110 likes | 246 Views
Configuration Management in NRC’s Reactor Inspection Program. Rebecca Nease, Region II/DRS/EB1. Regulations. 10 CFR 50, Appendix B, Criterion III, “Design Control”
E N D
Configuration Management in NRC’s Reactor Inspection Program Rebecca Nease, Region II/DRS/EB1
Regulations • 10 CFR 50, Appendix B, Criterion III, “Design Control” Measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in § 50.2 and as specified in the license application, for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures, and instructions. …. Design changes, including field changes, shall be subject to design control measures commensurate with those applied to the original design and be approved by the organization that performed the original design unless the applicant designates another responsible organization. • 10 CFR 50.59, “Changes, Test, and Experiments” (c)(1) A licensee may make changes in the facility as described in the FSAR, make changes in the procedures as described in the FSAR analysis report, and conduct tests or experiments not described in the FSAR without obtaining a license amendment only if: • (i) A change to the technical specifications incorporated in the license is not required, and • (ii) The change, test, or experiment does not meet any of the criteria in paragraph (c)(2) of this section. • more than minimal increase in the frequency of occurrence of an accident previously evaluated; • more than a minimal increase in the likelihood of occurrence of a malfunction of a SSC previously evaluated • more than a minimal increase in the consequences of an accident previously evaluated; • minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated • create a possibility for an accident of a different type than any previously evaluated • create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated • result in a design basis limit for a fission product barrier as described in the FSAR being exceeded or altered • Result in a departure from a method of evaluation used in establishing the design bases or in the safety analyses
Leading up … • SSFIs and SSOMIs: Mid to late 80s, the NRC identified concerns that DB were not being maintained. • NUMARC 90-12, “Design Basis Program Guidelines” to provide a stdframework for industry members to use in improving DB information • NRC recommended making the DB reconstitution a formal initiative. • NUMARC responded this was not needed - most licensees were already conducting DB reconstitution. • NUREG-1397, Feb 1991 – some results of NRC survey of 6 utilities include • DB docs should be a top-level and define the current plant configuration • Re-establishment of DB w/o reconstitution may not provide sufficient LOD for future modifications, plant operation, or event response • Minor changes should be tracked to ensure that changes in the aggregate do not affect validity of existing calcs and ability of a system to perform it’s design functions.
Leading up …. • Aug 1992 - NRC issued a Commission policy statement “Availability and Adequacy of Design Bases Information at Nuclear Power Plants” • DB docs should be sufficient to show the current plant configuration is consistent with the DB • DB should be understood and documented to spt operability determinations and 50.59s • NRC will continue SSFI-like inspections • GL will be issued • Mar 1993 – draft GL issued for comment • Requested licensees to describe their DB reconstitution efforts, and schedules, • Licensees not reconstituting their DB requested to provide rationale • Most commenters concluded that the GL was unnecessary. • NUMARC: this request would have a negative effect on ongoing efforts and undermine licensees’ abilities to manage these efforts. • Oct 1993, in SECY 93-292, the NRC staff told the Commission that the policy statement and proposed GL conveyed the Commission’s concern and recommended the GL not be issued. The NRC would continue to perform design-related inspections.
After … • Time magazine article was released in March 1996 • May 1996 - NRC IG investigations found fault with the NRC for failing to recognize the problems at Millstone and impose CAs much earlier • Oct 1996 - NRC issued 50.54(f) letters to all licensees requiring information that ensures plants are operated and maintained iaw DB. • 1999 - NRC issued a revised 10 CFR 50.59 which clarified the conditions to allow licensees to make changes without prior NRC approval. • Baseline design basis inspections were implemented • SSFI, revised in 1996 – included engr design, configuration control, and 50.59/mods • SSD&PC team inspections– safety system design and performance capability • CDBIs • Mods/50.59 inspections
Millstone • 1995, NEU was granted a license amendment that expressly permitted full-core offloading at Millstone. • Sept 1996, NRC internal task force determined that the “safety significance of Millstone’s refueling practices was low” • NRC expanded inspections/licensee performed assessments • many examples of performance and procedural deficiencies. • ICAVP established by Order Oct 1996 • NRC required a formal vote of the Commission before restart • Unit 1 was permanently shutdown • Unit 2 restarted in 1999 and Unit 3 in 1998
Examples of Configuration Control Findings • Failure to recognize adverse effects of downgrading of safety-related equipment to non-safety • The EDG control air at the licensee utilizes air from the starting air accumulators to block non-emergency generator trip signals. The licensee performed a modification to downgrade (from safety-related to non-safety-related) the starting air compressors and all downstream system piping. Non-safety-related air compressors cannot be credited for use in accident analyses. The licensee failed to fully evaluate effects of the failure of these non-safety-related air compressors on the EDG control air. During certain accident scenarios, control air could bleed down and activate non-emergency generator trips, which is not allowed by TS and FSAR. • Failure to fully analyze effects of modifications to the plant • The licensee made modifications to replace transformers for the safety-related shutdown boards. The new transformers included non-safety-related cooling fans. The transformers are in a harsh environment. The licensee failed to evaluate the effects of the harsh environment on the non-safety-related cooling fans. As a result, because the cooling fans and had not been evaluated for harsh environment and because they are not safety-related, the licensee also failed to evaluate the effects of the failure of these cooling fans on the function of the transformer.
Examples of Configuration Control Findings • Deleting documents needed to ensure component reliability • TS required actions for either restoring ASME Code Class 1, 2, or 3 components to within their limit or isolating the component if the structural integrity was not in conformance with the Code. These requirements were later relocated to the TRM. The licensee deleted the requirements from the TRM using the 50.59 process in 2009. The deletion of the TRM actions could result in an adverse effect on the component reliability because the licensee could continue operations without isolating the non-conforming component or restoring it to within its Code limits. • Failure to analyze effects of modifications to the plant • Modifications of the hydrogen monitoring system resulted in installing two compressed bottles containing 100% hydrogen and two compressed bottles containing 100% oxygen at each containment atmosphere monitor panel located. These bottles were installed near a safety-related MCC (which controlled LPCI Loop 1 isolation valves). The licensee failed to evaluate how failure of the flammable hydrogen gas bottles and the resulting fire or explosion at the installed location could impact nearby safety-related SSCs.