L-MT-09-002, Response to NRC Probabilistic Risk Assessment (PRA) Branch Requests for Additional Information (Rais) Dated December 5, 2008


Response to NRC Probabilistic Risk Assessment (PRA) Branch Requests for Additional Information (Rais) Dated December 5, 2008
ML090360545
Person / Time
Site: Monticello
Issue date: 02/04/2009
From: O'Connor T
Northern States Power Co, Xcel Energy
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
L-MT-09-002, TAC MD9990


Text

February 4, 2009
L-MT-09-002
10 CFR 50.90

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Monticello Nuclear Generating Plant
Docket 50-263
Renewed Facility Operating License
License No. DPR-22

Response to NRC Probabilistic Risk Assessment (PRA) Branch Requests For Additional Information (RAIs) dated December 5, 2008 (TAC No. MD9990)

Pursuant to 10 CFR 50.90, the Northern States Power Company, a Minnesota corporation (NSPM), requested in Reference 1 of Enclosure 1, an amendment to the Monticello Nuclear Generating Plant (MNGP) Renewed Operating License (OL) and Technical Specifications (TS) to increase the maximum authorized power level from 1775 megawatts thermal (MWt) to 2004 MWt.

The U. S. Nuclear Regulatory Commission (NRC) Environmental Branch provided eight RAIs in Reference 2 of Enclosure 1. Enclosure 1 provides the NSPM response to these RAIs. Enclosures 2 through 6 are provided for information.

In accordance with 10 CFR 50.91, a copy is being provided to the designated Minnesota Official.

Summary of Commitments

This letter makes no new commitments and does not change any existing commitments.

I declare under penalty of perjury that the foregoing is true and correct.

cc: Administrator, Region III, USNRC
Project Manager, Monticello, USNRC
Resident Inspector, Monticello, USNRC
Minnesota Department of Commerce

ENCLOSURE 1
MONTICELLO NUCLEAR GENERATING PLANT
NSPM Response To PRA Branch RAIs dated December 5, 2008

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to address the impacts of extended power uprate (EPU) on component and system reliability and response times. Enclosure 15 Section 4.1.5 of the LAR addresses the reliability impacts, but does not identify impacts on response times.

NSPM Response

Minor variations in system or component design response times that may be postulated or planned due to the EPU would not impact the PRA risk profile. A review of the MNGP EPU System Task Reports that affect systems modeled in the PRA was performed. These task reports identify the EPU effects on the subject system. There are no significant changes to system and component response times due to the EPU for any of these systems, and thus, there is no impact on the MNGP PRA risk profile or EPU risk assessment.

NRC Review Item (2)

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to justify the applicability of the generic and/or plant-specific data used to derive initiating event frequencies. Enclosure 15 states that there is no direct significant impact for general transients without any justification.

NSPM Response

The current generic and plant specific data that were used to derive initiating event frequencies remain applicable for the MNGP EPU PRA evaluation. The potential impacts on the frequencies of the initiating events in the MNGP PRA due to the EPU were assessed.

The modifications and the plant configuration for the EPU do not result in changes to the MNGP PRA initiating event frequencies.

Consistent with Section 10.5 of the CLTR (NEDC-33004P-A), the MNGP EPU is not expected to have a material effect on component or system reliability as equipment operating limits, conditions, and ratings are not exceeded.

The MNGP EPU plant modifications are largely characterized by equipment upgrades or by replacement of components with upgraded components. New trains of equipment are not being added or removed. Although there are significant upgrades planned for the AC distribution system, the system will remain functionally similar to the existing configuration, and the changes will not have a significant impact on transient initiating event frequencies.

Other upgrades that affect equipment modeled in the PRA are effectively a replacement of current components with new, more capable components.

Consequently, no significant impact on the long-term average of initiating event frequencies, or equipment reliability during the 24 hour PRA mission time due to the replacement or modification of plant components is anticipated. Under EPU operating conditions, NSPM will continue to evaluate equipment degradation and reliability using the existing plant monitoring programs.

Note: Quantitative sensitivity studies were performed by artificially increasing various initiating event frequencies (Turbine Trip, MSIV Closure, and Large LOCA). Refer to Section 5.7 of the MNGP EPU risk assessment (Enclosure 15 to the MNGP EPU LAR dated November 5, 2008) for the results of these studies. Although the studies involve postulated increases in initiating event frequencies that were based on conservatism and not on fault tree models and component failure rates, the results show that the risk remains acceptable.

NRC Review Item (3)

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to describe how it ensures that the PRA adequately models the as-built, as-operated plant, and that the analyses supporting the EPU adequately reflects how the plant will be operated and configured for EPU conditions. Enclosure 15, Section 1.4 of the LAR identifies an assumption that the plant and procedure changes identified represent the as-built, as-operated post-EPU plant, but there is no discussion of how this is assured in the PRA model. Appendix C further states that the PRA is routinely updated, but does not confirm that the current model (identified as a 2005 version) used to support the analyses of this LAR is up-to-date and adequately reflects the planned configuration of the plant post-EPU.

NSPM Response

The MNGP 2005 PRA used for the EPU was the fully documented Model of Record. In addition, the MAAP thermal hydraulic model supporting the MNGP PRA was updated for EPU.

As stated in Appendix C of the MNGP EPU risk assessment, the MNGP PRA is systematically updated to ensure that it properly reflects the as-built, as-operated plant.

Controlled processes are in place at MNGP to identify plant modifications that impact the PRA. FP-PE-PRA-02, PRA Guideline for Model Maintenance and Update and PEI-05.01.03, PRA Guideline for Model Maintenance and Update, provide the processes and guidance for MNGP PRA model maintenance and periodic updates. These procedures are included as Enclosures 2 and 3 to this letter. In addition, plant changes and other relevant issues are assessed by the PRA group, and non-periodic updates are performed by PRA personnel if an identified plant change is assessed to involve a change to a system credited in the PRA or to significantly impact the calculated risk profile. PRA personnel are advised of pertinent plant modifications per procedure.

Planned or implemented modifications that were not represented in the MNGP PRA Model of Record used in the MNGP EPU risk assessment are summarized in Table 3-1 below.

Table 3-1 summarizes the plant modifications, the installation status, the revisions made to the MNGP PRA models (to both the base CLTP version of the PRA and the EPU version of the PRA) for this RAI response, and the resulting change in calculated risk metrics compared to those reported in the MNGP EPU risk assessment. As can be seen from Table 3-1, when the plant modifications summarized in the table are incorporated into the PRA models used in the MNGP EPU risk assessment the calculated delta CDF and delta LERF results are not significantly changed.

In addition to outstanding modifications, the EPU modification (AC System), which had not been included in the MNGP PRA Model of Record, also has a non-significant impact on the calculated risk metrics. Please see the NSPM response to Question 6 below.

Consequently, it is reasonable to conclude that the model used to support the analyses of the EPU LAR is sufficiently updated and adequately reflects the planned configuration of the plant post-EPU.

Table 3-1: SUMMARY OF IMPACT ON MNGP EPU RISK ASSESSMENT FROM OUTSTANDING PRA MODS

Mod. ID: EC-9561
Description: Instrument/Service Air System Upgrade
Summary: This upgrade replaces the existing three air compressors, three air receivers, and two dryers with three full capacity compressed air trains each consisting of a compressor dryer and receiver. The new system will be installed in a new building adjacent to the Hot Machine shop. Each new compressor has a dedicated ethylene-glycol cooling system; the existing compressors are cooled by Service Water. Power supplies for the three compressors will be changed (new K-1E compressor to be supplied by LC-103, new K-1F compressor to be supplied by LC-107, and new K-1G compressor to be supplied by LC-108).
Mod. Status: Not Yet Installed
PRA Model Changes Made for this RAI Response: The following model changes made to both the CLTP version of the MNGP PRA and the EPU version of the MNGP PRA for this RAI response:
  • SW inputs in air compressor subtrees removed
  • MCC 134 feeds into "A" compressor subtree replaced with LC-103 feeds
  • MCC 142 feeds into "C" compressor subtree replaced with LC-107 feeds
  • Panel P105 feeds into "D" compressor subtree replaced with LC-108 feeds
No significant change to Loss of IA initiator frequency expected. No change made.
No change to receiver and dryer subtrees of IA fault tree. Any such changes would represent a non-significant impact to the IA system fault tree and the impact on the delta risk calculation for the EPU would be negligible (i.e. dryer plugging and receiver rupture failure modes are non-significant risk contributors).

Mod. ID: EC-0778
Description: SRVs E, F, G, and H Div. II 250 VDC control from Control Room
Summary: The ability to control SRVs E, F, G, and H was either from the control room panel using Division 1 250 VDC, or the ASDS panel using Division II 250 VDC. A modification was completed to allow control of these four SRVs from the control room using Division II 250 VDC. These SRVs could be operated using Division II VDC prior to this modification; however, that capability existed via controls at the ASDS panel and not via controls in the main control room.
Mod. Status: Installed
PRA Model Changes Made for this RAI Response: Improvement. Operator error basic events related to travel to the ASDS panel were removed from under gate HEP-SRV-ASDS.

Mod. ID: EC-0746
Description: Power Supply Change for SW Pump #11
Summary: All three Service Water pumps have been replaced. The power supply for Service Water pump 11 has been changed from LC-103 to LC-107.
Mod. Status: Installed
PRA Model Changes Made for this RAI Response: LC-103 feed into SW pump P-102A gate replaced with LC-107 feed.

Impact on MNGP EPU risk results:
  • Delta CDF from MNGP EPU Risk Assessment (Sect. 5.1): 5.67E-7/yr
  • Delta CDF after incorporating the above changes into models: 5.63E-7/yr
  • Delta LERF from MNGP EPU Risk Assessment (Sect. 5.6): 3.00E-8/yr
  • Delta LERF after incorporating the above changes into models: 2.99E-8/yr

NRC Review Item (4)

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to specifically address vulnerabilities, weaknesses, or review findings identified in the Individual Plant Examination (IPE), the staff or contractor evaluation reports on the IPE, and(or) and independent/industry peer review findings, that could impact the PRA results and conclusions. It further requires the licensee to present the overall findings of the peer review (by element) and to discuss low-rated elements, and any findings and observations that could potentially impact the licensee's proposed EPU. Enclosure 15, Appendix C of the LAR discusses the peer review findings, but does not address the other IPE reviews, nor is the overall results of the peer review discussed as required. Further, subsequent recent assessments of the PRA model against the internal events standard are identified, but there is no discussion of the results of such assessments, or the disposition of any findings from those assessments.

NSPM Response

The Monticello IPE report, the related NRC Staff Evaluation Report (SER) dated May 26, 1994, and the Monticello IPE Summary Report have been reviewed to identify references to vulnerabilities, weaknesses, and review findings. The results of the review, including the disposition of each topic are documented in the following table. These findings have been previously incorporated into the PRA model where applicable and do not involve material impacts to the EPU risk assessment.

Element: The IPE summary of major findings indicates that no new or unusual means were discovered by which core damage or containment failure could occur. No vulnerabilities, including internal flooding vulnerabilities, were identified as part of the IPE process for Monticello. No specific Unresolved Safety Issues or Generic Safety Issues were proposed for resolution as part of the IPE.
Disposition: Not Applicable

Element: The demineralizer bypass valve may not open upon a loss of instrument air.
Disposition: A modification to the demineralizer bypass valve was performed to assure faster operation of the valve upon loss of instrument air.

Element: Modification to the bottled N2 supply for the SRV solenoid valves was considered in order to preclude dependency on non-essential AC power.
Disposition: Modification of alternate N2 supply to drywell pneumatics, including SRV solenoid valves, removed dependency on AC power. The PRA model reflects this in the current plant design.

Element: Importance of reactor depressurization has been recommended for reinforcement in operator training.
Disposition: Depressurization is a critical task that is assigned an associated Job Performance Measure in simulator scenarios. Also, the importance of depressurization is captured in EOP training.

Element: The plant was encouraged to pursue relaxation of the drywell spray initiation limit through BWROG Severe Accident Working Committee.
Disposition: The Drywell Spray Limit curve was modified subsequent to the IPE submittal to be consistent with restrictions that are intended to maintain primary containment integrity and protect equipment located within the primary containment.

Element: Procedures were drafted to upgrade steps to load shed station batteries to extend battery life. Recommendations were made to develop alternate methods to supply station essential battery chargers.
Disposition: The site Station Blackout procedure and other operating procedures provide guidance to preserve battery capacity as well as provide alternate methods to support battery charger operation using alternate power sources such as the #13 Diesel Generator, the Security Diesel, or a portable generator.

Element: Consider an AC independent means of decay heat removal in the form of the Hard Pipe Vent.
Disposition: Monticello has installed a Hard Pipe Vent and has procedures to implement its use.

Element: Improve capability of manually aligned, backup low pressure injection systems such as RHRSW through LPCI, Condensate
Disposition: Procedures to provide makeup to the reactor vessel using low pressure alternate injection systems including RHRSW,

vs. 1.31E-05) when quoted for Level 2 and Level 1. damage (level 1) model as input by using event trees that start with initiating events which are gates representing all core damage sequences. If asked the frequency of radioactive release model input, one would actually quantify the CDF gate. As a check, a new gate was created which is an OR gate of the release model event tree initiating events (CONT-FAILED, CONT-INTACT-NONSBO, CONT-INTACT-SBO) and quantified. Results match that of gate CDF.

A formal Peer Review of the MNGP PRA was conducted in October 1997 following the BWROG PSA Peer Review Certification Process. Elements that received a summary grade of 3 included Initiating Events, Thermal Hydraulic Analysis, Systems Analysis, Data Analysis, Human Reliability Analysis, Dependency Analysis, and Maintenance and Update Process. Technical elements are graded using a scale of 1 to 4 (4 being the highest grade and 3 being generally comparable to Capability Category II of the current ASME PRA Standard). The remaining elements: Accident Sequence Evaluation, Structural Response, Quantification and Results Interpretation, and Containment Performance Analysis, received a summary grade of 2 with average grade no lower than 2.5 for any element. Subsequent to the assignment of these grades, all A and B priority peer review comments for all eleven elements have been addressed by MNGP personnel and incorporated into the PRA model as appropriate. The most significant peer review comments (F&Os) are explicitly addressed in the above table. Addressing these A and B F&Os from the October 1997 peer review is understood to increase the associated element grades to 3.

Three comparisons to the ASME PRA standard have been performed over the past five years. The first was completed in early 2004 by an independent PRA consultant against a draft version of the standard and prior to a major model update that incorporated several important plant modifications and procedural changes as well as PRA model improvements.

The other two comparisons were performed using the current model of record applied to perform the EPU risk assessment. One, completed by MNGP PRA staff in early 2006, identified several Supporting Requirements (SRs) that may be considered by a formal peer review to fall short of meeting Capability Category II. A majority of these SRs are specifically related to uncertainty analysis and documentation deficiencies which are not expected to have a significant potential impact on quantification results. The other SRs that were identified are related to the use of shorter mission times (< 24 hours) for a limited number of components, human actions related to inducing and terminating internal flooding, and comparison of quantification results with similar plants. None of these are expected to impact the results of the EPU assessment. The last comparison to the ASME standard was performed primarily to determine resource requirements anticipated to address gaps to Capability Category II of the standard in anticipation of a formal peer review. This Gap Assessment did not identify any items that were expected to impact the model in a significant and non-conservative direction (Significance Level A), but were primarily directed toward enhancing documentation.

NRC Review Item (5)

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to address modifications or improvements credited in the IPE/PRA but not yet implemented by specifically indicating if the improvements have been implemented in accordance with the assumptions and conditions identified in the IPE/PRA. Enclosure 15 Section 2 of the LAR simply states that all IPE commitments have been resolved.

NSPM Response

The PRA model that was used for the EPU risk assessment does not credit any capability that is not currently available or supported by approved procedures.

A review of the Monticello IPE and supporting documents was performed to determine if there were any modifications or improvements credited in the IPE/PRA but not yet implemented. The engineers involved with the IPE development were also consulted to determine if there was any recollection of cases where modifications or improvements were credited in the IPE/PRA but not implemented at the time of the IPE submittal. No instances of credited, but not yet implemented capabilities were identified.

NRC Review Item (6)

RS-001, Attachment 1 to Matrix 13, Section 3.1, requires the licensee to address plant modifications which are not completely finalized as to their potential risk impact. Enclosure 15 Section 3.3.1 of the LAR identifies that the AC distribution system modifications are not finalized, and that risk will be assessed as part of the modification process, which is inconsistent with the requirement to identify how the risk analyses are bounding.

NSPM Response

The modifications to the AC distribution system were not finalized at the time of the MNGP EPU risk assessment, as noted in Section 3.3.1 of the MNGP EPU risk assessment. The modifications to the AC distribution system for the EPU are still in development and are not completely finalized; however, the following are the key changes expected at this time.

Please note that these changes are being accomplished with the intention of improving power supply reliability.

  • The existing 4kV bus 11 and bus 12 will be abandoned and replaced with new 13.8kV bus 11 and bus 12.

  • The 2R and 1R transformers will be replaced with new transformers that will feed the new 13.8 kV buses. The existing sources and feeders to 1R and 2R will be used.

  • The new 2R and 1R transformers will continue to step-down voltage to 4kV to supply existing buses 13 and 14, but will also supply 13.8 kV power to new buses 11 and 12.

  • The new 13.8kV buses 11 and 12 will each feed a Feedwater pump, a Condensate pump, a Recirculation Pump MG Set, and a load center. With this change, the 11 and 12 condensate motors will be moved from buses 13 and 14 to new buses 11 and 12.

  • The existing non-essential 480VAC MCCs 131 and 141 will be moved from LC103 and LC104 to new load centers LC111 and LC112.

The proposed AC System modifications described above were analyzed using the revised PRA model of RAI Question # 3 above, and these modifications do not change the conclusions of the risk assessment. The delta CDF incorporating the above changes is 1.54E-7/yr (compared to 5.67E-7/yr calculated in the base MNGP EPU risk assessment).

The resulting delta LERF is 2.55E-8/yr (compared to 3.00E-8/yr calculated in the base MNGP EPU risk assessment). The reduction in delta CDF is due primarily to changes in internal flooding scenario impacts which result from moving buses 11 and 12 to new separate rooms. The results remain within the very small risk category (Region III) of Regulatory Guide 1.174.

NRC Review Item (7)

RS-001, Attachment 1 to Matrix 13, Section 3.2, requires the licensee to specifically address vulnerabilities, outliers, anomalies, or weaknesses, or review findings identified in the Individual Plant Examination of External Events (IPEEE), the staff or contractor evaluation reports on the IPEEE, and(or) and independent/industry peer review findings, that could impact the risk results and conclusions. This is not addressed in the submittal.

NSPM Response

The Monticello IPEEE report and the NRC Staff Evaluation Report (SER) have been evaluated to identify vulnerabilities, outliers, anomalies, weaknesses, and review findings.

There have been no peer reviews conducted subsequent to the IPEEE submittal that have directly addressed external events.

The results of the NRC review are documented in the staff SER dated April 14, 2000. The staff identified some minor additional analyses that might yield more accurate and smaller risks to external events. These items are listed below.

(1) Perform additional analysis to identify if a single pump success is adequate for the Service Water system.

(2) Revise the PRA to eliminate dependency of the SRVs on AC power

(3) Additional consideration of seismic effects on the turbine and generator lube oil tank.

(4) Consider bypass of the load shed logic for the control rod drive pumps

Of these, the MNGP EPU could feasibly be affected by items 1, 2, and 4; these items have previously been properly incorporated into the PRA model. The current internal events MNGP PRA Model of Record assumes that a single Service Water pump is adequate to successfully accommodate post transient cooling requirements. It properly mimics the SRV dependency requirements as not requiring AC power except for long term operation to maintain battery charger operation. It also credits a procedure that provides the capability for CRD pump operation following successful load shed bypass.

NRC Review Item (8)

RS-001, Attachment 1 to Matrix 13, Section 3.3, requires the licensee to describe the plant's shutdown risk management philosophies, processes, and controls relied upon to ensure that the risk impacts of EPU on shutdown operations is not significant. It also requires the licensee to address shutdown risk impacts of longer times to shutdown. Enclosure 15, Section 4.6 of the LAR does not provide this information.

NSPM Response

Shutdown Risk Management

Procedural controls are in place to ensure the risk impacts of EPU on shutdown operations are not significant. Shutdown Risk Management at the MNGP is described in instructions 4AWI-08.15.03, Risk Management for Outages, and SWI-14-01, Risk Management for Outage and On-Line Activities, and Section 9.2, Outage Scheduling and Outage Risk Significance, of EWI 05.02.01, Monticello Maintenance Rule Program Document. These documents are included as Enclosures 4 through 6 to this letter.

The requirements of NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management", and Section 11 of NUMARC 93-01 Rev. 3, "Assessment of Risk Resulting from Performance of Maintenance Activities," are implemented to assure nuclear risk is assessed and that structures, systems, and components that perform key safety functions are available when needed. A defense-in-depth strategy is implemented to enforce minimum equipment availability for critical safety functions such as Decay Heat Removal, Reactivity Control, Inventory Control, Containment, and Electrical Power Distribution. The goal of this strategy is to maintain at least the minimum systems and equipment required by MNGP Technical Specifications plus an additional component or system for each critical safety function. Guidelines cover outage management, level of activities, defense-in-depth, contingency planning, training, safety review, and effective communications.

In addition to the defense-in-depth strategy, NSPM implements at the MNGP a detailed quantitative Internal Events, Level I outage risk assessment for refueling and other planned outages. This assessment utilizes a model similar to the on-line PRA tool, but incorporates various changes and additional capabilities to make it applicable to shutdown conditions.

Consideration is given to variable water inventory, decay heat levels, equipment unavailability, as well as status of fuel pool gates, reactor vessel and containment pressure integrity. Quantitative risk thresholds are established to determine appropriate actions, and since the evaluation is performed as part of the planning process, elevated risk configurations are re-evaluated and often re-designed to minimize overall risk exposure.

Risk Impacts of Longer Times to Shutdown

The time to achieve shutdown conditions during a planned and methodical shutdown for the EPU condition will not significantly increase compared to the CLTP condition.

The planned shutdown time is an operational goal that is subject to a number of factors (e.g., plant resources, equipment outage windows, etc.). The time to transition from Power Operation, to Cold Shutdown, and then to Refuel is controlled by a shutdown schedule. For the EPU condition, the scheduled time to reach Refuel would not materially differ from pre-EPU shutdown schedules. At power, the reactor coolant will be at the same temperature and pressure for the pre-EPU and the EPU condition. In either case, the operators follow cooldown rates and have some operational flexibility within those cooldown rates to achieve scheduled shutdown milestones. For EPU, the operators would increase shutdown cooling flow as necessary to achieve the same or similar Refuel milestone as for the CLTP case.

The impact on the MNGP shutdown risk profile is discussed in Section 4.6 and Appendix B of the MNGP EPU risk assessment. The total change in shutdown risk due to the EPU was estimated at a 2% change in shutdown CDF.

The above estimate was calculated in the MNGP EPU risk assessment assuming a generic simplified outage schedule. By artificially assuming an increase in the time to reach shutdown conditions for the EPU, the impact on the MNGP risk profile can be estimated using the simplified outage schedule and the associated shutdown risk calculations documented in Table B-4 of the MNGP EPU risk assessment. The calculation summarized in Table B-4 was adjusted as follows to artificially create longer times to reach shutdown milestones at EPU.

  • The first two phases of the simplified outage schedule were assumed to be extended (13%, EPU increase from the CLTP). The remaining three phase milestones of the simplified outage schedule were assumed to be dominated by schedule issues (not decay heat) and the lengths remained unchanged (which is reasonable).

  • The 13% increase in length of the two initial outage phases results in a 13% higher exposure period for a random LOOP event during the phase.

  • The increase in the LOOP frequency for each of the first two phases was then factored with the increase in LOOP recovery failure probability due to the lower time available due to the higher decay heat of the EPU.

The result is an increase to approximately 3% (shutdown CDF increase due to EPU) compared to the assessment in the MNGP risk assessment report of 2% increase, which is acceptably small.

1. NSPM letter to NRC, "License Amendment Request: Extended Power Uprate" (L-MT-08-052) dated November 5, 2008 (TAC MD9990)

2. Email from P. Tam (NRC) to G. Salamon, K. Pointer, and T. Blake dated December 5, 2008, "Monticello - Request to supplement the 11/5/08 EPU application on PRA issues (TAC MD9990)," (ADAMS Accession No. ML083400402)

ENCLOSURE 2 MONTICELLO NUCLEAR GENERATING PLANT FP-PE-PRA-02, Rev. 2 PRA Guideline for Model Maintenance and Update

INFORMATION USE

  • Procedure should be available, but not necessarily at the work location.

  • Procedure may be performed from memory.

  • User remains responsible for procedure adherence.

Table of Contents

PURPOSE
APPLICABILITY
RESPONSIBILITIES
DEFINITIONS
REQUIREMENTS
RECORDS
REFERENCES
  7.1 SOURCE DOCUMENTS
  7.2 REFERENCE DOCUMENTS
  7.3 COMMITMENTS
REVISION SUMMARY
ATTACHMENTS

1.0 PURPOSE

1. The purpose of this guideline is to identify requirements for maintaining and upgrading the Probabilistic Risk Assessment (PRA) model to ensure that its representation of the as-built, as-operated plant is sufficient to support the applications for which it is being used.

2.1 This guidance is applicable to the PRA model and to the personnel performing PRA model maintenance and update activities for each of the NMC sites.

3.1 PRA GROUP SUPERVISOR

3.1.1 The supervisor responsible for PRA personnel shall be responsible for the following:

1. Ensure PRA personnel are qualified to perform the tasks in this guideline.
2. Ensure that the PRA model used for applications reasonably reflects the as-built, as-operated plant.

3.2 PRA ANALYST

3.2.1 The PRA analyst shall be responsible for performing the following:

1. Analysis of changes in plant-specific data inputs to the PRA model for periodic updates.
2. Evaluation of plant changes to determine the potential impact of the change on the PRA model and determine the acceptable time frame for model update that may result.
3. Track pending changes to the PRA model and documentation and evaluate their cumulative impact.

4.0 DEFINITIONS

4.1 Probabilistic Safety Assessment (PSA) and Probabilistic Risk Assessment (PRA) - PSA and PRA are identical and interchangeable terms used to describe activities associated with evaluating the risks and impact upon safety associated with the operation of a nuclear power plant. This evaluation may be either qualitative or quantitative and might or might not involve the use of a formal PRA model of the plant or plant systems.

4.2 PRA Model of Record - This term refers to the fully documented, reviewed, and approved PRA model that has been released for use in plant applications.

4.3 PRA Maintenance Model or PRA Working Model - These terms refer to an interim PRA model that contains proposed changes. This model may not yet have been documented, reviewed, or approved.

4.4 Maintenance Update - An update of the PRA model that is performed between scheduled periodic updates to include significant changes to the as-built, as-operated plant, or to include significant corrections to the PRA model.

4.5 Periodic Update - An update of the PRA model that occurs in accordance with a set schedule to include changes to plant equipment and operation that take place on a continual basis. An example of such a change is plant-specific equipment reliability and availability. A periodic update might also include such changes to the as-built, as-operated plant or corrections that were determined to be of lesser significance than what would require a maintenance update of the PRA model.

5.0 REQUIREMENTS

5.1 PRA SOFTWARE AND MODEL CONTROL

5.1.1 Computer software used to generate and quantify PRA models SHALL be controlled in accordance with the computer software management program in effect at the plant.

5.1.2 The computer files for the PRA model of record SHALL be controlled such that accidental or unauthorized changes are not made. The PRA model of record SHALL be backed up or stored in a location separate from the working model files. Past PRA model revisions SHALL be archived.

5.1.3 Revisions to the PRA model of record SHALL be uniquely identified by a revision number, release date, or similar scheme.

5.1.4 The changes incorporated in each revision to the model of record SHALL be tracked. This can be accomplished by a simple list stored in a secure location, a database, or by tracking which pending changes are closed out with each revision.

5.2 TRACKING PENDING CHANGES TO THE PRA MODEL

5.2.1 Each site is to utilize the non-CAP Action Request (AR) process for tracking proposed or pending changes to the PRA model. This process is most likely to be initiated because of a plant modification, a procedure change, or change to a calculation credited in the model.

This method can also be used to track resolution of model errors or suggested enhancements. Note that errors in the model that significantly affect PRA results for applications should be documented using the CAP AR process.

5.2.2 The tracking record should include the following information:

1. A description of the proposed change including any references that would be helpful (modification number, procedure number, and revision, etc.).
2. An evaluation by a PRA Analyst as to whether the change should be implemented as soon as practical (within the next 90 days, for example), or if it can wait until a periodic update. Included in this evaluation should be a consideration of the cumulative impact of other pending changes. This evaluation can be either quantitative using the working PRA model or qualitative.
3. Documentation of the final disposition of the proposed change. This should include the PRA model revision if a model change was implemented as a result.

5.2.3 After a change to the PRA model has been implemented, the associated AR record of the pending change should be closed out.

5.3 PRA MODEL PERIODIC UPDATE

5.3.1 Periodic updates of the PRA model will be performed approximately every other operating cycle (i.e., every three [3] or four [4] years).

5.3.2 The periodic update should include the following, as appropriate:

1. An update of basic event data resulting from current plant equipment availability and reliability data (could be limited to a subset of risk-significant equipment).
2. An update of selected initiating event frequencies considering plant history for these initiating events.
3. A review of plant procedures that may impact Human Error Probability (HEPs) or equipment test frequencies used to support the PRA analysis.
4. A review of internal and external operating experience associated with the PRA systems. Include any changes performed as a result of this review in the appropriate PRA model documentation.
5. A review of changes to technical specifications and design basis or other calculations that may affect assumptions in the PRA model. Any changes identified should be documented in the appropriate PRA model documentation.
6. A review of industry experience and changes to Nuclear Regulatory Commission (NRC) requirements on issues related to PRA model quality.
7. A review of the currently open proposed and pending PRA model changes to include as many of these in the periodic update as is practical.
8. An assessment of current industry issues that could affect the PRA model and its use for applications.

5.4 PRA MODEL MAINTENANCE

5.4.1 The PRA model of record and documentation will be updated between periodic updates as necessary due to significant changes identified by the process for tracking proposed and pending changes.

5.4.2 Other proposed or pending changes can also be implemented during a maintenance update of the model. It would be efficient, for example, to implement any minor pending changes to a system-model that requires the significant change.

5.5 IMPLEMENTATION OF A PRA MODEL REVISION

5.5.1 Prior to releasing the revised model for record, the following should be performed:

1. Revise any other PRA model documentation affected by the change.
2. Revise the CDF and LERF baseline, if necessary, for use in trending.
3. Record the changes made for this revision of the model as described in Section 5.1.

5.5.2 Following release of the revised model of record, these steps should be performed:

1. Review the impact of the change on the overall PRA model and determine if new vulnerabilities should be addressed. GL 88-20, Individual Plant Examination for Severe Accident Vulnerabilities, and NUMARC 91-04, Severe Accident Issue Closure Guidelines can be used as a guide. New vulnerabilities which need to be addressed SHALL be documented in the Corrective Action Program.
2. Following a periodic update, review the impact of the change on PRA applications. Attachment 1, PRA Application Checklist Form, may be used as a guide for this review.
3. Perform any required additional plant-specific actions to notify plant personnel of the change to the PRA model and results.

6.1 The PRA model documentation (notebooks or calculations) SHALL be official plant records and SHALL be controlled in accordance with an appropriate plant records management process.

6.2 The record of PRA model changes for each revision SHALL be retained in accordance with an appropriate plant records management process.

7.0 REFERENCES

7.1 SOURCE DOCUMENTS

7.1.1 NUMARC 91-04, Severe Accident Issue Closure Guidelines, Revision 1, December 1994
7.1.2 ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications
7.1.3 EPRI TR-105396, PSA Applications Guide, August 1995
7.1.4 NEI 00-02, Probabilistic Risk Assessment (PRA) Peer Review Process Guidance

7.2 REFERENCE DOCUMENTS

7.2.1 GL 88-20, Individual Plant Examination for Severe Accident Vulnerabilities
7.2.2 NUMARC 91-04, Severe Accident Issue Closure Guidelines, Revision 1, December 1994

7.3 COMMITMENTS

None

8.0 REVISION SUMMARY

Section | Change
7.1 | Added 7.1.3 and 7.1.4. Moved EPRI TR-105396 and NEI 00-02 to Section 7.1. They are not referenced in the procedure. Added NUMARC 91-04 to Section 7.2. It is referenced in the procedure.
Attachment 1 | Added Work Week System Table and Heat Exchanges

9.0 ATTACHMENTS

9.1 Attachment 1, "PRA Application Checklist Form"

ATTACHMENT 1 PRA APPLICATION CHECKLIST FORM (Example Only - Use Current Revision)

The purpose of this checklist is to ensure that each on-going application of PRA results is re-evaluated if necessary following the release of a revised PRA model of record.

Plant:          PRA Model Revision:

Application | Date of Most Recent Revision | Date Reviewed for Impact of New PRA Model | Revision Required? | Date Application Revised

Maintenance Rule Scope
Maintenance Rule Risk Significance
Maintenance Rule Performance Criteria Basis
Maintenance Rule Paragraph (a)(4) Tool
Operator Training Basis
AOV Ranking
MOV Ranking
Check Valve Ranking
Risk-Informed ISI
Risk-Informed IST
Work Week System Table
Heat Exchanges

ENCLOSURE 3 MONTICELLO NUCLEAR GENERATING PLANT PEI-05.011.03, Rev. 4 PRA GUIDELINE FOR MODEL MAINTENANCE AND UPDATE

Approval: PCR 01 100657 lljao

The Monticello probabilistic risk analysis (PRA) model is maintained in accordance with Nuclear Management Company (NMC) fleet procedure FP-PE-PRA-02, PRA Guideline for Model Maintenance and Update. Following are clarifications of how the procedure is implemented at Monticello.

1 Changes incorporated in each PRA model of record are characterized in a calculation file generated after the updated model is implemented. The Monticello PRA group does not intend to maintain a list of specific changes implemented for each version of the PRA model. These finer details can be identified by reviewing calculations that document each version of the model.

2 Pending changes to the model are tracked in the PRA model enhancement database instead of being entered as non-CAP action requests. This enables the group to more readily perform searches, modify the enhancements, delete ones determined to be unnecessary, re-prioritize implementation dates, and otherwise self-manage the process of PRA model maintenance. The CAP and action request system is used as appropriate to supplement the enhancement database. When the model is updated, the calculation file that characterizes changes includes a list of enhancements implemented, and those entries are deleted from the database.

3 Periodic updates of the Monticello PRA model are performed as necessary. This may be more or less frequent than every three or four years.

4 The model uses data (failure rates, operator error probabilities, initiating event frequencies, equipment unavailability due to testing or maintenance) that is based on data collected over a fairly long time. These values are not expected to change significantly over time, so updating the data every few years is not justified.

Furthermore, results are relatively insensitive to values used. Monticello occasionally reviews data failure rates and updates the data as appropriate. In addition, if plant changes or external operating experience significantly changes a value (change testing frequency of a component, for example), the effects are added to the enhancement database and implemented as appropriate.

5 The process of identifying PRA model enhancements is a continuous process. As such, the process of performing periodic updates does not explicitly include a review of external operating experience, site procedures, tech specs, etc. Those reviews are performed as an ongoing effort in support of PRA model maintenance. Following is a list of methods the PRA group uses to identify needs for model enhancements:

• Routinely attend work planning meetings, outage planning meetings, and staff meetings.
• Interact with personnel from work planning, design engineering, program engineering, and systems engineering.
• Review maintenance schedules, modification packages identified as possibly affecting risk, maintenance rule data and reports, piping and instrumentation diagrams and operations manual changes, and operator work-around summaries.
• Resolve corrective action program issues, as assigned.
• Review operating experience reports provided to the group.

6 A list of applications the Monticello model has been used for is maintained in a calculation file. When a new PRA application is implemented, the calculation file is revised or a new calculation file is created with an updated list. This list is used to ensure that no applications are missed when reviewing an updated model for its impact on PRA applications.

ENCLOSURE 4 MONTICELLO NUCLEAR GENERATING PLANT Administrative Work Instruction 04 AWI-08.15.03, Rev. 3 RISK MANAGEMENT FOR OUTAGES

TABLE OF CONTENTS

1.0 PURPOSE
2.0 APPLICABILITY
3.0 PERSONNEL WITH RESPONSIBILITIES DEFINED IN THIS DOCUMENT
4.0 INSTRUCTIONS
  4.1 Definitions
  4.2 General
  4.3 Integrated Management
  4.4 Level of Activities
  4.5 Contingency Planning Requirements
  4.6 Scheduled Outages
  4.7 Unscheduled Outages
  4.8 Record Retention Requirements
FIGURES
  5.1 Shutdown Risk Assessment
  5.2 Critical Safety System Requirements
  5.3 Source Document Index
  5.4 Summary of Significant Changes

Approval: PCR 01096562

1.0 PURPOSE

The purpose of this instruction is to provide direction for the implementation of nuclear risk management for outages and to establish the requirements for contingency planning.

This instruction applies to all site personnel, defines processes, and designates responsibilities for the application of nuclear risk and corporate risk management practices for scheduled and unscheduled outages at the Monticello Nuclear Generating Plant (MNGP).

3.0 PERSONNEL WITH RESPONSIBILITIES DEFINED IN THIS DOCUMENT

• NMC Site Vice President (SVP)

Assumes ultimate responsibility for the implementation of the Risk Management Program.

• Plant Manager (PM)

Assumes directional and managerial responsibility for the Risk Management Program. This position is responsible for program oversight and for the application of those portions of this document that pertain to that position.

• Probability Risk Assessment Project Manager (PRAPM)

Provides on-going risk evaluation support to Plant Scheduling for scheduled and unscheduled outages.

• Fire Protection Engineer

Is responsible for developing a fire protection analysis of operating versus non-operating differences prior to a scheduled refuel outage.

• Production Planning Manager (PPM)

Is responsible for the application of approved risk management practices and processes to the planning and execution of MNGP scheduled and unscheduled outages.

4.1 Definitions

4.1.1 AVAILABLE (AVAILABILITY): The status of a system, structure or component that is in service or can be placed in service in a functional or operable state by immediate manual or automatic actuation.

4.1.2 CONTAINMENT CLOSURE: The action to secure secondary containment and its associated structures, systems, and components as a functional barrier to fission product release under existing plant conditions.

4.1.3 CONTINGENCY PLAN: An approved plan of compensatory actions:

A. To maintain DEFENSE IN DEPTH by alternate means when pre-outage planning reveals that preferred systems, structures or components will be unavailable;
B. To restore DEFENSE IN DEPTH when system AVAILABILITY drops below the planned DEFENSE IN DEPTH during the outage;
C. To minimize the likelihood of a loss of KEY SAFETY FUNCTIONS during HIGHER RISK EVOLUTIONS.

4.1.4 DEFENSE IN DEPTH: For the purpose of managing risk during shutdown, defense in depth is the concept of:

A. Providing systems, structures and components to ensure backup of KEY SAFETY FUNCTIONS using redundant, alternate or diverse methods;
B. Planning and scheduling activities in a manner that optimizes safety system AVAILABILITY;
C. Providing administrative controls that support and/or supplement the above elements.

4.1.5 HIGHER RISK EVOLUTIONS: Outage activities, plant configurations or conditions during shutdown where the plant is more susceptible to an event causing the loss of a key safety function.

4.1.6 KEY SAFETY FUNCTIONS: During shutdown, they are decay heat removal (reactor and spent fuel pool), inventory control, power availability, reactivity control, and containment.

4.1.7 RISK MANAGEMENT: Integrated process of assessing and reducing the likelihood and/or consequences of an adverse event. For the purpose of this procedure, risk management refers to both nuclear risk and corporate risk.

4.2 General

4.2.1 Implementation Basis

A. The MNGP Risk Management Program is designed to implement the requirements of NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, and NUMARC 93-01, Section 11, Assessment of Risk Resulting From Performance of Maintenance Activities, requirements for shutdown conditions.

4.2.2 Philosophy A. The MNGP Risk Management program will assess nuclear risk and will ensure that systems and components that perform key safety functions are available when needed. The objectives of this program are to provide backup to Key Safety Functions, to optimize safety system availability, and to provide administrative controls that support the functionality of key equipment in order to mitigate the loss of Key Safety Functions. The MNGP Risk Management program will also assess corporate risk to ensure plans are established to limit Company, NMC and Xcel, exposure to emergent issues which may negatively impact critical path activities. The overall objectives are to create and execute a planned outage safely and within established goals.

4.2.3 Transition between On-line and Outage Risk Models

A. The outage risk model should normally be implemented when reactor coolant temperature is less than 212°F. Each model carries advantages, disadvantages and conservatisms, and thus depending on the specific circumstances of the application (e.g. forced shutdown, planned shutdown, etc.), and with the concurrence of the PPM and PRAPM, either model may be used beyond the normal transition point. The method being used should be communicated to the Operations Manager for dissemination to the operating crews.

4.3 Integrated Management

4.3.1 Development and Implementation Schedules will be developed through interaction with involved organizations and disciplines to assure that the outage schedule planning provides Defense-in-Depth. Activities will be controlled and implemented in accordance with the approved schedule.

4.3.2 Schedule Changes The logic and basis used to develop a schedule will also be applied to any safety significant schedule changes that might occur.

4.3.3 Communication of Plant Status The current plant status, including, if applicable, the availability of key safety systems or equipment, will be communicated on a regular basis to personnel who perform or affect work within the plant. The status of higher risk evolutions will also be conveyed in the same manner, including any appropriate precautions or compensatory actions necessary during their execution.

4.4 Level of Activities 4.4.1 Resource Allocation The work scope and schedule should match resources to activities and time constraints. If emergent scope is anticipated, additional resources should be available to meet these needs. The work scope should be accurately prioritized to facilitate appropriate decisions when a scope change is required.

4.4.2 Activity Detail Activities in the schedule should be sufficiently detailed and organized to accurately convey the impact on complex evolutions, plant conditions and equipment availability.

4.4.3 Higher Risk Evolutions During higher risk evolutions or infrequently performed evolutions, any activity that may negatively impact an associated key safety function should be limited and strictly controlled.

4.4.4 Compensatory Measures If appropriate, planning and execution should consider the potential introduction of hazards (e.g. fire, flood, etc.) posed by the level and scope of activities in a given area of the plant and establish compensatory measures as appropriate.

4.4.5 Personnel Overtime 4 AWI-08.10.01 (OVERTIME RESTRICTIONS AND FITNESS FOR DUTY REQUIREMENTS) establishes limits and approval authority for overtime. These limits are important since excess overtime can result in an increase in risk, via potential human performance errors.

4.5 Contingency Planning Requirements

4.5.1 Higher Risk Evolutions Contingency plans should be developed when entering a higher risk evolution.

4.5.2 System Availability Contingency plans should be developed when system availability drops below the acceptable (N+1) level Defense-in-Depth.

4.5.3 Critical Path Impact Contingency plans should be developed when it is determined that an activity has a credible potential to adversely affect the outage critical path.

4.5.4 Considerations and Documentation Contingency plans should consider the use of alternate equipment to respond to the loss of dedicated safety and monitoring equipment, and should consider additional monitoring or controls to minimize the potential for unplanned equipment unavailability. These plans may be documented in any normal work process or as a separately approved procedure.

4.5.5 Implementation Personnel Personnel who may be required to implement a contingency plan should be identified and be familiar with the plan.

4.6 Scheduled Outages 4.6.1 Planning Elements In addition to Sections 4.3, the following elements are employed in the application of risk management to scheduled outages:

A. Defense-in-Depth Administration

1. Backup for Key Safety Functions The outage schedule should establish the systems, structures and components (SSCs) needed to provide backup for key safety functions. The SSCs tracked on the outage Shutdown Safety Sheet should be consistent with the Maintenance Rule SSCs. The backup capabilities provided should be commensurate with plant conditions.
2. Safety System Availability The availability of systems and components should be optimized. Dependent on whether functionality or operability is being determined, this can be accomplished through post maintenance/return-to-service testing, plant modification acceptance testing, monitoring of key parameters while the system is in service, verification of system alignment, administrative control by Operations personnel, etc.
3. Defense-in-Depth Control Systems, structures or components required to provide Defense-in-Depth during periods of the outage should be controlled such that they remain available during these periods.
4. Plant Procedures Plant procedures should ensure that they minimize the loss of a Key Safety Function, and that the consequences of a loss of a Key Safety Function are minimized to the extent practical.

4.6.2 Refuel Outage Training A. Operator Refuel Outage Training

1. Operator training should provide knowledge of the applicable shutdown safety issues, including the six Key Safety Functions:
a. Decay heat removal
b. Spent fuel pool cooling
c. Inventory control
d. Electrical power
e. Reactivity control
f. Containment
2. To the extent practical, simulator training for shutdown conditions should also be included.

B. General Employee Outage Training Contractors and others temporarily assigned to support the outage should be trained on outage safety philosophy as it applies to their job. The training should also emphasize considering possible contingencies if a work activity does not proceed as expected.

4.6.3 Refuel Outage Risk Assessment A. Risk Management Committee Prior to each refueling outage a Risk Management Committee should be selected by the Production Planning Manager. The members of this committee should possess composite expertise in a variety of work disciplines in addition to possessing sound backgrounds in plant operational processes. Initial Committee composition should include Scheduling personnel, PRA personnel, a Senior Reactor Licensed (SRO) Operations Department person, Engineering personnel from the Nuclear, Electrical, or Mechanical disciplines, a Fire Protection Engineer, Maintenance representation and other personnel as deemed appropriate by the Production Planning Manager. The Committee should be familiarized with industry and Monticello plant efforts, initiatives and guidance in the shutdown risk area.

B. Probabilistic Risk Assessment (PRA)

Plant Scheduling should commission the Monticello PRA Project Manager to develop a Probabilistic Risk Assessment (PRA) of the upcoming outage, including Reactor and Spent Fuel Pool time-to-boiling, as applicable, in order to identify any outage segments that may require adjustment.

C. Risk Management Review Criteria and Analysis

1. Prior to shutdown, the Shutdown Risk Committee should complete an independent review of the refuel outage schedule, in conjunction with an analysis of the PRA, and planning and scheduling processes, on a point-by-point basis against industry guidance NUMARC 91-06 Guidelines. Additionally, the fire protection analysis of operating versus non-operating differences, developed by the Plant Fire Protection System Engineer, per section 4.1.3, should be reviewed. FP-PA-SA-03 (SNAPSHOT EVALUATION) instruction and guidance should be utilized for the Shutdown Risk Committee Assessment.
2. The PORC should review the shutdown safety assessment including the shutdown safety plan and any required contingency plans.
3. If required, because of significant schedule changes, or at the discretion of the Production Planning Manager, the Shutdown Risk Committee may be recalled for further schedule, project or task analysis at any time prior to, or during the outage.
4. Following scheduled outages, outage performance from a risk management perspective should be included in the Post-Outage Critique.

4.6.4 Shutdown and Refueling Mode Configuration Requirements Minimum system and off-site power availability for shutdown conditions are assessed using Figure 5.2.

4.6.5 Plant Configuration Direction and Status Control A. Plant configuration shutdown safety should be provided, specifying time-to-boiling for the Reactor, and Spent Fuel Pool, if applicable. Time-to-boiling should be extracted from the subject outage PRA study, or an equivalent methodology/ technology made available by the PRA Project Manager. Time-to-boiling should be provided by Plant Scheduling in the Critical Safety System Checklist which is distributed for Operations personnel awareness and general staff information. The Operations Outage Manager is responsible for ensuring emergent mid-shift requirement changes are communicated to Plant Operation's Management and the Shift Outage Managers.

B. The Control Room Supervisor should ensure current plant shutdown configuration shutdown safety direction, as outlined on the most recent Critical Safety System Checklist, is reflected on the Main Control Room Shutdown Status Board and in the Work Control Center (WCC).

C. The Control Room Supervisor should ensure signage prohibiting entry to equipment required for Defense-in-Depth is appropriately placed, and removed, on accesses to the following areas at a minimum:

1. Designated 4KV Switchgear Room
2. Designated Emergency Diesel Generator Room
3. Designated Residual Heat Removal Room

The signage should specify entry to be allowed by permission of the Shift Supervisor only.

D. Operations Control Room Supervisors and Control Room personnel should ensure that any oncoming, or relief, Operations staff are briefed on the current risk management profile (e.g. Outage Risk Condition zone, plant configuration shutdown safety direction, and near-term upcoming evolutions that may affect either of the first two), as directed in Form 3139 (CONTROL ROOM SHIFT TURNOVER CHECKLIST) and Form 3151 (CONTROL ROOM SUPERVISOR'S OUTAGE TURNOVER CHECKLIST).

E. Shift Outage Managers should ensure that any on-coming or relief Shift Outage Managers are briefed on the current risk management profile (e.g. Outage Risk Condition Zone, Technical Specification action statements, current Infrequent Tests and Evolutions, plant configuration shutdown safety direction and near-term upcoming evolutions that may affect the aforementioned), as directed in Form 3772 (SHIFT OUTAGE MANAGER TURNOVER CHECKLIST).

4.6.6 Outage Risk Condition Zone Color Codes A. Shutdown risk should be assessed using the shutdown risk assessment guidelines in Figure 5.1.

B. Color codes utilized to represent outage risk condition zones, and plant conditions resulting from unexpected actions, are:

1. Green - Non-risk significant, no actions are necessary.
2. Orange - Potentially risk significant, contingency plans SHALL be developed.
3. Red - Risk significant, do not enter this zone voluntarily. Prioritize the restoration of risk significant equipment.

C. The Outage Risk Condition Zone color code is displayed in the Outage Control Center (OCC), Work Control Center and Main Control Room. The Operations Outage Manager should ensure the OCC risk board outage risk condition color code is current for routine outage status meetings. The Control Room Supervisor should ensure the Main Control Room and WCC Outage Risk Condition color zone indicators always reflect any changes, as directed by continuing execution of the outage schedule, or provided by Scheduling, in a timely manner.

D. Every attempt should be made to build outage schedules with Outage Risk Condition Zone level of green throughout the outage period. Planned entries into safety level orange should be minimized. Entry into the orange zone SHALL require a contingency plan. The Operations Manager should review and concur with any planned orange zone entry and the associated contingency plan.

E. Entries into the red zone may be planned if the activity must be performed and there are no viable plant configurations that would reduce the levels to below red. Entry into the red zone SHALL require a contingency plan to minimize risk. The Plant Manager should review and concur with any planned red zone entry and the associated contingency plan.

4.6.7 Emergent Work

A. Emergent work is likely to become necessary between the completion of the PRA and the end of an outage. It is critical that these activities be reviewed for PRA impacts. As an initial screen, that review can be performed by Plant Scheduling. This review should be conservative. If indeterminate, or risk significant, contact PRA personnel for assistance.

B. Work performed within a defined system window is covered by the outage PRA. If work to be performed outside of a system window impacts a system that has been modeled in the PRA, the details should be presented to Plant Scheduling and subsequently the PRA group for a complete assessment. The performance of emergent work should satisfy the Critical Safety System Requirements of Figure 5.2.

C. Performance of risk assessment on emergent work should not interfere with or delay plant personnel from taking timely actions to restore equipment to service or taking compensatory actions.

4.6.8 Xcel Energy System Condition Zone Color Codes

A. Color codes, whose foundation is a combination of economic and grid stability factors, are utilized to indicate the general condition of the Xcel Energy electrical transmission and distribution system. In response to notification of a degrading system condition, the MNGP Control Room Operator should inquire about the following:

1. Forecasted duration.
2. Is the change a result of:
a. Placing "Peaking" generation on-line or purchasing power at higher than normal prices,
b. The Network Transmission System operating near, at or outside of operating limits.

B. IF the condition change is required due to 2.b. above, THEN Scheduling and/or the PRA Group SHALL be notified by the Control Room Supervisor.

C. The following guidelines should apply during System Conditions other than GREEN (regardless of reason for escalation, i.e., economic or stability concerns):

1. YELLOW (Warning):
a. Technical Specification required surveillance testing should continue per the schedule.
b. Work Orders on the schedule or those about to be initiated should be evaluated as to potential plant risk.
c. Operations should consult with Plant Scheduling, Maintenance and Engineering personnel as deemed necessary.
d. Allow only required substation access.
2. ORANGE (Danger):
a. Allowable grace periods should be invoked for risk significant Technical Specification surveillances and the tests should be delayed until the GRID is returned to YELLOW status if possible.
b. All work in progress or planned for the duration of this System Condition should be carefully scrutinized by Operations, Scheduling, Maintenance and Engineering personnel prior to continuing or proceeding.
c. Substation access only by Operations personnel or critical support personnel.
3. RED (Emergency):
a. Strict Plant Status Controls should be initiated per 4 AWI-04.01.01 (GENERAL PLANT OPERATING ACTIVITIES).
b. ONLY Operations personnel or organizations responding to repair critical components are allowed in the Substation.
c. Allowable grace periods should be invoked for risk significant Technical Specification surveillances and the tests should be delayed until the GRID is returned to YELLOW status if possible.

Consideration may be given to a Notice of Enforcement Discretion (NOED) as determined by the Shift Manager and Site Management.

D. The System Condition Zone color code is displayed in the WCC and Main Control Room.

E. The Control Room Supervisor is responsible for ensuring the Main Control Room and WCC system condition color zone indicators reflect any changes indicated by System Operations in a timely manner and that they also match each other.

F. The Control Room Supervisor is responsible for determining whether any change to the system condition color code is based upon economic considerations or grid stability issues. If a change is based upon grid stability, the Control Room Supervisor is responsible for notifying Plant Scheduling for possible risk assessment evaluation.

4.7 Unscheduled Outages

4.7.1 Planning Elements

The duration of unscheduled outages, by their very nature, may be difficult to predict. Because of this uncertainty, the immediate implementation of risk management processes assumes greater importance. The tools for risk management for outages of any type and duration are contained within this document. The selective utilization of applicable processes will ensure a safe, controlled and efficient unscheduled outage.

In addition to Sections 4.3-4.5, the following elements are employed in the application of risk management to unscheduled outages.

A. Risk Control, Planning and Execution

1. The planning and execution of unscheduled outages of minimal, long-term and/or unknown duration should be governed by those portions of Section 4.3 deemed applicable by the Production Planning Manager. At a minimum the following should be implemented:

a. An immediate "hold" placed on any activities which could challenge shutdown risk management until an outage schedule is developed, and/or an application of PRA, as described within this document, has been performed.
b. The immediate initiation of Plant Configuration Direction and Status Control, as defined within this document.

4.8 Record Retention Requirements None

5.0 FIGURES

FIGURE 5.1 Shutdown Risk Assessment

NOTE: In the event a condition exists while performing this procedure and the procedure requirements are found to be in conflict with MNGP Technical Specifications, the Technical Specifications SHALL be adhered to.

PLANNING GUIDELINES

The guidelines in this section provide Defense-in-Depth requirements associated with the following Key Safety Functions: Decay Heat Removal, Reactivity Control, Inventory Control, Containment and Electrical Power Distribution.

Decay Heat Removal (DHR)

The DHR function is the ability to maintain reactor coolant system temperature and fuel pool temperature below specified limits following a shutdown. During normal refueling operations, the shutdown cooling system and its supporting systems are the primary means of removing decay heat when fuel is in the reactor vessel. The normal and standby fuel pool cooling system is the primary means of removing decay heat from the fuel pool. Upon loss of normal shutdown cooling, or if normal shutdown cooling is electively removed from service, alternate systems should be available to remove decay heat depending on a variety of factors. These factors include the status of cavity water level, fuel pool gates in or out, decay heat level after shutdown, and the ability of the operators to diagnose and recover decay heat removal systems when there is significant time to boil. The status of these systems is tracked during the outage to support the decay heat removal key safety function.

Reactivity Control

The Reactivity Control function is to maintain positive controls on shutdown margin within the reactor vessel and fuel pool. Proper reactivity control management is assured by demonstrating that adequate shutdown margin exists, planning and controlling all fuel handling, control blade movements, core alterations, and associated monitoring activities.

Inventory Control

The Inventory Control function is to control reactor coolant inventory during shutdown conditions to prevent core uncovery and for maintaining the overall decay heat removal function. During reduced inventory operations, boiling and potential core uncovery can occur in a relatively short time period. The reactor coolant system boundary expands during shutdown periods to include the decay heat removal piping, spent fuel pool, and other connected support systems. This represents a significant number of potential inventory loss flow paths that are normally isolated during power operations. Reactor coolant inventory makeup is provided by high quality water systems including the Condensate Service Water system, Control Rod Drive Hydraulic system, and the Core Spray and Residual Heat Removal systems aligned to the torus or condensate storage tanks.


Containment

During shutdown plant conditions, it is necessary to ensure that Secondary Containment Operability is maintained as defined in the Technical Specifications. The purpose of Secondary Containment is to provide a functional barrier to limit fission product release to the environment in the event of a fuel handling accident. This function is accomplished via Reactor Building HVAC (normal and emergency) delivering to the plant stack or off-gas stack (elevated/diluted release) with administrative control of the Reactor Building envelope. Administrative control of the Reactor Building envelope is required during periods when Secondary Containment is not required. This control should consist of tracking containment openings and development of plans to close those openings in the event of a fuel handling accident per Form 8136 (SECONDARY CONTAINMENT PENETRATIONS).

Electrical Distribution (AC and DC)

Electrical power availability (both AC and DC) is a fundamental element of shutdown safety. The purpose of the Electrical Distribution function is to manage the plant configuration of all power sources (offsite and onsite) to the station 4KV buses to support the frontline system functions needed for DHR, Reactivity Control, Inventory Control, and Containment. It is necessary to maintain control over switchyard activities as this directly affects offsite power availability.

CRITERIA FOR SHUTDOWN RISK ASSESSMENT

The goal for the outage is to be in the "N+1" condition, where "N" is the minimum number of systems/equipment required by MNGP Technical Specifications. The systems credited for compliance with "N" need to be available for operation and not necessarily operable in accordance with Tech Specs.

OUTAGE CONDITION DESIGNATIONS

Green = N* + 1 requirements met. This is the outage Defense-in-Depth goal. In this condition the plant can sustain the most limiting active single failure and, taking credit for Operator action if required, be restored to a safe condition.

Orange = N* requirements met. This level satisfies at least the minimum number of systems/equipment required by MNGP Technical Specifications. Generally, in this condition there is a backup piece of equipment available to sustain a single failure of the primary equipment in service; however, the electrical buses may not be single failure-proof (i.e., both primary and backup equipment may be powered from the same safety train).

Red = < N* requirements met. This level is below the minimum number of systems/equipment required by MNGP Technical Specifications. This condition should not normally be entered on a voluntary basis.

MONITORING SHUTDOWN SAFETY SYSTEM STATUS

Shutdown safety depends in large measure on the operator's ability to monitor and control the status of safety and support systems required to be available as plant conditions change during the outage. The status of redundant systems should be reviewed prior to changing safety trains, changing electrical work sequences or authorizing work on electrical power distribution equipment. Critical Safety Systems are monitored frequently to ensure that Defense-in-Depth is maintained.

Form 2270 (CRITICAL SAFETY SYSTEM CHECKLIST) is developed twice a day by the Duty Operations Shift Manager. The purpose of the Critical Safety Systems Checklist is to track the status of safety systems required to meet Defense-in-Depth with regards to the Key Safety Functions. The requirements can be found on Figure 5.2 (CRITICAL SAFETY SYSTEM REQUIREMENTS). The Critical Safety Systems Checklist will include as a minimum, Mode switch position, time to boil calculation results, and the status of safe shutdown equipment.


5.2 Critical Safety System Requirements

Key Safety Function: Decay Heat Removal - Reactor Cavity

Purpose:

Provide adequate decay heat removal to prevent coolant boiling and thereby prevent inventory loss and eventual fuel uncovery.

Outage State: Mode 4; Mode 5 and RPV level < 21'11" above the vessel flange. Low water level (Gates in)

Systems Required

Preferred: Green (N+1) Three cooling subsystems need to be available to meet this requirement. Systems considered:

  • RHR shutdown cooling subsystem*
  • RWCU in heat reject mode**

Minimum: Orange (N) Two cooling subsystems need to be available to meet this requirement. Systems considered:

  • RHR shutdown cooling subsystem*
  • RWCU in heat reject mode**

Unacceptable: Red (< N) Less than two cooling subsystems available.

Outage State: Mode 5 and RPV level > 21'11" above the vessel flange. High water level (Gates out)

Systems Required

Preferred: Green (N+1) Two cooling subsystems available. Systems considered:

  • RHR shutdown cooling subsystem*
  • RWCU in heat reject mode**
  • Fuel pool cooling***

Minimum: Orange (N) One cooling subsystem available. Systems considered:

  • RHR shutdown cooling subsystem*
  • RWCU in heat reject mode**
  • Fuel pool cooling***

Unacceptable: Red (< N) Less than one cooling subsystem available.

*NOTE 1: A subsystem consists of a RHR pump, RHRSW pump and heat exchanger with associated valves.
**NOTE 2: RWCU use in heat reject mode may be limited by decay heat load.
***NOTE 3: Fuel pool cooling may be limited by decay heat load.


Key Safety Function: Reactivity Control

Purpose:

Maintain adequate shutdown margin in the reactor and fuel pool.

Outage State: Mode 4; Mode 5

Systems Required

Preferred: Green (N+1) Adequate SDM exists AND all control rods (except one) are inserted to position 00 in cells containing fuel.

Minimum: Orange (N) NOTE: The requirements to meet "N+1" in regards to this Key Safety Function are the same as those to meet "N" due to the limited systems available to perform this function. Therefore the "minimum" requirement is not applicable.

Unacceptable: Red (< N) Adequate SDM does not exist OR more than one control rod is withdrawn in cells containing fuel.


Key Safety Function: Inventory Control

Purpose:

Control of reactor coolant inventory during shutdown conditions to prevent core uncovery and for maintaining the overall decay heat removal function.

Outage State: Mode 4; Mode 5 (except if RPV level > 21'11" above the vessel flange and fuel pool gates removed.)

Systems Required

Preferred: Green (N+1) Three low pressure injection sources* need to be available to meet this requirement. Systems considered:

  • Core Spray system
  • RHR system (including the subsystem operating as SDC)
  • Cond & Feedwater system
  • Condensate service system via a bypassed pressurizing station
  • Control Rod Drive system

Minimum: Orange (N) Two low pressure injection sources* need to be available to meet this requirement. Systems considered:

  • Core Spray system
  • RHR system (including the subsystem operating as SDC)
  • Cond & Feedwater system
  • Condensate service system via a bypassed pressurizing station
  • Control Rod Drive system

Unacceptable: Red (< N) Less than two injection sources available.

*NOTE 1: The source should be high quality water.


Key Safety Function: Secondary Containment Control

Purpose:

Provide a functional barrier to limit airborne fission product release to the environment (elevated/monitored/diluted release) commensurate with the potential likelihood for a release of radioactive products to the Reactor Building.

Outage State:

  • During movement of irradiated fuel assemblies in the secondary containment.
  • During core alterations.
  • During operations with a potential for draining the reactor vessel (OPDRVs).

Systems Required

Preferred: Green (N+1)

  • Secondary Containment needs to be available to meet this requirement.
  • Two SGT subsystems need to be available to meet this requirement.
  • Two CREF subsystems need to be available to meet this requirement.
  • Two control room ventilation subsystems need to be available to meet this requirement.
  • Two refuel floor radiation monitors need to be available to meet this requirement.

Minimum: Orange (N)

  • Secondary Containment needs to be available to meet this requirement.
  • Less than two of any individual subsystem listed above is available.

Unacceptable: Red (< N) Secondary Containment unavailable or less than one of any individual subsystem listed above is available.

NOTE: During movement of non-recently irradiated fuel in the secondary containment or during core alterations utilize Form 8136 to evaluate secondary containment closure contingency requirements.


Key Safety Function: Electrical Control

Purpose:

Maintain DC and AC electrical power available to support Key Safety Functions.

Outage State: Mode 4; Mode 5

Systems Required

DC Electrical Control

Purpose:

Maintain DC electrical power available as required to provide DC instrument and control power necessary to support essential and vital systems which provide Key Safety Functions.

Preferred: Green (N+1) Two divisions of the 125VDC batteries (including the distribution bus and battery charger(s) necessary to maintain voltage) need to be available to meet this requirement.

NOTE: One of the divisions may be supplied by a temporary battery.

Minimum: Orange (N) One division of the 125VDC batteries (including the distribution bus and battery charger(s) necessary to maintain voltage) needs to be available to meet this requirement.

Unacceptable: Red ( < N) able.

AC Electrical Control

Purpose:

Manage the configuration of all AC power sources (offsite and onsite) to the station 4KV buses to support Key Safety Functions.

Preferred: Green (N+1) Two offsite power supplies and one emergency diesel generator (including the associated distribution buses) are required to be available to meet this requirement.

Minimum: Orange (N) One offsite power supply and one emergency diesel generator (including the associated distribution buses) are required to be available to meet this requirement.

Unacceptable: Red (< N) Less than one offsite power supply or less than one emergency diesel generator (including the associated distribution buses) available.

RISK MANAGEMENT FOR OUTAGES

5.3 Source Document Index

5.3.1 The following references were used to prepare this Instruction:

A. 4 AWI-01.01.01 (ADMINISTRATIVE CONTROLS PROGRAM)

B. 4 AWI-02.03.13 (WRITERS MANUAL)

C. 4 AWI-04.01.01 (GENERAL PLANT OPERATING ACTIVITIES)

D. 4 AWI-08.10.01 (OVERTIME RESTRICTIONS AND FITNESS FOR DUTY REQUIREMENTS)

E. 4 AWI-08.15.02 (REFUEL OUTAGE MANAGEMENT)

F. 10CFR50.65, Maintenance Rule

G. INPO-97-005, "Guidelines for the Management of Planned Outages at Nuclear Power Stations"

H. MNGP Operations Manual C.3 (SHUTDOWN PROCEDURE)

I. MNGP OWI-02.01 (OPERATIONS SHIFT TURNOVER)

J. NMC Outage Planning Policy

K. NUMARC 93-01, Section 11 "Requirement for Shutdown Conditions"

L. NUMARC 91-06, "Guidelines for Industry Action to Assess Shutdown Management"

M. NRC Commitment M04003A

Section(s)    Source
4.2.3         GAR 01085660
4.6.6.B.2.    Site Management
4.6.6.C.      Site Management
4.6.6.D.      Site Management
4.6.8.B.      Site Management

FIGURE 5.4 Summary of Significant Changes

Section    Change and Reason for the Change
4.2.3      Added new section on transition between on-line and outage risk models.
Various    Updated document number references and titles.

ENCLOSURE 5

MONTICELLO NUCLEAR GENERATING PLANT

Scheduling Work Instruction SWI-14.01, Rev. 5

Risk Management For Outage and On-line Activities

SCHEDULING WORK INSTRUCTIONS

TABLE OF CONTENTS

1.0 PURPOSE
2.0 APPLICABILITY
3.0 RESPONSIBILITIES
3.1 On-Line Manager
3.2 Work Week Coordinators
3.3 Risk Analysis Group
4.0 INSTRUCTIONS
4.1 Introduction
4.2 Scope of (a)(4) Assessments
4.3 Definitions
4.4 Assessment Process
5.0 FIGURES
5.1 Risk Significant SSCs Not Modeled in the PRA
5.2 Monticello Critical Safety Functions
5.3 Source Document Index
5.4 Summary of Significant Changes

Approval: PCR 01 132667

1.0 PURPOSE

10CFR50.65 states in paragraph (a)(4) the following:

"Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to those structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety."

The purpose of this guideline is to describe the method for assessing risk during power operation and shutdown conditions. Generally, assessments will be performed utilizing EOOS for online activities. As an alternative, the PRA organization can be requested to perform an analysis, either quantitative or qualitative, using the models and/or insights from the PRA in place of the analyses described in this guideline. This guideline is intended to conform to Section 11 of NUMARC 93-01, "Assessment of Risk Resulting from Performance of Maintenance Activities", as endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants."

This instruction applies to performance of on-line and shutdown risk assessments.

Although Work Week Coordinators and/or the risk analysis group provide recommendations for managing risk based upon the outcome of the risk assessment process, it is the responsibility of Shift Operations Personnel to apply insights from the assessment to aid in risk management.

3.1 On-Line Manager

3.1.1 Provide the necessary oversight and direction to assure the Work Week Coordinators comply with the intent of this Scheduling Work Instruction.

3.1.2 Maintain this instruction, SWI-14.01, such that it complies with the intent of the current revision of Section 11, NUMARC 93-01 as endorsed by NRC Regulatory Guide 1.182.

3.2 Work Week Coordinators

3.2.1 Follow the guidance provided in this instruction to assess and manage risk of maintenance and/or emergent activities for power operating conditions at Monticello.

3.2.2 Provide results of the risk assessments generated as specified by this instruction, to the duty operations staff. Analysis should be sufficient to allow operations staff the flexibility required to efficiently carry out the proposed workweek schedule.

3.2.3 Consult the PRA group when necessary to determine risk when it is not apparent based on appropriate past information and/or use of the EOOS tool.

3.3 Risk Analysis Group

3.3.1 Periodically review risk assessments performed by Work Week Coordinators to ensure accuracy.

3.3.2 Perform quantitative and qualitative risk assessments as necessary to support operations and Work Week Coordinators.

3.3.3 Perform outage risk assessments in support of scheduled and unscheduled outages.

4.1 Introduction

Maintenance activities must be performed to provide the level of plant equipment reliability necessary for safety, and should be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability and availability.

This instruction outlines the method for performing risk evaluations, using the results of the Monticello risk analysis model. The guideline is intended for use by Work Week Coordinators and/or the risk analysis group in planning maintenance activities. This guideline may also be used for the evaluation of emergent work or conditions. Risk evaluations may be performed using quantitative, qualitative, or blended approaches as appropriate. The assessment process should not interfere with or delay operations and/or maintenance crews from taking timely actions to restore equipment to service or take compensatory actions. This instruction does not allow deviation from technical specifications or any other legal requirement.

4.2 Scope of (a)(4) Assessments

4.2.1 Structures, Systems, and Components (SSCs) considered to be within the scope of the (a)(4) assessment process include:

A. All SSCs modeled within the current EOOS model, and

B. Additional SSCs considered to be risk significant by the Maintenance Rule Expert Panel as listed in Figure 5.1.

4.2.2 Additional considerations in determining risk should include as appropriate:

A. Significant potential impacts resulting from external factors such as severe weather conditions or degraded power grid conditions.

B. Significant potential for an increase in frequency of an accident initiating event.

C. Duration of configuration.

D. Heavy Load Movements

4.2.3 For emergent conditions, a risk assessment need not be conducted if the plant is restored to within a previously analyzed condition before an assessment can be reasonably performed.

4.3 Definitions

4.3.1 Available

An SSC is considered available if it is capable of performing its intended function. An SSC may be inoperable and still considered available for the purposes of satisfying (a)(4). If an SSC is slightly degraded, it is reasonable to consider it available. If an SSC is severely degraded, it should, under most circumstances, be considered completely failed. If an SSC is moderately degraded, the PRA staff may be consulted to determine if the equipment should be assessed as available, available with an elevated failure rate, or unavailable. Considerations related to ease in restoration of SSCs, time required and time available to restore SSCs, compensatory actions, and availability of personnel to restore equipment may be utilized to determine availability.

4.3.2 Slightly Degraded

Equipment is considered slightly degraded if it is likely capable of being able to perform its function. Examples of slightly degraded equipment may include an EDG that has one of its air bank compressors out of service, or an MOV with a torque switch that has drifted out of specification.

4.3.3 Moderately Degraded

Equipment is considered moderately degraded if it is not clearly either slightly degraded or severely degraded, but is somewhere in between these conditions.

4.3.4 Severely Degraded

Equipment is considered severely degraded if it is likely to fail when called upon to perform its function. An example of severely degraded equipment is an MOV that has emitted a burning odor following a closure.

4.3.5 Core Damage Frequency (CDF)

CDF is the estimated frequency (per year) of a significant core damage event for a given plant configuration.

4.3.6 System, Structure, Component (SSC)

For purposes of satisfying the (a)(4) requirement of the maintenance rule, a SSC is generally considered to be the system, subsystem, or train level of equipment included in the high-level logic structure of the PRA model rather than individual components.

4.3.7 Allowed Out of Service Time (AOT)

AOT is displayed on the EOOS screen for a given plant configuration and is usable as an indication to the user to give a sense of how long the plant can be operated while in that configuration without incurring unacceptable risk. AOT is calculated by dividing the risk limit of 1.0E-06 by the difference between the evaluated risk and the baseline risk (ΔCDF).

4.3.8 Critical Safety Function (CSF)

CSFs are safety functions that ensure integrity of the reactor coolant pressure boundary, ensure capability to shut down and maintain the reactor in a safe shutdown condition, and ensure capability to prevent or mitigate consequences of accidents that could result in potentially significant off-site exposures. CSFs for Monticello Reactivity Control, reactor coolant system boundary integrity, reactor coolant inventory makeup, and containment operability. See Figure 5.2 for systems credited to each CSF.

4.3.9 Action Level

Action Levels are CDF thresholds that specify actions to complete if exceeded. The YELLOW threshold is exceeded if the plant configuration results in a CDF greater than or equal to two times baseline CDF. The ORANGE threshold is exceeded if CDF is greater than or equal to ten times baseline CDF. The RED threshold is exceeded if CDF is greater than or equal to twenty times the baseline CDF. CDF values below the YELLOW threshold are considered to be GREEN. The PRA group determines the Action Level thresholds and incorporates them into the EOOS model to automatically reflect the appropriate Action Level for evaluated plant configurations.

4.4 Assessment Process 4.4.1 Determine the plant configuration to be evaluated Note all appropriate SSCs that are unavailable, or severely degraded. 1 Determine if moderately degraded SSCs are to be considered available, unavailable or degraded. The PRA group may be useful in making decisions related to the disposition of moderately degraded SSCs. Give consideration to any external factors that may have a significant impact on risk (weather, system grid condition, etc.). Take into account the potential impact from temporary plant modifications such as from jumpers and bypasses. Consider potential increase in the likelihood of initiating events. Consider potential degradation in primary containment operability and HELB, fire, and internal flooding barriers.

4.4.2 Determine quantitative risk and action level For on-line risk analysis utilize the current version of EOOS to quantify CDF. Consult the PRA group if needed, to disposition any SSCs or other factors with a potential significant impact on risk that are not quantifiable using EOOS. Note the action level presented by EOOS for the analyzed configuration. The risk analysis group generally performs all risk assessments for shutdown conditions.

4.4.3 Consider non-quantifiable impacts For those factors that are not quantifiable by EOOS, determine availability of systems for each of the CSFs under the evaluated condition. Consider the impact on these CSFs given the occurrence of an initiating event such as a loss of Bus 16 or loss of 125V DC.

4.4.4 Consider AGT For on-line assessments evaluated with EOOS, note AOT and verify that the expected duration of that configuration does not approach the AOT (Less than 112 AOT). If the expected duration approaches or exceeds the AOT, consider increasing the action level to the next higher level. Consult the PRA group for direction if needed.

4.4.5 Assure appropriate actions

A. For the GREEN action level, follow normal work practices. No additional risk management actions are necessary.

B. For the YELLOW action level, elevate the level of risk awareness by gaining a thorough understanding of the basis for the elevated risk, assuring appropriate pre-job briefs are scheduled, assuring effective use of resources to accomplish the maintenance tasks, and assuring operations staff is aware of the condition.

C. For the ORANGE action level, consider reasonable contingency actions that will aid in the recovery effort should an emergent issue arise while at this action level. Consider reasonable actions to minimize the time spent in the ORANGE action level.

D. Do not intentionally enter a configuration that results in a RED action level. If emergent issues occur that place the plant at or above the RED action level threshold, apply contingency actions to reduce the level of risk as soon as practical.

4.4.6 Present Results to Operations

Make all applicable risk assessment results available to the operations staff in a form that allows them enough flexibility to effectively carry out the maintenance plan. Provide operations the opportunity to comment on the workweek risk results prior to implementation, and the ability to obtain updated risk analysis results in a reasonable timeframe should emergent issues arise over the course of implementation of the plan.

FIGURE 5.1 Risk Significant SSCs Not Modeled in the PRA

The following SSCs are considered to be risk significant by Monticello's Maintenance Rule Expert Panel and are not explicitly modeled in the risk analysis model.

Control Rod Drive Mechanisms (not included in the PRA individually)
Alternate Shutdown Panel (not included in the internal events PRA)
Reactor and Vessel Assembly
Standby Gas Treatment System
Secondary Containment
Site Structures including the following:
    Plant Control and Cable Spreading Structure
    Turbine Building - Housing Class 1E Equipment
    EFT and Underground Duct Bank
    13 Diesel Generator Building
    Non-1E Electrical Equipment Room
    Intake Structure
    Standby Diesel Generator Building & Diesel Oil Transfer House
    Reactor Building
    Portions of Primary Containment
    Spent Fuel Storage Pool
    High Pressure Coolant Injection Building
    345 KV Substation House

FIGURE 5.2 Monticello Critical Safety Functions Critical Safety Function Associated Critical Safety Modeled systems that can Functions in PRA Model perform the safety function Reactivity Control Reactivity Control RPS, SBLC, ATWS (ARI, RPT)

Reactor Coolant System Reactor Overpressure SRVs Boundary Integrity Protection Reactor Coolant Inventory Feedwater, HPCI, RCIC, Makeup Reactor Depressurization SRVs Low Pressure Make-up Condensate, RHR (LPCI),

Core Spray, CRDH, CSW, RHRSW*, Fire Pumps*

Containment Operability Decay Heat Removal Condenser, RHR/RHRSW (SPC, SDC, DWS)

Containment Venting Hard Pipe Vent, Drywell Vent, Torus Vent Containment Isolation Primary Containment Isolation System

* RHRSW and the Fire Pumps require the LPCI injection path to be available for use as a source of low pressure makeup.

FIGURE 5.3 Source Document Index

Sections Source Source Section(s) All NUMARC 93-01, Rev. 3 II 1.0, 3.0 NRC Regulatory Guide 1.182 A 4.2.2.D. NEI Industry Initiative on Heavy Load Lifts (dated 09/14/07)

FIGURE 5.4 Summary of Significant Changes

Section | Change and Reason for the Change
Various | Removed CTS information.
4.2.2.D. | Added Section D. Heavy Load Movements as an additional consideration in determining risk.
FIGURE 5.3 | Added source document "NEI Industry Initiative on Heavy Load Lifts (dated 09/14/07)" for section 4.2.2.D.

ENCLOSURE 6 MONTICELLO NUCLEAR GENERATING PLANT Engineering Work Instruction 05.02.01, Rev. 11 Maintenance Rule Program Document

MONTICELLO MAINTENANCE RULE PROGRAM DOCUMENT ENGINEERING WORK INSTRUCTION

TABLE OF CONTENTS

1.0 PURPOSE
2.0 PROGRAM SCOPE
    2.1 Definitions And Acronyms
3.0 RESPONSIBILITIES
    3.1 Program Engineering
    3.2 System Engineering
    3.3 Risk Analysis Group (PRA)
    3.4 Scheduling Department
    3.5 Operations Department
    3.6 Expert Panel
4.0 DETERMINATION OF SYSTEMS WITHIN THE SCOPE OF THE RULE
    4.1 Identification of Initial MNGP System Listing
    4.2 Safety Related Systems
    4.3 Non-Safety Related Systems used to Mitigate Accidents or Transients
    4.4 Non-Safety Related Systems used in the Emergency Operating Procedures (EOPs)
    4.5 Non-Safety Related Systems Whose Failure Could Prevent Safety Related SSCs From Fulfilling Their Safety Related Function
    4.6 Non-Safety Related Systems That "Could Cause" a Scram or SSA
    4.7 Use of Industry Experience for Scoping Process
5.0 RISK SIGNIFICANCE DETERMINATION
    5.1 Risk Significance Methodology
    5.2 Risk Significance Inputs
    5.3 Use of Industry Experience in Risk Significance Determination
6.0 PERFORMANCE CRITERIA
    6.1 General
    6.2 Plant Level Performance Criteria
    6.3 Individual (System) Level Performance Criteria
    6.4 Structures
7.0 PERFORMANCE MONITORING
    7.1 Data Collection and Disposition
    7.2 Maintenance Rule Access Database
    7.3 Repetitive Failures
    7.4 Cause Determinations and Dispositioning SSCs from (a)(2) to (a)(1)
    7.5 Dispositioning SSCs from (a)(1) to (a)(2)
8.0 PERIODIC ASSESSMENTS
    8.1 Frequency and Conduct
    8.2 Balancing Unavailability and Reliability
    8.3 (a)(1) Goal-Setting Action / Performance Improvement Plans
    8.4 Reporting
EVALUATION OF SYSTEMS REMOVED FROM SERVICE AND EMERGENT CONDITIONS
    9.1 On-Line Equipment Scheduling
    9.2 Outage Scheduling and Outage Risk Significance
MAINTENANCE RULE EXPERT PANEL DETAILS
    10.1 Expert Panel Composition and Qualifications
    10.2 Functions of the Expert Panel
    10.3 Review Method and Decision Making
    10.4 Meeting Frequency
    10.5 Quorum
    10.6 Documentation
MAINTENANCE RULE DOCUMENTATION REQUIREMENTS
REFERENCES
RETENTION OF RECORDS
TABLES
    14.1 Monticello Maintenance Rule System Identification
FIGURES
    15.1 FORM 3784 "Maintenance Rule (a)(1) Action Performance Improvement Plan"
    15.2 Source Document Index
    15.3 Summary of Significant Changes
ATTACHMENTS
    16.1 Monticello Maintenance Rule Program Development

Approval: PCR 01083736

1.0 PURPOSE

This document provides an overall description of the implementation and operation of the Maintenance Rule Program at the Monticello Nuclear Generating Plant (MNGP), including implementation of the requirements of 10CFR 50.65, industry guidance provided by NUMARC and EPRI, and the NMC Maintenance Rule Program Fleet Standard.

2.0 PROGRAM SCOPE

Implementation of the Maintenance Rule at MNGP meets all 10CFR 50.65 requirements by using the guidance provided in NUMARC 93-01, Rev 3. Deviations from the NUMARC 93-01 guidelines are addressed in this EWI along with a description of the bases for those deviations, as applicable.

NOTE: Appendix "A" to this document contains the background description of how Monticello's Maintenance Rule Program evolved.

2.1 Definitions And Acronyms

The following definitions / acronyms have been adopted for Monticello's Maintenance Rule Program:

2.1.1 (a)(1): SSCs in the scope of the Maintenance Rule determined to have unacceptable performance. An (a)(1) SSC requires goal setting to ensure its performance returns to acceptable levels. The purpose of placing poor performing SSCs in (a)(1) status is to heighten management awareness of actual and potential problems. (a)(1) refers to the applicable paragraph in 10CFR50.65. An SSC in (a)(1) is in Evaluation, Action, or Monitoring Status.

(a)(1) Evaluation Status: When an SSC exceeds its performance criteria, an evaluation is undertaken to determine if the SSC should have corrective actions and goals

(a)(1) Action Status: The SSC performance has been evaluated and goals have been approved, but actions to correct the condition have not been fully implemented.

(a)(1) Monitoring Status: Corrective actions have been completed and effectiveness of the actions is being monitored against the goals.

2.1.2 (a)(2)

SSCs in scope of the Maintenance Rule determined to have acceptable performance. Existing performance monitoring and preventive maintenance should continue. (a)(2) refers to the applicable paragraph in 10CFR50.65.

2.1.3 Birnbaum

A PRA importance term used to measure the range (or difference) in CDF when the failure probability of an SSC is varied between 1 (always fails) and 0 (never fails). Birnbaum = (CDF when the SSC always fails) - (CDF when the SSC never fails).

Condition Monitoring: Monitoring of performance parameters below the functional level (i.e., the term "Functional Failure" does not apply) that are used to detect degrading conditions.

Core Damage Frequency (CDF): The expected frequency (probability of occurrence / year) of core damage events (e.g. the uncovering and heat-up of the reactor core to the point where severe fuel damage is anticipated).

CDF colors are associated with the following general types of situations:

GREEN: Baseline Value
YELLOW: Increased Awareness
ORANGE: Contingency Plans Required
RED: Restricted - Never Entered Intentionally - Expedite Departure

Cutsets: Accident sequence failure combinations.

EOOS: Equipment-Out-Of-Service (Risk Monitoring Software).

Function (or Maintenance Rule Function): The scoped function is that attribute (e.g. safety related, mitigates accidents, causes a scram, etc.) that included the SSC within the scope of the Maintenance Rule. For example, the condenser is within the scope of the Maintenance Rule because its total failure could cause a scram and not because of the design function of pulling a vacuum on the condenser.

Functional Failure: An unintended event or condition such that a SSC within the scope of the Rule is not capable of performing its intended function.

Fussell-Vesely (FV): A PRA importance term used to measure the percent decrease in core damage frequency if the SSC never fails.

Goals: Specific targets established when a system becomes (a)(1).

Goals should be measurable and may incorporate specific component, train, system, structure, or plant level performance measurements.

Goals should be set commensurate with the SSCs or plant level criteria's effect on plant safety. Goals should monitor the effectiveness of the corrective action(s) taken.

Industry-wide Operating Experience: Information included in NRC, industry and vendor equipment information that is applicable and available to the nuclear industry with the intent of minimizing adverse plant conditions through shared experience. Industry wide operating experience, for the purposes of Maintenance Rule implementation, also includes comparison of the results of the implementation of the Maintenance Rule activities at MNGP to the results from other utilities.


2.1.13 Maintenance: The aggregate of those functions required to preserve or restore safety, reliability, and unavailability of plant structures, systems, and components. Maintenance includes not only activities traditionally associated with identifying and correcting actual or potential degraded conditions, (i.e., repair, surveillance, diagnostic examinations, and preventive measures) but extends to all supporting functions for the conduct of these activities.

2.1.14 Maintenance Preventable Functional Failure (MPFF) - (Initial or Repetitive): An MPFF is the failure of an SSC (structure, system, train, or component) within the scope of the Maintenance Rule to perform its intended function (i.e., the function performed by the SSC that required its inclusion within the scope of the rule), where the cause of the failure of the SSC is attributable to a maintenance-related activity. The maintenance-related activity is intended in the broad sense of maintenance as defined above. A design deficiency is not an MPFF.

The loss of function can be either direct (i.e., the SSC that performs the function fails to perform its intended function) or indirect (i.e., the SSC fails to perform its intended function as a result of the failure of another SSC) - either safety related or non-safety related.

An "initial" MPFF is the first occurrence for a particular SSC for which the failure results in a loss of function that is attributable to a maintenance related cause. An initial MPFF is a failure that would have been avoided by a maintenance activity that has not been otherwise evaluated as an acceptable result (i.e., allowed to run to failure due to an acceptable risk).

NOTE: Per NUMARC 93-01, the look back periodicity for repetitive failures is the 2 year review cycle. Monticello's program looks back 2 years from the event date for repetitive failures.

A "repetitive" MPFF is the subsequent loss of function (as defined above) that is attributable to the same maintenance related cause that has previously occurred (e.g., an MOV fails to close because a spring pack was installed improperly - the next time this MOV fails to close because the spring pack is installed improperly: the MPFF is repetitive and the previous corrective action did not preclude recurrence). A second or subsequent loss of function that results from a different maintenance related cause is not considered a repetitive MPFF (e.g., an MOV initially fails to close because a spring pack was installed improperly -- the next time it fails to close, its failure to close is because a set screw was improperly installed: the MPFF is not repetitive).

2.1.15 Maintenance Rule Evaluation (MRE) - A cause evaluation of any in-scope SSC failure or event that caused significant unavailability of a system, or significantly impacted a performance criterion. This cause evaluation may be an extension of an already completed cause determination. The cause evaluations should determine if the events were maintenance related and if performance is now acceptable as inputs for the (a)(1) determination. All of the cause evaluations should consider maintenance activities, cause determinations already performed, corrective actions (or lack thereof) and the effectiveness of such activities in precluding recurrence of the identified event(s).

2.1.16 Maintenance Rule Functional Failure (MRFF): Same as MPFF without any restriction on the cause.

2.1.17 Probabilistic Risk Assessment (PRA): PRA is a quantitative assessment of the risk associated with plant operation and maintenance. The risk is measured in terms of the frequency of occurrence of different events including severe core damage.

2.1.18 Risk Achievement Worth (RAW): A PRA importance term used to express the ratio by which risk increases due to an SSC that is assumed to be failed at all times.

2.1.19 Risk Reduction Worth (RRW): A PRA importance term used to express the ratio by which risk decreases due to an SSC that is assumed to be perfectly reliable. Monticello normally uses Fussell-Vesely instead of RRW.

2.1.20 Standby: If an SSC only performs its intended function when initiated by either an automatic or manual demand signal, the SSC is in standby.

In this case, failures would only become apparent during the next demand, actuation, or surveillance.

2.1.21 Structure, System, and Component (SSC): SSC is an acronym used to designate groupings of components for monitoring and control purposes. Where possible, Maintenance Rule activities will be implemented at the system or train level. Where necessary, implementation of the Maintenance Rule will be at the component level.

Component level implementation significantly increases the resources necessary to manage the ongoing requirements of the Maintenance Rule. In this document, "SSC" is typically referred to as "system" or "train."

2.1.22 System: A collection of equipment that is configured and operated to serve some specific plant function(s) (e.g., provides cooling water to the RHR heat exchanger, sprays water into the containment, injects water into the reactor), as defined in the System Basis Documents.

NOTE: In this program document the use of the terms "system", "system function", and "SSC" are used interchangeably.

2.1.23 Unavailability - Unavailability is considered in two cases:

A. Maintenance Activities - equipment out of service (e.g. tagged out) for corrective or preventive maintenance is considered unavailable. Support system unavailability may be counted against either the support system, or the front line systems served by the support system. The treatment of support system unavailability for the maintenance rule should be consistent with its treatment in the plant PSA. Performance criteria should be established consistent with whichever treatment is chosen.

B. Testing - SSCs out of service for testing are considered unavailable, unless the test configuration is automatically overridden by a valid starting signal, or the function can be promptly restored either by an operator in the control room or by a dedicated operator stationed locally for that purpose.

Restoration actions must be contained in a written procedure, must be uncomplicated (a single action or a few simple actions), and must not require diagnosis or repair. Credit for a dedicated local operator can be taken only if (s)he is positioned at the proper location throughout the duration of the test for the purpose of restoration of the train should a valid demand occur.

The intent of this paragraph is to allow licensees to take credit for restoration actions that are virtually certain to be successful (i.e., probability nearly equal to 1) during accident conditions."

The way this is used in Monticello's MR Program is that the total Unavailable Time is determined by reviewing the out of service or LCO times from the control room and/or pump room logs to determine the time that a system or train (if performance criteria established for the system on a train level) was not able to perform its intended Maintenance Rule function. Taking the "total unavailable / LCO time" from the control room / pump room logs, unless specified as part of a surveillance procedure, is conservative.

2.1.24 Unplanned Capability Loss is defined as the percentage of maximum energy generation that the plant was not capable of supplying to the electrical grid because of unplanned energy losses (forced outages, unplanned power reductions, etc.).

NOTE: Appendix "A" to this document contains the background description of how Monticello's Maintenance Rule Program evolved.
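The importance terms defined above (Birnbaum, Fussell-Vesely, RAW, RRW) and the GREEN/YELLOW/ORANGE/RED multiples of baseline CDF stated in section 4.3.9 of the risk assessment procedure, worked through on a small cutset model. This is an added example, not part of the Monticello work instruction or the EOOS software: the cutsets, probabilities and function names are constructed for illustration, and CDF is quantified with the rare-event approximation.

```python
from math import prod

# Constructed basic-event failure probabilities (illustrative, not plant data).
BASE_PROBS = {"PUMP_A": 3e-3, "PUMP_B": 3e-3, "DG_1": 2e-2, "DG_2": 2e-2, "VALVE_X": 1e-3}

# Constructed minimal cutsets:
# (initiating-event frequency per year, SSCs that must all fail for core damage).
CUTSETS = [
    (1e-1, ("PUMP_A", "PUMP_B")),
    (5e-2, ("DG_1", "DG_2")),
    (1e-2, ("DG_1", "PUMP_B")),
    (5e-5, ("VALVE_X",)),
]


def cdf(probs):
    """CDF per year by the rare-event approximation: the sum of cutset frequencies."""
    return sum(freq * prod(probs[e] for e in events) for freq, events in CUTSETS)


def importance(ssc):
    """Importance terms for one SSC, following the definitions in section 2.1."""
    base = cdf(BASE_PROBS)
    always_fails = cdf({**BASE_PROBS, ssc: 1.0})
    never_fails = cdf({**BASE_PROBS, ssc: 0.0})
    return {
        # Range in CDF between "always fails" and "never fails".
        "birnbaum": always_fails - never_fails,
        # Decrease in CDF if the SSC never fails, as a fraction of baseline
        # (multiply by 100 for the percent form used in the definition).
        "fussell_vesely": (base - never_fails) / base,
        # Ratio by which risk increases with the SSC assumed failed.
        "raw": always_fails / base,
        # Ratio by which risk decreases with the SSC assumed perfectly reliable.
        "rrw": base / never_fails if never_fails > 0 else float("inf"),
    }


def action_level(config_cdf, baseline_cdf):
    """Map a configuration CDF to an action level using the 2x / 10x / 20x thresholds."""
    ratio = config_cdf / baseline_cdf
    if ratio >= 20:
        return "RED"
    if ratio >= 10:
        return "ORANGE"
    if ratio >= 2:
        return "YELLOW"
    return "GREEN"


def configuration_level(out_of_service):
    """Action level with the named SSCs treated as unavailable (failure probability 1)."""
    probs = {**BASE_PROBS, **{ssc: 1.0 for ssc in out_of_service}}
    return action_level(cdf(probs), cdf(BASE_PROBS))


if __name__ == "__main__":
    print(f"baseline CDF = {cdf(BASE_PROBS):.3e} / year")
    for name in BASE_PROBS:
        m = importance(name)
        print(f"{name:8s} Birnbaum={m['birnbaum']:.2e} FV={m['fussell_vesely']:.3f} "
              f"RAW={m['raw']:.1f} RRW={m['rrw']:.2f} "
              f"level if out of service: {configuration_level([name])}")
```

With a single SSC out of service, the configuration CDF divided by baseline CDF is that SSC's RAW, so the RAW value alone indicates which action level the configuration lands in.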

3.0 RESPONSIBILITIES

3.1 Program Engineering

3.1.1 Ensure Maintenance Rule Coordinator has completed appropriate qualifications prior to performing independent work (see section 12.0 for references).

3.1.2 Provide overall coordination of the requirements for Maintenance Rule implementation and operation. Maintain the basis of decisions made regarding implementation and operation.

3.1.3 Prepare and maintain System Basis Documents for all MNGP systems, whether in-scope or out of scope.

3.1.4 Provide data of historical performance to support the establishment of performance criteria.

3.1.5 Coordinate performance monitoring.

3.1.6 Maintain the Maintenance Rule Access Database.

3.1.7 Facilitate the creation of the Expert Panel and oversee the operation of the Panel.

3.1.8 Prepare and submit appropriate periodic assessment reports to the Expert Panel and to Senior Plant Management.

3.1.9 Ensure the Maintenance Rule Program is maintained consistent with appropriate plant, PRA, and EOP changes.

3.1.10 Coordinate goal setting efforts when required.

3.1.11 Provide necessary insights into the planned maintenance schedule.

3.1.12 Make initial MPFF determinations with the help of the system engineer.

3.1.13 Notify the Monticello Training Center (MTC) of scoping changes that may affect MTC Lesson Plans.

3.1.14 Routine duties and responsibilities of the Maintenance Rule Coordinator as detailed in engineering group procedure(s).

3.2 System Engineering

3.2.1 Ensure completion of appropriate Maintenance Rule qualifications prior to independently performing MREs or activities associated with monitoring and resolving category (a)(?) items (see section 12.0 for references).

3.2.2 Review the initial and any subsequent revisions to scoping, risk significance determinations, and the performance criteria established for their system(s).

3.2.3 Review performance data for input into the Maintenance Rule Access Database as requested.

3.2.4 Provide representation on the Expert Panel for review and approval of Maintenance Rule documents and methodologies.

3.2.5 Participate in the development of goal setting action plans when applicable.

3.2.6 Make the determination if a Maintenance Rule Functional Failure (MRFF) has occurred and document the failure in the Corrective Action Process (CAP) through completion of an MRE. Request assistance from the Maintenance Rule Coordinator as needed.

3.2.7 Make initial MPFF determinations with the help of the Maintenance Rule Coordinator.

3.2.8 Provide data entry / maintenance associated with the INPO Equipment Performance Information Exchange (EPIX) system.

3.2.9 Provide system unavailability data to the Maintenance Rule Coordinator as an input to the Maintenance Rule Access Database.

3.3 Risk Analysis Group (PRA)

3.3.1 Provide necessary inputs, using the PRA and other analyses, to decisions related to Maintenance Rule scoping, risk significance, performance criteria and action plans when requested.

3.3.2 Provide representation on the Expert Panel for review and approval of Maintenance Rule documents and methodologies as requested by the Maintenance Rule Coordinator.

3.3.3 Provide necessary PRA insights into the planned maintenance schedule when requested.

3.3.4 Provide PRA insights for emergent work activities and emergent conditions when requested.

3.4 Scheduling Department

3.4.1 As required by Scheduling Department Work Instructions (SWI's) and applicable AWI's, schedule equipment outages taking into consideration the total plant equipment that is out of service and its effect on performance of plant safety functions (core damage frequency). This includes both on-line and outage scheduling.

3.4.2 Provide representation on the Expert Panel for review and approval of Maintenance Rule documents and methodologies as requested by the Maintenance Rule Coordinator.

3.4.3 Review emergent work activities and emergent conditions for risk as requested.

3.5 Operations Department

3.5.1 As required by 4 AWI-04.01.01 (GENERAL PLANT OPERATING ACTIVITIES), remove equipment from service or assess emergent work activities or conditions taking into consideration the effect on overall plant risk through the use of the weekly schedule and the use of Scheduling and/or PRA input as needed.

3.5.2 Provide representation on the Expert Panel for review and approval of Maintenance Rule documents and methodologies as requested by the Maintenance Rule Coordinator.

3.6 Expert Panel

3.6.1 Review and approve initial and subsequent revisions to system scoping and risk significance determinations.

3.6.2 Review and approve initial and subsequent revisions to the performance criteria.

3.6.3 Review and approve (a)(1)/(a)(2) determinations and goal-setting action plans.

3.6.4 Review and approve periodic assessments.

3.6.5 Review other Maintenance Rule items as necessary.

NOTE: See section 10.0 of this document for additional information on the Expert Panel

4.0 DETERMINATION OF SYSTEMS WITHIN THE SCOPE OF THE RULE

The Maintenance Rule states:

"(b) The scope of the monitoring program specified in paragraph (a)(1) of this section shall include safety-related and non-safety related structures, systems, and components, as follows:

(1) Safety-related structures, systems, and components that are relied upon to remain functional during and following design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, and the capability to prevent or mitigate the consequences of accidents that could result in potential off site exposure comparable to the 10CFR part 100 guidelines.

(2) Non-safety related structures, systems, and components:
(i) That are relied upon to mitigate accidents or transients or are used in plant emergency operating procedures (EOPs); or
(ii) Whose failure could prevent safety-related structures, systems, and components from fulfilling their safety-related function; or
(iii) Whose failure could cause a reactor scram or actuation of a safety-related system."

For licensees that have adopted an Alternate Source Term (AST), including MNGP, the dose guidelines of 10CFR100 are superseded by 10CFR50.67.

4.1 Identification of Initial MNGP System Listing

A listing of all the MNGP systems was obtained by reviewing the CHAMPS Master Systems List. This list was compared against the Ops Manual/System Engineering Assignment Listing from the Monticello Plant Bulletin Board on the VAX Computer System. The functions for each system were then determined based on Ops Manual, Design Basis Documents, etc. Each function was then reviewed against the Maintenance Rule scoping criteria by the Expert Panel for inclusion in or exclusion from the Maintenance Rule scope.


4.1.2 NUMARC 93-01, Section 8.2.1, states that it is necessary to "identify and document the functions of SSCs that cause the SSCs to be within the scope of the Rule." This implies that scoping by function is acceptable. However, the use of system functions instead of structures, systems, and components in the scoping process was considered an exception to NUMARC 93-01 at the Cooper Nuclear Station inspection as documented in report 50-298/96-12. The approach was still found to be acceptable during the Cooper inspection. Regulatory Guide 1.160, Revision 2, Section 1.1.3, also states that "scoping by function is acceptable". Therefore, since Monticello scopes by function, this could be considered a deviation from NUMARC 93-01, but is considered acceptable based on the above information.

4.1.3 Since the Monticello Maintenance Rule Program is primarily focused on the functions that individual systems provide rather than the individual system components, some system boundaries were modified. While the boundaries of most systems are the same as those contained in other MNGP documents (Ops Manual, DBD, etc.), some system boundaries are defined differently for Maintenance Rule purposes. A Maintenance Rule "Boundary Definition Guidance Document" was prepared to outline general guidelines for defining system boundaries.

The individual System Basis Documents may also contain specific system boundaries.

4.1.4 Table 14.1 of this document contains a complete listing of MNGP systems and annotates which systems were determined to be in scope.

For a complete description of each system's scoping basis, see the associated System Basis Document.

4.2 Safety Related Systems

4.2.1 A determination of safety-related systems and functions was completed by review of the following documents:

A. 4 AWI-01.03.01 (QUALITY ASSURANCE PROGRAM BOUNDARY),

B. Q-List Extension (color coded P&ID's), and

C. Individual system Design Basis Documents (DBDs).

4.2.2 All safety-related systems were included within the scope of the Maintenance Rule.

4.3 Non-Safety Related Systems used to Mitigate Accidents or Transients

4.3.1 Non-safety related system functions that are within scope because they mitigate accidents or transients were determined mainly by review of the Monticello USAR Chapter 14, "Safety and Accident Analysis." DBD T.3 "Design Basis Accidents and Event Analysis" was also used as a reference.

4.3.2 A Maintenance Rule USAR Review Document was prepared which sorted each system separately with its USAR Chapter 14 references.

This review was attached to each of the associated System Basis Documents for consideration by the Expert Panel and for future reference.

4.4 Non-Safety Related Systems used in the Emergency Operating Procedures (EOPs)

4.4.1 NUMARC 93-01 states "this step requires an evaluation be performed to identify important non-safety related SSC's under utility control that are used in EOP's. For a non-safety related SSC to be considered important, it must add significant value to the mitigation function of an EOP by providing the total or a significant fraction of the total functional ability required to mitigate core damage or radioactive release".

4.4.2 A significant fraction is not defined further by NUMARC 93-01 or other guidance documents. This determination was left to the individual plant's Expert Panel. To aid in the Expert Panel's determination, the Maintenance Rule Expert Panel "interpreted Significant Fraction of an EOP Document" to be those "First Choice" systems that would be used for each of the EOPs. A Maintenance Rule EOP Review Document was created which listed each system with its associated EOP references.

The EOP Review Document section is provided as an attachment to each of the associated System Basis Documents for Expert Panel consideration and future reference.

4.5 Non-Safety Related Systems Whose Failure Could Prevent Safety Related SSCs From Fulfilling Their Safety Related Function

MNGP systems whose failure would prevent a safety related system from performing its safety-related function were identified through plant history, industry-wide operating experience, and prior engineering evaluations such as the PRA, IPE, Appendix R, HELB, etc.

4.6 Non-Safety Related Systems That "Could Cause" a Scram or SSA

4.6.1 Systems included within the scope of the Maintenance Rule based on this criterion are those that have actually caused or have been reasonably shown to be able to cause a scram or safety system actuation (SSA) at MNGP or a similar facility.

4.6.2 The determination of unusual hypothetical failures, including those that could result from system interdependencies that have not been previously experienced, was not performed based on guidance provided by NUMARC 93-01.

4.6.3 To aid the Expert Panel in their determination of systems that meet this criterion, the Maintenance Rule "Could Cause" Review Document was completed. This document reviewed the following sources:

A. NRC NUREG-0200 "Status Summary Report" (Typically referred to as "The NRC Gray Book") for dates 1/92 through 12/94.

B. All Monticello Scrams from 1/80 through 6/96.

C. BWR Owners Group SCRAM Frequency Reduction Committee report "Maintenance Work Control Practices" which summarized BWR industry scrams from Oct 1, 1969 through Sept 30, 1987.

D. The Critical Components Study for Monticello dated 12/30/91.

This study reviewed all non-safety but "critical" components for possible improvements to surveillance tests or preventative maintenance. This review was completed as recommended by the Prairie Island Forced Outage Review Team.

The above sources along with the Expert Panel's system knowledge were used to determine those systems that "could cause" a Scram or Safety System Actuation (SSA). In addition, the System Engineer for each system reviewed their associated System Basis Document for concurrence with the final scoping determination.

4.7 Use of Industry Experience for Scoping Process

4.7.1 To aid individual utilities in their scoping process, NEI developed a database of utility scoping decisions. This database was sorted by Monticello personnel for BWR 3/4 plants and compared on an individual system basis with Monticello's scoping matrix. Significant differences were followed up with telephone conversations with other sites' Maintenance Rule Coordinators. This was performed as an independent check of Monticello's scoping to ensure major items were not originally omitted. Deviations were reported to the Expert Panel for further scoping re-consideration.

5.0 RISK SIGNIFICANCE DETERMINATION

The Maintenance Rule states:

"(a)(1) Each holder of an operating license under paragraph 51.21 (b) or 50.22 shall monitor the performance or condition of structures, systems, and components against licensee established goals, in a manner sufficient to provide reasonable assurance that such structures, systems, and components, as defined in paragraph (b), are capable of fulfilling their intended functions.

Such goals shall be established commensurate with safety and, where practical, take into account industry-wide operating experience. When the performance or condition of a structure, system, or component does not meet established goals, appropriate corrective action shall be taken."

5.1 Risk Significance Methodology

5.1.1 A risk significance determination is required by the Maintenance Rule to ensure that monitoring activities are focused on the "most important" systems/functions.

5.1.2 Risk significance was determined by the Expert Panel using the results of the Internal Events PRA (updated version of the IPE), NUMARC 93-01 guidance, and their own personal experience and knowledge.

PRA Level II, IPEEE, and outage shutdown PRA insights were also provided to the Expert Panel. Each system was reviewed for risk significance regardless of whether it was already in scope or not. This ensured that all risk significant systems/functions were considered. A few systems were included within the scope of the Maintenance Rule solely based on risk significance. If the Expert Panel determined the system was risk significant, it was included in scope and designated as risk significant even if the scoping criteria in Section 4.0 above were not met.

5.2 Risk Significance Inputs

5.2.1 NUMARC 93-01 states that "The panel should review input from all three specific risk importance calculational methods listed ... in making its judgment regarding risk significant systems".

5.2.2 The three methods listed are Risk Reduction Worth (RRW), Risk Achievement Worth (RAW), and 90% Cutsets. At Monticello three methods were provided to the Expert Panel; however, Fussell-Vesely (FV) was used instead of RRW since FV measures the same effect and only expresses it in different units. Also, FV is more familiar to Monticello personnel because it is used in other site PRA applications.

This could be considered a deviation from NUMARC 93-01, but is acceptable for the reasons stated above.
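
The statement in 5.2.2 that FV and RRW measure the same effect can be written out as follows. This relation is added here for illustration and is not part of the original document; the symbols $R_0$ (baseline CDF) and $R_i^-$ (CDF with component $i$ assumed perfectly reliable) are introduced for this purpose, and the standard cutset-based definitions of the two measures are assumed.

$$\mathrm{RRW}_i = \frac{R_0}{R_i^-}, \qquad \mathrm{FV}_i = \frac{R_0 - R_i^-}{R_0} = 1 - \frac{1}{\mathrm{RRW}_i}$$

Each measure is therefore a monotonic function of the other, so a threshold on one fixes a threshold on the other. For example, $\mathrm{FV}_i > 0.005$ is equivalent to $\mathrm{RRW}_i > 1/(1 - 0.005) \approx 1.005$.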

5.2.3 All raw data including the actual PRA values for all components within the PRA cutsets for each system was provided to the Expert Panel. In addition, two types of plots were provided to help clarify the PRA input.

The first plot was a component level plot of all modeled components within a system plotted with RAW on one axis and Fussell-Vesely on the other. The second plot was of all systems together on the same graph.

This plot was generated by rolling up all the component risk data into a system risk value in order to address the concern with using a single, individual component importance as a surrogate for system importance.

5.2.4 Four quadrants were then drawn using the values in the table below to help determine high and low risk significance. Expert Panel members were informed that the component level plots should be given preference over the system level plots. System level plots were provided for additional information.

Four Quadrant Plot Divisions

        Component Level Plot    System Level Plot
RAW     >2*                     >10**
FV      >.005*                  >.05***

*  Regulatory Review Group, Volume 4
** EPRI, BWROG

5.2.5 PRA Level II, IPEEE, and outage shutdown PRA insights were provided to the Expert Panel for use in determining a system's total risk significance. In addition, System Engineers reviewed the final risk significance determination for their associated system.

5.2.6 The Expert Panel was free to classify a system as risk significant even if the qualitative numbers indicated otherwise.

5.2.7 The final risk significance determinations and bases for these decisions are included in the System Basis Document for each system.

5.3 Use of Industry Experience in Risk Significance Determination

During the original scoping effort, the NEI utility database was sorted for BWR 3 and 4 facilities by system. A comparison of the results of risk significance determinations of other utilities with plants similar to MNGP was made.

Appropriate follow-up was completed and forwarded to the Expert Panel for consideration (see the "Comparison With Other Similar Sites" binder).

6.0 PERFORMANCE CRITERIA

The Maintenance Rule states:

"(a)(1) Each holder of an operating license under paragraph 51.21 (b) or 50.22 shall monitor the performance or condition of structures, systems, and components against licensee established goals, in a manner sufficient to provide reasonable assurance that such structures, systems, and components, as defined in paragraph (b), are capable of fulfilling their intended functions.

Such goals shall be established commensurate with safety and, where practical, take into account industry-wide operating experience. When the performance or condition of a structure, system, or component does not meet established goals, appropriate corrective action shall be taken.

(a)(2) Monitoring as specified in paragraph (a)(1) of this section is not required where it has been demonstrated that the performance or condition of a structure, system, or component is being effectively controlled through the performance of appropriate preventive maintenance, such that the structure, system, or component remains capable of performing its intended function."

6.1 General

All SSCs determined to be within the scope of the Maintenance Rule are monitored via some level of performance criteria. There are two levels at which performance criteria can be set: plant level or individual. To ensure the Maintenance Rule Program is maintained manageable and the appropriate attention is placed on the significant SSCs, monitoring will be performed at the highest or plant level if possible. SSCs that meet any of the following criteria below have been determined to not be adequately monitored at the plant level and therefore have individual performance criteria established. Individual performance criteria will be monitored at the highest level, preferably the system or train level.

1) Risk Significant SSCs
2) Non-Risk Significant SSCs:

a) that are normally in standby as defined in NUMARC 93-01 and Reg Guide 1.160 or
b) that would not be captured by plant level criteria.

6.1.1 In general, unavailability and reliability will be monitored for all risk significant SSCs unless a sufficient justification exists for not monitoring both. Condition monitoring may be used in lieu of unavailability and reliability when appropriate (such as with structures). For non-risk significant SSCs, unavailability or reliability or condition monitoring or a combination of these will be used.

6.1.2 The Maintenance Rule requires that performance criteria be set so that continuing plant or system performance can be compared against a set value to determine if further goal setting is required. These values have been set for Monticello and are referred to as Red or (a)(1) values [(a)(1) refers to the paragraph in 10CFR50.65 that discusses SSCs not performing acceptably].

6.1.3 Monticello also developed Yellow or Alert values for its performance criteria so that appropriate "heightened awareness" is placed on SSCs that are approaching their Maintenance Rule Performance Criteria.

Typically Yellow values were placed at 90% of the Red or (a)(1) criteria for unavailability and typically 1 or 2 failures away for reliability values.

6.1.4 Data for performance monitoring is collected and trended typically on a two year rolling average basis. Two years was selected as an appropriate value since it was felt one year did not allow for statistically significant variations to be averaged out and three years may allow adverse trends or potential problems to be masked or exist for an unacceptable amount of time. For some values, such as ILRT, LLRT, Fuel Reliability Index, etc., the two year rolling averaging of data does not provide meaningful information, and these are therefore tracked by the last available value. Also, the monitoring of structures involves condition monitoring and a periodic inspection so the two year rolling average is not used.

6.2 Plant Level Performance Criteria

General:

Overall plant level performance criteria are broad-based and are supported by many SSCs that could be safety or non-safety related. Since overall equipment performance is a major contributor to meeting plant performance criteria, it is useful in determining maintenance program effectiveness.

Establishment of the plant level performance criteria was completed by considering the plant performance history, existing plant goals, industry goals, and comparison to similar BWR 3/4 plants' performance criteria. Per the guidance in NUMARC 93-01, these criteria were not developed to be overly aggressive or based on the expectation of continuing improvement in plant performance (existing non-Maintenance Rule plant goals can be used to drive improved performance).

The following Plant Level Performance Criteria have been established for Monticello:

Performance Criteria             Yellow (Alert Value)    Red or (a)(1)
                                 (Still (a)(2))          Value
Unplanned Rx Scrams              >1/yr                   >2/yr
Unplanned Capability Loss        >3.5%/yr                >4.5%/yr
Unplanned ESF Actuations         >4/yr                   >5/yr
Safety System Failures           >1.5/yr                 >2.0/yr
Unplanned Shutdown Deviations    >1/yr                   >2/yr

NOTE: Values are averaged for a two year rolling period.

6.2.1 Unplanned Reactor Scrams

A. Unplanned Reactor Scrams [...] significant failures of operating SSCs that can result in a plant transient and cause a challenge to the plant operators and/or to plant equipment. 10CFR50.65 requires monitoring those SSCs that could cause a reactor scram; therefore, this is a direct way of meeting this monitoring requirement for various systems. Values were selected based on initiating event assumptions in the PRA, historical review, and comparison to typical industry values.

Each scram is currently investigated for root cause and corrective actions are identified prior to restart. This investigation would include any additional maintenance-related activities which were deemed appropriate.

B. NUMARC 93-01 states that "unplanned automatic scrams per 7,000 hours critical should be used as a plant level criterion".

Monticello chose to monitor unplanned scrams per year without taking into account hours critical since the "per year" approach is consistent with other existing plant monitoring programs. This could be considered a deviation from NUMARC 93-01. However, since NUMARC 93-01 encourages the use of existing plant programs to meet the requirements of the Rule, this is an acceptable (and conservative) deviation.

C. Unplanned manual scrams (not single rod scrams) are also counted under this criterion.

D. Exceeding the established criterion, listed above, warrants an overall review of scrams to identify common mode items or significant degradation in maintenance activities which could have contributed to this trend. Tracking of scrams is readily accomplished since scrams are reported as an ESF actuation in accordance with the LER process under 10CFR50.73(a)(2)(iv).

E. Each periodic assessment includes a historical summary of all Unplanned Scrams for review.

6.2.2 Unplanned Capability Loss

A. Unplanned Capability Loss is defined as the percentage of maximum energy generation that the plant was not capable of supplying to the electrical grid because of unplanned energy losses (forced outages, unplanned power reductions, etc.).

B. Unplanned Capability Loss is a broad-based performance indicator that reflects the effectiveness of plant programs and practices in maximizing available electrical generation. It provides an overall indication of how well plants are operated and maintained. This parameter is monitored in a manner consistent with the INPO reporting data collection process. Data for this criterion is collected from the Nuclear Engineer's Monthly Plant Performance Report for entry into the Maintenance Rule Access Database.

C. Each periodic assessment includes a historical monthly summary of the Unplanned Capability Loss Factor for review.

6.2.3 Unplanned Engineered Safety Feature (ESF) Actuations

A. It is difficult to set an exact numerical value of the number of unplanned ESF actuations beyond which plant performance is unacceptable. On average, GE plants experience a number of such events per year.

B. Individually these events tend not to be very safety significant; however, a large number of events could be indicative of other plant problems which merit further review. Each ESF actuation is currently evaluated under the Corrective Action Process. This evaluation would include any additional maintenance-related activities which were deemed appropriate. Exceeding the above established criteria warrants an overall review of ESF Actuations to identify any common mode items or significant degradation in maintenance activities which could be contributing to this trend.

C. Tracking of Unplanned ESF Actuations is readily accomplished since these are reported in accordance with the LER process under 10CFR50.73(a)(2)(iv).

D. Each periodic assessment includes a historical summary of Unplanned ESF Actuations for review.

6.2.4 Safety System Failures

A. Safety System Failures are any events or conditions that prevented the fulfillment of the safety function of structures or systems. This is a complete failure of that safety structure or system. Failure of one train in a two train system is not counted as a failure since the other train is available to complete the same design function. The Safety System Failures indicator is intended to capture significant equipment failures.

B. Although the majority of equipment failures captured by this indicator will overlap with individual system performance criteria, the potential exists to identify equipment failures in systems which do not by themselves normally warrant system specific monitoring.

C. This indicator also provides an opportunity for detection of broad trends affecting multiple systems which may not result in exceeding any system specific criteria.

D. Tracking of Safety System Failures is readily accomplished since these are reported in accordance with the LER process under 10CFR50.73(a)(2)(v) and 10CFR50.73(a)(2)(vii).

E. Each periodic assessment includes a historical summary of Safety System Failures for review.

6.2.5 Unplanned Shutdown Deviations

A. Unplanned Shutdown Deviations from Operations Manual C.3.VIII (SHUTDOWN AND REFUELING MODE REQUIREMENTS) was developed to monitor overall outage maintenance activities. During plant operations the overall risk significance of an individual system can be readily determined, but during plant outages the risk significance of an individual system can vary greatly based on the plant configuration (such as vessel flooded up, core off-load, etc.) and what other systems are available to perform the same function. C.3.VIII provides guidance on which combination of systems should remain available during different outage configurations. This criterion was selected due to Monticello's past experience and plant management's emphasis on this guidance. The use of C.3.VIII along with the use of the Outage Risk Management Team (including Shutdown PRA) has resulted in outage CDF values that are consistent with the at-power CDF values.

B. Deviations from C.3.VIII would not necessarily result in unacceptable plant risk; however, to ensure risk is properly managed, these deviations should be planned ahead of time to ensure appropriate compensatory actions or controls are established. Therefore, unplanned deviations were selected to allow adequate flexibility while still managing plant risk during outages.

C. Monitoring of the appropriate individual systems that are required by Tech Specs to be operable during outages is continued when those systems are required by Tech Specs. In addition, other appropriate monitoring such as Shutdown Cooling mode of RHR is monitored during the condition when this system would be necessary during an outage. This plant level criterion provides an overall indication of how well outage risk is being managed.

D. Tracking of Unplanned Shutdown Deviations is performed through the review of the Corrective Action, WO, and LER Processes and communications with the Scheduling Department.

E. Each periodic assessment includes a historical summary of Unplanned Shutdown Deviations.

F. See Section 9.2 for additional information on outage scheduling and risk significance.

6.3 Individual (System) Level Performance Criteria

6.3.1 Setting of Initial Unavailability Values

A. Initial starting values for systems/functions were developed by calculating the delta probability change when a set change in baseline Core Damage Frequency (CDF) is divided by the Birnbaum value. The NEI/EPRI PSA Application Guide was used to select this set change in baseline CDF of -27%. These initial values were then compared against similar BWR 3/4 individual performance criteria to establish a draft set of performance criteria. A PRA sensitivity study was then performed on the draft performance criteria by requantifying with all SSCs' unavailability set at the performance criteria value to determine the overall effect and also the major core damage contributors. After several minor adjustments in the draft performance criteria as a result of the sensitivity study, they were reviewed by the Expert Panel for consistency between systems and appropriateness of absolute values.

B. The performance criteria were finally reviewed by the associated System Engineer and compared against Monticello historical data from 1/92 through 6/96. A final PRA sensitivity study was then completed with the finalized performance criteria.

C. In general, the final SSC unavailabilities are set higher than the values used in the baseline PRA model. The values in the PRA were developed with the assumption that very little on-line maintenance would be performed. Therefore, the PRA values are relatively small when compared to values at other similar plants where significant on-line maintenance was assumed.

Also, the PRA values represent average values which indicate that an SSC could be performing above that value approximately half of the time. The final SSC unavailabilities are higher than the PRA values since they account for the current practice of performing more on-line maintenance and the values in the PRA being average values.

D. The final PRA sensitivity study showed that the CDF increased by a factor of approximately 2 with all the SSC unavailabilities set at their performance criteria limits simultaneously. The results of this study were considered acceptable for the following reasons:

It is extremely unlikely that all of the SSCs would be at their performance criteria limit simultaneously.

The Maintenance Rule Database supplies input to the Equipment-Out-Of-Service (EOOS) Risk Monitor which then plots actual risk on both a cumulative and an instantaneous basis for the cycle. These risk plots are produced by the PRA group and are included with the periodic assessments. The plots provide a means of tracking the risk due to unavailability so that it can be maintained at an acceptable level.

The Maintenance Rule ultimately should reduce unavailability and improve reliability compared to past performance.

E. For some systems that did not contain data in the PRA, a qualitative comparison was made to a system determined by the Expert Panel to have a similar risk.

NOTE: See the individual System Basis Documents for the actual individual unavailability performance criteria values.

6.3.2 Setting of Initial Reliability Values

A. Reliability traditionally is defined as the number of successful times a system has operated divided by the total number of demands on this system. To obtain the traditional reliability values a record would be required to be tracked for each time a system demand took place. This record keeping would result in a significant additional burden for little gained insight. An alternative is to establish an acceptable number of failures over a given period of time, then track only the failures. Since most risk significant systems at Monticello are typically only operated for routine surveillances, the number of demands on a system should remain fairly constant and can be closely approximated.

Therefore, the Expert Panel determined that Maintenance Rule Reliability will be monitored with the use of Maintenance Preventable Functional Failures (MPFFs). An MPFF is the failure of a system to perform the function that required its inclusion within the scope of the Maintenance Rule due to inadequate or improper maintenance.

B. An initial benchmark of the Emergency Diesel Generator System was selected due to the data collection required per Reg Guide 1.155, Reg Guide 1.9, and NUMARC 87-00 "Station Blackout".

NUMARC 87-00 specifies acceptable reliability values for a 95% reliable Diesel Generator System as follows:

3 failures out of last 20 attempts
5 failures out of last 50 attempts
8 failures out of last 100 attempts

C. These values and the relative importance of the Diesel Generator were compared to other Monticello systems to establish an initial reliability MPFF value. Initial values were then reviewed by the Expert Panel for consistency between systems and appropriateness of absolute values.

D. The performance criteria were reviewed by the associated System Engineer and compared against Monticello historical data from 1/92 through 6/96. Finally, MPFF values were compared against system unavailability values for overall consistency.

6.3.3 Methodology Used to Ensure that the Initial Reliability Criteria Is Consistent with the PRA

A. Based on the initial NRC Maintenance Rule implementation inspections conducted in the latter half of 1996, it became apparent that a statistical link between the PRA and the reliability criteria was needed.

B. Monticello adopted the following methodology to provide that link and to modify the criteria as necessary:

1. Identify systems with individual performance criteria that are modeled in the PRA.
2. Estimate the number of demands per year for standby systems.
a. Calculate the failure probability per year by multiplying the PRA failure probability per demand by the number of demands per year.
b. Calculate the failure probability per year for normally operating systems by multiplying the PRA failure probability per hour by 7,000 hours (from NUMARC 93-01) for systems that are not in service during plant shutdowns and 8,000 hours (a conservative estimate of the number of hours in a year) for systems that may be required to be in service during plant shutdowns.
3. As described in EPRI Technical Bulletin 96-11-01, "Monitoring Reliability for the Maintenance Rule", dated November, 1996, and its addendum, EPRI Technical Bulletin 97-3-01, "Monitoring Reliability for the Maintenance Rule - Failures to Run", dated March, 1997, perform the following actions:
a. Apply the binomial density function to standby systems to obtain the probability of incurring 0, 1, 2, 3 or more failures over a two-year period.
b. Apply the Poisson density function to normally operating systems to obtain the probability of incurring 0, 1, 2, 3 or more failures over a two-year period.
4. If the probability of a given number of failures over the two-year time period is greater than or equal to five percent, this number of failures is an acceptable number of failures over the two-year time period for the associated SSC. In general, the probability closest to five percent yields the maximum number of allowable failures and is used to set the reliability criteria.
5. For systems where the results of the steps above did not provide predictive criteria (such as zero allowed failures) or were not realistic, a sensitivity study must be performed with these systems using more appropriate reliability criteria as determined by the Maintenance Rule Coordinator. This sensitivity study must include the effects of:
a. The Maintenance Rule Coordinator - selected reliability criteria set to their maximum acceptable values and
b. All of the availability criteria set to their maximum acceptable values for risk-significant systems modeled in the PRA. The result should be a CDF of less than 1E-4 which is generally recognized as the acceptance limit.

C. See the individual System Basis Documents for the actual individual reliability performance criteria values.
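
The calculation in steps 2 through 5 of 6.3.3 B can be sketched as follows. This is an added example, not the licensee's procedure or code from the EPRI bulletins; the failure probabilities and demand counts are constructed, and step 4 is read here as "the largest number of failures whose individual two-year probability is at least five percent", which is an assumption about the intended rule.

```python
# Added illustration of 6.3.3 B, steps 2-5. All input values are constructed.
from dataclasses import dataclass
from math import comb, exp, factorial
from typing import Callable, List, Optional

THRESHOLD = 0.05               # step 4: five percent
WINDOW_YEARS = 2               # two-year monitoring period
HOURS_OFF_AT_SHUTDOWN = 7000   # step 2b: not in service during shutdowns
HOURS_ON_AT_SHUTDOWN = 8000    # step 2b: may be in service during shutdowns
POISSON_K_MAX = 100            # search bound; keeps factorial() within float range


@dataclass
class ReliabilityCriterion:
    expected_failures: float         # mean number of failures over two years
    pmf: List[float]                 # P(exactly k failures), k = 0..3
    allowed_failures: Optional[int]  # None if no k reaches the threshold
    needs_sensitivity_study: bool    # step 5: result is not predictive


def binomial_pmf(k: int, n: int, p: float) -> float:
    """P(exactly k failures in n demands), failure probability p per demand."""
    if k > n:
        return 0.0
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def poisson_pmf(k: int, mean: float) -> float:
    """P(exactly k failures) when failures arrive at a constant rate."""
    return exp(-mean) * mean**k / factorial(k)


def _criterion(pmf: Callable[[int], float], mean: float, k_max: int) -> ReliabilityCriterion:
    # Assumed reading of step 4: largest k with P(X = k) >= THRESHOLD.
    allowed = None
    for k in range(k_max + 1):
        if pmf(k) >= THRESHOLD:
            allowed = k
    return ReliabilityCriterion(
        expected_failures=mean,
        pmf=[pmf(k) for k in range(4)],
        allowed_failures=allowed,
        # Step 5: zero allowed failures (or no usable result) is flagged
        # for a PRA sensitivity study instead of being used directly.
        needs_sensitivity_study=allowed is None or allowed == 0,
    )


def standby_criterion(p_per_demand: float, demands_per_year: float) -> ReliabilityCriterion:
    """Steps 2, 2a, 3a: binomial model for standby systems."""
    if not 0.0 <= p_per_demand <= 1.0:
        raise ValueError("failure probability per demand must be in [0, 1]")
    n = round(demands_per_year * WINDOW_YEARS)
    return _criterion(lambda k: binomial_pmf(k, n, p_per_demand), n * p_per_demand, n)


def operating_criterion(rate_per_hour: float, hours_per_year: int) -> ReliabilityCriterion:
    """Steps 2b, 3b: Poisson model for normally operating systems."""
    if rate_per_hour < 0:
        raise ValueError("failure rate must be non-negative")
    mean = rate_per_hour * hours_per_year * WINDOW_YEARS
    return _criterion(lambda k: poisson_pmf(k, mean), mean, POISSON_K_MAX)


if __name__ == "__main__":
    # Constructed inputs; real values come from the plant PRA.
    cases = {
        "standby, 5E-3/demand, 30 demands/yr": standby_criterion(5e-3, 30),
        "standby, 2E-2/demand, 24 demands/yr": standby_criterion(2e-2, 24),
        "operating, 1E-6/hr, 8000 hr/yr": operating_criterion(1e-6, HOURS_ON_AT_SHUTDOWN),
        "operating, 5E-5/hr, 7000 hr/yr": operating_criterion(5e-5, HOURS_OFF_AT_SHUTDOWN),
    }
    for name, c in cases.items():
        probs = ", ".join(f"{p:.4f}" for p in c.pmf)
        print(f"{name}: mean={c.expected_failures:.3f} P(0..3)=[{probs}] "
              f"allowed={c.allowed_failures} sensitivity_study={c.needs_sensitivity_study}")
```

The third constructed case yields zero allowed failures, which is the situation step 5 routes to a sensitivity study with criteria chosen by the Maintenance Rule Coordinator.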

6.4 Structures

6.4.1 Monitoring of structures at Monticello is in accordance with NEI 96-03 "Guidance for Monitoring the Condition of Structures at Nuclear Power Plants".

6.4.2 An evaluation of critical concrete structures was performed in 1986 as part of Monticello's Pilot Plant License Renewal efforts in cooperation with the Electric Power Research Institute (EPRI) and the U. S. Department of Energy (See References 12.19 and 12.20). These evaluations were considered inputs to the structural initial baseline evaluation since they were used to provide insights as to where structural concrete problems may exist. A structural walkdown by a registered civil engineer was completed in June, 1996, of all structures included within the scope of the Maintenance Rule at that time. This walkdown, using the inputs from the 1986 evaluations, fulfilled the "initial baseline" inspection requirement for the in-scope structures as discussed in NEI 96-03.

6.4.3 Periodic (5 year) structural inspection is performed using Surveillance Test 1385 (PERIODIC STRUCTURAL INSPECTION). This inspection documents the periodic review of plant Maintenance Rule structures for possible long term degradation. Form 4266 (STRUCTURAL DEFICIENCY IDENTIFICATION AND EVALUATION FORM) is used within the procedure to document significant deficiencies noted during the inspection. In addition, the Corrective Action Process documents deficiencies if evaluated as "Acceptable with Deficiencies" or "Unacceptable" (see 6.4.5 below).

Separate work orders may be generated and maintained to perform inspections in a ready backlog for those areas which are on the surveillance checklist, but which are not normally accessible due to high radiation, confined space entry requirements or other plant operational limitations/conditions. When plant conditions allow and those areas become accessible, they are inspected.

6.4.4 An inspection report is generated from the results of Surveillance Test 1385 and submitted to the Expert Panel for review and for (a)(1) determinations.

6.4.5 Each structure is categorized as follows:

Acceptable

Acceptable structures are capable of performing their structural functions, including the protection and support of Maintenance Rule systems and components. Acceptable structures are free of deficiencies or degradation which could lead to possible failure. The presence of minor defects which are determined to be acceptable and which would not affect the intended function of the structure is acceptable. Minor defects include items such as concrete pitting, minor coating flaking, and small cracks in the concrete.

Acceptable with Deficiencies

Structures which are acceptable with deficiencies are those which are capable of performing their structural functions, including the protection and support of Maintenance Rule systems and components, but are degraded or have deficiencies which could deteriorate to an unacceptable condition, if not analyzed or corrected prior to the next scheduled examination. The Maintenance Rule Expert Panel should review structures listed in this category for possible (a)(1) classification.

A CAP documenting a deficiency with this evaluation is required.

Unacceptable Unacceptable structures are those which are damaged or degraded such that they are not capable of performing their structural functions.

An unacceptable structure should be classified as a functional failure in accordance with the Maintenance Rule Program. The Maintenance Rule Expert Panel should review structures which fall into this category.

It is expected that structures in this category would be classified as (a)(l) structures. A CAP documenting a deficiency with this evaluation is required.

6.4.6 Between performances of Surveillance Test 1385, normal operator rounds, and other procedures and programs described in the Structures System Basis Document are relied upon to identify any significant structural degradation. These structural deficiencies would be identified by the Maintenance Rule Coordinator through the Maintenance Rule reviews performed on work orders and significant CAPs, selected operator logs, and design changes which may affect the function of a structure.

6.4.7 The Expert Panel may also declare a structure (a)(1) at their own discretion.

NOTE: See the Maintenance Rule Program Structures System Basis Document for additional information.

7.0 PERFORMANCE MONITORING

7.1 Data Collection and Disposition

7.1.1 Data for unavailability is primarily collected from the operators' logs and the SOMS system. This data is compared against data collected for MPFFs and the System Engineers notes (if needed) for omissions.

Data is then reviewed by the Maintenance Rule Coordinator for the final determination of system unavailability.

7.1.2 Data for MPFF's is collected from a periodic review of Work Orders, CAPs, and LER's. This data is compared against unavailability data and the System Engineers notes (if available) for any possible omissions. Data is then reviewed by the responsible System Engineer and the Maintenance Rule Coordinator for preliminary determination of MPFF's. In general, a functional failure will be considered an MPFF unless it is intuitively obvious that it is not.

7.1.3 Preliminary MPFF determinations are forwarded to the Expert Panel for final determination during the periodic meeting or sooner if deemed necessary by the Maintenance Rule Coordinator.

7.1.4 Plant level data is collected and reviewed by the Maintenance Rule Coordinator by review of CAPs, LER's and the Monthly Plant Performance Report provided by Nuclear Engineering. Unplanned Shutdown Deviations may also be obtained from the Plant Scheduling Department.

7.1.5 Hours for unavailability are tracked whenever the SSC is required to be operable per the Plant Technical Specifications or is required to perform a specific function(s) that placed the SSC within the scope of the Rule.

MPFFs are tracked continuously. MPFFs that occur when a SSC is not required to be available that could have occurred when it was required are included within the database.

7.1.6 When adverse trends are identified, appropriate corrective action will be promptly initiated. This includes the possibility of declaring an SSC (a)(1) before a performance criterion is exceeded.

7.1.7 Data for SSCs that have been determined to be MPFFs are reported to INPO via the Equipment Performance Information Exchange (EPIX) system.

7.1.8 For monitoring of structures, see Section 6.4, Structures.

Maintenance Rule Access Database

Upon collection of data, the Maintenance Rule Coordinator will ensure it is entered into the Maintenance Rule Access Database. This Access database was developed to provide a centralized, automated method of processing and presenting Maintenance Rule information. All appropriate site personnel have access to this program for reviewing purposes only. The database contains screens which use colors to indicate the status of SSCs with individual performance criteria and the status of the plant level criteria. The colors are defined as follows:

Green: Meeting Performance Criteria [(a)(2)]

Yellow: Approaching Performance Criteria Limit - still (a)(2), but heightened awareness is warranted

Red: Exceeding Performance Criteria [(a)(1)]

7.2.2 The Maintenance Rule Access Database compares the entered data to the established associated performance criteria and assigns the appropriate Green, Yellow, or Red status to each system with individual performance criteria and the plant level criteria. The assignment of Yellow or Red by the Access Database is only a preliminary determination. Final determinations of system status are made by the Expert Panel.

Repetitive Failures

7.3.1 NUMARC 93-01 requires a review of Maintenance Preventable Functional Failures for any repetitive failures. The review should establish whether there are generic implications to the failure and ensure appropriate corrective actions are initiated. Repetitive failures of significant plant equipment are primarily tracked using the Corrective Action Process.

7.3.2 The Maintenance Rule Periodic Assessment review also looks for repetitive failures. The Expert Panel members are provided a printout of all Maintenance Preventable Functional Failures for at least the past rolling two year period. This data will be reviewed for any failures which appear to be repetitive in nature. The Expert Panel reviewed all MPFF's from 1/92 through 6/96 for an initial Repetitive MPFF determination.

7.3.3 Repetitive failures may also be identified by the Equipment Reliability Coordinator per EWI-10.01.04 (EQUIPMENT RELIABILITY TRENDING PROCESS).

7.3.4 A failure due to a repetitive MPFF would require the SSC to be placed in the (a)(1) or Red status and an appropriate goal-setting action plan to be developed.

7.4 Cause Determinations and Dispositioning SSCs from (a)(2) to (a)(1)

7.4.1 A corrective action process document of appropriate depth is required for the following conditions:

- A goal not being met; or
- A performance criteria not being met; or
- A functional failure of any SSC within the scope of the Rule, even if the goals or performance criteria are met; or
- A repetitive functional failure of any SSC within the scope of the Rule, even if the goals or performance criteria are met.

A preliminary determination will be made whether or not the failure constitutes a need to change the system/component status to (a)(1).

This is the (a)(1) Evaluation Status period (see NMC Fleet Maintenance Rule Program Document Definitions). The cause determination will identify the cause of the failure or unacceptable performance. If applicable, it will identify any corrective action(s) to preclude recurrence.

The Maintenance Rule Coordinator along with system engineering will make the determination as to whether the failure was an MPFF and if the SSC requires (a)(1) goal setting and monitoring.

7.4.3 Cause determinations for MPFFs and repetitive MPFFs that occurred prior to July 10, 1996, were made by the Maintenance Rule Coordinator and the system engineer(s) using the best documentation available.

7.4.4 If the determination is made that the SSC should be changed to (a)(1) status, an action plan SHALL be completed. Form 3784 (See Figure 15.1) was established to capture the information required by the Maintenance Rule and industry guidance for (a)(1) action plans. The (a)(1) action plan contains the following information:

NOTE: Detailed instructions for completion of this form are included in the form (see Figure 15.1)

A. Description of the issue / condition which put the SSC into (a)(1)

NOTE: Since the information contained in the action plan is a reflection of the information contained in the associated CAP(s), the action plans themselves are not required to be tracked by a separate CAP within the Corrective Action Process.

B. Cause Determination

C. Applicable Industry Operating Experience and references

NOTE: Specific OE items to review when completing the form are addressed in the form's detailed instructions

D. Evaluation of the balancing between Availability and Reliability

E. Statement of Impact on the Plant

F. List of actions to correct the condition / improve performance and the schedule for completion

G. Additional Actions

NOTE: If additional actions are identified by the Expert Panel review, they are entered into the Corrective Action Process and listed in this section of the Form.

H. Goals and methods of determining action(s) effectiveness of returning the equipment to (a)(2) status (e.g. Monitoring Plan)

I. Anticipated date when the Maintenance Rule Matrix System Performance Indicator status/color will improve

J. Other comments / references

7.4.5 Once completed and signed, the form is reviewed by the Expert Panel for concurrence. An electronic copy of the approved (a)(1) action plan is attached to and can be viewed within the Maintenance Rule Database under System Information (Action Plans).

7.4.6 The action plans should be reviewed and updated periodically to reflect corrective actions taken or as changes occur.

7.5 Dispositioning SSCs from (a)(1) to (a)(2)

7.5.1 An (a)(1) Action / Performance Improvement goal may be determined to have been met and monitoring of SSC performance against specific goals may be discontinued provided the following criteria have been satisfied and the approval of the Expert Panel has been obtained.

A. Performance is acceptable for three surveillance periods where the surveillance periodicity is equal to or less than a six month interval;

B. Performance is acceptable for two successive surveillances where the surveillance periodicity is greater than six months but no greater than two fuel cycles; or

C. An approved and documented technical assessment assures the cause is known and corrected and thus monitoring against goals is unnecessary.

7.5.2 For SSCs that are normally operating, the Expert Panel will specify the conditions for return to (a)(2).

7.5.3 Once the corrective actions have been completed and the effectiveness of the actions has completed the monitoring period, the SSC can return to (a)(2) status.

8.0 PERIODIC ASSESSMENTS

The Maintenance Rule states:

"(a)(3) Performance and condition monitoring activities and associated goals and preventive maintenance activities shall be evaluated at least every refueling cycle provided the interval between evaluations does not exceed 24 months.

The evaluations shall be conducted taking into account, where practical, industry-wide operating experience. Adjustment shall be made where necessary to ensure that the objective of preventing failures of structures, systems, and components through maintenance is appropriately balanced against the objective of minimizing unavailability of structures, systems, and components due to monitoring or preventive maintenance."

8.1 Frequency and Conduct

Periodic (a)(3) Assessments (as defined by the Maintenance Rule) should be performed by the Maintenance Rule Expert Panel (as determined by the Maintenance Rule Coordinator. See Section 10.4).

The following areas should be reviewed and addressed as part of the Periodic (a)(3) Assessment:

1) Scoping changes identified through plant, procedure, or industry identified changes. Notify Monticello Training Center of any scoping changes that may affect maintenance rule lesson plans.
2) Risk significance changes identified.
3) Monticello-applicable industry operating experience as determined by the Maintenance Rule Coordinator.
4) Plant level performance criteria, individual performance criteria (as needed), Red/Yellow systems, EOOS data, and the balancing of unavailability and reliability concerns.
5) Initial MPFF determinations.
6) Listing of the previous two year rolling average of MPFF's for any repetitive MPFF's and common causes.
7) Finalize (a)(1) / (a)(2) determination and review and approve goal-setting action plans (Form 3784).
8) Review and approve written summary reports as described in Section 8.4.

8.2 Balancing Unavailability and Reliability

The Maintenance Rule states:

"(a)(2) Monitoring as specified in paragraph (a)(1) of this section is not required where it has been demonstrated that the performance or condition of a structure, system, or component is being effectively controlled through the performance of appropriate preventive maintenance, such that the structure, system, or component remains capable of performing its intended function."

8.2.1 The effectiveness of the Maintenance Program for each system within the scope of the Maintenance Rule is monitored by plant and/or individual performance criteria. Performance criteria were established with input from the PRA and other sources that have taken into account the acceptable performance of the system/function.

8.2.2 Unavailability and reliability are balanced when these performance criteria are being met. If the performance criteria are not being met, goal setting action plans are established to restore this balance.

8.2.3 Regulatory Guide 1.160 states that "nuclear power plant maintenance is clearly important in protecting public health and safety" . . . and that "Adjustments must be made where necessary to ensure that the objective of preventing failures of SSCs through maintenance is appropriately balanced against the objective of minimizing unavailability of SSCs because of monitoring or preventive maintenance". Effective maintenance must be maintained and evaluated both when on-line and during outage periods. The periodic (a)(3) reports address how this balance has been maintained during the reporting period.

8.3 (a)(1) Goal-Setting Action / Performance Improvement Plans

8.3.1 When a SSC has unacceptable performance, the Maintenance Rule requires that goals be established which are commensurate with safety and, where practical, take into account industry wide operating experience. Goals are established to bring about the necessary improvements in performance to restore these SSCs to (a)(2) status.

Form 3784 "Maintenance Rule (a)(1) Action / Performance Improvement Plan" (Figure 15.1) is used to document the required information for these plans. The form is available on-line and contains detailed instructions for completion of the required information.

8.3.2 Insights into establishing goals commensurate with safety are obtained from inputs from the PRA, system engineer, Maintenance Rule Coordinator, Expert Panel, Corrective Action Process, and industry-wide operating experience.

8.3.3 Industry-wide operating experience is obtained from numerous sources, such as:

A. Monticello's Operating Experience database

B. NPRDS/EPIX

C. Nuclear Network items.

D. Direct contact with Utility Peers

E. BWR Owners Group membership

F. Specific Industry Groups (i.e. Terry Turbine, MOV Users Group, etc.)

G. Equipment Manufacturers (i.e. Recirc Seal Improvement Group) or also just direct contact with OEM's.

H. INPO and/or EPRI supplied information.

8.3.4 When applicable, the system engineer is expected to have current knowledge of industry-wide operating experience for his or her system which can be used in the development of goal-setting action plans.

8.3.5 The Expert Panel reviews the completed action / performance improvement plans to ensure that sufficient information is obtained to create accurate goal-setting action plans.

8.3.6 Once approved, these forms are attached to the appropriate system information in the Maintenance Rule Database.

8.4 Reporting

8.4.1 NUMARC 93-01 and Section (a)(3) of 10CFR 50.65 (Maintenance Rule) require a written periodic assessment at least once every refueling cycle, but not to exceed 24 months.

8.4.2 Monticello's implementation of this requirement is to prepare mid-cycle and end-of-cycle written Periodic (a)(3) Assessment Summary Reports (approximately annually for a 24 month fuel cycle). These reports are drafted by the Maintenance Rule Coordinator and reviewed by the Expert Panel. The approved report is forwarded to site management to ensure that they remain apprised of Maintenance Rule Program activities.

8.4.3 Reports regarding the status of the Maintenance Rule Program are provided upon request to Monticello plant management. These updates are performed periodically as a presentation to the Plant Health Committee which reviews programs that are part of the Site's System Health Reporting Process.

9.0 EVALUATION OF SYSTEMS REMOVED FROM SERVICE AND EMERGENT CONDITIONS

The Maintenance Rule states:

"(a)(4) Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety."

9.1 On-Line Equipment Scheduling

9.1.1 Planned removal of equipment from service during plant operation is managed by the Plant Scheduling Department and assessed in accordance with Scheduling Work Instruction SWI-14.01 (RISK MANAGEMENT FOR OUTAGE AND ON-LINE ACTIVITIES) and FP-OP-RSK-01 (RISK MONITORING AND RISK MANAGEMENT).

On-line maintenance activities are performed in a manner to enhance reliability and plant safety while minimizing the equipment out-of-service time.

9.1.2 Development of the weekly plan is completed with heavy involvement of the PRA methods and PRA personnel. Scheduling also utilizes a PRA computer modeling tool called EQUIPMENT-OUT-OF-SERVICE (EOOS) to aid in plant risk considerations.

9.1.3 Emergent conditions, including unplanned equipment failures, are assessed and managed by Operations Duty Shift Supervision per 4 AWI-04.01.01 (GENERAL PLANT OPERATING ACTIVITIES) with the assistance of Scheduling and/or PRA personnel when necessary.

9.2 Outage Scheduling and Outage Risk Significance

9.2.1 OWI-02.07 (OPERATIONS WORK CONTROL), incorporates the defense-in-depth concept discussed in NUMARC 91-06 "Guidelines for Industry Actions to Assess Shutdown Management".

9.2.2 Prior to each refueling outage or extended outage, an Outage Risk Management Team is assigned. This team consists of experienced individuals from key site departments which review the outage schedule with the aid of a shutdown PRA developed specifically for each segment of the outage being planned.

9.2.3 Appropriate recommendations are then incorporated into the outage schedule as necessary to minimize times with high risk. If significant changes emerge during the outage, PRA sensitivity studies are performed and/or the Outage Risk Management Team is reconvened as necessary.

9.2.4 During plant operations the overall risk significance of an individual SSC can be readily determined, but during plant refueling and extended outages, the risk significance of an individual system can vary greatly based on the plant configuration (such as vessel flooded up, core off-load, etc.) and what other systems are available to perform the same function. In order to ensure the appropriate amount of emphasis is placed on SSCs during the appropriate times, Monticello maintains a minimum number of required SSCs for power availability, water addition and cooling in accordance with Operations Manual C.3.VIII.

9.2.5 Reactivity control and containment requirements are governed by the Monticello Technical Specifications. Also, an outage specific (shutdown) PRA model is used to determine risk levels of plant configurations of interest. Outage system maintenance windows are developed and maintained within these guidelines by the Plant Scheduling Department (Scheduling). The system windows are then incorporated into the outage risk assessment. If a change to a particular system window is required due to emergent work, a reassessment is completed and other windows are modified if necessary to manage overall risk throughout the outage.

9.2.6 SSCs can be normally not risk significant during plant operations or during normal outages, however due to the numerous different outage configurations, a previously non-risk significant system may develop a high importance during a given outage configuration.

9.2.7 Failure of any SSC during the period in which it is being relied upon is closely monitored by the Maintenance Rule Coordinator and Scheduling. Any such failures are promptly reviewed. The SSC is quickly returned to service, or acceptable alternate SSCs are returned to service or held as available. These SSCs are individually monitored by the Maintenance Rule Coordinator who tracks them via the Maintenance Rule Database or other acceptable means.

9.2.8 Equipment failure events are identified through reviews of CAPs, work orders, and the operations log book (SOMS Narrative Logs). These reviews are performed by the Maintenance Rule Coordinator, System Engineers, Scheduling, and/or the PRA group.

9.2.9 Individual SSC and total combined SSC reliability performance criteria (MPFFs) for SSCs relied upon during outage conditions are as specified below. The individual SSC criteria are used to control the color ((a)(1)/(a)(2) status) of specific system windows in the Maintenance Rule Access Database. The total combined SSC criteria is used to control the color of the plant level window "Unplanned Shutdown Deviations" in the database. These failures are also counted against the normal non-outage reliability criteria in the Maintenance Rule Database. All criteria are based on a two-year rolling average.

| | Yellow | Red or (a)(1) |
|---|---|---|
| Each SSC | >0.0 | >0.5 |
| Total of all SSCs | >1.0 | >2.0 |

In addition, the failure of any SSC which causes the outage risk color (level) to unexpectedly change to Orange or Red will undergo an (a)(1) review by the Maintenance Rule Expert Panel to determine if the failed SSC should be placed in (a)(1) status. This review will take into consideration the significance of the increase in risk as well as the SSC's historical performance.

Unavailable hours for required risk-significant SSCs will be tracked by the Maintenance Rule Coordinator against the existing unavailability criteria. Unavailable hours are typically obtained from Control Room or Pump Room logs based on entries made when taking equipment out of service for surveillance testing, maintenance or LCO conditions. The Maintenance Rule database contains the information related to SSC unavailable hours as well as the comments / reasons that the equipment was considered to be unavailable. Using this methodology to determine unavailability may be conservative, however, it simplifies data gathering for use and assessment. Unavailable hours may be challenged and changed in the database if appropriate to do so (e.g. if it is later discovered that the SSC was actually available during a portion of that period).

9.2.11 For required SSCs that do not have unavailability criteria in the Maintenance Rule Database (normally non-risk significant SSCs), the unavailable hours will be tracked by the Maintenance Rule Coordinator outside the database. The unavailability performance criterion for these SSCs will conservatively be set at 2 percent of the required hours of operation during the outage. The 2 percent criterion is based on the Red (a)(1) Emergency Diesel Generator (DGN) unavailability criterion which is very conservative. The Expert Panel will review the appropriateness of the 2 percent criterion versus the specific SSC unavailable hours on a case-by-case basis to determine if placement in (a)(1) status is warranted.

9.2.12 The use of the Shutdown PRA (with the Outage Risk Management Team), Operations Manual C.3.VIII and the Monticello Technical Specifications ensures that the intent of the Maintenance Rule is met by requiring the appropriate individual monitoring of risk significant SSCs when such SSCs are required to be available for the assumed outage condition.

10.0 MAINTENANCE RULE EXPERT PANEL DETAILS

10.1 Expert Panel Composition and Qualifications

10.1.1 The panel should consist of personnel experienced with the plant PRA and with operations and maintenance. Ideally, members would have previously held an SRO license or certification. It should be noted that all of the initial Expert Panel members held an NRC SRO License or NSP SRO certification. As a minimum, at least one person from each of the following areas should be members of the panel:

A. Operations

B. Scheduling

C. System Engineering

D. Risk Analysis group

E. Maintenance

10.1.2 The Maintenance Rule Coordinator will function as the chairman of the panel. Other personnel from other departments may be added to the panel at the discretion of the chairman.

10.1.3 A department may choose to have a permanent alternate panel member to ensure representation when the primary panel member is unavailable. Panel members may also designate a temporary alternate with the approval of the chairman. The chairman would need to consider the qualification of the temporary alternate and the items on the meeting agenda before granting approval.

10.1.4 In general, if a member takes a new job and will no longer be able to serve on the panel as determined by the chairman, the member will be replaced by the alternate (if one exists) or by the person who fills the member's previous job.

10.1.5 Training for new members to the panel will be determined by the chairman and documented in the meeting minutes. As a minimum, the Expert Panel Members should have a good knowledge of the plant and general knowledge of the Maintenance Rule and PRA processes. Until training is completed, new members will be allowed to participate in discussions, but will not have any voting privileges.

10.2 Functions of the Expert Panel

10.2.1 The panel will be responsible for using their personal knowledge and experience along with PRA insights to perform the functions described in Section 3.6 of this document.

10.3 Review Method and Decision Making

10.3.1 The interactive group method will be used unless circumstances make it necessary to use some other method. The chairman will make this determination. Also, see the "Maintenance Rule Expert Panel Document" for additional information on various types of review methods.

10.3.2 Decisions are normally reached by consensus. Majority voting may be used if a consensus cannot be reached.

10.4 Meeting Frequency

10.4.1 Meetings are held as required to perform periodic assessments, review of action plans and/or changes to system basis documents. Other meetings will be held at the discretion of the chairman.

10.5 Quorum

10.5.1 A quorum will consist of a simple majority of the members, one of which must be the chairman or his designee. No more than 2 alternates SHALL be used to satisfy the quorum requirement. Alternates SHALL be designated as such in the meeting minutes. If no PRA member or alternate is present and the chairman determines that PRA representation is needed, the items requiring PRA input should be tabled.

10.6 Documentation

10.6.1 Meeting minutes will be taken by the Expert Panel Chairman or someone appointed at the meeting. Handouts will be attached to the official minutes for filming. See Section 13.0, Retention of Records, for filming details.

11.0 MAINTENANCE RULE DOCUMENTATION REQUIREMENTS

11.1 Per NUMARC 93-01 the documentation developed to support implementation of the Maintenance Rule is not within the scope of the quality assurance program unless previously defined. NUMARC 93-01 does provide a listing of those activities that should be documented.

11.2 Documentation generated as described in this Program Document meets the guidelines identified in NUMARC 93-01.

NOTE: See Section 13.0 for Maintenance Rule Programmatic documents that are to be retained and microfilmed.

12.0 REFERENCES

12.1 10CFR50.65, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (Maintenance Rule)

12.2 Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants"

12.3 Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants"

12.4 NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants"

12.5 NUMARC 93-02, "A Report on the Verification and Validation of NUMARC 93-01 'Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants'"

12.6 NRC Letter to Nuclear Energy Institute, dated June 29, 1994, "Final NRC Staff Review of Questions and Answers from the August 1993 NUMARC Maintenance Workshops"

12.7 4 AWI-01.03.01 (QUALITY ASSURANCE PROGRAM BOUNDARY)

12.8 Monticello Updated Safety Analysis Report (USAR)

12.9 Monticello Emergency Operating Procedures (C.5's)

12.10 Monticello GL 88-20 Individual Plant Examination (IPE) Submittal

12.11 Monticello Shutdown Risk Assessments Conducted for Refueling Outages

12.12 Monticello Design Basis Documents (DBDs)

12.13 NUREG 1526, "Lessons Learned from Early Implementation of the Maintenance Rules at Nine Nuclear Power Plants"

12.14 10CFR50.73, "Licensee Event Report System"

12.15 NUREG 0200, "Status Summary Report"

12.16 NUREG 1.155, "Station Blackout"

12.17 NUMARC 87-00, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout"

12.18 FP-PA-ARP-01 (CAP ACTION REQUEST PROCESS)

12.19 EPRI TR-I 038425, Class I Structures License Renewal Industry Report

12.20 NSPE-I 2-4312, MNGP PLEX Topical Report for Critical Concrete Structures

12.21 NEI 96-03, "Guidelines for Monitoring the Condition of Structures at Nuclear Power Plants"

12.22 OWI-02.07 (OPERATIONS WORK CONTROL)

12.23 SWI-14.01 (RISK MANAGEMENT FOR OUTAGE AND ON-LINE ACTIVITIES)

12.24 FP-OP-RSK-01 (RISK MONITORING AND RISK MANAGEMENT)

12.25 NUMARC 96-01, "Guidelines for Industry Actions to Assess Shutdown Management"

12.26 Maintenance Rule Historical & Basis Documents: 1) Plant Level Basis Document, 2) System Basis Documents, 3) Boundary Definition Guidance Document, 4) Definition of "Signification Fraction of an EOP" Document, 5) EOP Review Document, 6) "Could Cause" Review, 7) Maintenance Rule Expert Panel Document.

12.27 4 AWI-04.01.01 (GENERAL PLANT OPERATING ACTIVITIES)

12.28 EPRI Technical Bulletin 96-11-01, "Monitoring Reliability for the Maintenance Rule", dated November, 1996.

12.29 EPRI Technical Bulletin 97-3-01, "Monitoring Reliability for the Maintenance Rule - Failures to Run", dated March, 1997.

12.30 4 AWI-04.02.02 (PLANT INSPECTION PROGRAM)

12.31 OWI-02.03 (OPERATOR ROUNDS)

12.32 Monticello Operations Manual, Section C.3.VIII, Shutdown and Refuel Mode Requirements

12.33 EPRI Maintenance Rule User Group White Papers (Volume 2)

12.34 CD 5.22 "Maintenance Rule Program Standard" (NMC Fleet Corporate Directive)

12.35 NRC Inspection Manual - Inspection Procedure - IP 71111-12 "Maintenance Effectiveness"

12.36 NRC Enforcement Manual - Chapter 8 "Guidance on Activity Areas", Section 8.1.11 "Actions Involving the Maintenance Rule"

12.37 Maintenance Rule Self Assessment (December 2002) - CR# 02011754 "Program Engineering Maintenance Rule Self Assessment Report" and its associated actions

12.38 EWI-10.01.04 (EQUIPMENT RELIABILITY TRENDING PROCESS)

12.39 FL-ESP-PGM-023M (MAINTENANCE RULE PROGRAM OWNER)

12.40 FL-ESP-PGM-024M (MAINTENANCE RULE PROGRAM SUPPORT ACTIVITIES)

12.41 FL-ESP-SYS-003 (SUPPORT MAINTENANCE RULE ACTIVITIES BY EVALUATING/ADDRESSING MAINTENANCE PREVENTABLE FAILURES)

12.42 FL-ESP-SYS-004 (SUPPORT MAINTENANCE RULE ACTIVITIES BY MONITORING AND ADVOCATING RESOLUTION OF MAINTENANCE RULE CATEGORY (a)1 ITEMS)

13.0 RETENTION OF RECORDS

13.1 The following documents are microfilmed for future retrieval:

- System Basis Documents
- Written Periodic (a)(3) Assessment Reports
- Expert Panel Meeting Minutes and Attachments

13.2 Historical documents (See Reference 12.26) which are not microfilmed are retained in a fireproof cabinet. Historical information dealing with the development of each individual System Basis Document is retained with the individual system binders.

14.0 TABLES

14.1 Monticello Maintenance Rule System Identification

OPS MAN | SYS | SYSTEM | MAINT RULE SCOPE | RISK SIGN
B.09.10 | 125 | 125 V DC System | Yes | Yes*
B.09.09 | 250 | 250 V DC System | Yes | Yes*
B.09.07 | 480 | 480 V Station Auxiliary | Yes | Yes*
B.09.05 | 115 | 115 KV Substation | Yes | Yes*
B.09.04 | 230 | 230 KV Substation | Yes | No
B.09.03 | 345 | 345 KV Substation | Yes | Yes*
B.09.11 | 24V | 24 V DC System | Yes | No*
B.09.06 | 4KV | 4.16 KV Station Auxiliary | Yes | Yes*
B.08.04.01 | AIR | Instrumentation & Service Air | Yes | Yes*
B.08.04.03 | AN2 | Alternate Nitrogen System | Yes | No
B.05.13 | ANN | Annunciators | Yes | No
B.03.03 | APR | Reactor Pressure Relief | Yes | Yes
B.05.12 | ARM | Area Radiation Monitoring System | Yes | No
B.05.17 | ASD | Alternate Shutdown System | Yes | Yes
B.08.01.05 | BIS | Biocide Injection | Yes | No
B.08.14 | CAT | Cathodic Protection System | Yes | No
B.06.06 | CDM | Condensate Demineralizer | Yes | No
B.06.03 | CDR | Main Condenser | Yes | No*
B.06.05 | CFW | Condensate & Reactor Feedwater | Yes | Yes*
B.05.10 | CMP | Process Computer | Yes | No
B.08.08 | COM | Plant Communications Systems | Yes | No
B.01.02 | CRD | Control Rod Drives | Yes | Yes
B.01.03 | CRH | CRD Hydraulic System | Yes | Yes*
B.08.15 | CRN | Cranes | Yes | No
B.03.01 | CSP | Core Spray | Yes | Yes*
B.08.09 | CST | Condensate Storage System | Yes | Yes*
B.06.04 | CWT | Circulating Water System (and SHC) | Yes | No
B.08.16 | DAC | Drywell Atmosphere Cooling | Yes | No
B.09.08 | DGN | Diesel Generators | Yes | Yes*
B.08.11 | DOL | Diesel Oil System | Yes | No
B.08.10 | DWS | Demineralized Water Storage | No | No
B.08.13 | EFT | Main Control Room H&V & Emergency Filtration Train | Yes | No
B.08.01.02 | ESW | EDG Emergency Service Water | Yes | Yes*
B.08.05 | FIR | Fire Protection | Yes | Yes*
B.02.01 | FPC | Fuel Pool Cooling and Cleanup | Yes | No*
B.08.01.04 | FSW | Emergency Service Water System | Yes | No
B.06.05.01 | FWS | Reactor Feedwater Pump Seal System | No | No
B.09.02/06.02.01 | GEN/GEL | Generation/Physical Design & Construction (Generator) | Yes | No
B.02.07 | GZP | Gen Elec Zinc Injection Passivation (GEZIP) | No | No
B.06.02.02 | H2C | Hydrogen Cooling System | Yes | No
B.06.02.03 | H2S | Hydrogen Seal Oil System | Yes | No
B.04.03.01 | HOA | H2/O2 Analyzing System | Yes | No
B.03.02 | HPC | High Pressure Coolant Injection | Yes | Yes
B.08.03 | HTB | Heating Boiler | Yes | No
B.08.07 | HTV | Heating and Ventilation | Yes | Yes
B.02.06 | HWC | Hydrogen Water Chemistry | No | No
B.07.01 | LRW | Liquid Radwaste | Yes | No
B.09.14 | LTG | Lighting | Yes | No
B.05.16 | MET | Meteorological Monitoring Systems | Yes | No
B.02.04 | MST | Main Steam | Yes | No
B.08.02 | MUD | Plant Makeup | No | No
B.09.15 | NDG | Non-Essential Diesel Generator | Yes | Yes*
B.05.01.01 & 02 | NIS/NIP | Startup Range Monitors/Power Range Monitors | Yes | No
B.07.02.02 | OGH | Off-Gas Holdup System | Yes | No
B.07.02.01 | OGR | Recombiner System | Yes | No
B.05.18 | PAS | Post Accident Sampling System | No | No
B.05.09 | PCS | Main Steam Pressure Control | Yes | No
B.04.01 | PCT | Primary Containment | Yes | Yes*
B.05.06 | PPS | Plant Protection System - ATWS-Alt Rod Insertion & Recirc Pump Trip | Yes | Yes
B.05.06 | PPS | Plant Protection System - Reactor Protection System | Yes | Yes
B.05.06 | PPS | Plant Protection System - Primary Containment Isolation System | Yes | No*
B.05.11 | PRM | Process Radiation Monitoring System | Yes | No
B.02.05 | RBC | Reactor Building Closed Cooling System | Yes | No*
0.2 | RCH | Reactor Components Handling Equipment | Yes | No
B.02.03 | RCI | Reactor Isolation Cooling System | Yes | Yes
B.01.04 | REC | Recirculation System | Yes | No
B.05.08 | RFC | Recirculation Flow Control | Yes | No
B.03.04 | RHR | Residual Heat Removal | Yes | Yes*
B.05.07 | RLC | Reactor Level Control | Yes | No
B.05.05 | RMC | Reactor Manual Control | Yes | No
B.05.04 | RPI | Rod Position Information System | Yes | No
B.09.12 | RPP | Reactor Protection System Power Supply | Yes | No
B.01.01 | RPV | Reactor and Vessel Assembly | Yes | Yes
B.08.01.03 | RSW | RHR Service Water | Yes | Yes*
B.02.02 | RWC | Reactor Water Cleanup | Yes | No*
B.05.02 | RWM | Rod Worth Minimizer | Yes | No
B.08.04.02 | SAB | Service Air Blower | No | No
B.04.02 | SCT | Standby Gas Treatment | Yes | Yes
B.04.02 | SCT | Secondary Containment | Yes | Yes*
B.08.12.X | SEC | Security System | No | No
B.03.05 | SLC | Standby Liquid Control | Yes | Yes
B.05.14 | SMC | Seismic Monitoring System | No | No
B.07.03 | SRW | Solid Radwaste Handling | No | No
B.08.01.01 | SSW | Service Water | Yes | Yes*
B.06.02.04 | STC | Stator Cooling System | Yes | No
NA | STR | Structures | Yes | Some*
B.05.03 | TIP | Traversing In-Core Probe (TIP) | No | No
B.06.01 | TRB | Turbine | Yes | No
B.09.13 | UAC | Instrument AC & Uninterruptible AC Distribution System | Yes | Yes*
B.08.06 | WDW | Wells and Domestic Water | No | No

* NOTE: May be risk-significant during some outage configurations. See the shutdown PRA for outage specific information.

15.0 FIGURES

FIGURE 15.1 FORM 3784 "Maintenance Rule (a)(1) Action Performance Improvement Plan" (Use Current Revision)

FIGURE 15.2 Source Document Index

Source Source Section(s)

CD 5.22 NUMARC 93-01 Appendix B CD 5.22 4.0 AND 5.1 10CFR 50.65 (b)

CD 5.22 NUMARC 93-01 NUMARC 93-01 NUMARC 93-01 NUMARC 93-01 NUMARC 93-01 10CFR 50.65 10CFR 50.65 CD 5.22 NUMARC 93-01 NRC Commitment M97048A NEI 96-03 NRC Commitment M97050A NUMARC 93-01 NUMARC 93-01 9.4.4 4.5 and 5.6 AR 00627965-03 NUMARC 93-01 10CFR 50.65 CD 5.22 AR 00621405-04 5.6 and 5.13

MONTICELLO MAINTENANCE RULE PROGRAM DOCUMENT

FIGURE 15.2 Source Document Index (Cont'd)

Source Source Section(s)

5.11 NUMARC 93-01 AR 00631953 13.2 AR 00631953-11 Table 14.1 Monticello Maintenance Rule Scoping Sections System Basis Documents Figure 15.1

FIGURE 15.3 Summary of Significant Changes

Section 4.0 Added reference to 10CFR50.67 as required by License Amendment 148 (Full Scope Alternate Source Term).

16.0 ATTACHMENTS

APPENDIX A

16.1 Monticello Maintenance Rule Program Development

On July 10, 1991, the Nuclear Regulatory Commission (NRC) published in the Federal Register (56 Fed. Reg. 31324) its final Maintenance Rule entitled "Requirements for Monitoring the Effectiveness of Maintenance Activities at Nuclear Power Plants". The Commission stated, in the supplemental information published with the notice that, "it believes that effectiveness of maintenance must be assessed on an ongoing basis in a manner which ensures that the desired result, reasonable assurance that key Structures, Systems, and Components (SSCs) are capable of performing their intended function, is consistently achieved." This document provided the NRC with the regulatory authority and framework for evaluating the overall continuing effectiveness of licensee maintenance programs. 10CFR50.65(c) stated that "The requirements of this section shall be implemented by each licensee no later than July 10, 1996".

The industry and the NRC recognize that effective maintenance provides reasonable assurance that key structures, systems, and components are capable of performing their intended function. NUMARC, with the support of nuclear industry utilities and the NRC, developed an implementation guideline for the Maintenance Rule titled "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (NUMARC 93-01, dated May 1993). This guideline provides focus on maintenance activities and manpower used to ensure the performance of safety functions by maximizing the use of proven existing industry and individual plant maintenance programs and minimizing the dilution of critical resources to modify maintenance programs when established performance criteria are being met.

In June 1993, the NRC staff issued Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," which endorsed the May 1993 version of NUMARC 93-01.

Initial Verification and Validation (V&V) Projects were conducted at nine utilities prior to the required implementation of the Maintenance Rule to evaluate the best methods for implementation using this guideline. Lessons learned from this early implementation of the Maintenance Rule are contained in NUREG-1526, dated June 1995.

In January 1995, the NRC staff issued Revision 1 to Regulatory Guide 1.160 to reflect the amendment to 10CFR50.65(a)(3) that changed the requirement for performing the periodic evaluation from annually to once per refueling cycle, not to exceed 24 months between evaluations. Regulatory Guide 1.160, Revision 2 was issued to endorse Revision 2 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plant" (April 1996), which had been updated by the Nuclear Energy Institute (NEI). This regulatory guidance provides flexibility for a licensee to structure its maintenance program in accordance with the safety significance of those SSCs within the scope of the rule.


The NRC issued another final rulemaking modifying the Maintenance Rule on July 19, 1999 (64 Fed. Reg. 38551). This rulemaking established requirements under paragraph (a)(4) which requires nuclear power plant licensees to assess and manage the increase in risk that may result from proposed maintenance activities and clarified the applicability of the Maintenance Rule to all modes of plant operation. These changes were required to be implemented by November 28, 2000.

Section 11 of NUMARC 93-01, "Assessment of Risk Resulting from Performance of Maintenance Activities", was substantially modified in February 2000 to reflect this new rulemaking. Additionally, a new Appendix E, addressing Probabilistic Risk Assessment attributes, was created and clarifications were provided to the definition of "unavailability" contained in Appendix B of the NUMARC document. These changes were reflected in the issuance of Revision 3 to NUMARC 93-01, dated July 2000.

The NRC staff issued Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants," in May of 2000 as a companion guide to Regulatory Guide 1.160. Regulatory Guide 1.182 provides guidance on methods acceptable to the NRC for assessing and managing the increase in risk that may result from maintenance activities and for implementing the optional reduction in scope of SSCs considered in the assessments. Regulatory Guide 1.182 endorses the methodology addressed in NUMARC 93-01, Section 11 as acceptable for meeting the regulatory requirements of 10CFR 50.65 (a)(4).