may vary in size, character, and complexity, the safe operation of a facility depends on an organization that includes people of various talents. For the organization to operate successfully, there must be delegation of responsibility and authority. To ensure a safety consciousness throughout the organization, management must provide safety standards and objectives as well as a procedural system that implements these.

Important factors in such a system include the following:

a. An organizational structure that provides a clear definition of responsibility, authority, and accountability;

b. Personnel with adequate technical ability, experience, and training;

c. Standards and limits within which the fuel reprocessing plant and auxiliaries must be operated;

d. Approved written procedures for all operations, including procedures for abnormal and emergency conditions and procedures for review, approval, and execution of changes to the process, equipment, or procedure;

e. Thorough analysis of all unusual incidents;

f. Scheduled periodic review of the operation by competent independent staff with a high level of authority; and

g. Prompt corrective action on deficiencies found during audits.

III. BASES FOR TECHNICAL SPECIFICATIONS

When a technical specification has been selected, the bases for its selection and its significance to safety of operation should be defined. This can be done by the provision of a summary statement, in writing, of the technical and operational considerations which justify the selection. The Safety Analysis Report (SAR) should fully develop, through analysis and evaluation, the details of these bases. The physical format for technical specifications therefore assumes importance, since the collection of specifications and their written bases form a document which delineates facility features that are important to safety of operation, the reasons for their importance, and their relations one to the other.

Furthermore, as experience in operation and technical knowledge accrue, changes in technical specifications become desirable from time to time, and the written basis for a specification provides for orderly analysis and evaluation of such changes. Only the specifications are binding upon the licensee. Bases are supporting information.

IV. DEVELOPMENT OF TECHNICAL SPECIFICATIONS

The five categories for which technical specifications are defined in § 50.36 of 10 CFR Part 50 have been derived from a consideration of factors that bear on the use and maintenance of physical barriers in the operation of a facility. Additional categories may be designated by the applicant. The following discussion will examine and outline the development of technical specifications that must be covered.

1. Safety Limits and Limiting Control Settings

Specifications of this category apply to safety-related process variables which are observable and measurable (e.g., pressures, temperatures, flow rates, concentrations, volumes, and quantities). Control of such variables is directly related to the performance and integrity of equipment and confinement barriers.

Figure 2 of this guide illustrates in a general way the concepts of limits and their relation to normal conditions of plant operation.

The safety limit for a given variable is a value of that variable at which one can say with confidence that no serious consequences will occur. If the value of the variable were to reach this limit, no hazard to the public health and safety would exist even if all other variables were at the upper bounds of their operating ranges.

Beyond the safety limit, and separated from it by a finite margin, is a danger zone in which unacceptable consequences may occur or for which a safety analysis has not been performed. Somewhere in this zone is a real limit which divides values that are certain to result in unacceptable consequences from those that will not.

Usually, this limit cannot be precisely located because of uncertainties both in the acceptability criteria and in technical knowledge of the process, and because this limit is interdependent with the values of other variables.

Therefore, the safety limit for a given variable is chosen after consideration of experience, experimental results, interaction between variables, and all other pertinent plant characteristics, and is located conservatively within the bounds of knowledge. The margin noted as "Allowance for Uncertainty..." in Figure 2 is intended to take into account the factors mentioned above. For example, consider the variables pressure, temperature, and acid concentration in a dissolver. Pressure may be limited so that the dissolver offgas system does not become overloaded. Temperature and acid concentration may be limited at a certain stage of the process to control reaction rate.

The practical result of this approach is that the transgression of a safety limit by a small amount would not produce unacceptable consequences. However, this action would represent a significant and undesirable departure from proper operation. To transgress a safety limit, significant equipment malfunction or failure or one or more significant deviations from operating procedures, or both, would have to occur.

At a level on the safe side of the safety limit, a limiting control setting is selected. The region between this setting and the safety limit should be sufficient to allow for alarms and for subsequent corrective action by automatic protective action controls or procedure systems to return the situation to normal or to shut the process down before the safety limit is reached.

Selection of the limiting control settings must take into account response times, transient characteristics, calibration uncertainties, and instrument reliabilities and inaccuracies.

Some examples of situations that should be considered are excess pressure or vacuum in a cell or glove box, high concentration of fissile material in an extraction unit, high temperature of solvent systems, loss of coolant in a high-heat-generating system, and abnormal hydrogen concentration in an offgas system.

On the safe side of the limiting control setting lies the zone of normal operations. Allowance must be made for the possibility that the value of the variable may transgress the normal zone occasionally due to instrument drift, minor operational errors, and normal fluctuations in process or control characteristics.

Therefore, a margin should be left between the normal operating zone and the limiting control setting because of these factors. This is the "Operating Margin" shown in Figure 2. Usually, alarms or annunciators are provided between the operating zone and the limiting control setting or the safety system action point to promote corrective action and to help prevent any significant invasion of the safety margin.

A result of proper relation between the safety limit or the limiting control setting and the normal operating zone is that the limiting control setting should seldom be exceeded and any safety system should seldom be activated.

2. Limiting Conditions for Operation

This category of technical specification covers two general classes, (a) equipment and (b) technical conditions and characteristics of the plant necessary for continued operation, as discussed below:

a. Equipment

Several types of equipment are important to the safety of the operation and to the maintenance of a barrier between the radioactivity inside the plant and the external environment.

For these types, technical specifications must establish the lowest acceptable level of performance for a system or component and the minimum number of components or the minimum portion of the system that must be operable or available.

One such type of equipment, with its associated specifications, consists of those systems and components directly related to the control of operating conditions essential to safety and to the prevention of accidents. Many items in this type also will have safety limits.

As examples, this type would include concentration monitors, temperature monitors, interlocks to control maximum evaporator temperatures, and radioactivity monitors on effluents.

A second type is the vital equipment and services which must always be available or in a state of readiness to assure continued safe operation and to prevent a malfunction from developing into a severe accident situation. Examples of this type are emergency power, emergency air, emergency steam, spare on-line ventilation fans, backup cooling water supplies, and fire prevention systems.

A third type of equipment that requires performance and integrity specifications are the filters and barriers that must perform well routinely but must also have some minimum reserve capacity to contain large accidents. Examples of this equipment type, with typical appropriate specifications, are iodine absorbers and their minimum efficiency, main ventilation filters and their minimum efficiency, segregated or closed loop cooling systems and their maximum leakage rate, ventilation system structures and their maximum backflow or leakage rates at some accident-generated pressure wave, and the building or process cell structures and their leakage rate at some pressure differential.

b. Technical Conditions and Characteristics

Technical conditions and characteristics should be stated in terms of allowable quantities, e.g., temperature, pressure, mass of fissionable material in certain systems, concentration of radioactive material in certain systems, volume of fluid required in a system, chemical constitution of certain fluids, or allowable configurations of equipment.

As an example of an allowable quantity, the temperature of a cell containing solvent extraction equipment might qualify as a technical specification.

Such a cell could be assumed to contain spilled or uncontained solvent. If the temperature of the cell were allowed to rise to the flash point of the solvent, a fire and explosion might result which could adversely affect the confinement systems.

To derive a limiting condition for operation, one must consider both the minimum complement of equipment necessary to maintain operation in the "normal" range and the equipment necessary to accommodate abnormal situations.

For example, sufficient equipment in all systems should be operable so that in the event of further, but limited and defined, failure of equipment, a power outage or other transient situation, or an error in operation, the plant could be safely shut down and the design basis accident could be accommodated with the equipment remaining available.

3. Surveillance Requirements

Major emphasis in surveillance specifications should be placed on those systems and components which are essential to safety during all modes of operation or are necessary to prevent or mitigate the consequences of accidents.

Tests, calibrations, or inspections are necessary to verify performance and availability of important equipment and detect incipient deficiencies. This is particularly true of those systems that are not used for normal operation but are necessary to cope with abnormal situations.

Surveillance requirements and limiting conditions for operation are frequently complementary. For a specific system, a limiting condition specification will typically establish the minimum performance level, and the surveillance requirement will prescribe the frequency and scope of tests to demonstrate such performance.

Surveillance requirements also include effluent monitoring and site environmental monitoring. The object of effluent and environmental monitoring is to verify and demonstrate that the integrity and performance of the barriers designed to contain radioactivity have been adequate to protect public health and safety.

Whenever possible, the frequency and type of surveillance should be based on quantitative data derived through experience or experiment on the possible rate at which defects might occur or at which limits might be exceeded. Surveillance programs should be periodically examined and modified as necessary to reflect new data or conditions.

4. Design Features

These technical specifications cover design characteristics of special importance to each of the physical barriers and to the maintenance of safety margins in the design. The principal objective of this category is to control changes in design of vital equipment.

Selection of specifications in this category should be predicated upon an examination of all equipment and materials associated with (and including) each barrier with respect to:

a. Whether a change in design would affect any technical specification;

b. Whether any margin of safety associated with any technical specifications would be affected; and

c. Whether the equipment or its performance is covered in any other technical specification.

5. Administrative Controls

The Safety Analysis Report should contain a full description and discussion of organization and administrative systems and procedures for operation of the facility.

Technical specifications of this category should consist of summary statements and descriptions of administrative arrangements for the following subjects:

a. Organization, showing lines of authority from top (licensee) management on through all activities, both technical and operational, with a description of the minimum qualifications established for key management and technical positions, for members of safety committees when such exist, and for positions on the operating staff. For this purpose, a chart may be used, if preferred, with footnotes as required.

b. Administrative action to be taken by the licensee in the event any requirement imposed by technical specifications is violated.

c. Detailed written procedures governing normal operation, abnormal situations, emergencies, and maintenance operations that may affect plant safety.

d. Logs and records of operation, maintenance, changes to procedures and equipment, tests, inspections, calibrations, incidents, investigations, and reviews.

e. Review and approval mechanisms for authorization of new procedures as well as changes in procedures, equipment, and process, and for determining whether such changes can be made within the existing technical specifications.

f. Training programs for plant personnel.

g. Periodic review and audit of operations, including performance of both equipment and operating personnel.

h. Reports to the AEC.

V. CHANGES IN TECHNICAL SPECIFICATIONS AND IN PLANT EQUIPMENT

The technical specifications discussed in this guide are incorporated into the license issued for the operation of a facility. This means that the limits and conditions set forth in the specifications become legal bounds within which the licensee is required to operate the facility.

The system of specifications described above is intended to provide a reasonable degree of flexibility to licensee management for its control of operations in the interest of safety. Furthermore, in recognition of the fact that, as knowledge and experience accrue, changes in specifications or in equipment may become desirable or even necessary, the rules of the Commission provide for two categories of changes:

1. Changes in technical specifications or changes that involve an "unreviewed safety question" (see § 50.59 of 10 CFR Part 50) require prior review and authorization by the Commission.

2. Certain changes in plant equipment and procedures may be made by the licensee without prior Commission authorization provided he is able to make a suitable finding to the effect that the change does not involve an unreviewed safety question.

As equipment and personnel performance data become available throughout the operating life of a facility, earlier studies and data should be regularly reconsidered and updated to reflect actual experience.

When a change in a technical specification appears in order, its effect on related equipment and procedures should be analyzed and evaluated. The basis for the "old" specification provides a starting point for evaluation of the change.


When a change or modification [illegible] is contemplated, it should be examined for its effect on related equipment and procedures, and for any effect on the validity of the bases for [illegible] technical specifications. In this way, it can be determined whether the margin of safety would be adversely affected. Where necessary to justify the change, a revised basis should be provided. In addition, a revised basis should be submitted whenever a determination is made that an existing one is not valid, regardless of whether a specification change is proposed.

[Figure 1: diagram not reproduced. Barrier labels: vessel, cell, glove box, building, distance. Facility condition labels: normal operation, abnormal operation, release to cell or gloved enclosure, release to building, release to atmosphere, off-site consequences.]

Figure 1. RELATIONS AMONG PHYSICAL BARRIERS AND FACILITY CONDITIONS

[Figure 2: diagram not reproduced. Its labels, in order from the danger zone to the zone of normal operation:]

Danger Zone: Unacceptable consequences may occur.

Allowance for Uncertainty in Onset of Damage or Consequences

SAFETY LIMIT

Safety Margin: Allowance for control or safety system action plus calibration uncertainties and instrument inaccuracies.

LIMITING CONTROL SETTING

Operating Margin: Necessary to allow for instrument drift, minor operational errors, and fluctuations in process or control characteristics.

NORMAL OPERATING LIMIT

Zone of Normal Operation

Figure 2. LIMITS ON SAFETY PARAMETERS

EXHIBIT I

SUGGESTED FORMAT FOR TECHNICAL SPECIFICATIONS

Title (e.g., Temperature Control of Waste Evaporators)

Applicability. System(s) or portion(s) of the facility to which the specification applies should be clearly defined.

Objective. The reason(s) for the specification and the specific unsafe condition(s) it is intended to prevent.

Specification. Safety limits and limiting control setting(s) for the important variable(s), or the condition or surveillance requirement imposed.

Bases. The Safety Analysis Report should contain all pertinent information and an explicit, detailed analysis and assessment supporting the choice of the item and its specific value or characteristics. The basis for each specification should contain a summary of the information in the Safety Analysis Report in enough depth to indicate the completeness and validity of the source material and to provide justification for the specification. Subjects which may be appropriate for discussion in the bases are:

1. Technical Basis. The technical basis is derived from technical knowledge of the process and its characteristics and should support the choice of the particular variable as well as the value of the variable. The results of computations, experiments, or judgments should be stated, and analysis and evaluation should be summarized.

2. Equipment. A safety limit often is protected by or closely related to certain equipment. Such relation should be noted, and the means by which the variable is monitored and controlled should be briefly mentioned.

For specifications in categories 2, 3, and 4 of the text of this guide, this section of the bases is particularly important. The function of the equipment and how and why the requirement is selected should be noted here. In addition, the means by which surveillance is accomplished should be noted. If surveillance is required periodically, the basis for frequency of required action should be given.

3. Operation. The margins, and the bases therefor, that relate to the safety limit(s), the operating limit(s), and the normal operating zone(s) should be mentioned. The roles of operating procedures and of protective systems in guarding against exceeding a limit or condition should be stated. Brief discussion should be included of such factors as system response(s), process or operational transients, malfunctions, and procedural errors. Reference to related specifications should be made.

4. Assessment of Risk. The degree of confidence in the value of the variable or the condition specified or the uncertainties associated therewith should be stated as precisely as is possible. The potential results and effects of exceeding the limit should be mentioned, and the risk resulting therefrom should be evaluated.