
NRC Design and Licensing Fundamentals

Engineering Workbook
Revision: 2 Date: 11/30/2009

Record of Revisions

Revision Number   Revision Date   Reason for Revision
0                 1/16/2009       Original Issue
1                 9/15/2009       Corrected spelling errors; updated and clarified information based upon user feedback; reformatted figures.
2                 11/30/2009      Corrected grammatical errors


Table of Contents

Section                  Page
Purpose .................. 1
References ............... 1
Terminal Objectives ...... 1
Enabling Objectives ...... 1
Objective 1 .............. 5
Objective 2 .............. 6
Objective 3 .............. 15
Objective 4 .............. 20
Objective 5 .............. 36
Objective 6 .............. 41
Objective 7 .............. 50
Objective 8 .............. 51
Objective 9 .............. 52
Objective 10 ............. 56
Objective 11 ............. 58
Objective 12 ............. 59
Objective 13 ............. 61
Objective 14 ............. 63
Objective 15 ............. 63
Objective 16 ............. 65


PURPOSE: The purpose of this workbook is to provide an overview of the role of a nuclear power design engineer (engineer) working in the U.S. nuclear industry, to aid the student in developing a healthy respect for nuclear reactor safety, to provide the student with the basics of the Nuclear Regulatory Commission (NRC) licensing documents, issues, and design requirements, and to provide the basics of codes and standards used in the U.S. nuclear power industry.

REFERENCES: None; all required material and references are included in this workbook.

TERMINAL OBJECTIVE: Upon successful completion of this workbook, the student will be able to describe the role of an engineer and the basic NRC design and licensing concepts and requirements that apply to engineers working in the U.S. nuclear power industry.

ENABLING OBJECTIVES:

1. Describe the engineer's role in solving and preventing problems by:
   a. Describing the engineer's role in plant operation.
   b. Describing the engineer's role in nuclear safety.
   c. Describing the engineer's role in protecting the health and safety of the public.
   d. Describing the authority/responsibility of the ENERCON engineering divisions.
   e. Describing the relationship between the corrective action process and the health and safety of the public.

2. Describe the basic concepts of NRC regulation documents by:
   a. Identifying compliance documents and their purpose.
      - Atomic Energy Act
      - Code of Federal Regulations
      - Operating License
      - Technical Specifications
      - Commitments
      - FSAR
   b. Identifying regulatory guidance documents and their purpose.
      - Regulatory Guides
      - Inspection Manual
      - Standard Review Plan
      - NUREG
   c. Identifying common regulatory correspondence documents and their purpose.
      - Information Notices (IN)
      - Bulletins
      - Generic Letters
      - Safety Evaluations
      - Administrative Letters
      - Inspection Reports
      - 10CFR 50.54(f) Letters
      - Orders
      - Other Correspondence
      - Web Access

3. Describe the principle of defense-in-depth by:
   a. Describing the purpose of defense-in-depth.
   b. Describing the basic method for application of defense-in-depth.

4. Describe the Design and Licensing Basis by:
   a. Describing design basis.
   b. Describing licensing basis.
   c. Describing the difference between design basis and licensing basis.
   d. Describing when one may/should deviate from the design and/or licensing basis.
      - Normal Operation
      - Technical Specifications and the Corrective Action Program
      - Emergencies
   e. Describing the importance of design basis and licensing basis to engineering processes.

5. Describe the basic concepts for the application of the Maintenance Rule by:
   a. Identifying the regulatory requirement for the Maintenance Rule.
   b. Describing how the Maintenance Rule affects the engineering process.
   c. Defining Functional Failure, Maintenance Preventable Functional Failure (MPFF), A(1) Status, A(2) Status, and Scoped Components/Systems.
      - A(1) Status
      - A(2) Status
      - Functional Failure
      - Maintenance
      - Maintenance Preventable Functional Failure (MPFF)
      - Reliability
      - Risk
      - Scoped Components/Systems
      - Unavailability
   d. Defining the Maintenance Rule relationship to the Probabilistic Safety Assessment (PSA).

6. Describe the basic concepts of single failure analysis by:
   a. Defining single failure.
   b. Describing when single failure analysis applies to new design.
   c. Describing when single failure analysis applies to existing designs.
   d. Describing when single failure analysis need not be applied.

7. Describe the basic concepts of safety evaluations by describing how a safety evaluation relates to the safety or safe operation of the plant.

8. Describe the basic concepts of operability determinations by defining OPERABLE and OPERABILITY.

9. Describe the basic concepts of the Appendix R analysis by:
   a. Describing Appendix R.
   b. Identifying the equipment to which Appendix R applies.
   c. Explaining how Appendix R affects the engineering process.

10. Describe the basic concepts of electrical separation analysis to include:
   a. Regulatory Background
   b. The importance of electrical separation for the engineer

11. Describe the basic concepts of seismic II/I analysis by:
   a. Defining Seismic II/I.
   b. Identifying the equipment to which Seismic II/I applies.

12. Describe the basic concepts of loss of offsite power and station blackout analysis by:
   a. Identifying the requirements for the station blackout program.
   b. Defining station blackout.

13. Describe the basic concepts of the high energy line break analysis by:
   a. Identifying the requirements for high energy line break analysis.
   b. Defining high energy line break.
   c. Identifying to which equipment high energy line break analysis applies.

14. Describe the basic concepts of the flooding analysis by:
   a. Identifying the requirement for flooding analysis.
   b. Identifying equipment/features/rooms to which flooding analysis applies.

15. Describe the basic concepts of tornado and wind analysis by:
   a. Identifying the requirements for tornado and wind analysis.
   b. Identifying the equipment to which tornado and wind analyses apply.
   c. Describing the purposes of an Internal Missile Analysis.

16. Describe the concept of Codes and Standards by:
   a. Describing the difference between a Code and a Standard.
   b. Describing some of the more popular Codes and Standards that are used in the U.S. nuclear industry.


1.0 OBJECTIVE 1: Describe the engineer's role in solving and preventing problems.

The engineer must have knowledge of the regulatory and design basis requirements for the equipment/systems and procedures used in our clients' facilities in order to protect the health and safety of the public.

1.1 Describe the engineer's role in plant operation.

The engineer's job is to ensure that the design and licensing bases of our clients' facilities are maintained for the projects to which they are assigned. This is especially important when performing plant modifications (both permanent and temporary) with applicable calculations/analyses. When plant/system modifications are being developed, the engineer must keep in mind all of the analyses that have gone into the initial plant/system design and ensure the new design does not invalidate them. As an alternative, the evaluations are re-performed with new analyses to ensure the safety and regulatory acceptance of the change BEFORE it is implemented.

1.2 Describe the engineer's role in nuclear safety.

Keeping in mind defense-in-depth (see Objective 3), the engineer maintains reasonable assurance of public health and safety by ensuring that radionuclides are kept within the fuel rods. This is done by ensuring that parameters such as fuel and cladding temperatures do not exceed maximum allowed values. This is accomplished in part by ensuring that all emergency accident mitigation systems continue to perform their intended safety-related functions. Nothing must compromise that.

1.3 Describe the engineer's role in protecting the health and safety of the public.

The plant's Operating License (OL) is granted by the NRC on the basis that there exists reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. The engineer must keep in mind that the primary objective is to protect the health and safety of the public. The regulator is tasked with protecting the public's interest, and it is their primary objective.

1.4 Describe the authority/responsibility of the ENERCON engineering divisions.

The client's engineering department has the responsibility to ensure that the design basis of the facility is documented, interpreted, and maintained. However, while making operability evaluations, temporary modifications, permanent modifications, evaluations, testing and analyses, the ENERCON engineer must ensure that the design basis is maintained or changed in accordance with approved procedures for the project to which he/she is assigned. While making any changes the engineer must always keep in mind the licensing basis of the client's facility. Any changes requiring regulatory approval must be reviewed and approved by the client before the changes are implemented. While engineering processes should always stress economics, plant availability, and plant reliability, the overriding consideration is the health and safety of the public.

1.5 Describe the relationship between the corrective action process and the health and safety of the public.

10CFR50 Appendix B, Criterion XVI, Corrective Action, allows continued operation of the plant if degraded or nonconforming conditions are identified. An important restriction is that this allowance applies only to unanticipated events or discovered degraded or nonconforming conditions. It does not apply to desired operating conditions or future anticipated conditions (e.g., proposed procedure or plant changes, surveillances, other tests, etc.). These must be evaluated in accordance with 10CFR50.59 (see Objective 7) prior to implementation. As explained in Regulatory Issue Summary (RIS) 2005-20, the restrictions and conditions of this continued operation allowance within the Appendix B corrective action program are:
- Assurance of continued safe plant operation must exist.
- Conformance with Technical Specifications requirements must exist.
- The condition or circumstance must be brought back into conformance with the design basis/licensing bases at the first available opportunity.

The end point of this regulatory allowance is the end of the first available opportunity to correct the deficiency. If the deficiency cannot be corrected at the first available opportunity, 10CFR50.59 evaluations or special regulatory approval may be required.

2.0 OBJECTIVE 2: Describe the basic concepts of NRC regulation documents.

2.1 Identify compliance documents and their purpose.

The only true regulatory requirements are those formal requirements codified in NRC regulations (CFR), those formally incorporated into licenses by orders or license conditions, and formal commitments of the licensee.

2.1.1 Atomic Energy Act

The Atomic Energy Act and the Energy Reorganization Act that followed establish the NRC and provide it very general direction in broad terms. The NRC carries out its responsibilities under the Atomic Energy Act by creating regulations or rules.

2.1.2 Code of Federal Regulations (CFR)

The Energy Reorganization Act, Section 201, gives the NRC the authority to make regulations pertaining to nuclear energy. These regulations have the force of law. The NRC has the authority to relieve any licensee from any 10CFR requirement. The Code of Federal Regulations (CFR) is a compilation of rules published in the Federal Register by the executive departments and agencies of the Federal Government. The CFR is kept up to date by the use of the Federal Register. These two publications are used together to determine the latest version of any given rule. For the nuclear industry, the CFR contains the specific regulations promulgated by the NRC, as required by the Atomic Energy Act. Title 10 Energy, Chapter 1 Nuclear Regulatory Commission is commonly known as 10CFR and comprises Parts 0-199. Part 50 (10CFR50) deals with the licensing of domestic, commercial, light-water reactors and has the most impact on nuclear utilities. The following is a list and brief description of the parts of 10CFR that primarily apply to NRC licensed commercial nuclear reactors:

Part 2 - Policy and procedures related to issuing, amending, or revoking an OL, enforcement actions, and public rule making.
Part 19 - Requirements for disseminating information to nuclear plant workers concerning radiological working conditions, enforcement actions, etc. Rules of conduct for NRC inspections.
Part 20 - Standards for protection against radiation.
Part 21 - Reporting of defects and noncompliance.
Part 50 - Rules for license application, content of applications, facility design requirements, and reporting of events to the NRC.
   Appendix A - General Design Criteria
   Appendix B - Quality Assurance Criteria
Part 55 - Rules and procedures for the licensing of operators.
Part 100 - Reactor site criteria including population density, seismic and geologic evaluations.
   Appendix A - Seismic and Geologic Siting Criteria for Nuclear Power Plants

10CFR20 and 10CFR100 greatly affect day-to-day plant operations. 10CFR20 governs on-site radiation exposures and ALARA (As Low As Reasonably Achievable). 10CFR100 governs offsite radiation exposures from nuclear power facilities to the general public.

2.1.3 Operating License

The Operating License (OL) is the document authorizing the licensee to operate the power plant(s). It contains the conclusions resulting from the review of the OL application and the specific authorizations associated with the OL. It also lists the specific conditions upon which the OL is issued (license conditions). Standard license conditions are the maximum authorized power level and the incorporation into the license of the Appendix A Technical Specifications and the Appendix B Environmental Protection Plan. Additional license conditions may consist of issues identified during ongoing license amendment processes or significant safety or environmental issues that were identified in the NRC staff review of the plant. The OL will list any exemptions to the NRC regulations that have been granted under 10CFR50.12.

2.1.4 Technical Specifications

10CFR50.36 requires each application for operation of a nuclear plant to include technical specifications and bases for the technical specifications. The current Technical Specifications include safety limits, limiting safety system settings, limiting conditions for operation, surveillance requirements, design features and administrative controls. The Technical Specifications establish operating limits for the facilities. Failure to comply with these limits may require the reduction of the allowable operating power level and in some cases even a complete shutdown and cooldown of the plant.

2.1.5 Commitments

A Regulatory Commitment is an explicit statement submitted in writing by licensee management to a federal, state, or other regulatory agency to complete or continue to perform a specific action to maintain compliance and/or effective performance.

2.1.6 FSAR

The Final Safety Analysis Report (FSAR) is another part of the plant's licensing basis. It is a description of the plant configuration, plant operation, and administrative controls. The original version was the license application and described how the plant design, maintenance, and operation will protect the health and safety of the public from undue risk due to nuclear power production. The FSAR is updated periodically in accordance with regulatory requirements.

2.2 Identify regulatory guidance documents and their purpose.

The NRC staff has developed guidance documents to assist licensees in implementing the requirements in the regulations (CFR). The guidance provides specific ways, acceptable to the NRC staff, to comply with the general broad requirements in the CFR. It is worth noting that individual staff reviewers sometimes interpret regulatory guidance as being requirements. This is not the case. Guidance documents only represent a way, acceptable to the NRC staff, to meet a regulatory requirement. Other ways may be found equally acceptable after review by the NRC staff. The major sources of regulatory guidance are the Regulatory Guides and the NUREGs (see 2.2.4).

2.2.1 Regulatory Guides

The Regulatory Guide Series provides assistance and guidance to licensees and applicants on implementing specific parts of the NRC's regulations, techniques used by the staff in evaluating specific problems or postulated accidents, and data needed by the staff in its review of applications for permits or licenses. These are also known as Reg Guides. Regulatory Guides were initially issued as Safety Guides. The Safety Guide system evolved into Regulatory Guides. Regulatory Guides are divided into the following ten broad divisions:
- Division 1, Power Reactors
- Division 2, Research and Test Reactors
- Division 3, Fuels and Materials Facilities
- Division 4, Environmental and Siting Guides
- Division 5, Materials and Plant Protection
- Division 6, Products
- Division 7, Transportation
- Division 8, Occupational Health
- Division 9, Antitrust and Financial Review
- Division 10, General Guides

Regulatory Guides are not issued in the Federal Register and do not have the force of law. They describe acceptable (to the NRC) methods of implementing the regulations. Other methods may be employed by the licensee, but the burden is upon the licensee to show compliance with the regulations. The purpose of the NRC Regulatory Guides is to:
- Describe acceptable methods of implementing specific parts of the NRC Regulations.
- Delineate the techniques that are to be used in evaluating specific areas.
- Provide guidance concerning information needed for review of applications for OLs.
- Make available to the public information on what the NRC considers adequate for licensee compliance with its regulations.

Published Regulatory Guides are not required to be committed to by the licensee and are only recommended methods that may be used to satisfy a requirement. Compliance with Regulatory Guides may become required (mandatory) if:
- The specific Regulatory Guide is referenced and referred to in an NRC Regulation.
- A licensee commits to a Regulatory Guide directly in the FSAR or other licensing commitment.
- A licensee commits to a document that references a Regulatory Guide, such as an industry standard referencing or endorsing a Regulatory Guide. For example, a commitment to American Nuclear Society Standard ANS 3.1 (Standard for Qualification & Training of Personnel for Nuclear Power Plants), which endorses Regulatory Guide 1.8 (Personnel Selection and Training), is a commitment to that Regulatory Guide.

A licensee may commit to the entire Regulatory Guide or just portions of it. Commitments to Regulatory Guides are documented in the FSAR. At times Regulatory Guides directly endorse other industry standards. These standards become a licensee commitment when the licensee commits to the Regulatory Guide.

2.2.2 Inspection Manual

An inspection manual is a collection of inspection procedures and criteria on a broad range of subjects. Inspection procedures are not regulation but do tell the licensee how the NRC is directed to review applications for licenses or license amendments and what is considered acceptable.

2.2.3 Standard Review Plan

The Standard Review Plan (SRP) for the review of Safety Analysis Reports for Nuclear Power Plants is issued as NUREG-0800. The SRP is prepared for the guidance of NRC staff reviewers in performing safety reviews of applications to construct or operate nuclear power plants. The principal purpose of the SRP is to assure the quality and uniformity of staff reviews and to present a well-defined base from which to evaluate proposed changes in the scope and requirements of reviews. It is also a purpose of the SRP to make information about regulatory matters widely available and to improve communication and understanding of the staff review process by interested members of the public and the nuclear power industry. A licensee may commit to the entire SRP, portions of it, or none of it. SRP commitments are documented in the FSAR.

2.2.4 NUREGs

The NRC periodically issues technical reports on regulatory matters. NUREG stands for NUclear REGulatory. These are instructional documents or reports issued by the NRC and cover a variety of subjects. NRC staff-generated reports are given numbers in the NUREG series, e.g., NUREG-0800. NRC consultant-generated reports are issued as NUREG/CR reports. An example is NUREG/CR-2000, L.E.R. Compilation, prepared monthly by Oak Ridge Laboratories (CR stands for Contract Report). These reports contain information about technical or administrative issues and may provide NRC staff guidance on those issues. Depending upon how a NUREG is issued, it may become a regulatory requirement, as did NUREG-0588, Interim Staff Position on Environmental Qualification of Safety-Related Electrical Equipment, which was imposed as a requirement by NRC Commission Order. In general, NUREG documents are considered to be guidance only.

When a licensee commits, either explicitly or implicitly, to any standard/specification/Reg. Guide/code, etc., in any licensing basis document, that standard/spec/etc. also carries the force of law. A licensee commits explicitly by stating the document by number and the degree of their compliance. A licensee commits implicitly if a document to which it has explicitly committed references, or commits to, within its body (not the reference section at the end of the document), another standard. When this occurs, the licensee is also committed to the referenced document, by implication.


2.3 Identify common regulatory correspondence documents and their purpose.

Over the operating life of a nuclear power plant, several thousand pieces of correspondence will be exchanged with the NRC and other regulatory agencies. Listed below are the most prevalent types of correspondence and their potential impact.

2.3.1 Information Notices

The most common type of correspondence received from the NRC is an Information Notice (IN). An IN is a type of generic communication issued to provide information regarding safety, safeguards, or environmental issues. Licensees are expected to review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems; however, no formal response to the NRC for the IN is required.

2.3.2 Bulletins

From time to time, the NRC issues bulletins to provide information about events of safety significance at other facilities and to obtain information or require licensees to take specific actions. Bulletins may impose legal requirements on license holders. NRC bulletins are used primarily in matters of serious safety significance or of generic importance and often require licensees to take specific actions and submit a written report to the NRC. If licensees do not provide an adequate response to a bulletin, the NRC may, after evaluation, choose to impose the actions by order. Commitments made in bulletin responses become requirements until changed. A bulletin does not carry the force of regulation. The allotted time for completion of the bulletin actions will vary depending on the significance of the requested actions and the effort required for completing them. In general, a response is required from addressees requested to take action. The allotted time for response to a bulletin will vary depending on the significance of information to be received and on the effort required to compile the requested information.

2.3.3 Generic Letters

A Generic Letter is a type of generic communication that requests that analyses be performed or descriptions of proposed corrective actions be submitted regarding matters of safety, safeguards, or environmental significance. Addressees of the Generic Letter may be asked to accomplish the actions and report their completion by letter with or without prior NRC approval of the action. Information regarding these analyses may be requested on a voluntary basis or in accordance with Section 182a, Atomic Energy Act of 1954, as amended, and 10CFR50.54(f).


Usually, this type of Generic Letter requests new or revised licensee commitments or other continuing actions, but may not explicitly or coercively solicit licensee commitments. Generic Letters can also request that addressees submit technical information which the NRC needs to perform its function. The information may be requested on a voluntary basis or in accordance with Section 182a, Atomic Energy Act of 1954, as amended, and 10CFR50.54(f). Generic Letters can also be used to request or provide the opportunity for addressees to submit proposed changes to technical specifications and to solicit participation in voluntary pilot programs. If an addressee declines to perform an action requested in a bulletin or Generic Letter, a staff evaluation is appropriate to determine whether a requirement for action should be imposed by an NRC order.

2.3.4 Safety Evaluation Reports

A Safety Evaluation Report (SER) is prepared in a case-specific context in response to a request for an NRC approval (e.g., a license amendment request). The SER sets forth the technical, safety, and legal basis for the NRC's disposition of a license amendment request. The SER should provide sufficient information to explain the staff's rationale to someone unfamiliar with the licensee's request. Implicitly, the SER sets forth the Staff's position on the adequacy of the application to establish compliance with applicable NRC requirements.

2.3.5 Administrative Letters

In 1993, the NRC developed a type of NRC generic communication called an Administrative Letter to reduce the burden in Generic Letters for subject matter that was purely informational. Administrative Letters are issued to:

1. Inform addressees of:
   - Administrative procedure changes being made to implement new regulations,
   - The issuance of a topical report evaluation or a NUREG-type document that does not contain a new or revised staff position and is not appropriate for inclusion in either a generic letter or an information notice, and
   - Changes in internal procedures or organizations.
2. Request submittal of voluntary information of an administrative nature that will assist the NRC in the performance of its function.
3. Announce events of interest such as workshops or regulatory information conferences.
4. Fulfill other purposes of a strictly administrative nature.

2.3.6 Inspection Reports

Following an inspection of a licensee, the NRC issues a formal Inspection Report. An inspection may result in open items, unresolved items, deviations, or violations. These reports are structured to identify the inspection topic(s), the persons contacted, and a discussion of the inspection results. Inspection Reports may contain Notices of Violation for any issues determined to be violations of NRC requirements that were identified during the inspection. The report identifies open items, unresolved items (URIs), and inspector follow-up items (IFIs) and assigns identifying numbers to them. URIs and IFIs are part of the NRC's tracking system and do not require a formal response, unless specifically requested. Of these two, the URI is of most significance since the potential exists for the issue to result in a deviation or violation. A notice of deviation is the lowest level of enforcement discretion. A deviation is the failure to satisfy a written commitment or to conform to the provisions of applicable codes, standards, guides or accepted industry practices. Violations are divided into five Severity Levels designated as I (most significant) through V (least significant). Level I, II, and III (and in most cases, Level IV) violations may result in the imposition of civil penalties (fines). If the NRC identifies apparent deviations or violations, and internal review substantiates this conclusion, a Notice of Deviation or Notice of Violation is usually issued. A written response is then required, normally within 30 days of the letter transmitting the notice.

2.3.7 10CFR50.54(f) Letters

Some NRC letters may request information to be submitted under oath or affirmation and invoke 10CFR50.54(f). 10CFR50.54(f) requires a licensee, upon request of the NRC, to submit written statements to enable the NRC to determine whether the licensees are complying with the provisions of the OL, or whether the license should be modified, suspended or revoked. Responses to these requests must be signed under oath.

2.3.8 Orders

Although rarely used, in response to a serious violation or a potentially hazardous condition, 10CFR2.200-204 gives the NRC authority to issue an order to modify the license. As described in Section 2.202, the order to show cause requires a response to the allegations of violations or other circumstances described in the order, usually within 20 days of issuance. The licensee may also request a hearing on the matter. An order may also be issued to directly modify the license as described in Section 2.204. In such cases, the licensee may still request a hearing within 20 days. If no hearing request is made, however, the order becomes effective at the end of the 20-day period.

2.3.9 Other Correspondence

Other miscellaneous correspondence comes from the NRC, including requests for additional information relative to license amendment applications, scheduling of operator examinations, and a host of other topics.

2.3.10 Web Access

Some of the documents discussed above may be accessed at the NRC web site: http://www.nrc.gov.

3.0 OBJECTIVE 3: Describe the principle of defense-in-depth.

3.1 Describe the purpose of defense-in-depth.

Defense-in-depth is a design and operational philosophy with regard to nuclear facilities that calls for multiple layers of protection to prevent and mitigate accidents. It includes the use of controls, multiple physical barriers to prevent release of radiation, redundant and diverse key safety functions, and emergency response measures. The majority of radioactive products, other than activation products, are produced in the active fuel. This fuel is contained in the fuel rod cladding (barrier 1), which is contained in the reactor coolant system (barrier 2), which is located in the containment building (barrier 3). This provides three barriers between the radioactive products and the public (see Figure 3-1).


Figure 3-1: Illustration of Defense-in-Depth

The satisfactory performance of these physical barriers is assured through design, inspections, testing, operating procedures, maintenance procedures, Technical Specifications, and accident procedures and guidelines.

3.2 Describe the basic method for application of defense-in-depth.

All accidents and malfunctions are analyzed with respect to their effects on each of the fission product barriers. Appendix A to 10CFR50 provides General Design Criteria for most nuclear power plants (for pre-Appendix A plants, the criteria are in the FSAR). Section II of 10CFR50 Appendix A includes criteria for protection by multiple fission product barriers. The criteria establish requirements for inherent protection, instrumentation and control, reactor coolant pressure boundary and reactor coolant system design, containment design, control rooms, electric power systems, and related inspection and testing. All of these requirements concentrate on protecting fission product barriers either through inherent or mitigative means.


Section III of 10CFR50 Appendix A establishes extensive requirements on reactor protection and reactivity control systems, the objective again being the protection of fission product barriers. With similar intent, Sections IV, V and VI provide extensive design, inspection, testing, and operational requirements for the quality of the reactor coolant pressure boundary, fluid systems in general, reactor containment, and fuel and radioactivity control. These requirements ensure inherent and engineered protection of the fission product barriers.

Introductory statements of Appendix A address the need for consideration of a single failure criterion and redundancy, diversity and separation of mitigation and protection systems. Section I of Appendix A imposes requirements on the quality of implemented protection and the conditions under which these systems must function without loss of capability to perform their safety functions. These conditions include natural phenomena, fire, and operational and accident generated environmental conditions.

The extent to which the design must protect against accidents and events is dependent on both the probability of occurrence and the consequences of the accident or event. Figures 3-1 and 3-2 show the relationship between probability and consequences for different condition categories (based on ANSI 18.2, 1973), and typical accidents, events or conditions that are used as the basis for design.

The implementation of this design philosophy requires extensive accident analyses to define the correct relationship among nominal operating conditions, limiting conditions for operation and limiting safety system settings in order to prevent safety limits from being exceeded. The FSAR presents the set of limiting analyses required by the NRC. The limiting analyses are utilized to confirm system and equipment design, to identify critical setpoints and operator actions, and to support the establishment of technical specifications. Therefore, the final results of the FSAR accident analyses assume functioning of the equipment (and under the conditions) specified by the NRC regulations or requirements.


Figure 3-1: Summary of ANSI N18.2-1973 Condition Category Probabilities and Consequences


Figure 3-2: Typical Accidents, Events, and Conditions Analyzed for ANSI N18.2-1973 Condition Categories

The plants are designed with inherent, engineered and procedural protection for each of the fission product barriers. Inherent protection features require no equipment to operate or plant operators to take action. A negative moderator temperature coefficient is an example of inherent protection. As the temperature of the coolant goes up, its ability to moderate neutrons goes down, thus decreasing power. This protects the fuel cladding, barrier 1. An example of an engineered protection feature is a reactor trip that occurs as a result of too high a reactor coolant pressure. This protects the reactor coolant system components and piping from the overpressure that could cause them to fail. This protects barrier 2. Procedurally, licensees test the containment isolation valves for closure time and leak tightness. This protects the containment boundary, or barrier 3.

The public health and safety protection functions are analytically demonstrated and documented in the FSAR. The FSAR analyses demonstrate that under the assumed accident conditions, the consequences of accidents challenging the integrity of the barriers will not exceed the criteria established in 10CFR20 or guidelines established in 10CFR100.

REFERENCES
1. RIS 2005-20, Operability Determinations and Functionality Assessments for Resolution of Degraded or Nonconforming Conditions Adverse to Quality or Safety
2. NEI 96-07, Revision 1, Guidelines for 10CFR50.59 Implementation

4.0 OBJECTIVE 4: Describe Design and Licensing Basis.

The terms Design Basis and Licensing Basis are used extensively in procedures, regulations, correspondence to and from regulators and industry groups, regulatory guidance documents, the FSAR and related documents, Technical Specifications and Technical Specifications Bases. However, the context in which these terms are used differs among various documents and, in some cases, even within the same document.

The terms Design Basis and Design Bases appear to relate to design in some way, but may differ in meaning in different contexts, such as:
- The basic requirements on the engineering design (e.g., the design basis of the Main Condenser),
- The postulated accidents or events for which plant structures, systems, and components (SSCs) were designed (e.g., Loss of Coolant Accident [design basis accident] or Safe Shutdown Earthquake [design basis event]),
- The specific functions or values chosen for design purposes to implement and satisfy the applicable General Design Criteria (GDC) of 10CFR50, Appendix A (e.g., the design basis of the Auxiliary Feedwater System is to remove decay heat from the reactor core (function) to ensure that the fuel cladding temperature does not exceed 2200°F (value) in accordance with GDC 34).

Similarly, the terms Licensing Basis and Current Licensing Basis relate to the facility OL in some way, but may differ in meaning in different contexts, such as:
- The basis for the OL,
- The basis for the current OL, which may be different from the term Current Licensing Basis defined in 10CFR54.3,
- The relationship between the 10CFR50.59 Licensing Basis and the basis for the OL.

4.1 Describe design basis.

Terms and phrases related to Design Basis or Design Bases

Three terms have been chosen for use in this section to refer to three different contextual uses of the term Design Basis (or its plural, Design Bases):
1. 50.2 Design Bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be 1) restraints derived from generally accepted state of the art practices for achieving functional goals, or 2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.
2. Engineering Design Basis is the entire set of design requirements and design constraints imposed on operation, maintenance, procurement, installation, and construction of structures, systems, and components.
3. Supporting Design Information includes the rationale, or the whys, as well as the design output documents (e.g., drawings, analyses, evaluations, specifications, etc.) that support the engineering design bases and the 50.2 design bases.

The relationship between these terms is shown in Figure 4-1.


Figure 4-1: Relationship between Design Basis Terms

50.2 Design Basis

10CFR50.2 contains a specific definition of Design Basis. The following definition is a condensed version of the regulatory definition to clarify its use and to clarify its intent relative to practices and procedures and the FSAR. 50.2 Design Bases for the plant are specific functions or related values that are specified as having been chosen for design purposes to implement and satisfy the applicable General Design Criteria of 10CFR50, Appendix A.

The following are important truths about 50.2 Design Basis:
1. 50.2 Design Basis is primarily a regulatory term rather than an engineering term,
2. 50.2 Design Basis refers only to functions or values that were chosen as reference bounds for design to implement General Design Criteria applicable to the plant,
3. 50.2 Design Basis is limited only to safety-related structures, systems, and components,
4. 50.2 Design Bases are specified in the FSAR,
5. 50.2 Design Basis does not include information outside the FSAR, and
6. 50.2 Design Basis normally refers to system-level bases for design, but may also include major components, that relate to overall protection of the health and safety of the public.


The engineer should use the 50.2 Design Basis definition of the term when answering the following questions:
- Is the plant operating outside its design basis?
- Is the plant in a condition that is outside the design basis of the plant?
- Is the design basis (or the design) of the structures, systems, and components at the plant adequate to protect the health and safety of the public?

The answers to these questions have direct impact relative to conforming to the requirements of 10CFR50.72 and 10CFR50.73 for making notifications and reports to the NRC.

Engineering Design Basis

Engineering Design Basis is the entire set of design requirements and design constraints imposed on operation, maintenance, procurement, installation, and construction of structures, systems, and components (SSCs). The following are important truths about Engineering Design Basis:
1. Engineering Design Basis includes system-level bases for design and bases for engineering design related to component or part level requirements.
2. Engineering Design Basis may relate to safety-related SSCs as well as non-safety-related SSCs.
3. Those Engineering Design Bases that relate to overall protection of the health and safety of the public through the applicable General Design Criteria are also 50.2 Design Bases. In other words, the 50.2 Design Bases are a subset of Engineering Design Bases.

Since many requirements and constraints imposed on design at nuclear power plants relate ultimately to protection of the health and safety of the public, the engineer should be aware that deviating from or not complying with Engineering Design Bases should be reviewed in detail for the potential impact on the following:
- Complying with descriptions in the FSAR
- Health and safety of the public
- Reportability requirements of 10CFR50.72 and 10CFR50.73


Supporting Design Information

The term Supporting Design Information refers essentially to all design-related information not encompassed in the definitions of 50.2 Design Basis and Engineering Design Basis. Supporting Design Information includes the rationale, or the whys, as well as the design output documents (e.g., drawings, analyses, evaluations, specifications, etc.) that support the engineering design bases and the 50.2 design bases. The following are important truths about Supporting Design Information:
1. Some supporting design information is described in the FSAR; some is not.
2. Some supporting design information has been submitted to the NRC for review; some has not.
3. Supporting design information may relate to safety-related SSCs as well as non-safety-related SSCs.
4. Supporting Design Information is a very broad category of information related to design at a nuclear power plant. Both 50.2 Design Bases and Engineering Design Bases are subsets of Supporting Design Information (See Figure 4-1).

The engineer should be aware that deviating from or not complying with Supporting Design Information may or may not have an impact on the following:
- Complying with descriptions in the FSAR
- Health and safety of the public
- Reportability requirements of 10CFR50.72 and 10CFR50.73

4.2 Describe licensing bases.

Terms and phrases related to Licensing Basis or Current Licensing Bases

NRC regulations and regulatory guidance frequently include the terms Licensing Basis and Current Licensing Basis. It is not always clear, however, whether these terms are intended to be interchangeable. The basis for the current OL may NOT be the same as the term Current Licensing Basis defined in 10CFR54.3. As discussed below, the basis for the plant OL may be a subset of the information included in the 10CFR54.3 definition of Current Licensing Basis. The differentiation is important because regulations, and station procedures which implement the regulations, may encompass one term but not the other. For example, the procedures which implement 10CFR50.59 at some plants require reviews and evaluations only on the basis for the site's OL and the OL itself, but not necessarily on the 54.3 definition of Current Licensing Basis.

An NRC letter issued to all licensees on October 9, 1996, Request for Information Pursuant to 10CFR50.54(f) Regarding Adequacy and Availability of Design Basis Information, included a definition of Licensing Basis in a footnote:

The licensing basis for a plant originally consists of that set of information upon which the Commission, in issuing an initial operating license, based its comprehensive determination that the design, construction, and proposed operation of the facility satisfied the Commission's requirements and provided reasonable assurance of adequate protection to public health and safety and common defense and security. The licensing basis evolves and is modified throughout a plant's licensing term as a result of the Commission's continuing regulatory activities, as well as the activities of the licensee.

Considering the first sentence of this definition, the minimum requirements for the contents of that set of information upon which the Commission based its comprehensive determination are defined in 10CFR50.34(b). As required by 10CFR50.34(b), all of the information reviewed by the NRC in its safety review to grant the original license was either 1) included in the text, tables or figures in the original FSAR, or 2) supplemental information specifically incorporated in the FSAR by reference (i.e., documents that are referenced as part of the description, but not merely listed as references). Since the NRC used ONLY the information in the original FSAR to grant the license, the original FSAR bounds the definition of Licensing Basis for the original OL.

Considering the second sentence of the definition of Licensing Basis above, the mechanism by which the licensing basis evolves and is modified throughout a plant's licensing term is controlled by regulatory requirements.
As shown in Figure 4-3, the documents which form the basis for the current OL are the FSAR (which is periodically updated as the UFSAR), license amendment applications, and plant responses to 10CFR2.202, 10CFR2.204 or 10CFR50.54(f) requests.

Following issuance of the original OL, the provisions of the OL are modified for a variety of reasons. The plant must request NRC review of a license amendment application. The license amendment application contains an analysis of the overall safety of the proposed change to the OL as well as an explanation of the acceptability of significant issues affected by the proposed amendment compared to the issues already considered by the NRC when it conducted its safety review for the original OL. At the conclusion of this review the NRC concludes that there are no significant safety analysis report considerations that have not already been reviewed, and the license amendment is granted. For each license amendment, the license amendment application is used as the basis for approval. Therefore, after receipt of the original OL, the basis for the OL also includes each license amendment application, in addition to the FSAR. The license amendment itself becomes part of the license, of course, but is not part of the licensing basis.

In addition, the NRC may require the plant to respond to requests for information under 10CFR2.202, 10CFR2.204, or 10CFR50.54(f). These regulations are a mechanism for the NRC to require licensees to submit information for the purpose of determining whether the OL should be modified or revoked. Therefore, the plant's responses to NRC requests for information under 10CFR2.202, 10CFR2.204, or 10CFR50.54(f) also become part of the basis for the current OL.

10CFR50.71(e) requires the original FSAR (the original licensing basis) to be updated to incorporate the effects of various changes, evaluations and requirements. 10CFR50.71(e) states:

The updated FSAR shall be revised to include the effects of: all changes made in the facility or procedures as described in the FSAR; all safety evaluations performed by the licensee either in support of requested license amendments or in support of conclusions that changes did not involve an unreviewed safety question; and all analyses of new safety issues performed by or on behalf of the licensee at Commission request.

In summary, the Licensing Basis is the information which formed the NRC's basis for the original OL (See Figure 4-2). In particular, the sets of documents which comprise the bases for the OL are:
- The FSAR (which is periodically updated),
- license amendment applications,
- plant responses to 10CFR2.202, 2.204 and 50.54(f) requests.


Figure 4-2: The Licensing Process

Relationship between the 54.3 Current Licensing Basis and the Basis for the Current OL

The following paragraphs discuss the relationship between the 54.3 Current Licensing Basis and the basis for the OL. The definition of Current Licensing Basis from 10CFR54.3 is broken into parts for the discussion as follows:


Current Licensing Basis (CLB) is:
1. The set of NRC requirements applicable to a specific plant and
2. A licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect.

The CLB includes:
3. NRC regulations contained in 10CFR2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, 100 and appendices thereto
4. Orders
5. License conditions; exemptions; and technical specifications

It also includes:
6. Plant-specific design basis information defined in 10CFR50.2 as documented in the most recent FSAR as required by 10CFR50.71 and
7. Licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations of licensee event reports.

The Current Licensing Basis also includes that information provided to the NRC as a part of the regulatory or design change processes that is a part of the ongoing licensing process.

Using the description of licensing basis described previously, the relationship between the 54.3 Current Licensing Basis and the basis for the OL is addressed below for each numbered item above:
1. The plant must comply with regulations because the plant possesses the OL and the OL itself requires compliance with all these regulations. However, even though compliance with regulations is required by the license, the regulations are not part of the basis under which the license was granted.
2. Written commitments that are docketed and in effect are part of the basis for the OL if they are included in the Licensing Basis Documents (See Figure 4-3). Conformance to regulatory requirements is described in FSAR Section 1.3.3 and descriptions of the design basis are included throughout the FSAR in accordance with 10CFR50.34(b); therefore this information is part of the basis for the OL. If this information or any other information in the FSAR changes, the plant must update the information in the FSAR in accordance with 10CFR50.71(e), and the FSAR would continue to accurately describe the basis for the OL. However, commitments and other information that are docketed and in effect but are NOT also included in the Licensing Basis Documents are NOT considered part of the basis of the OL, even though conformance to commitments is required by 10CFR50.9.
3. See Item 1.
4. An order (10CFR2.202) is a proceeding where the NRC demands information for a determination of whether to modify, suspend, or revoke an OL. If the plant receives an order, the response submitted to the NRC would be the basis for modification, suspension, or revocation of the license. In other words, the response to an order is part of the basis for the OL, but the order itself is not.
5. License conditions, exemptions, and technical specifications all relate directly to the OL or existing regulatory requirements. They carry the full weight of regulations and other provisions of the OL, but are NOT part of the information used to grant the license, and therefore are not part of the basis for the OL.
6. Plant-specific design basis information is part of the basis for the OL if it is described in any Licensing Basis Document (Figure 4-3) including the FSAR. Design documents or other design-related information that may be related to, but does not meet the definition of, 50.2 Design Bases is NOT part of the basis for the license if it is not described in Licensing Basis Documents.
7. Similar to item 2 above, written commitments that are docketed and in effect are part of the basis for the OL if they are included in the Licensing Basis Documents (See Figure 4-3). However, commitments and other information that are docketed and in effect but are NOT also included in a Licensing Basis Document are NOT considered part of the basis of the OL, even though conformance to commitments is required by 10CFR50.9.

Relationship between 10CFR50.59 Evaluations and the Basis for the OL

The NRC's determination that it was acceptable to issue the OL was based on the information submitted by the plant as part of the application for the license submitted in compliance with 10CFR50.33, 10CFR50.34, and 10CFR50.36. This information was contained in the site FSAR. The regulatory requirements for the contents of the FSAR have changed from time to time, but the scope of the information in the FSAR was always limited to things which the drafters of the regulations deemed relevant for consideration in determining whether a license should be issued.

After the OL is issued, in order to prevent the licensee from invalidating the basis on which the license was issued, restrictions are placed on the licensee's ability to change the facility or the procedures in use at the licensed facility. The function of 10CFR50.59 is to place restrictions on the type of changes that can be implemented without prior review and approval by the NRC. These restrictions fall into three categories:
1. Changes that would modify the OL
2. Changes that would modify NRC requirements
3. Changes that would modify the basis for the OL

Changes to the OL must be made in accordance with 10CFR50.90 with prior NRC approval, so they cannot be made under 10CFR50.59. Similarly, 10CFR50.9 requires that information provided to the NRC be complete and accurate in all material respects, so modifications to commitments may need prior NRC approval.

The 10CFR50.59 restrictions on modifications that might change the basis of the OL are evaluated in two steps. The first step (a screening) determines whether the basis for the OL might be changed. If the basis might be changed, the second step (also referred to as a safety evaluation in 10CFR50.59) determines if the basis for the OL is changed. If there are changes to the basis that have not already been reviewed by the NRC, then they must be submitted to the NRC for approval as a license amendment in accordance with 10CFR50.59.

Following OL issuance, the basis for the OL continues to evolve as 1) changes allowed under 10CFR50.59 are made to the facility or its procedures, 2) amendments to the OL are requested and approved, and 3) other information is submitted to the NRC under 10CFR50.54(f), 2.202 or 2.204 and reviewed and approved.

4.3 Describe the difference between design basis and licensing basis.

As discussed above, the design basis (both 50.2 Design Basis and Engineering Design Basis) is related to:
- Design to implement and satisfy General Design Criteria,
- Design requirements and design constraints imposed on operation, maintenance, procurement, installation, and construction of structures, systems, and components, and
- Design output documents (e.g., drawings, analyses, evaluations, specifications, etc.) that support the engineering design basis and the 50.2 design bases.
Also as discussed above, the basis for the current OL is related to:
- The FSAR,
- All license amendment applications, and
- All responses to 10CFR2.202, 2.204, and 50.54(f) requests.

The 50.2 Design Basis is required (by 10CFR50.34) to be included in both the design basis and the licensing basis. Considering this and the above definitions of design and licensing basis, Figure 4-3 below shows the relationship between design basis and licensing basis.

Figure 4-3: Relationship between Design Basis and Licensing Basis

4.4 Describe when one may/should deviate from the design and/or licensing basis.

4.4.1 Normal Operation

There are two situations described below in which it is acceptable to continue normal plant operation in a condition that violates or is not consistent with the 50.2 Design Basis and/or licensing basis for the facility: 1) operating in a Technical Specification action statement within its allowed outage time, and 2) operating within the corrective action process, provided the Technical Specifications are met and there is assurance of continued safe plant operation as approved by operations. Other than these two allowed situations, during normal operation the engineer must never allow or approve plant operation or plant conditions, either temporarily or permanently, that deviate from the 50.2 Design Basis without obtaining prior NRC approval in accordance with 10CFR50.59. Prior NRC approval is required because the 50.2 Design Basis:
1. Is described in the FSAR as required by 10CFR50.34(b),
2. Is part of the Licensing Basis of the plant, and
3. Relates directly to protection of the health and safety of the public through the General Design Criteria.

The engineer must follow established 10CFR50, Appendix B change processes when allowing or approving plant operation or plant conditions, either temporarily or permanently, that deviate from the Engineering Design Basis or Supporting Design Information. Care should be taken to ensure that, if prior NRC approval is required, the deviation is not implemented (or allowed to continue) until after the NRC approval is received. Prior NRC approval may be required if the Engineering Design Basis or Supporting Design Information is described in the FSAR and changes to this information meet the criteria of 10CFR50.59.

4.4.2 Technical Specifications and the Corrective Action Program

Any time plant conditions are discovered or events occur which place the plant in a condition such that there is no longer adequate assurance of protection for the plant, its workers, or the public, the licensed operators must either shut down the plant or put the plant in a safer condition. This responsibility and authority rests with each individual licensed operator. However, as long as adequate assurance of safe operation exists, the plant may be allowed to continue operation. Regulatory requirements which set limits on plant operation and availability of plant SSCs are incorporated into each operating license in the form of Technical Specifications. As long as Technical Specifications compliance is maintained, plant operation is allowed, even if the following conditions are identified:
- Degraded condition affecting safety-related equipment
- Nonconforming condition affecting safety-related equipment
- Safety-related equipment not able to perform part or all of its functions
- Unanalyzed condition affecting plant safety
- Intermediate condition
- Unreviewed Safety Question

The time limits contained within the Technical Specifications action statements allow continued operation of the plant if the above conditions are identified. The end point of this regulatory allowance is, of course, the end of the allotted time.

10CFR50, Appendix B, Criterion XVI, Corrective Action also allows continued operation of the plant if the above conditions are identified. An important restriction is that this allowance applies only to unanticipated events or discovered degraded or nonconforming conditions. It does not apply to desired operating conditions or future anticipated conditions (e.g., proposed procedure or plant changes, surveillances, other tests, etc.). These must be evaluated in accordance with 10CFR50.59 prior to implementation. As explained in RIS 2005-20, the restrictions and conditions of this continued operation allowance within the Appendix B corrective action program are:
- Assurance of continued safe plant operation must exist,
- Conformance with Technical Specifications requirements must exist, and
- The condition or circumstance must be brought back into conformance with the design/licensing basis at the first available opportunity.

The end point of this regulatory allowance is the end of the first available opportunity to correct the deficiency. If the deficiency cannot be corrected at the first available opportunity, 10CFR50.59 evaluations or special regulatory approval may be required.

4.4.3 Emergencies

Actions during emergency conditions for which the plant is designed and licensed are controlled through abnormal and emergency operating procedures. These procedures assure plant structures, systems, and components can safely mitigate the consequences of analyzed accidents and events. During accident conditions, the engineer must never allow or approve plant operation or plant conditions, either temporarily or permanently, that deviate from the established design or operation without also considering the impact on analyzed accidents and events. Regulatory requirements under 10CFR50, Appendix A and Appendix B apply during emergency and accident conditions, except for the conditions described below, and may require prior NRC approval in accordance with 10CFR50.59. Regulatory provisions allow deviation from the OL, licensing basis, or the design basis in two special circumstances. 10CFR50.54, Conditions of Licenses, paragraphs (x) and (y) allow deviation from OL provisions in emergencies, but do not allow the nuclear power design engineer to approve or allow this deviation.
Section 50.54(x) and (y) is reproduced below:

(x) A licensee may take reasonable action that departs from a license condition or a technical specification (contained in a license issued under this part) in an emergency when this action is immediately needed to protect the public health and safety and no action consistent with license conditions and technical specifications that can provide adequate or equivalent protection is immediately apparent.

(y) Licensee action permitted by paragraph (x) of this section shall be approved, as a minimum, by a licensed senior operator, or, at a nuclear power reactor facility for which certifications required under Section 50.82(a)(1) have been submitted, by either a licensed senior operator or a certified fuel handler, prior to taking the action.

The other special circumstance which allows deviation from the design and licensing basis is when the plant enters conditions not covered by the analyzed accidents and events. On August 8, 1985, the NRC published a Policy Statement on Severe Reactor Accidents (50FR32138). All nuclear facilities have committed to voluntarily implement Severe Accident Management (SAM) at each nuclear power plant. The formal industry position is included as Section 5 of NEI 91-04, Revision 1, Severe Accident Issue Closure Guidelines, December 1994. Severe Accident Management Guidelines (SAMGs) were developed for each facility to facilitate the decision-making process during severe accident conditions. Since these guidelines apply to reactor plant conditions that are outside the analyzed conditions which formed the basis for the original design of the plant and the original plant OL, there is no expectation of conformance to either the design basis or the licensing basis during severe accidents. Engineering evaluations and decisions during severe accidents are based largely on judgment, which is guided by the SAMGs rather than conformance to specific step-by-step instructions. However, the engineer must not conduct, approve or allow evaluations using SAMGs unless the guidelines have officially been entered. Since accident conditions leading to the use of SAMGs involve inadequate reactor core cooling, the control room operators should be using the emergency procedures prior to entering the SAMGs. Only the control room licensed personnel can declare entry into SAMGs, since the transition to SAMGs occurs ONLY in the emergency operating procedures.

4.5 Describe the importance of design and licensing basis to engineering processes.

As discussed previously, the terms Design Basis and Licensing Basis are used in numerous regulations and regulatory guidance documents. Inconsistent application of these terms may impact conformance to regulatory requirements, including NRC reporting requirements. Normal daily activities of the engineer often involve interface with designers, reviewers, evaluators, management, and regulators. As representatives of the design authority, engineers need a thorough knowledge of the design and licensing basis to interface successfully with other groups and other personnel, as well as to conform to regulatory requirements. The engineer must have (or be able to determine) a clear answer to the following questions at all times:

Is the plant operating outside its design basis?
Is the plant in a condition that is outside the design basis?
Is the plant in a condition that conflicts with the licensing basis?
What is the design basis of a structure, system, and component?
What is the licensing basis associated with a modification to a procedure, structure, system, and component?
Is the design basis (or the design) of structures, systems, and components adequate to protect the health and safety of the public?
Does the proposed activity affect the design basis or the licensing basis?
Does the proposed modification to the plant affect the design basis or the licensing basis?
Does the proposed procedure change affect the design basis or the licensing basis?

The engineer is very often asked to provide guidance and conduct evaluations related to the design of the plant. Thorough knowledge of both the design basis and the licensing basis will result in guidance, output documents, and conclusions that continue to adequately protect the health and safety of the public (i.e., consistent with 50.2 Design Basis) and do not violate or conflict with the OL or the basis under which the NRC granted the OL (i.e., the licensing basis).

REFERENCES

1. Reg. Guide 1.70, Rev. 0, A Guide for the Organization and Contents of Safety Analysis Reports, June 1966
2. 10CFR50, Appendix B, Criterion III, Design Control
3. 10CFR50, Appendix B, Criterion XVI, Corrective Action
4. 10CFR Part 50.2, Definitions
5. 10CFR50, Appendix A, General Design Criteria
6. 10CFR50.72, Immediate Notification Requirements for Operating Nuclear Power Reactors

7. 10CFR50.73, Licensee Event Report System
8. 10CFR50.59, Changes, Tests, and Experiments
9. 10CFR Part 54, Requirements for Renewal of Operating Licenses for Nuclear Power Plants
10. NEI 97-04, Design Basis Program Guidelines, September 1997

5.0 OBJECTIVE 5: Describe the basic concepts for the application of the Maintenance Rule.

5.1 Identify the regulatory requirement for the Maintenance Rule.

The requirement for the Maintenance Rule program comes from 10CFR50.65. NUMARC 93-01, Revision 2 is endorsed by the NRC by Regulatory Guide 1.160, Revision 2, dated March 1997. The NRC published the maintenance rule on July 10, 1991, as Section 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, of 10CFR Part 50, Domestic Licensing of Production and Utilization Facilities.

The NRC's determination that a maintenance rule was needed arose from the conclusion that proper maintenance is essential to plant safety. As discussed in the regulatory analysis for this rule, there is a clear link between effective maintenance and safety as it relates to such factors as the number of transients and challenges to safety systems and the associated need for operability, availability, and reliability of safety equipment. In addition, good maintenance is also important in providing assurance that failures of other than safety-related structures, systems, and components that could initiate or adversely affect a transient or accident are minimized. Minimizing challenges to safety systems is consistent with the defense in depth philosophy. Maintenance is also important to ensure that design assumptions and margins in the original design basis are maintained and are not unacceptably degraded. Therefore, nuclear power plant maintenance is clearly important in protecting public health and safety.

Paragraph (a)(1) of 10CFR50.65 requires that power reactor licensees monitor the performance or condition of SSCs against licensee-established goals in a manner sufficient to provide reasonable assurance that such SSCs are capable of fulfilling their intended functions. Such goals are to be established commensurate with safety and, where practical, take into account industry-wide operating experience. When the performance or condition of an SSC does not meet the established goal, appropriate corrective action must be taken. For a nuclear power plant for which the licensee has submitted the certifications specified in 10CFR50.82(a)(1) (i.e., plants undergoing decommissioning), Paragraph (a)(1) of 10CFR50.65 applies only to the extent that the licensee must
monitor the performance or condition of all SSCs associated with storing, controlling, and maintaining spent fuel in a safe condition, and in a manner sufficient to provide reasonable assurance that such SSCs are capable of fulfilling their intended functions.

Paragraph (a)(2) of 10CFR50.65 states that monitoring as specified in Paragraph (a)(1) is not required where it has been demonstrated that the performance or condition of an SSC is being effectively controlled through the performance of appropriate preventive maintenance, such that the SSC remains capable of performing its intended function.

Paragraph (a)(3) of 10CFR50.65 requires that performance and condition monitoring activities and associated goals and preventive maintenance activities be evaluated at least every refueling cycle, provided the interval between evaluations does not exceed 24 months. The evaluations must be conducted taking into account, where practical, industry-wide operating experience. Adjustments must be made where necessary to ensure that the objective of preventing failures of SSCs through maintenance is appropriately balanced against the objective of minimizing unavailability of SSCs because of monitoring or preventive maintenance. In performing monitoring and preventive maintenance activities, an assessment of the total plant equipment that is out of service should be taken into account to determine the overall effect on performance of safety functions.

The Maintenance Rule is related to 10CFR50, Appendix B in that maintenance, surveillances, and other quality-related activities for safety-related systems are subject to the requirements of 10CFR50, Appendix B, quality assurance requirements. Other Quality Program features, such as the Corrective Action Program, are also performed in accordance with 10CFR50, Appendix B. These activities and programs also support the Maintenance Rule Program.

Performance criteria, goals, programs, and documentation developed for implementation of the Maintenance Rule for SSCs that are outside of Appendix B requirements shall be implemented and performed in a careful and deliberate manner. It is understood that Balance of Plant (BOP) SSCs may have been designed and built with normal industrial quality and may not meet the requirements and standards specified in 10CFR50, Appendix B.

5.2 Describe how the Maintenance Rule affects the engineering process.

The goal of the Maintenance Rule Program is to focus maintenance efforts to minimize failures in both safety-related and Balance of Plant SSCs that affect safe operation of the plant. The effectiveness of maintenance programs should be maintained for the operational life of the facility.

5.3 Define Functional Failure, Maintenance Preventable Functional Failure (MPFF), A(1) Status, A(2) Status, and Scoped Components/Systems.

5.3.1 A(1) Status

Paragraph (a)(1) of 10CFR50.65 requires monitoring the performance or condition of SSCs against licensee-established goals, in a manner sufficient to provide reasonable assurance that the SSCs covered by the rule are capable of fulfilling their intended functions. Such goals shall be established commensurate with safety and, where practical, take into account industry-wide operating experience. When the performance or condition of an SSC does not meet established goals, appropriate corrective action shall be taken. IF the performance of an SSC is NOT ACCEPTABLE when measured against its performance criteria, THEN it must be monitored under (a)(1) and is, therefore, in an (a)(1) status. This means current processes have not been effective in controlling the performance or condition of the SSC and additional attention is required.

5.3.2 A(2) Status

Paragraph (a)(2) of 10CFR50.65 states that monitoring as specified in paragraph (a)(1) is not required where it has been demonstrated that the performance or condition of an SSC is being effectively controlled through the performance of appropriate preventive maintenance, and as such the SSC remains capable of performing its intended function. IF the performance of an SSC is ACCEPTABLE when measured against its performance criteria, THEN it is demonstrated that the performance or condition of that SSC is being effectively maintained by the plant's preventive maintenance program. The SSC is placed in (a)(2) status.

5.3.3 Functional Failure

A functional failure is an unintended inability of a Maintenance Rule SSC to perform its intended function. The intended function in this case is the attribute that included the SSC in the scope of the Maintenance Rule. Inability of a component to perform a design function may, or may not, result in a Maintenance Rule functional failure at the system or train level.

5.3.4 Maintenance

Maintenance is the aggregate of those functions required to preserve or restore safety, reliability, and availability of plant SSCs. Maintenance includes not only activities traditionally associated with identifying and correcting actual or potential degraded conditions, i.e., repair, surveillance, diagnostic examinations, and preventive measures, but extends to all functions that support the conduct of these activities.

5.3.5 Maintenance Preventable Functional Failure (MPFF)

1. An MPFF is the failure of an SSC within the scope of the Maintenance Rule to perform its intended function, where the cause of the failure of the SSC is attributable to a maintenance-related activity.
2. An initial MPFF is the first occurrence for a particular SSC for which the failure results in a loss of function that is attributable to a maintenance-related cause. An initial MPFF is a failure that would have been avoided by a maintenance activity that has not been otherwise evaluated as an acceptable risk (i.e., allowing the SSC to run to failure is an acceptable risk).
3. A repetitive MPFF is a subsequent loss of function that is attributable to the same maintenance-related cause that has previously occurred. A second or subsequent loss of function that results from a different maintenance-related cause is NOT considered a repetitive MPFF.

5.3.6 Reliability

Reliability is a measure of the expectation (assuming that the SSC is available) that the SSC will perform its function upon demand at any future instant in time.

5.3.7 Risk

Risk encompasses what can happen (scenario), its likelihood (probability), and its level of damage (consequences).

5.3.8 Scoped Systems/Components

The Maintenance Rule applies to, and is limited to, SSCs that directly affect plant operations. SSCs which meet one or more of the following criteria are within the scope of the program:

1. Safety-related SSCs that are relied upon to remain functional during and following design basis events to ensure:
   a. The integrity of the reactor coolant pressure boundary; or
   b. The capability to shut down the reactor and maintain it in a safe shutdown condition; or
   c. The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure comparable to the 10CFR100 guidelines.
2. Non-safety-related SSCs that are relied upon to mitigate accidents or transients.
3. Non-safety-related SSCs that are used in the plant emergency operating procedures (EOPs).
4. Non-safety-related SSCs whose failure could prevent safety-related structures, systems, and components from fulfilling their safety-related function.
5. Non-safety-related SSCs whose failure could cause a reactor trip or actuation of a safety-related system.

5.3.9 Unavailability

Unavailability is the time that an SSC is incapable of performing its intended function(s). An SSC that is required to be available for automatic operation must be available and respond without human action. Unavailability is the numerical complement of availability and may be identified as a fraction or a specific number of hours within a reference period.

5.4 Define the Maintenance Rule relationship to the Probabilistic Safety Assessment (PSA) (or Probabilistic Risk Assessment, PRA).

A PSA (or PRA) is a quantitative evaluation of the safety of future plant operation based upon past experience. PSA is a systematic and comprehensive analysis of the potential accidents that can occur at a plant; it is a thorough description of the frequency and consequences of potential accidents and incorporates system reliability as well as human involvement in plant safety. Once SSCs within the scope of the Maintenance Rule are identified, the risk associated with the possible failure of the scoped systems is assessed. The plant PSA model identifies which SSCs have a significant contribution to the core damage frequency (CDF) in the individual plant evaluation (IPE). For the systems that are included in the PSA model, the unavailability and reliability information included in the PSA is reviewed and serves as the starting point for the development of the performance criteria for the system. Once the performance criteria are determined, they are put back into the PSA model and a new CDF is calculated. If the CDF is too high, then the performance criteria may be modified.

REFERENCES

1. 10CFR50.65
2. NRC Reg. Guide 1.160, Monitoring the Effectiveness of Maintenance of Nuclear Power Plants, Revision 2, dated March 1997
3. NUMARC 93-01, Revision 2, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, April 1996
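The (a)(1)/(a)(2) determination and the MPFF classification of Section 5.3, together with the Section 5.4 loop in which a candidate unavailability performance criterion is put back into the risk model and checked against CDF, are worked through in the following Python program. It is an added example, not part of the workbook and not any plant's Maintenance Rule program: the SSC names, failure records, performance criteria, reference period, initiating event frequency and the simplified independent-train CDF formula are all constructed assumptions.

```python
"""Maintenance Rule status determination and performance-criteria screening.

Added example: every SSC name, failure record, criterion, frequency and the
CDF model below is a constructed assumption, not data from the workbook or
from a plant PSA.
"""
from dataclasses import dataclass, field

REFERENCE_PERIOD_HOURS = 2 * 365 * 24  # assumed two-year reference period


@dataclass
class FailureEvent:
    """One loss of an SSC's Maintenance Rule function (constructed record)."""
    date: str                    # ISO date, used only to order the events
    maintenance_related: bool    # cause attributable to a maintenance activity
    cause: str                   # root-cause label, used to detect repeats
    run_to_failure_accepted: bool = False  # previously evaluated as acceptable risk


@dataclass
class PerformanceCriteria:
    max_mpffs: int                # MPFFs tolerated in the reference period
    max_unavailable_hours: float  # unavailability tolerated in the reference period


@dataclass
class SSC:
    name: str
    scoped: bool                  # meets at least one 5.3.8 scoping criterion
    criteria: PerformanceCriteria
    failures: list = field(default_factory=list)
    unavailable_hours: float = 0.0


def classify_mpffs(failures):
    """Label each failure per 5.3.5 as 'none', 'initial' or 'repetitive'.

    A failure is an MPFF only when its cause is maintenance related and the
    SSC was not already evaluated as acceptable to run to failure. A later
    MPFF with the SAME cause as an earlier one is repetitive; a different
    maintenance-related cause starts a new initial MPFF.
    """
    seen_causes = set()
    labels = []
    for event in sorted(failures, key=lambda e: e.date):
        if not event.maintenance_related or event.run_to_failure_accepted:
            labels.append("none")
        elif event.cause in seen_causes:
            labels.append("repetitive")
        else:
            labels.append("initial")
            seen_causes.add(event.cause)
    return labels


def unavailability(ssc, period_hours=REFERENCE_PERIOD_HOURS):
    """Unavailability per 5.3.9, expressed as a fraction of the reference period."""
    return ssc.unavailable_hours / period_hours


def determine_status(ssc):
    """Return 'out of scope', '(a)(1)' or '(a)(2)' per 5.3.1 and 5.3.2.

    Performance is acceptable only if every criterion is met; any exceedance
    means current processes have not controlled the SSC, so it is monitored
    under (a)(1) with goals and corrective action.
    """
    if not ssc.scoped:
        return "out of scope"
    mpff_count = sum(1 for label in classify_mpffs(ssc.failures) if label != "none")
    meets_mpff = mpff_count <= ssc.criteria.max_mpffs
    meets_unavail = ssc.unavailable_hours <= ssc.criteria.max_unavailable_hours
    return "(a)(2)" if meets_mpff and meets_unavail else "(a)(1)"


def cdf_for_criterion(initiator_frequency, train_unavailability, n_trains=2):
    """Simplified core damage frequency (per reactor-year) for one initiating
    event mitigated by independent redundant trains (assumed model, not a
    plant PSA): CDF = f_IE * q**n, where q is the candidate unavailability
    performance criterion applied to each train."""
    return initiator_frequency * train_unavailability ** n_trains


def criterion_acceptable(initiator_frequency, train_unavailability, cdf_limit):
    """Section 5.4 loop: put the candidate criterion back into the model and
    accept it only if the recalculated CDF stays within the limit."""
    return cdf_for_criterion(initiator_frequency, train_unavailability) <= cdf_limit


# Constructed sample SSCs (names and numbers are assumptions)
SW_PUMP = SSC(
    name="Service water pump P-1A (constructed)",
    scoped=True,
    criteria=PerformanceCriteria(max_mpffs=1, max_unavailable_hours=350.0),
    failures=[
        FailureEvent("2008-02-01", True, "packing torque out of spec"),
        FailureEvent("2008-09-10", True, "packing torque out of spec"),  # same cause
        FailureEvent("2009-01-05", False, "random motor winding fault"),
    ],
    unavailable_hours=120.0,
)
DIESEL = SSC(
    name="Emergency diesel generator 1B (constructed)",
    scoped=True,
    criteria=PerformanceCriteria(max_mpffs=2, max_unavailable_hours=500.0),
    failures=[FailureEvent("2008-06-15", True, "fuel oil filter not replaced")],
    unavailable_hours=410.0,
)

if __name__ == "__main__":
    for ssc in (SW_PUMP, DIESEL):
        print(ssc.name, classify_mpffs(ssc.failures),
              f"U={unavailability(ssc):.4f}", determine_status(ssc))
    print("q = 0.05 acceptable:", criterion_acceptable(1e-2, 0.05, 1e-5))
    print("q = 0.03 acceptable:", criterion_acceptable(1e-2, 0.03, 1e-5))
```

The pump lands in (a)(1) because its two MPFFs (one initial, one repetitive from the same cause) exceed the criterion of one, even though its unavailability is within limits; the diesel stays in (a)(2). The last two lines show the Section 5.4 feedback: a candidate train unavailability of 0.05 pushes the modelled CDF above the assumed limit, so the criterion would be tightened before being adopted.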

6.0 OBJECTIVE 6: Describe the basic concepts of single failure analysis.

Each system required to respond to a design basis event must have a single failure imposed upon it to determine if the system remains capable of performing its intended safety-related function. This single failure must be imposed randomly in the system, regardless of the credibility (with certain exceptions for ASME Section III/XI components) of that failure. Once that single failure is imposed, one is allowed to assume that all other components will perform their intended safety-related function. Note that the single failure criterion only applies to safety-related systems and then only to the safety-related components within those systems. One need only apply one single failure to the safety-related portions of systems because one has reasonable assurance that all other safety-related components will perform, since 10CFR50, Appendix A and 10CFR50, Appendix B have been applied to their design, manufacture, storage, installation, and maintenance. One cannot apply the single failure criterion to non-safety-related portions of systems because one does not have the same reasonable assurance. Application of the single failure criterion in design is the reason that redundant equipment exists in nuclear power plants.

6.1 Definitions

6.1.1 Active Component

An active component is a device characterized by a change of state or a discernible mechanical motion in response to a design basis demand imposed upon the system. Examples are switches, relays, powered valves, check and safety valves, pressure switches, turbines, transistors, motors, dampers, pumps, analog meters, etc.

6.1.2 Active Failure

An active failure is a failure of an active component to complete its intended function upon demand. Examples of active component failures include the failure of a powered valve to move to its correct position, failure of a pump, fan, or diesel generator to start, and failure of a relay to respond.
Certain valves that are provided with a power supply for proper system function must be prevented from unwanted movement in certain situations. Where the proper active function of a component can be demonstrated despite any reasonable postulated condition, then that component may be considered exempt from active failure. Examples of such components include code safety valves and check valves. Where such exemption is taken, the basis for the exemption shall be documented in the single failure analysis.

6.1.3 Mechanical Systems Active Failure

A malfunction, excluding passive failure, of a component that relies on mechanical movement to complete its intended function. Examples include a pump failure, a valve failing to change position, or a diesel generator failing to start.

6.1.4 Electrical/I&C Systems Active Failure

A malfunction, including any passive failure (e.g., bus fault), of an electrical or I&C system component required to function to mitigate an event. For these systems, no distinction is made between active and passive failures; the term Component Failure is appropriate.

6.1.5 Common-Cause Failure

Common-cause failures are multiple failures that occur as a result of a single specific event. These types of failures can occur as the result of a number of causes, such as natural phenomena (e.g., earthquake) and environmental effects such as High Energy Line Break (HELB) pipe-whip.

6.1.6 Common-Mode Failure

Common-mode failures are multiple failures that occur for the same reason or because of the same occurrence. Examples: loss of a common power supply resulting in several relays failing, an entire instrument loop failing, or the failure of several bistables to the same state. Design, manufacturing, or maintenance errors can also lead to common-mode failures. Examples are:

Manufacturing Errors: Sticky containment solenoid valves due to incorrect coating. The failure was the result of a manufacturing error.
Design Errors: Software program errors causing multiple failures. This may also be considered a common-cause failure if a single event causes the problem.
Procedure: A maintenance procedure is incorrect, so that all main steam isolation valves are set incorrectly.

6.1.7 Detectable Failure A Detectable Failure is a failure that can be detected through periodic testing or revealed by an alarm or anomalous indication.

6.1.8 Initial Condition

Any plant condition/configuration allowed for indefinite continued operation is an initial condition, which should be considered. The initial condition includes any pre-existing failures.

6.1.9 Operator Error

An incorrectly performed or omitted action by an operator attempting to perform a safety-related manipulation, such as the opening of the wrong valve or the failure to rack out a particular breaker.

6.1.10 Passive Component

A passive component is a device characterized by an expected negligible change of state or negligible mechanical motion in response to an imposed design basis demand upon the system. Examples are cables, piping, valves in stationary position, resistors, capacitors, fluid filters, indicator lights/lamps, cabinets, cases, etc.

6.1.11 Passive Failure

A passive component failure is the structural failure of a static component, which prevents the component from carrying out its design function. When applied to a fluid system, this means a breach of the pressure boundary is postulated, resulting in abnormal leakage. Such leakage is limited to that which results from a single spring flange, a single pump seal failure, a single valve stem packing failure, or other single failure mechanisms considered credible by a systematic analysis of system components. The probability of a large break in a piping system (e.g., rupture of ECCS piping), subsequent to the original large LOCA pipe break, is considered to be sufficiently low that it need not be postulated. A blockage of a process flow path is also a passive failure of that flow path. Initiating pressure boundary failures per the HELB rule (SRP 3-6) are 1) critical cracks (moderate energy) or 2) ruptures (high energy). However, for systems subject to ASME Sections III and XI, one can limit long-term or concurrent passive pressure boundary failures to valve packing and pump shaft mechanical seal failures because of periodic testing and inspection (ANSI/ANS 58.9-1981, ANS 51.7/ANSI N658-1976). Single failures of passive components are assumed in designing electrical systems.

6.1.12 Pre-existing Failure

Existing failures that are in addition to any failures that caused the event, or that occur as a result of the event. A component whose condition is not indicated, tested, or alarmed is considered indeterminate and assumed failed for purposes of analysis. Example: boundary valve leakage through valves that are never monitored or tested for seat leakage.

6.1.13 Short Term and Long Term

The short term is the first 24 hours following an initiating event. For purposes of design of the emergency core cooling and containment spray systems, the short term is considered to terminate upon transfer of these systems to the long-term cooling mode (recirculation). Long-term cooling applies to a duration greater than 24 hours. (ANS-51.7/ANSI N658-1976, ANS 58.9-1981)

6.2 Define Single Failure

The single failure criterion is a constraint used in the design of safety systems to improve the ability of the system to perform its safety function following a design basis event or design occurrence. A single failure means an occurrence that results in the loss of the capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electrical systems are considered to be designed against an assumed single failure if neither 1) a single failure of any active component (assuming that passive components function properly), nor 2) a single failure of a passive component (assuming that active components function properly) results in a loss of the capability of the system to perform its safety functions. Single failures are random occurrences imposed upon safety systems that are required to respond to a design basis event. They are postulated despite the fact that the systems were designed to remain functional under the adverse conditions imposed by the accident. No mechanism for the cause of the single failure need be postulated. Single failures of passive components in electrical systems are assumed in designing against a single failure.
A single failure is a random failure and its consequential effects, in addition to an initiating occurrence, that result in the loss of capability of a component to perform its intended safety function (ANSI/ANS 58.9-1981). ANSI/IEEE 379-1988 further expands: common-cause and common-mode failures that occur as a result of a single event and involve failures of other components as a subsequent result of the single event are taken together as a single failure. To successfully meet the single failure criterion:

1. A design basis event is imposed on the system. The remaining system configuration includes any equipment failures that are a natural consequence of the design basis event.
2. A random single failure is then applied to the remaining portion of the system that is used to perform the safety-related function.
3. The system must perform its safety-related function.

Consequential Effects Examples

A consequential effect is a failure caused as a result of the first failure encountered. Take, for example, a hypothetical steam line break in a turbine building. The steam impinges on a junction box and destroys it, resulting in multiple electrical shorts. At least one of the shorts causes the opening of a fuse or fuses. The opening of the fuse causes interruption of power to a safety-related circuit, resulting in the failure of all powered portions of that circuit. This sets up the initial condition as a result of the design basis event. These failures are a natural result of the steam line break or design basis event and DO NOT represent the single failure in the system. Now a single random failure must be applied to the remaining portion of the system to determine if it can still perform its intended safety-related function (IN 95-10).

Take, for example, following a design basis event, a relief valve, open to atmosphere, that fails to maintain pressure integrity across the seat and disc. The valve discharges to the environment and sprays onto an electrical fuse box that leaks and causes one or more fuses to open. The subsequent failure of the components powered by those fuses is consequential to the single failure and is part of the single failure. It does not represent additional failures. For additional examples, see NRC Information Notice 97-81, Deficiencies in Failure Modes and Effects Analyses for Instrumentation and Control Systems (via the NRC website).

6.2.1 Identify 10CFR50, Appendix A, Single Failure Requirements

10CFR50, Appendix A, General Design Criteria for Nuclear Power Plants, defines a single failure as: A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure.
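The three-step procedure above, the consequential-effect reasoning of the examples, and the active/passive and common-mode distinctions of Section 6.1 can be exercised mechanically. The following Python program is an added example, not from the workbook and not any plant's failure modes and effects analysis: it models two constructed designs of a two-train safety system, imposes a design basis event together with its consequential failures as the initial condition, then imposes every random single failure of a remaining safety-related component (with that failure's own consequential effects counted as part of it) and checks whether at least one train still performs the safety function. Every component, train and event name is an assumption.

```python
"""Single failure analysis of a two-train safety system (added example).

All component, train and design basis event names below are constructed for
illustration; they are not taken from the workbook or from any plant.
"""

# Component type and safety classification. Only safety-related components
# have a single failure imposed; non-safety-related portions get no such credit.
COMPONENTS = {
    "BUS-A":  ("active",  True),  "BUS-B":  ("active",  True),
    "PUMP-A": ("active",  True),  "PUMP-B": ("active",  True),
    "MOV-A":  ("active",  True),  "MOV-B":  ("active",  True),
    "PIPE-A": ("passive", True),  "PIPE-B": ("passive", True),
    "HX-A":   ("passive", True),  "HX-B":   ("passive", True),
    "HX-COMMON": ("passive", True),
    "JB-A":   ("passive", False),  # non-safety junction box feeding BUS-A
}

# Consequential effects: when the key fails, everything listed fails with it.
# An occurrence plus its consequences is still ONE failure (6.2, ANSI/IEEE 379).
DEPENDENTS = {
    "JB-A": ["BUS-A"],
    "BUS-A": ["PUMP-A", "MOV-A"],
    "BUS-B": ["PUMP-B", "MOV-B"],
}

# Two candidate designs: fully independent trains, or trains sharing one heat exchanger.
DESIGN_INDEPENDENT = {"A": ["BUS-A", "PUMP-A", "MOV-A", "PIPE-A", "HX-A"],
                      "B": ["BUS-B", "PUMP-B", "MOV-B", "PIPE-B", "HX-B"]}
DESIGN_SHARED_HX = {"A": ["BUS-A", "PUMP-A", "MOV-A", "PIPE-A", "HX-COMMON"],
                    "B": ["BUS-B", "PUMP-B", "MOV-B", "PIPE-B", "HX-COMMON"]}


def propagate(failed):
    """Close a set of failures over their consequential effects."""
    failed = set(failed)
    stack = list(failed)
    while stack:
        for dependent in DEPENDENTS.get(stack.pop(), []):
            if dependent not in failed:
                failed.add(dependent)
                stack.append(dependent)
    return failed


def safety_function_met(design, failed):
    """The safety function is met if at least one train has no failed component."""
    return any(all(c not in failed for c in train) for train in design.values())


def single_failure_analysis(design, dbe_consequential_failures=()):
    """Apply the Section 6.2 steps.

    1. Impose the design basis event: its consequential failures form the initial
       condition and are NOT the single failure.
    2. Impose, one at a time, a random single failure of each remaining
       safety-related component, carrying its consequential effects with it.
    3. Check that the system still performs its safety function.

    Returns the sorted list of single failures that defeat the safety function;
    an empty list means the design meets the single failure criterion for this DBE.
    """
    initial = propagate(dbe_consequential_failures)
    if not safety_function_met(design, initial):
        raise ValueError("safety function lost by the DBE alone, before any single failure")
    in_scope = {c for train in design.values() for c in train}
    defeats = []
    for component in sorted(in_scope):
        kind, safety_related = COMPONENTS[component]
        if component in initial or not safety_related:
            continue  # already failed by the DBE, or not a safety-related component
        if not safety_function_met(design, propagate(initial | {component})):
            defeats.append(f"{component} ({kind} failure)")
    return defeats


if __name__ == "__main__":
    print("independent trains, no consequential DBE damage:",
          single_failure_analysis(DESIGN_INDEPENDENT))
    print("shared heat exchanger:", single_failure_analysis(DESIGN_SHARED_HX))
    # Constructed DBE: a steam line break destroys junction box JB-A, which
    # consequentially de-energizes BUS-A and everything it powers.
    print("independent trains after DBE that fails JB-A:",
          single_failure_analysis(DESIGN_INDEPENDENT, ["JB-A"]))
```

The independent design passes with no DBE damage, while the shared heat exchanger is reported as the single passive failure that defeats both trains. The third run shows the point of the consequential-effects examples: once the design basis event has consequentially taken out train A through the non-safety junction box, every single failure in train B defeats the function, so the design as modelled does not meet the criterion for that event even though each train is individually sound.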
Appendix A contains general design criteria for SSCs that perform major safety functions. Many of the GDCs contain a statement similar to the following: Suitable redundancy in components and features and suitable interconnections, leak detection, isolation and containment capabilities shall be provided to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system safety function can be accomplished assuming single failure. Additional guidance is provided in Regulatory Guide 1.53. See, for example, GDCs 17, 21, 34, 35, 38, 41 and 44.

Capability to withstand a single failure in fluid or electrical systems is a plant-specific design consideration, which ensures that a single failure does not result in a loss of the capability of the system to perform its safety functions. A design deficiency, in which capability to withstand a single failure is lost, should be evaluated and treated as a degraded and nonconforming condition. As with any degraded or nonconforming condition, a prompt determination of operability is required. For any design deficiency in which the capability to withstand a single failure is lost, the licensee must address the quality aspects. If the design deficiency affects the design basis requirements for a particular plant, the licensee must promptly correct the deficiency in accordance with 10CFR50, Appendix B, Criterion XVI, Corrective Action.

Criterion 17 Electric Power Systems

An onsite electric power system and an offsite electric power system shall be provided to permit the functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that 1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and 2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.
The onsite electric power supplies, including the batteries and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

Criterion 21 Protection System Reliability and Testability

The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that 1) no single failure results in the loss of the protection function and 2) removal from service of any component or channel does not result in the loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

Criterion 34 Residual Heat Removal

A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design condition of the reactor coolant pressure boundary are not exceeded. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 35 Emergency Core Cooling

A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following a loss of reactor coolant at a rate such that 1) fuel and clad damage that could interfere with continued effective core cooling is prevented and 2) clad metal-water reaction is limited to negligible amounts.
Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 38 Containment Heat Removal

A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 41 Containment Atmosphere Cleanup Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quantity of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure. Criterion 44 Cooling Water A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems and components under normal operation and accident conditions. 
Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

6.3 Describe when single failure analysis applies to a new design.

New designs must meet all 10CFR50, Appendix A, requirements and the regulatory and licensing commitments for the system in which they are installed. This includes single failure analysis. When equipment is added to an existing system, one must consider the original single failure analysis and determine whether any new failure modes have been introduced into the system or into the room/component in which it is installed. The system will have to be reanalyzed to determine whether it still satisfies the single failure criterion.

6.4 Describe when single failure analysis applies to an existing design.

When equipment is taken out of service for maintenance or is temporarily modified, especially during power operation, the remainder of the system must be looked at in light of the single failure criterion and the maintenance rule.

6.5 Describe when single failure analysis need not be applied.

Typically the failure of a passive component designed, manufactured, inspected, and maintained in service to an extremely high quality level need not be assumed in single failure analysis. Many passive components designed and constructed to ASME Section III and maintained, tested, and examined to ASME Section XI may be considered to leak before break; they have a very low probability of passive failure and need not be considered in the single failure analysis. This is the reason there are many ASME piping sections that are not redundant.

As stated earlier, in single failure analysis all safety-related components are expected to perform their safety function except the one that is considered to have failed in the analysis. Note that if this were strictly applied it would not be possible to have equipment out of service for testing or maintenance. However, Technical Specifications allow times when some equipment is not capable of performing its safety function. Here again, the probability of occurrence of a Design Basis Event (DBE) during that time is considered very small, and the equipment need not be considered out of service in the single failure analysis. The frequency limit for damage states, the frequency of initiating events, and the reliability of all the systems needed for each event are considered in calculating allowed outage times.

REFERENCES
1. ANSI/ANS 51.1-1983, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants
2. ANSI N658/ANS 51.7-1976, Single Failure Criteria for PWR Fluid Systems
3. ANSI/ANS 58.9-1981, Single Failure Criteria for Light Water Reactor Safety-Related Fluid Systems
4. Safety Series No. 50-P-1, Application of the Single Failure Criterion, a Safety Practice of the International Atomic Energy Agency, Vienna, 1990
5. Regulatory Guide 1.53, Application of Single Failure Criterion to Nuclear Power Plant Protection Systems
6. NRC Generic Letter 96-06, Assurance of Equipment Operability and Containment Integrity During Design Basis Accident Conditions
7. Information Notice 97-81, Deficiencies in Failure Modes and Effects Analyses for Instrumentation and Control Systems
8. ANSI/IEEE Std 379-1988, Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems
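The single failure criterion described in Sections 6.3 through 6.5 can be exercised mechanically once a system's trains and their dependencies are written down. The Python script below is an added example, not part of this workbook and not any plant's analysis: it models a constructed two-train system (component names such as RHR-P-1A, EDG-A, SUCTION-HDR and XTIE-MOV are illustrative placeholders), enumerates every credible single failure under both power assumptions used in the General Design Criteria (onsite power with offsite unavailable, and offsite power with onsite unavailable), and shows how a shared active component added by a plant change (6.3), a component removed from service (6.4), and the decision to credit high-quality passive piping (6.5) each change the result.

```python
"""Single failure analysis of a two-train safety system.

Constructed example (not from the workbook): a train is credited only if every
component it depends on is available, and the safety function is accomplished
when at least one redundant train works. The analysis is repeated for both power
assumptions in the General Design Criteria: onsite power only (offsite
unavailable) and offsite power only (onsite unavailable).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    trains: frozenset      # trains that depend on this component; two trains = shared
    kind: str = "active"   # "active", "passive" (piping), or "edg" (emergency diesel)


@dataclass(frozen=True)
class SafetySystem:
    trains: tuple
    components: tuple


def train_available(system, train, failed, power_mode):
    """A train works when no component it depends on has failed.

    With offsite power available the diesel generators are not needed, so an
    EDG failure is irrelevant in the "offsite" power mode.
    """
    for c in system.components:
        if train not in c.trains:
            continue
        if c.kind == "edg" and power_mode == "offsite":
            continue
        if c.name in failed:
            return False
    return True


def function_accomplished(system, failed, power_mode):
    """The safety function is met if any redundant train is available."""
    return any(train_available(system, t, failed, power_mode) for t in system.trains)


def single_failure_analysis(system, out_of_service=(), credit_passive=True):
    """Enumerate every single failure under both power assumptions.

    out_of_service: components already unavailable (maintenance or temporary
                    modification, Section 6.4); they are failed in every case.
    credit_passive: when True, high-quality passive components (ASME III/XI
                    piping) are not assumed to fail (Section 6.5).
    Returns the (power_mode, failed_component) pairs that defeat the safety
    function; an empty list means the single failure criterion is met.
    """
    credible = [c.name for c in system.components
                if c.kind != "passive" or not credit_passive]
    violations = []
    for power_mode in ("onsite", "offsite"):
        for single in [None] + credible:   # None = no additional failure
            failed = set(out_of_service)
            if single is not None:
                failed.add(single)
            if not function_accomplished(system, failed, power_mode):
                violations.append((power_mode, single))
    return violations


# Constructed residual-heat-removal-style system: two independent trains that
# share only a passive suction header. All names are illustrative placeholders.
BASELINE = SafetySystem(
    trains=("A", "B"),
    components=(
        Component("EDG-A", frozenset({"A"}), "edg"),
        Component("EDG-B", frozenset({"B"}), "edg"),
        Component("RHR-P-1A", frozenset({"A"})),
        Component("RHR-P-1B", frozenset({"B"})),
        Component("MOV-A", frozenset({"A"})),
        Component("MOV-B", frozenset({"B"})),
        Component("SUCTION-HDR", frozenset({"A", "B"}), "passive"),
    ),
)

# Plant change (Section 6.3): a new active cross-tie valve that both trains rely
# on introduces a common failure mode that reanalysis must catch.
MODIFIED = SafetySystem(
    trains=BASELINE.trains,
    components=BASELINE.components + (Component("XTIE-MOV", frozenset({"A", "B"})),),
)

if __name__ == "__main__":
    print("baseline:", single_failure_analysis(BASELINE))
    print("with cross-tie valve:", single_failure_analysis(MODIFIED))
    print("pump 1A out of service:",
          single_failure_analysis(BASELINE, out_of_service={"RHR-P-1A"}))
    print("passive failures assumed:",
          single_failure_analysis(BASELINE, credit_passive=False))
```

Run stand-alone, the script reports no violations for the baseline, the cross-tie valve under both power assumptions for the modified system, and five B-train failures that defeat the function while pump 1A is out of service (the offsite case drops EDG-B because the diesel is not needed when offsite power is available). That last result is the situation the workbook describes in Section 6.5: the out-of-service window is governed by Technical Specification allowed outage times rather than by the single failure analysis itself. Dropping the passive-piping credit turns the shared suction header into a violation, which is exactly why the ASME III/XI basis in Section 6.5 matters.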

7.0 OBJECTIVE 7: Describe the basic concepts of safety evaluations.

7.1 Describe how a safety evaluation relates to the safety, or safe operation, of the plant.

The term safety evaluation encompasses two distinct and different processes: 1) an evaluation of safety (usually related to nuclear safety), and 2) an evaluation conducted in accordance with 10CFR50.59. The engineer must be able to distinguish between the two processes and must know when to apply each.

1. The evaluation of safety is part of the design process. It is normally conducted for discovered plant conditions (e.g., degraded or nonconforming conditions) or proposed changes to the plant or its procedures. During normal operation, the engineer must never allow or approve plant operation or plant conditions, either temporarily or permanently, that deviate from the 50.2 Design Basis without also obtaining prior NRC approval in accordance with 10CFR50.59 or 50.90. Similarly, the engineer must never allow or approve plant operation or plant conditions, either temporarily or permanently, that would result in the plant response during accidents or events being different from that described in the FSAR. It is on that information (in its updated form) that the NRC based its conclusion that the plant could be operated without undue risk to the health and safety of the public.

2. The safety evaluation conducted in accordance with 10CFR50.59 is a regulatory process and not a design process. The conclusions of a safety evaluation under 10CFR50.59 do not relate to safety specifically, but rather conclude whether the NRC must review and approve a proposed change prior to its implementation. All issues associated with the safety of proposed activities and all pertinent evaluations of the proposed activity for its potential effect on the plant or its operation are completed prior to beginning a 10CFR50.59 evaluation. These analyses and evaluations are conducted in accordance with regulatory requirements such as 10CFR50, Appendix B, Criterion III, Design Control (and ANSI N45.2.11 or ASME NQA-1), for design change evaluations; 10CFR50, Appendix B, Criterion V, Instructions, Procedures and Drawings, for procedure changes; and 10CFR50, Appendix B, Criterion XI, Test Control, for changes in a testing program.

REFERENCES
1. NEI 96-07, Revision 1, Guidelines for 10CFR50.59 Implementation, November 2000

8.0 OBJECTIVE 8: Describe the basic concepts of operability determinations.

The plant is allowed to operate with the following conditions identified:
- Degraded condition affecting safety-related equipment
- Nonconforming condition affecting safety-related equipment
- Safety-related equipment not able to perform its function
- Unanalyzed condition affecting plant safety
- Indeterminate condition
- Unreviewed Safety Question

This is allowed by regulatory provisions found in:
- Technical Specifications
- 10CFR50, Appendix B, Criterion XVI

8.1 Define OPERABLE and OPERABILITY.

A system, subsystem, train, component or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified function(s), and when all necessary attendant instrumentation, controls, electric power, cooling or seal water, lubrication or other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its function(s) are also capable of performing their related support function(s), and all of this equipment has all required surveillance testing current and successfully passed.

Equipment is operable, or has operability, when it meets all of the operating, testing, and surveillance requirements of the Technical Specifications and is capable of performing its safety-related function(s). It means that the equipment meets all of the conditions imposed upon it in the Technical Specifications. It means more than that it is capable of being operated.


RIS 2005-20 says: If an SSC described in the T[echnical] S[pecification]s is determined to be operable even though a degraded or nonconforming condition is present, the SSC is considered operable but degraded or nonconforming. An SSC that is determined to be operable but degraded or nonconforming is considered to be in compliance with its TS LCO, and the operability determination is the basis for continued operation. This is consistent with the plant's TSs controlling decisions on plant operations. The basis for continued operation should be frequently and regularly reviewed until corrective actions are successfully completed. SSCs that have been determined operable through an operability determination remain operable as long as the reasonable expectation of operability established by the operability determination remains valid.

While performing modifications or evaluations on equipment used to prevent or mitigate the consequences of accidents, design engineers must remember that this equipment must remain operable during the applicable modes of nuclear power plant operation.

9.0 OBJECTIVE 9: Describe the basic concepts of the Appendix R analysis.

Fire protection in the nuclear industry prior to 1975 was primarily governed by 10CFR50, Appendix A, General Design Criterion 3 and nuclear insurance requirements. General Design Criterion 3 required that structures, systems, and components be designed and located to minimize the probability and effects of fires.

On March 22, 1975 a fire occurred at the Browns Ferry Nuclear Power Plant. A combustible used as a penetration seal material was ignited by a candle during air leak testing. The fire started in the electrical penetration room and spread quickly into safety-related cable trays containing control, signal, and power cables. It spread 30 to 40 feet into containment, where it burned for about 7.5 hours. The fire resulted in:
- damage to approximately 1600 cables (684 of them safety-related)
- smoke and fumes entering the control room
- power loss to multiple control boards
- safety-related pumps starting and stopping due to hot shorts
- control room indicating lights and annunciators coming in and out, so that the control room operators could not determine the actual plant status

Contributing factors to the fire were:
- poor design (inadequate separation of redundant systems)
- partial or limited fire detection and suppression
- polyurethane foam used as a seal/fire stop
- no formal, qualified in-house fire protection program

In response, the NRC impaneled a special review group to deal with fire protection. The group developed additional guidance for implementation of the general design criteria and conducted a detailed review of fire protection programs at operating plants, comparing them to that guidance.

In 1976, the NRC issued Standard Review Plan (SRP) 9.5.1, Appendix A. It was the criteria used by the NRC for review of plant designs with respect to 10CFR50, Appendix A, General Design Criterion 3.

In 1981, 10CFR50.48 set forth the requirement that each operating facility shall have a fire protection program that satisfies General Design Criterion 3. This section also invokes 10CFR50, Appendix R, Sections III.G, III.J, III.L, and III.O for plants licensed before 1/1/1979. 10CFR50, Appendix R sets forth fire protection features required to satisfy General Design Criterion 3.

For many plants, the requirements for fire protection were included in the Technical Specifications. In 1988, the NRC issued Generic Letter 88-12, which allowed licensees to remove the fire protection requirements from the Technical Specifications provided a condition was added to the OL.

9.1 Describe Appendix R.

10CFR50, Appendix A, Criterion 3 specifies that structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Appendix R of 10CFR50 outlines some requirements that will assist in complying with that requirement.


9.2 Identify the equipment to which Appendix R applies.

Per Criterion 3 of Appendix A, it applies to structures, systems, and components important to safety (safety-related).

9.2.1 Definitions

9.2.1.1 Rated

In order to be considered a rated fire barrier, the item must undergo a test at a recognized laboratory. Underwriters Laboratories (UL) is the recognized laboratory most people are familiar with. A large gas-fired furnace is used to subject the assembly to a fire that meets the ASTM E-119 Time-Temperature Curve (see figure below).

9.2.1.2 Assemblies

For an assembly to retain its fire rating when installed in the plant, its configuration must be identical to that which was tested. Any differences from the tested configuration must be evaluated. The key is that when the item is installed in the plant, it must be installed in a configuration just like the assembly or specimen was in when it was tested. If, after installation, changes are made to the assembly, a fire protection engineer must also evaluate those changes.


9.2.1.3 Tested

Not all fire barriers can be tested. In the plant there are many examples of what are termed non-rated features. These include watertight doors, hatches, valve encapsulations, equipment floor hatches, and others. These features have been evaluated by a fire protection engineer as providing a level of protection equivalent to an X-hour rated configuration. Note that this evaluation must be based on the fire detection and suppression in the area and on the fire loading and fire hazards in the area. If plant changes are made in the area of those non-rated features, a new analysis may be required.

9.3 Explain how Appendix R affects the engineering process.

The engineer needs to understand what the fire protection requirements are and must ensure that changes to the plant do not invalidate previous analyses. New buildings or equipment must be properly evaluated with respect to fire. Temporary modifications to the facility must be evaluated keeping in mind the fire evaluations and analyses that have been performed. Bear in mind that both active and passive fire suppression systems are installed in the plant. When evaluating a change or modification, consider:
- Combustible loading
- Lighting for fire fighters
- Lighting for egress/ingress
- Ingress/egress pathways
- Location and spray pattern of sprinklers
- Location and aiming of emergency lights
- Ignition sources
- Flame retardancy
- Fire coatings
- Location and type of floor drains
- Communications
- Penetration seals
- Ceilings and walls
- Failure modes of installed equipment
- Failure modes of new equipment


If parts are replaced on equipment that has been fire rated by UL, the replacement part must not invalidate that rating (see the definition of fire rating in 9.2.1.1).

REFERENCES
1. NRC Generic Letter 86-10, Supplement 1, Fire Endurance Test Acceptance Criteria for Fire Barrier Systems Used to Separate Redundant Safe Shutdown Trains within the Same Fire Area
2. 10CFR50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979

10.0 OBJECTIVE 10: Describe the basic concepts of electrical separation analysis.

10.1 Regulatory Background

NRC-approved nuclear reactor fire protection programs require that at least one set of the systems needed to achieve and maintain hot shutdown is free from fire damage. To ensure that electrical cables and components are not damaged by fire, NRC regulations require that redundant safe shutdown trains (systems that can provide the same safety function) be separated. Separation can be achieved by one of the following:
1. A fire barrier having a three-hour rating
2. A horizontal distance of more than 20 feet with no combustibles or fire hazards in that space, with fire detection and automatic fire suppression systems in the fire area. This is electrical separation.
3. A fire barrier having a one-hour fire rating with fire detection and automatic fire suppression systems in the fire area

Specifically, Criterion 24, Separation of Protection and Control Systems, of 10CFR50, Appendix A, General Design Criteria for Nuclear Power Plants, requires separation of protection and control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is to be limited to ensure that safety is not significantly impaired.

Electrical separation should incorporate physical and electrical separation to prevent faults in one cable/channel from degrading any other cable/channel. Some of the methods that may be used to achieve this include:
- Separate wireways
- Separate cable trays
- Separate conduit runs
- Separate containment penetrations
- Locating modules in different locations
- Energizing from a separate AC power feed
- Installing cable runs and redundant equipment in different fire areas separated by fire barriers

10.2 Describe the importance of Electrical Separation.

When modifying existing electrical components, installing temporary modifications, or authorizing transient electrical equipment, electrical separation must be maintained if safety-related electrical equipment is to remain operable. In evaluating nonconforming plant conditions, it must be remembered that electrical separation is a GDC requirement and is necessary for Technical Specification operability (within LCO allowances).

REFERENCES
1. ANS/IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations
2. NRC Generic Letter 86-10, Implementation of Fire Protection Requirements
3. IEEE Std 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits
4. IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations
5. NUREG-0800, Appendix 7.1-A, Acceptance Criteria and Guidelines for Instrumentation and Control Systems Important to Safety
6. NUREG-0737, Clarification of TMI Action Plan Requirements
7. Regulatory Guide 1.153, Criteria for Safety Systems
8. Regulatory Guide 1.75, Physical Independence of Electrical Systems
9. Regulatory Guide 1.97, Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident
10. USNRC TIP 26, Fire Barrier Issues


11.0 OBJECTIVE 11: Describe the basic concepts of seismic II/I analysis.

11.1 Define Seismic II/I (pronounced "2 over 1").

Seismic II/I items (also called II/I items) are those portions of SSCs whose continued function is not required but whose failure could reduce the functioning of any Category I plant feature to an unacceptable safety level or could result in incapacitating injury to occupants of the control room.

Seismic Category I items are those items that must remain functional during and after a design basis seismic event. Seismic Category II items are all those that are not Category I. Seismic II/I items are Category II items that could fail in a way that could prevent a Category I item from performing its intended safety function. For example, a 15 lb. non-safety-related air accumulator tank is mounted to a wall, 5 feet above and directly over a safety-related pressure transmitter. If the tank mounting were to fail, the tank would fall and cause the pressure transmitter to fail. The tank and its mounting are therefore Seismic II/I.

11.2 Identify the equipment to which Seismic II/I applies.

The types of equipment to which II/I may apply are (not all-inclusive):
- Unit heaters
- Piping and supports
- Ductwork and supports
- Block walls
- Stairwells
- Control room ceiling
- Grating, handrails, ladders and toeplates
- Conduit, cable tray and associated equipment
- Hoists
- Piping insulation

REFERENCES
1. NRC Generic Letter 87-03, Verification of Seismic Adequacy of Mechanical and Electrical Equipment in Operating Reactors, Unresolved Safety Issue (USI) A-46
2. NRC Regulatory Guide 1.29, Positions C.2 and C.3


12.0 OBJECTIVE 12: Describe the basic concepts of loss of offsite power and station blackout analysis.

12.1 Identify the requirements for a station blackout program.

The complete loss of AC electrical power to the essential and nonessential switchgear buses in a nuclear power plant is referred to as a Station Blackout. Because many safety systems required for reactor core decay heat removal are dependent on AC power, the consequence of a station blackout could be a severe core damage accident. The technical issue involves the likelihood and duration of the loss of all AC power and the potential for severe core damage after a loss of all AC power.

The issue of station blackout arose because of historical experience regarding the reliability of AC power supplies. There had been numerous reports of emergency diesel generators failing to start and run in operating plants. In addition, a number of operating plants experienced a total loss of offsite electrical power. In almost every one of these loss of offsite power events, the on-site emergency AC power supplies were available to supply the power needed by vital safety equipment. However, in some instances, only one of the redundant emergency power supplies had been available. In a few cases, there was a complete loss of AC power, but during these events AC power was restored in a short time without any serious consequences.

The results of WASH-1400 showed that, for one of the two plants evaluated, a station blackout accident would be an important contributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative importance of station blackout accidents was established. This finding and the concern for diesel generator reliability based on operating experience raised station blackout to an Unresolved Safety Issue (USI) in the 1979 NRC Annual Report. A detailed action plan for resolving this issue was published in NUREG-1649, Revision 1. The final evaluation of station blackout accidents at nuclear power plants was performed by the NRC and published in NUREG-1032. The regulatory requirement for protection against a station blackout is found in 10CFR50.63.

12.2 Define station blackout.

Station blackout is the complete loss of AC electrical power to the essential and nonessential switchgear buses in a nuclear power plant. The 10CFR50.2 definition is:

Station blackout means the complete loss of alternating current (AC) electric power to the essential and nonessential switchgear buses in a nuclear power plant (i.e., loss of offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency AC power). Station blackout does not include the loss of available AC power to buses fed by station batteries through inverters or by alternate AC sources defined in this section, nor does it assume a concurrent single failure or design basis accident. At single unit sites, any emergency AC power source(s) in excess of the number required to meet minimum redundancy requirements (i.e., single failure) for safe shutdown (non-DBA) is assumed to be available and may be designated as an alternate power source(s) provided the applicable requirements are met. At multi-unit sites, where the combination of emergency AC power sources exceeds the minimum redundancy requirements for safe shutdown (non-DBA) of all units, the remaining emergency AC power sources may be used as alternate AC power sources provided they meet the applicable requirements. If these criteria are not met, station blackout must be assumed on all the units.

Safe Shutdown (non-design basis accident (non-DBA)) for station blackout means bringing the plant to those shutdown conditions specified in plant technical specifications as Hot Standby or Hot Shutdown, as appropriate (plants have the option of maintaining the RCS at normal operating temperatures or at reduced temperatures).

Alternate AC source means an alternating current (AC) power source that is available to and located at or nearby a nuclear power plant and meets the following requirements:
1. Is connectable to but not normally connected to the offsite or onsite emergency AC power systems;
2. Has minimum potential for common mode failure with offsite power or onsite emergency AC power sources;
3. Is available in a timely manner after the onset of station blackout; and
4. Has sufficient capacity and reliability for operation of all systems required for coping with station blackout and for the time required to bring and maintain the plant in safe shutdown (non-design basis accident).

REFERENCES
1. 10CFR50.63, Loss of All Alternating Current Power
2. Federal Register Notice, 53FR23203, 10CFR50, Station Blackout, June 21, 1988
3. NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, (Draft) May 1985, (Final) June 1988


4. NUREG-1109, Regulatory/Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout, June 1988
5. NUREG-1649, Task Action Plans for Unresolved Safety Issues Related to Nuclear Power Plants, February 1980, (Revision 1) September 1984
6. Regulatory Guide 1.9, Selection, Design, and Qualification of Diesel-Generator Units Used as Onsite Electrical Power Systems at Nuclear Power Plants
7. Regulatory Guide 1.155, Station Blackout, June 1988
8. WASH-1400 (NUREG-75/014), Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, October 1975
9. NUMARC 87-00
10. NUREG/CR-0660

13.0 OBJECTIVE 13: Describe the basic concepts of high energy line break analysis.

13.1 Identify the requirements for high energy line break analysis.

Pipe failure protection must be provided to comply with the requirements of 10CFR50, Appendix A, GDC 4. NRC Branch Technical Position (BTP) MEB 3-1 and NRC Branch Technical Position ASB 3-1, Protection Against Postulated Piping Failures in Fluid Systems Outside Containment, November 24, 1975, provide additional information on the regulatory understanding of the GDC requirement.

High Energy Line Breaks (HELBs) are an important consideration in determining where to locate equipment. A break in a high energy line can cause:
- The line to directly impact (contact) safety-related equipment (pipe whip)
- Steam/high temperature water/high pressure water to directly impinge on safety-related equipment
- Changes in the temperature and humidity of a compartment that can affect the environment for safety-related equipment
- Release of corrosive fluids
- Release of gases
- Release of energy in the form of heat


These effects may be from a line break or from a crack in the line. The energy may be released as a flood, as a spray, or as steam. One must consider whether a whipping pipe has a constant energy source or a limited energy source. A piping section breaking downstream of an isolable valve could be considered to have a limited energy source. A non-isolable break could be considered to have a constant energy source. A line with a constant energy source could continue to whip about with the hinge located at the nearest restraint.

Some of the ways to minimize HELB impact are:
- Maximize the physical separation of redundant or diverse safety-related components and systems from each other and from non-safety-related items
- Pipe whip restraints
- Barriers, such as walls, floors, columns and abutments
- Equipment shields
- Physical separation of piping, equipment, and instrumentation

13.2 Define high energy line break.

A postulated HELB is defined as a sudden, gross failure of the pressure boundary either in the form of a complete circumferential severance (guillotine break) or as the development of a sudden longitudinal crack (longitudinal split), and is postulated for high energy fluid systems only. High energy fluid systems are defined as those systems, or portions of systems, that during normal plant conditions are either in operation or are maintained pressurized under conditions where either or both of the following are met:
- Maximum temperature exceeds 200°F, or
- Maximum pressure exceeds 275 psig

NRC Branch Technical Position (BTP) MEB 3-1 may be used as the basis of the criteria for the postulation of HELBs.

13.3 Identify to which equipment high energy line break analysis applies.

The HELB analysis applies to all safety-related equipment in rooms that contain high energy lines and to all safety-related equipment that could be impacted by pipe whip. One must assure that equipment subject to HELB effects can continue to perform its intended safety function, and that the following are maintained:
- Subsequent access to any areas, as required, to cope with the postulated pipe rupture
- Habitability of the control room
- The ability of essential instrumentation, electric power supplies, components, and controls to perform their safety function

REFERENCES
1. NRC Branch Technical Position (BTP) ASB 3-1
2. NRC Branch Technical Position (BTP) MEB 3-1

14.0 OBJECTIVE 14: Describe the basic concepts of the flooding analysis.

In case of a pipe failure, flooding might jeopardize the function of safety-related equipment required to mitigate the consequences of the pipe break or to maintain the plant in a safe shutdown condition. If the site is not dry (Probable Maximum Flood is above site grade), flood water evaluations are required. The evaluation includes postulated roof drain failures due to seismic events and moderate energy pipe failures where required. The floor drainage system is a part of the flood protection design.

14.1 Identify the requirements for flooding analysis.

See 10CFR50, Appendix A, Criteria 2 and 4.

14.2 Identify equipment/features/rooms to which flooding analysis applies.

All rooms containing safety-related equipment and flooding sources. These sources may be local tanks or any piping line connected to a pumped source of water or to a large body of water that could gravity drain into the room. For purposes of analysis, typically all non-seismic lines are considered to undergo a guillotine break during a seismic event.

15.0 OBJECTIVE 15: Describe the basic concepts of the tornado and wind analysis.

Identify the requirements for tornado and wind analysis. 15.1.1 Historical Background The AEC first established missile protection requirements in 1967. GDC-2 and GDC-4 of 10CFR50, Appendix A, require in part that SSCs important to safety be designed to be able to withstand the effects of tornado missiles. Specific design acceptance criteria to meet the requirements of GDC-2 and GDC-4 and recommended methods of satisfying the

NRC Design and Licensing Fundamentals

Page 63 of 68

acceptance criteria are detailed in SRP Sections 3.3.2 and 3.5.1.4 and in Regulatory Guides 1.76 and 1.117. 15.1.2 Safety Significance Missiles generated by tornadoes could potentially damage systems or components containing radioactivity or those systems or components necessary for the safe shutdown of a reactor. This damage may directly result in core damage or melting. Tornado missile protection includes structural strengthening of potential safety-significant targets of tornado missiles; concrete missile protection for spent fuel pools, and increased concrete wall thickness around safetyrelated structures other than containment to stop tornado missiles. 15.2 Identify the equipment to which tornado and wind analyses apply. Buildings that house safety-related equipment are barriers to the tornado missiles in addition to being a target to a direct hit from a tornado. Safety-related, seismic category 1 buildings have installed in them: Missile doors to prevent externally generated missiles from penetrating the building Walls that prevent the penetration of an externally generated missile Walls that can withstand internal pressurization due to decreased atmospheric pressure on the outside due to the tornado Dampers to the outside that will prevent over-pressurization 15.3 Describe the purposes of an Internal Missile Analysis. Rotating equipment and pressurized component failure can generate internal missiles. If a piece of rotating equipment has a credible failure mechanism which will allow a part of the rotating assembly to become detached and escape the housing that contains the rotating assembly, that part of piece becomes a missile in that room. Its effect on surrounding safety-related equipment must be analyzed. The severance of a circumferential weld could cause the ejection of an unrestrained pipe section or dead end flange. REFERENCES 1. 2. 3. 
10CFR50, Appendix A, Criterion 2 and 4 Regulatory Guide 1.76, Design Basis Tornado for Nuclear Power Plants Regulatory Guide 1.117, Tornado Design and Classification

16.0 OBJECTIVE 16: Describe the concept of Codes and Standards.

16.1 Describe the difference between a Code and a Standard.

A Standard is a rule formally endorsed by an organization. A Code is a standard that has been incorporated into law. Specific Codes and Standards are mandated by law, which requires the plants to design, construct or operate in accordance with particular privately written documents. 10CFR50.55(a), Codes and Standards, prescribes many of the applicable Codes. Codes and Standards are developed for:
- Standardization
- Safety
- Regulatory Compliance

16.2 Describe some of the more popular Codes and Standards that are used in the U.S. nuclear industry.

The following examples of industry codes/standards organizations are not meant to be all-inclusive. Rather, this is a short list of some of the more popular organizations and their respective codes/standards that are used in the U.S. nuclear power industry.

16.2.1 American Society of Mechanical Engineers (ASME)

ASME is a professional body, specifically an engineering society, focused on mechanical engineering. The organization is known for promoting the science and practice of mechanical engineering throughout the world and for setting codes and standards for mechanical devices. Examples of ASME codes used in the nuclear industry are:
- ASME Boiler and Pressure Vessel Code Section V: Nondestructive Testing
- ASME Boiler and Pressure Vessel Code Section VIII: Pressure Vessels
- ASME Boiler and Pressure Vessel Code Section XI: Rules for Inservice Inspection of Nuclear Power Plant Components
- ASME B31.1: Power Piping

16.2.2 American National Standards Institute (ANSI)

ANSI has been the administrator and coordinator of the United States private sector voluntary standardization system for more than 80 years. Founded in 1918, the Institute remains a private, nonprofit membership organization supported by a diverse constituency of private and public sector organizations. Examples of ANSI standards used in the nuclear industry are:

- ANSI/ANS3.1: American National Standard for the Selection and Training of Nuclear Power Plant Personnel
- ANSI 4.5: Criteria for Accident Monitoring Function in Light Water Cooled Reactors
- ANSI/ANS-5.1: Decay Heat Power in Light Water Reactors
- ANSI/ANS-6.4: Nuclear Analysis and Design of Concrete Radiation Shielding for Nuclear Power Plants
- ANSI 18.2: Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants
- ANSI 56.2: Containment Isolation Provisions for Fluid Systems After a LOCA
- ANSI 56.5: PWR and BWR Containment Spray System Design Criteria
- ANSI/ISA-67.02.01: Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants
- ANSI B16.5: Steel Pipe Flanges, Flanged Valves and Fittings
- ANSI/ASME-N509: Nuclear Power Plant Air Cleaning Units and Components
- ANSI N658: Single Failure Criteria for PWR Fluid Systems

16.2.3 American Nuclear Society (ANS)

A not-for-profit, international, scientific and educational organization. It was established by a group of individuals who recognized the need to unify the professional activities within the diverse fields of nuclear science and technology. Its standards are now published under ANSI (see the previous examples).

16.2.4 Institute of Electrical and Electronics Engineers (IEEE)

This organization advances the engineering process of creating, developing, integrating, sharing and applying knowledge about electrical and information technologies and sciences for the benefit of humanity and the profession. IEEE is a central source of standardization in both traditional and emerging fields, particularly telecommunications, information technology and power generation. Examples of IEEE standards used in the nuclear industry are:
- C135.3: Power Transmission and Distribution
- C27.119: Protective Relaying
- C37.74: Switchgear, Circuit Breakers and Fuses

- 279: Criteria for Protection Systems for Nuclear Power Generating Stations
- 308: Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations
- 323: General Guide for Qualifying Class One Electric Equipment for Nuclear Power Generating Stations
- 344: IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations
- 383: Qualifying Class 1E Electric Cables and Field Splices for Nuclear Power Generating Stations
- 384: Criteria for Separation of Class 1E Equipment and Circuits
- 603: Criteria for Safety Systems for Nuclear Power Generating Stations

16.2.5 American Society for Testing and Materials (ASTM)

The organization is the foremost developer and provider of voluntary consensus standards for testing materials, related technical information and services, having internationally recognized quality and applicability. Examples of ASTM standards used in the nuclear industry are:
- ASTM 12.02: Nuclear Energy
- ASTM 05.01: Petroleum Products and Lubricants
- ASTM E185: Standard Practice for Conducting Surveillance Tests for Light Water Cooled Nuclear Power Reactor Vessels
- ASTM A312: Specification for Seamless and Welded Austenitic Stainless Steel Pipes
- ASTM A182: Specification for Forged or Rolled Alloy-Steel Pipe Flanges, Forged Fittings, and Valves and Parts for High-Temperature Service

16.2.6 American Concrete Institute (ACI)

A non-profit technical and educational society dedicated to improving the design, construction, manufacture and maintenance of concrete structures. ACI's members are made up of structural designers, architects, civil engineers, educators, contractors, concrete craftsmen, etc., from around the globe. Examples of ACI standards used in the nuclear industry are:
- ACI-3: Code Requirements for Nuclear Safety-Related Concrete Structures

- ACI-318: Building Code Requirements for Structural Concrete
- ACI-301: Specification for Structural Concrete

16.2.7 American Institute of Steel Construction (AISC)

A non-profit association representing and serving the structural steel industry in the U.S. Its purpose is to expand the use of fabricated structural steel through research and development, education, technical assistance, standardization and quality control. Examples of AISC standards used in the nuclear industry are:
- AISC 325: Steel Construction Manual
- AISC 327: Seismic Design Manual

16.2.8 American Welding Society (AWS)

An international body devoted to promoting welding and related processes, and to supporting all those who contribute to the industry, with links to related sites and services. Examples of AWS standards used in the nuclear industry are:
- AWS D1.1: Structural Welding Code - Steel
- AWS D1.6: Structural Welding Code - Stainless Steel
- AWS A2.4: Standard Symbols for Welding, Brazing and Nondestructive Examination

16.2.9 International Society of Automation (ISA)

ISA is an organization of engineers, technicians, and others who work in the field of instrumentation, measurement, and control of industrial processes. Examples of ISA standards used in the nuclear industry are:
- ISA-RP67.04.02: Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation
- ISA67.06.01: Performance Monitoring for Nuclear Safety-Related Instrument Channels in Nuclear Power Plants
