ML003739150
ML003739150 | |
Person / Time | |
---|---|
Issue date: | 06/30/1997 |
From: | Office of Nuclear Regulatory Research |
To: | |
References | |
DG-1065 | |
Text
U.S. NUCLEAR REGULATORY COMMISSION, June 1997
OFFICE OF NUCLEAR REGULATORY RESEARCH
Division 1
Draft DG-1065
DRAFT REGULATORY GUIDE
Contact: B. Hardin (301)415-6561
DRAFT REGULATORY GUIDE DG-1065
AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMED DECISIONMAKING: TECHNICAL SPECIFICATIONS
This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review and does not represent an official NRC staff position.
Public comments are being solicited on the draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Comments will be most helpful if received by September 30, 1997.
Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, Attention: Printing, Graphics and Distribution Branch, or by fax to (301)415-5272.
1. INTRODUCTION
1.1 Background
Section 182a of the Atomic Energy Act requires that applicants for nuclear power plant operating licenses state:
[S]uch technical specifications, including information of the amount, kind, and source of special nuclear material required, the place of the use, the specific characteristics of the facility, and such other information as the Commission may, by rule or regulation, deem necessary in order to enable it to find that the utilization ... of special nuclear material will be in accord with the common defense and security and will provide adequate protection to the health and safety of the public. Such technical specifications shall be a part of any license issued.
In 10 CFR 50.36, the Commission established its regulatory requirements related to the content of technical specifications (TS). In doing this, the Commission placed emphasis on those matters related to the prevention of accidents and the mitigation of accident consequences; the Commission noted that applicants were expected to incorporate into their TS "those items that are directly related to maintaining the integrity of the physical barriers designed to contain radioactivity" (33 FR 18610). Pursuant to 10 CFR 50.36, TS are required to contain items in the following five specific categories: (1) safety limits, limiting safety system settings, and limiting control settings; (2) limiting conditions for operation; (3) surveillance requirements; (4) design features; and (5) administrative controls.
Since the mid-1980s, the NRC has been reviewing and granting improvements to TS based, at least in part, on probabilistic risk assessment (PRA) insights. Some of these improvements have been proposed by the NSSS owners groups to apply to an entire class of plants. Many others have been proposed by individual licensees. Typically, the proposed improvements involved a relaxation of one or more allowed outage times (AOTs) or surveillance test intervals (STIs) in the TS.
In its July 22, 1993 final policy statement on TS improvements (58 FR 39132), the Commission stated that it:
...expects that licensees, in preparing their Technical Specification related submittals, will utilize any plant-specific PSA or risk survey and any available literature on risk insights and PSAs . . . Similarly, the NRC staff will also employ risk insights and PSAs in evaluating Technical Specifications related submittals. Further, as a part of the Commission's ongoing program of improving Technical Specifications, it will continue to consider methods to make better use of risk and reliability information for defining future generic Technical Specification requirements.
The Commission reiterated this point when it issued the revision to 10 CFR 50.36 in July 1995.
Risk-informed TS submittals primarily deal with permanent changes to TS requirements, i.e., as the name suggests, the requirement is permanently changed when approved, and is applicable to all future occurrences. A one-time change to a TS requirement, where a different requirement is requested for a particular incident, also can use risk-informed evaluations, but it involves slightly different scope and considerations. This regulatory guide focuses on permanent changes to TS.
1.2 Purpose of this Regulatory Guide
This regulatory guide describes an acceptable approach for applying risk-informed methods to the changing of nuclear power plant TS allowed outage times (AOTs) and surveillance test intervals (STIs) in order to assess the impact of such proposed changes on the risk associated with plant operation in a consistent manner.
1.3 Scope of this Regulatory Guide
This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed permanent TS changes in AOTs and STIs by considering engineering issues and applying risk insights. Assessments should consider relevant safety margins and defense-in-depth attributes, including consideration of success criteria as well as equipment functionality, reliability and availability. Acceptance guidelines for evaluating the results of such evaluations are provided also.
This regulatory guide also describes development of acceptable TS change implementation strategies and performance monitoring plans that are sensitive to uncertainties.
Finally, this regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a complete and scrutable TS change analysis and that the results of the engineering evaluations support the licensee's request for the TS change.
1.4 Relationship to Other Guidance Documents
Regulatory guides are issued to describe to the public methods acceptable to the NRC staff for implementing specific parts of the NRC's regulations, to explain techniques used by the staff in evaluating specific problems or postulated accidents, and to provide guidance to applicants. Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required. Regulatory guides are issued in draft form for public comment to involve the public in developing the regulatory positions. Draft regulatory guides have not received complete staff review; they therefore do not represent official NRC staff positions.
This regulatory guide does not duplicate material in Draft Regulatory Guide DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to the Current Licensing Basis," which should be consulted for topics common to all risk-informed regulatory applications. Additionally, the companion draft NUREG-1602, "Use of PRA in Risk-Informed Applications," contains reference material on issues and methods for PRA that can be used to support regulatory decisionmaking. This regulatory guide provides only that guidance needed specifically for risk-informed TS changes over and above that given in Draft Regulatory Guide DG-1061.
The information collections contained in this draft regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
2. PROCESS OVERVIEW
This regulatory guide describes a four-element approach (illustrated in Figure 2.1) for evaluating risk-informed TS changes that encompasses each of the following five key principles of the staff's philosophy of risk-informed decisionmaking applied to TS changes.
- 1. The proposed change meets the current regulations. Applicable rules and regulations that form the regulatory basis for TS are discussed in Section 4.1, "Compliance with Current Regulations."
- 2. Defense-in-depth is maintained. The guidance contained in Section 4.2, "Traditional Engineering Considerations," applies the various aspects of maintaining defense-in-depth to the subject of changes in TS.
- 3. Sufficient safety margins are maintained. The guidance contained in Section 4.2, "Traditional Engineering Considerations," applies various aspects of maintaining sufficient safety margin to the subject of changes to TS.
- 4. Proposed changes in risk, both individual and cumulative, are small or are reductions and should not cause the NRC Safety Goals to be exceeded.
- 5. Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action. The three-tiered implementation approach discussed in Section 5.1, and Maintenance Rule control discussed in Section 5.2 provide guidance in meeting this principle.
Given the principles of risk-informed decisionmaking discussed above, the staff expects that a certain evaluation approach and acceptance guidelines that follow from those principles will be followed by licensees in implementing these principles, and the staff has identified a four-element approach to evaluating proposed CLB changes, as described in DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to the Current Licensing Basis." Those detailed discussions regarding the evaluation approach and acceptance guidelines are not repeated here; instead, specific application of the four-element approach for risk-informed TS is discussed.
Element 1: Define the Proposed TS Change
The licensee needs to explicitly identify the particular technical specifications that are affected by the proposed change, and identify available engineering studies, methods, codes, and PRA studies that are related to the proposed change. The licensee should consider how such changes will affect conformance with the plant's current licensing basis (CLB).² The licensee should also determine how the affected systems, components, or parameters are modeled in the PRA and should identify all elements of the PRA that the change impacts.
The licensee should utilize PRA insights to both determine the impact of the change on plant safety and to understand the impact on the licensing basis. Chapter 3 describes element 1 in more detail.
Element 2: Conduct engineering evaluations
The licensee should examine the proposed change to verify that it meets existing applicable rules and regulations. In addition, the licensee should determine how the change impacts defense-in-depth aspects of the plant's design and operation, and should determine the adequacy of safety margins following the proposed change. Finally, the licensee should consider how plant and industry operating experience relates to the proposed change, and what potential compensatory measures could be taken to offset any negative impact from the proposed change.
The licensee should also perform risk-informed evaluations of the proposed change to determine the impact on plant risk. The evaluation should explicitly consider the specific plant equipment affected by the proposed TS changes and the effects of the proposed change on the functionality, reliability, and availability of the affected equipment. The necessary scope and level of detail of the analysis depends upon the particular systems and functions that are affected, and it is recognized that there will be cases for which a qualitative, rather than quantitative, risk analysis is acceptable.
The licensee should provide the rationale that supports the acceptability of the proposed changes by integrating probabilistic insights with traditional considerations to arrive at final determination of risk. The determination should consider the continued conformance to existing applicable rules and regulations, the adequacy of the traditional engineering evaluation of the proposed change, and the change in plant risk relative to the acceptance guidelines. All of these areas should be adequately addressed before the change is considered acceptable. The specific guidance for an acceptable approach for performing engineering evaluations of changes to TS is found in Chapter 4.
Element 3: Develop implementation and monitoring program
The licensee should develop an implementation and performance monitoring program formulated to confirm the assumptions and analyses that were conducted to justify the CLB change, to ensure that plant operational safety can be maintained consistent with the assumptions in the PRA analysis of Element 2, and to ensure that the process provides criteria for taking actions based on the results of the monitoring efforts. Specific guidance for element 3 is provided in Chapter 5.
² This regulatory guide adopts the 10 CFR 54.3 definition of current licensing basis. That is, "Current Licensing Basis (CLB) is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."
Element 4: Submit Proposed Change
The final element involves documenting the analyses and submitting the license amendment request. NRC will review the submittal according to NRC Standard Review Plan (SRP) Chapter 16.1, "Risk-Informed Decisionmaking: Technical Specifications," and in accordance with the NRC regulations governing license amendments (10 CFR 50.90, 50.91, and 50.92).
Documentation and submittal guidance for risk-informed TS change evaluations are provided in Chapter 5 of this draft regulatory guide.
Figure 2.1 General description of an acceptable approach to risk-informed applications.
3. ELEMENT 1: DEFINE THE PROPOSED CHANGES
3.1 Reason for Proposed Changes
The reasons for requesting the TS change or changes should be stated in the submittal along with information that demonstrates that the extent of the change is needed. Generally acceptable reasons for requesting TS modifications fall into one or more of the categories below.
3.1.1 Improvement in Operational Safety
The reason for the TS modification may be to improve operational safety; that is, a reduction in the plant risk or a reduction in occupational exposure of plant personnel in complying with the requirements.
3.1.2 Consistency of Risk Basis in Regulatory Requirements
The TS modifications requested can be supported on their risk implications. TS requirements can be changed to reflect improved design features in a plant or to reflect equipment reliability improvements that make a previous requirement unnecessarily stringent or ineffective. TS may be changed to establish consistently based requirements across the industry or across an industry group. It must be ensured that the risk resulting from the change remains acceptable.
3.1.3 Reduce Unnecessary Burdens
The change may be needed to reduce unnecessary burdens in complying with current TS requirements, based on the operating history of the plant or industry in general. For example, in specific instances, the repair time needed may be longer than the AOT defined in the TS. The required surveillance may lead to plant transients, result in unnecessary equipment wear, result in excessive radiation exposure to plant personnel, or place unnecessary administrative burdens on plant personnel that are not justified by the safety significance of the surveillance requirement. In some cases, the change may provide operational flexibility, and, in those cases, the modification might allow an increase in the allocation of the plant personnel's time to more safety-significant aspects.
4. ELEMENT 2: ENGINEERING EVALUATION
The second element of an acceptable approach to risk-informed TS modifications involves assessing the impact of the proposed TS change on postulated design basis accidents and transients and on potential core damage accidents, using both traditional engineering methods and PRA techniques and insights.
Licensees are expected to provide strong technical bases for any TS change. The technical bases should be rooted in traditional engineering and system analyses. TS change requests based on PRA results alone should not be submitted for review. TS change requests should give proper attention to the integration of considerations such as conformance to Standard Technical Specifications, generic applicability of the requested change if it is different from Standard Technical Specifications, operational constraints, manufacturer recommendations, and practical considerations for test and maintenance. Standard practices used in setting AOTs and STIs should be followed, e.g., AOTs nominally used are 8 hours, 12 hours, 24 hours, 72 hours, 7 days, 14 days, etc. STIs nominally used are 12 hours, 7 days, 1 month, 3 months, etc. Using such standards greatly simplifies implementation, scheduling, monitoring, and auditing. Logical consistency among the requirements should be maintained, e.g., AOT requirements for multiple trains out of service should not be longer than that for one of the constituent trains.
4.1 Compliance With Current Regulations
In evaluating proposed changes to TS, the licensee must ensure that the current regulations are met, consistent with principle #1 of risk-informed regulation. The NRC regulations specific to TS are stated in 10 CFR 50.36, "Technical Specifications." Additional information with regard to the NRC's policies on TS is contained in the "NRC Final Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" (58 FR 39132). These documents define the main elements of TS and provide criteria for items to be included in the TS. The final policy statement and the statement of considerations for 10 CFR 50.36 (60 FR 36953) also discuss use of probabilistic approaches to improve TS. Regulations regarding application for and issuance of license amendments are found in 10 CFR 50.90, 50.91, and 50.92. In addition, the licensee should ensure that the TS change does not result in non-compliance with any other portion of the current licensing basis.
4.2 Traditional Engineering Considerations
4.2.1 Maintenance of Defense-in-Depth
One aspect of the engineering evaluations is to show that the fundamental safety principles on which the plant design was based are not compromised. Design basis accidents (DBAs) play a central role in nuclear power plant design. DBAs are a combination of postulated challenges and failure events against which plants are designed and design features that ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions which are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single failure criterion constitute additional engineering considerations that influence plant design and operation. Margins and defenses associated with these considerations may be affected by the licensee's proposed TS change and, therefore, should be reevaluated to support a requested TS change. As part of this evaluation, the impact of the proposed TS change on affected equipment functionality, reliability, and availability will be determined.
The licensee should assess whether the proposed TS change meets the defense-in-depth principle (principle #2). Defense-in-depth consists of a number of elements as summarized below. These elements can be used as guidelines for making that assessment. Other equivalent acceptance guidelines are acceptable.
Defense-in-depth is maintained when:
* A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved, e.g., the proposed change in a TS AOT or STI has not significantly changed the balance among these principles of prevention and mitigation. TS change requests should consider whether the anticipated operational changes associated with a change in an AOT or STI could introduce new accidents or transients or could increase the likelihood of an accident or transient.
* Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided, e.g., a programmatic configuration control process should not be relied upon to account for a large risk increase associated with a TS AOT extension.
* System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system, e.g., there are no risk outliers. The following items should be considered:
  - There are appropriate restrictions in place to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity;
  - Compensatory actions to be taken when entering the extended AOT for pre-planned maintenance are identified;
  - Voluntary removal of equipment from service during plant operation should not be scheduled when adverse weather conditions are predicted or at times when the plant may be subjected to other abnormal conditions; and
  - The impact of the TS change on the safety function should be taken into consideration. For example, what is the impact of a change in the AOT for the low pressure safety injection system on the overall availability and reliability of the low pressure injection function?
* Defenses against potential common cause failures are maintained and the potential for introduction of new common cause failure mechanisms is assessed, e.g., TS change requests should consider whether the anticipated operational changes associated with a change in an AOT or STI could introduce any new common cause failure modes not previously considered.
* Independence of barriers is not degraded, e.g., TS change requests should address the licensee's overall configuration risk management system which will provide a means of ensuring that the independence of barriers has not been degraded by the TS change.
* Defenses against human errors are maintained, e.g., TS change requests should consider whether the anticipated operation changes associated with a change in an AOT or STI could change the expected operator response or introduce any new human errors not previously considered.
4.2.2 Maintenance of Safety Margins
The engineering evaluation conducted should assess whether the impact of the proposed TS change is consistent with the principle that sufficient safety margins are maintained (principle #3). An acceptable set of guidelines for making that assessment is summarized below. Other equivalent decision guidelines are acceptable.
Sufficient safety margins are maintained when:
* Codes and standards or alternatives approved for use by the NRC are met, e.g., the proposed TS AOT or STI change is not in conflict with approved codes and standards relevant to the subject system.
* Safety analysis acceptance criteria in the FSAR are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainties, e.g., the proposed TS AOT or STI change does not adversely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected, justification is provided to ensure sufficient safety margin will continue to exist. For TS AOT changes, an assessment should be made of the effect on the FSAR acceptance criteria assuming the plant is in the AOT (i.e., the subject equipment is inoperable), and there are no additional failures. Such an assessment should result in the identification of all situations where entry into the proposed AOT could result in failure to meet an intended safety function.
4.2.3 Additional Engineering Considerations
Additional considerations that are unique to risk-informed TS changes should be taken into account in an engineering evaluation. These items can be summarized as follows.
(1) TS AOT and STI modifications should be supported by the overall safety benefit.
(2) Justification for TS AOT modifications should be based on the need for extended equipment outage time and the demonstrated availability of redundant equipment. The AOT defined should be adequate to complete the majority of the component repairs or post-maintenance activities intended to be performed during power operation; however, AOTs should not be based solely on preventative maintenance activities that require long outage times but occur infrequently (e.g., once every five years). In addition, the AOT should be adequate to conduct any required surveillance tests that render the component or system inoperable. The burden of testing and maintenance can place a stress on the crew, which can affect the quality of the testing or maintenance and thereby the component reliability. Crew burden should be part of the consideration in deciding changes to requirements.
(3) Regardless of the AOT, the actual time equipment is removed from service should be minimized. The removal should be performed during stable plant conditions and should not result in repeated TS entries.
(4) TS change requests should consider both plant-specific and industry-wide operational experience on systems important for coping with transients or accidents.
(5) Some systems may not be modeled by the plant's PRA, but could affect the best estimate of the performance or availability of systems that might provide a backup function for the system for which the TS change is being requested (this could change the required performance or availability of the system for which the TS change is being sought). The review should, therefore, consider systems beyond those modeled in the PRA.
(6) TS change requests should consider the occupational exposure to test and maintenance personnel to conduct required test and maintenance on the subject TS system.
4.3 Evaluation of Risk Impact
The staff has identified a three-tiered approach for licensees to evaluate the risk associated with proposed TS AOT changes. The first tier is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the change in the incremental conditional core damage probability (ICCDP),³ and the incremental conditional large early release probability (ICLERP). The second tier is an evaluation of the process used to address potentially high risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service simultaneously, or other risk significant operational factors such as concurrent system or equipment testing were also involved. The objective of this part of the review is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. The third tier is an evaluation of the overall configuration risk management system to ensure that adequate programs and procedures are in place to identify and compensate for other potentially lower probability, but nonetheless risk-significant configurations resulting from maintenance and other operational activities. Although defense in depth is protected to some degree by most current TS, the three-tiered approach to the evaluation of risk-informed TS modifications discussed in the following section provides additional assurance that defense in depth will not be significantly impacted by such changes to the licensing basis.
³ ICCDP = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] × (duration of single AOT under consideration).
Tier 1: PRA Capability and Insights
In the first tier, the licensee should assess the impact of the proposed TS modification on core damage frequency (CDF), ICCDP, and ICLERP. To support this assessment, two aspects need to be considered: 1) the validity of the PRA, and 2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS modifications and identify the impact of the TS change on plant risk.
Tier 2: Avoidance of Risk-Significant Plant Configurations
The licensee should also provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS modification. An effective way to perform such an assessment is to evaluate systems and/or components according to their contribution to plant risk (or safety) while the plant is in a limiting condition for operation (LCO) for equipment AOT. Once system equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS, or procedures, are needed to avoid risk-significant plant configurations. In addition, compensatory actions which can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgrading procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS modifications as described under "Tier 1" above.
Tier 3: Risk-Informed Plant Configuration Control and Management
In the third tier, the licensee focuses on programs that ensure that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations as they evolve during real-time, normal plant operation. This can be accomplished by quantitatively evaluating the impact on plant risk of equipment unavailability, operational activities like testing or load dispatching, or weather conditions.
The need for this third tier stems from the difficulty of identifying all possible risk-significant configurations under Tier 2. Tier 2 programs typically result in a table or set of tables that assume certain systems are unavailable, and specify other systems that cannot be out of service under the assumed conditions. This third tier is needed because of the difficulty of providing a set of tables under Tier 2 that cover all plant configurations that will ever be encountered over extended periods of plant operation.
Sections 4.3.1 through 4.3.7 and Appendix A discuss various issues related to the three tiered approach described above. In general, Sections 4.3.2 through 4.3.5 and Appendix A outline issues associated with Tier 1, and Sections 4.3.6 and 4.3.7 outline issues associated with Tiers 2 and 3, respectively.
There may be situations where a non-quantitative assessment of risk (either alone or accompanied by quantitative assessment) is sufficient to justify TS changes. The licensee is expected to use its judgment of the acceptability (to support regulatory decisionmaking) of the risk argument being considered, including the appropriate blend of quantitative and qualitative assessments.
4.3.1 Quality of the PRA
The quality of the PRA must be compatible with the safety implications of the TS change being requested. That is, the more the potential change in risk and/or the greater the uncertainty in that risk due to the requested TS change, the more rigor that must go into ensuring the quality of the PRA. The licensee should ensure that the quality of the PRA is compatible with its intended use. DG-1061 provides guidance regarding the expected quality of PRAs for risk-informed regulatory applications, including TS. With regard to TS in particular, it should be noted that some licensees may elect to use the PRA underlying their individual plant examination (IPE) to analyze the risk impact associated with requested TS changes. The NRC staff's review of the IPE submittal alone does not suffice as an adequate review for TS applications.
4.3.2 Scope of the PRA for TS Change Evaluations
The scope and the level of PRA necessary to support the evaluation of a TS change depend on the type of TS change being sought. To define the needed scope, a full-power, internal event PRA is first considered, and other aspects (e.g., operating modes, types of events, Level 2) are added as needed.
The level of PRA that should be conducted depends on the type of TS change involved. Minimally, for systems used to prevent core damage (i.e., most of the TS systems modeled in a PRA other than the containment systems), Level 1 evaluations should be performed. For containment systems, Level 2 evaluations are likely to be needed at least to the point of assessing containment structural performance. When only a Level 1 PRA is available but additional Level 2 information is desirable, one acceptable method for approximating the needed information is proposed in Appendix B to DG-1061.
For modifications to TS requirements defined for the power operation mode, full-power internal-event PRAs, for which the scope includes internal fires and flooding, should be used.
When modifications to requirements for systems needed for decay heat removal are considered, then an assessment of shutdown risk should also be considered. Examples of such systems are auxiliary feedwater, residual heat removal, emergency diesel generator, and service water. Also, when AOTs are being modified to facilitate online maintenance (that is, transferring scheduled preventive maintenance (PM) from shutdown to power operation), the impact on the shutdown modes should also be evaluated. Using both power operation and shutdown models, a comparative evaluation may be presented to decide the appropriate condition for scheduling maintenance based on risk evaluations.
When AOTs are being modified in anticipation of the need for additional time for corrective maintenance, then an assessment of transition risk which could be incurred under the current, shorter AOT is also desirable. Also, TS changes to requirements for a controlled shutdown (i.e., the time allocated to transit through hot standby to hot shutdown to cold shutdown, or to the final state that should be reached) should be evaluated using a model for the transition risk covering these periods.
4.3.3 PRA Modeling
4.3.3.1 Detail Needed for TS Changes
To evaluate a TS change, the specific systems or components involved should be modeled in the PRA. The model should also be able to treat the alignments of components during periods when testing and maintenance are being carried out.
Typically, LCOs and surveillance requirements (SRs) relate to the system trains or components and are modeled in the system fault trees of a PRA. System fault trees should be sufficiently detailed to specifically include all the components for which surveillance tests and maintenance are performed and are to be evaluated.
For AOT evaluations, system train-level models are adequate as long as all components belonging to the train are clearly identified (i.e., the failure of all those components that cause the train to fail). In using train-level models, common-cause contributions must be adequately treated.
For evaluating STIs, individual component-level models are necessary.
Since, typically, PRAs are done at the component level, they are directly used to analyze both AOTs and STIs.
Component unavailability models should include significant contributions from random failure, common-cause failure (CCF), test downtime, and maintenance downtime.
The component unavailability model for test downtime and maintenance downtime should be based on a realistic estimate of expected surveillance and maintenance practices after the TS change is approved and implemented, e.g., how often the AOT is expected to be entered for preplanned maintenance or surveillance.
The component unavailability model for test downtime and maintenance downtime should also be based on plant-specific and industry-wide operating experience.
The component unavailability model for test downtime and maintenance downtime should be developed with consideration for an appropriate balance between prevention of failures of the subject system or component through maintenance and minimizing unavailability of the system or component due to testing or maintenance.
The component unavailability model should have the flexibility to separate contributions from test and maintenance downtime. For evaluating an AOT, the contribution from maintenance downtime can be equated to zero to delete it. For an STI evaluation, the contribution from test downtime determines a contribution to risk from carrying out the test.
Additional details in terms of separating the failure rate contributions into cyclic demand-related and standby time-related contributions can be incorporated, if justifiable, for evaluating surveillance requirements.
The CCF contributions should be modeled so that they can be modified to reflect the condition in which one or more of the components is unavailable. It should be noted, however, that CCF modeling of components is not only dependent on the number of remaining in-service components, but is also dependent on the reason components were removed from service, i.e., whether for preventive or corrective maintenance. For appropriate configuration risk management and control, preventive and corrective maintenance activities need to be considered. Tier 3 PRA models should, therefore, have the ability to address the subtle difference that exists between maintenance activities.
To account for the effects of test placements for redundant components in relation to each other (e.g., staggered or sequential test strategy), time-dependent models and additional evaluations using specialized codes may be needed. Time-dependent evaluations can be made using system fault-tree models to decide on the test strategy for the redundant components in the system. The corresponding system unavailability can be used to determine the core damage frequency.
If the PRA does not model the system for which the TS change is being requested, then certain limits should apply for requesting changes to the TS for these systems. Examples of these situations are given below:
(1) When a system is modeled in the event tree, but a detailed fault tree model is not provided (direct estimate of system unavailability from experience data or expert judgment is used), then the TS evaluation can proceed in one of two ways:
(a) A separate fault tree can be developed for the system for TS evaluation and used to complement the existing PRA model without directly modifying the PRA, or (b) A bounding evaluation can be conducted based on impact of system failures that are modeled in the PRA event trees; that is, failure of any component in the system can be assumed to cause system failure.
(2) When a separate fault tree is developed, then specific TS requirements within the system can be changed, and changes in the system unavailability can be measured which can then be used in the PRA model to obtain the corresponding Level 1 and Level 2/3 measures, as appropriate. Such evaluations can be considered similarly as those evaluations made directly using PRA models, but should satisfy the following conditions:
(a) Failures within the system should not affect any other system/component failure; (b) The effect of system failure should not influence any initiating event frequency (or it should have a minimal/negligible effect); or (c) The system should not share components with another system.
(3) When bounding evaluations are performed assuming any failure in the system as a system failure, then the calculated risk impacts for TS changes are expected to be overestimated. The corresponding changes that may be acceptable will also be fewer than those that could have been justified using a detailed model. When considering the incorporation of non-PRA factors, this perspective should be kept, while at the same time considering the lack of a detailed model. Here also, the above three conditions discussed for the previous case apply.
(4) When a TS change is being considered for a system in which some of the components in the system have been modeled as part of other system components, but detailed system modeling was not done (such systems are not expected to be modeled in the event tree), the risk impact of the TS changes can then be evaluated on the basis of this limited modeling. The risk impact of the TS changes can be underestimated for the following reasons:
(a) Additional components may be affected by the failure of the components, and that failure may not have been considered; or (b) CCF of redundant components may not have been considered.
Usually, the most risk-important components have been modeled and other components in the system are the same or lower in the risk-importance ranking. When making judgments on the TS requirements for the components in the system based on another component that has been modeled, an evaluation should be performed to ensure that the impact of its failure is not greater than the component which is being used as its surrogate.
In these cases, since the risk-informed evaluation will be limited, and as discussed, some overestimation of the risk may have been incorporated, then non-risk related, engineering considerations gain importance in the overall decision. In such cases, arguments for the change also must be for very small increments from current requirements.
4.3.3.2 Modeling of Initiating Events
Some initiating events resulting from support system failure (e.g., service water, component cooling water, instrument air) are modeled explicitly in the logic model, i.e., fault tree models are developed in the PRA. Any TS change for these systems will affect the corresponding initiating event frequency as well as the system unavailability. The effect of TS changes on these initiating event frequencies should be considered.
Some test and maintenance activities can contribute to some transients. Initiating-event frequencies used in the PRA do not separate out this contribution. Such a separation may be needed during TS change evaluations. For example, the effect of test-caused transients may be evaluated in deciding an STI. Initiating-event frequencies from conduct of the test (i.e., test-caused transients) are modeled separately to evaluate the risk contribution from test-caused transients. Data needs for estimating initiating event frequencies from test-caused transients are discussed in section A.2 of the appendix.
4.3.3.3 Screening Criteria
The main qualitative consideration regarding the screening of sequences in TS change evaluations is the inclusion of sequences directly affected by the TS change that would have been truncated by frequency-based screening alone. For example, if the TS change involves accumulators in a pressurized-water reactor (PWR), qualitative considerations imply that sequences that contain the accumulators should be included, even if these sequences do not meet the frequency criteria. Excluding these sequences would result in an underestimate of the risk impact of the TS changes.
4.3.3.4 Truncation Limits
Truncation levels should be appropriately used to ensure that underestimation, due to truncation of cutsets, does not occur. Additional precautions, as discussed below, are needed to avoid truncation errors in calculating risk measures.
When failure or outage of a single component is considered, as in the case of an AOT or STI risk evaluation, the truncation levels in evaluating R1 and R0 are of concern. [R1 is the increased CDF, with the component assumed to be inoperable (or equivalently the component unavailability set to "true"), and R0 is the reduced CDF, with the component assumed to be operable (or equivalently, the component unavailability set to "false")]. If cutsets generated in the base case PRA are used to calculate R1 and R0, then it first has to be ensured that the component in question appears in the cutsets being used. If the component in question appears in the cutsets near the truncation limit (e.g., all appearances are in cutsets within a factor of 10 of the truncation limit), it may be necessary to reduce the truncation limit. If R1 is marginally larger than the base case value, then one order of additional cutsets should be generated to ensure that any underestimation did not take place.
Typically, a truncation level set below the base case CDF by an amount that corresponds to the basic event unavailability for the component in question can be considered adequate; that is, consider that a plant base case CDF of 10^-6 and R1 is being calculated for a component whose unavailability is 10^-3, then cutsets up to 10^-9 may be adequate. Cutsets should be regenerated for selected cases to ensure that the truncation level being used is adequate.
When risk from plant configurations involving multiple components is being considered, a cutset with a relatively small frequency can become a significant contributor to the CDF.
This is because more than one of the affected components may appear in the same minimal cutset, and if the availability of more than one of these components is decreased by the TS change, this can cause a significant increase in the cutset's frequency. For such cases, truncation levels have to be reduced by an amount corresponding to the product of the unavailabilities of the components involved in the outage configuration, to ensure that the base case's cutsets can be used.
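The truncation checks of Section 4.3.3.4, worked through as an added illustration that is not part of the draft guide. All basic-event names, values and cutsets are constructed, the function names are hypothetical, and CDF is taken as the rare-event sum of cutset frequencies.

```python
from math import prod

# Constructed values (not plant data): initiating-event frequencies per
# year (IE_*) and mean basic-event unavailabilities.
P = {"IE_T": 1.0, "IE_LOOP": 1e-2, "CCF_PUMPS": 8e-7, "EDG": 2e-2,
     "OP_ERR": 1e-3, "PUMP_A": 1e-3, "PUMP_B": 3e-3, "VALVE": 1e-2,
     "RELAY": 2e-5}

# Constructed minimal cutsets, as if generated with a very low truncation limit.
ALL_CUTSETS = [frozenset(c) for c in (
    ("IE_T", "CCF_PUMPS"),                    # 8e-7
    ("IE_LOOP", "EDG", "OP_ERR"),             # 2e-7
    ("IE_T", "PUMP_B", "OP_ERR", "VALVE"),    # 3e-8
    ("IE_T", "PUMP_A", "PUMP_B", "OP_ERR"),   # 3e-9
    ("IE_LOOP", "PUMP_A", "EDG", "VALVE"),    # 2e-9
    ("IE_T", "PUMP_A", "VALVE", "RELAY"),     # 2e-10
)]


def freq(cutset):
    """Base-case cutset frequency: product of its basic-event values."""
    return prod(P[e] for e in cutset)


def truncate(cutsets, limit):
    """Keep only cutsets whose base-case frequency is at or above the limit."""
    return [c for c in cutsets if freq(c) >= limit]


def minimize(cutsets):
    """Drop cutsets that contain another cutset as a proper subset."""
    uniq = set(cutsets)
    return [c for c in uniq if not any(other < c for other in uniq)]


def cdf(cutsets):
    """Rare-event approximation: CDF is the sum of cutset frequencies."""
    return sum(freq(c) for c in cutsets)


def r1(cutsets, comp):
    """CDF with comp set to 'true' (inoperable). Removing comp from a cutset
    can make another cutset non-minimal, so re-minimize before summing."""
    return cdf(minimize([c - {comp} for c in cutsets]))


def r0(cutsets, comp):
    """CDF with comp set to 'false' (operable): its cutsets drop out."""
    return cdf([c for c in cutsets if comp not in c])


def only_near_limit(cutsets, comp, limit, factor=10):
    """True if every cutset containing comp lies within `factor` of the limit."""
    hits = [freq(c) for c in cutsets if comp in c]
    return bool(hits) and all(f < factor * limit for f in hits)


def required_limit(base_cdf, unavailabilities):
    """Truncation level: base CDF lowered by the product of the
    unavailabilities of the components in the outage configuration."""
    return base_cdf * prod(unavailabilities)


def assess(comp, limit):
    """Evaluate R1/R0 from the cutsets that survive a given truncation limit."""
    kept = truncate(ALL_CUTSETS, limit)
    return {
        "limit": limit,
        "n_cutsets": len(kept),
        "appears": any(comp in c for c in kept),
        "near_limit_only": only_near_limit(kept, comp, limit),
        "base_cdf": cdf(kept),
        "R1": r1(kept, comp),
        "R0": r0(kept, comp),
    }


if __name__ == "__main__":
    for lim in (1e-8, 1e-9, 1e-10):
        a = assess("PUMP_A", lim)
        print(f"limit={lim:.0e} cutsets={a['n_cutsets']} appears={a['appears']} "
              f"near_limit_only={a['near_limit_only']} "
              f"R1={a['R1']:.3e} R0={a['R0']:.3e}")
    print("two-component limit:", required_limit(1e-6, [P["PUMP_A"], P["PUMP_B"]]))
```

With this constructed data, a limit of 1E-8 drops PUMP_A from the cutsets altogether, a limit of 1E-9 retains it only in cutsets within a factor of 10 of the limit, and lowering the limit by one more order raises R1 from 6.0E-6 to 6.2E-6.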
4.3.4 Assumptions in AOT and STI Evaluations
Using PRAs to evaluate TS changes requires consideration of a number of assumptions made within the PRA which can have a significant influence on the ultimate acceptability of the proposed changes. Such assumptions should be discussed in the submittal requesting the TS changes.
Assumptions that should be considered for AOT change evaluations can be summarized as follows:
(1) AOT risk evaluations are usually performed using the PRA for power operation (i.e., to calculate the risk associated with (a) the equipment being unavailable during power operation for the duration of the AOT and (b) any change in the AOT). The risk associated with shutting the plant down because of AOT violations usually is not considered. In most cases, this risk is considered negligible, or such consideration is assumed to further justify the requested change. For some situations (e.g., for residual heat removal systems, service water systems, and auxiliary feedwater systems), comparative risk evaluations of continued power operation vs. plant shutdown should be considered.
(2) When calculating the risk impacts (i.e., a change in CDF due to AOT changes), the change in average CDF should be estimated using the mean outage times for the current and proposed AOTs. Usually, data for outage times correspond to the current AOT, but not to the proposed AOT. Different assumptions are made to estimate the outage time corresponding to the proposed AOT. Usually, the assumption used implies that the same policy of repairing a failed component will remain in effect when the AOT extension is granted, as will the waiting period to start a repair, and the number of maintenance personnel engaged in a repair.
(3) When the risk impact of an AOT change is evaluated, the yearly risk impact that is calculated takes into account the outage frequency. An AOT extension may imply that the maintenance of the component is improved, which may reduce the component's failure rate, and consequently, the frequency of outages needed for correcting degradations or failure. Again, there are no experience data for the extended AOT; therefore, the assumption should be made that both the frequency of outage for corrective maintenance and the component's failure rate remain the same.
Here, the beneficial aspect of maintenance is not quantified and this may give a slightly higher estimate of the yearly AOT risk measure for the proposed AOT.
(4) Often, AOT extensions are requested to facilitate on-line (or at-power) preventive maintenance of safety-system components. Their frequency and duration may be estimated and the risk impact due to the resulting unavailability of such equipment can be calculated.
(5) When AOTs of multiple safety system trains are extended, the likelihood of simultaneous outages of multiple components increases (resulting from combinations of failures, testing, and maintenances) because the increased duration increases the probability of the individual events which constitute the simultaneous multiple outages; hence, overlapping of routinely scheduled activities and random failures becomes more likely. The impact of such occurrences on the average plant risk, e.g., CDF, is small, but the conditional risk can be large. This issue is addressed as part of the implementation considerations (see Sections 4.3.7 and 6.1).
Assumptions that should be considered for STI evaluations can be summarized as follows:
(1) Surveillance tests usually are assumed to detect failures that have occurred in the standby period. The component failure rate λ, in the formulation of component unavailability, represents these failures. In estimating the test-limited risk, it usually is assumed that a surveillance test of a component detects the failures, and that after the test, the component's unavailability resets to zero or "false" in the Boolean expression. A few component failures, depending on a component's design and the test performed, may not be detected by a routine surveillance test. Usually, their contribution to risk is considered negligible.
(2) Regular surveillance testing of a component, as performed for safety-system components, is considered to influence its performance. Generally, for most components, the increase of a surveillance interval beyond a certain value may reduce the component's performance (i.e., increase the failure rate). Experience data are not available to assess the STI values beyond which the component failure rate λ increases. In a risk-informed evaluation of surveillance requirements, the failure rate is assumed to remain the same (i.e., unaffected by a change in the test interval). This assumption implies that the STIs are not being changed beyond the value where λ may be affected. Care should be taken not to extend the STIs beyond such values using risk-informed analyses only.
(3) The timing of surveillance tests for redundant components relative to each other (i.e., the test strategy used) has an impact on the risk measures calculated. Staggered or sequential test strategies are commonly used. In most PRAs, no specific test strategy is modeled; tests are assumed to be conducted independently at specified intervals. Separate system-level time-dependent evaluations should be carried out to evaluate the effect of different test strategies where it can impact the evaluation of the change being considered.
(4) Notwithstanding the beneficial aspects of testing to detect failures that occur in a standby period, a number of adverse effects may be associated with the test: downtime to conduct the test, errors of restoration after the test, test-caused transients, and test-caused wear of the equipment. Downtime and errors of restoration are usually modeled in a PRA, unless they are negligible. Test-caused transients and wear of the equipment are applicable to a few tests, but they are not generally modeled separately in a PRA. However, they can be evaluated using PRA models supplemented with additional data and analysis. Methods are available to quantitatively address these aspects; however, qualitative arguments can also be presented to support the extension of a test interval. Where the adverse impact of testing is considered significant, such cases should preferably be addressed quantitatively.
4.3.5 Sensitivity and Uncertainty Analyses Relating to Assumptions in TS Change Evaluations
As in any risk-informed study, risk-informed analyses of TS changes can be affected by numerous uncertainties regarding the assumptions made during the PRA model's development and application.
Sensitivity analyses will be necessary to address the important assumptions in the submittal made with respect to TS change analyses. They should include:
- Impact of variation in repair/maintenance policy due to AOT changes (e.g., scheduling a PM of longer duration at power).
- Impact of variation in assumed mean downtimes or frequencies.
- Effect of separating the cyclic demand vs. standby time-related contribution to the component's unavailability in deciding changes to an STI.
- Effect of details regarding how CCFs are modeled in the PRA.
Sensitivity analyses performed previously for risk-informed TS changes have shown that the risk resulting from TS AOT changes is relatively insensitive to uncertainties (compared to the effect on risk due to uncertainties in assumptions regarding plant design changes, or regarding significant changes to plant operating procedures, for example). Licensees are expected to justify any deviations from this expectation. This is because the uncertainties associated with AOT changes tend to similarly affect the base case (i.e., before the change) and the changed case (i.e., with the change in place). That is, the risks result from similar causes in both cases (i.e., no new initiating transients or subsequent failure modes are likely to have been introduced by relatively minor AOT changes). AOT changes subject the plant to a variation in its exposure to the same type of risk, and the PRA model is able to predict, with relative surety based on data from operating experience, how much that risk will change based on that changed exposure. Similar results are expected for STI changes.
The above argument may be more difficult to justify in cases where the effects of multiple outages may become significant during relatively large increases in AOTs or STIs. In those cases, however, the Tier 2 and Tier 3 aspects of TS changes (i.e., configuration monitoring, risk predictions, and configuration control based on the risk predictions) are expected to be robust and will be relied upon to control the resulting potential for significant risk increases.
4.3.6 Use of Compensatory Measures in TS Change Evaluations
Consistent with the fundamental principle that changes to TS result in very small increases in the risk to the health and safety of the public (principle #4, as described in Section 2.4.2.1 of DG-1061), as part of proposed TS change evaluations, certain compensatory measures (discussed below) that balance the calculated risk increase due to the changes may be considered. This consideration should be made in light of the acceptance guidelines given in DG-1061. Also, note that these considerations may be part of Tier 2 or Tier 3 programs.
When the licensee wishes to reduce the risk increase resulting from a proposed change even though the individual change is judged by the licensee to meet the "very small" guideline, the licensee might consider taking compensatory measures such as those suggested below.
These compensatory measures can be acceptable if they are proposed and evaluated as part of the overall application for the TS change. However, compensatory measures should not be relied upon to compensate for weaknesses in plant design. Compensatory measures included in the submittal for a TS change should be measures not already included in the current licensing basis, but which would become part of the licensing basis if the TS change were approved. Examples of compensatory measures are:
- Adding a test of a redundant train before initiating a scheduled maintenance activity as part of an AOT extension
- Limiting simultaneous testing and maintenance of redundant or diverse systems as part of an AOT extension
- Incorporating a staggered test strategy as part of STI extension
- Improving test and maintenance procedures to reduce test and maintenance related errors
- Improving operating procedures and operator training to reduce the impact of human errors
- Improving system designs, which reduces overall system unavailability and plant risk
When compensatory measures are part of the TS change evaluation, then the risk impact of these measures should be considered and presented, either quantitatively or qualitatively.
When a quantitative evaluation is used, the total impact of these measures should be evaluated by comparison to the "very small" guideline (principle #4, as described in Section 2.4.2.1 of DG-1061). This includes:
(1) Evaluation of the proposed TS changes without the compensatory measures
(2) Evaluation of the proposed TS changes with the compensatory measures
(3) Specific discussion of how each of the compensatory measures is credited in the PRA model or during the evaluation process
4.3.7 Contemporaneous Configuration Control
Consistent with the fundamental principle that changes to TS result in very small increases in the risk to the health and safety of the public (principle #4, as described in Section 2.4.2.1 of DG-1061), certain configuration controls need to be utilized. The need for the controls discussed in this section is described at the beginning of Section 4.4 in the discussion regarding Tier 3.
Licensees should describe their capability to perform a contemporaneous assessment of the overall impact on safety of proposed plant configurations prior to performing and during performance of maintenance activities which remove equipment from service. Licensees should explain how these tools or other processes will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration.
The staff has determined that the Technical Specifications Administrative Controls section should describe the licensee's program for performing a real-time assessment as described above and that the Bases for TS for which an extended AOT is granted should reference this program description. The following items should be addressed in such a configuration control program:
- a. The assessment applies prior to entering an LCO for pre-planned maintenance activities and while in an LCO to perform either preventive or corrective maintenance activities.
- b. The assessment is a risk-informed assessment using the current version of the licensee's PRA and reflects the as-built, as-operated plant.
- c. The assessment looks at the real-time or contemporaneous plant configuration.
- d. The purpose of the assessment is to assess the overall impact on plant risk and to take any actions necessary to minimize risk.
- e. The process for performing the assessment is documented in plant procedures.
- f. The capability and validity of the real-time PRA configuration control process, if different from the PRA used to assess the AOT extensions.
- g. Containment (PRA Level 2) concerns and external events are considered.
Each submittal for a risk-informed TS AOT extension should contain appropriate changes to the Administrative Control section which incorporate description of a program incorporating these items.
4.4 Acceptance Guidelines for TS Changes
The guidelines discussed in Sections 2.4.2.1 and 2.4.2.2 of DG-1061 are applicable to TS AOT and STI change requests. Numerical acceptance guidelines are presented in those subsections as a function of the result of the licensee's risk analysis in terms of total CDF predicted for the plant and the change in CDF and LERF predicted for the TS change(s) requested by the licensee. In addition, those sections discuss cases where the scope of the licensee's PRA does not include a Level 2 (containment performance) analysis, and where, according to the guidelines presented in this draft regulatory guide and in DG-1061, such an analysis is needed. Application of those guidelines to individual proposals for TS modifications will be done in a manner consistent with the fundamental principle that changes to TS result in very small increases in the risk to the health and safety of the public (principle #4, as described in Section 2.4.2.1 of DG-1061).
TS change evaluations may involve some very small increase in risk as quantified by PRA models. Usually, it is argued that such a very small increase is offset by the many beneficial effects of the change that are not modeled by the PRA. The role of numerical guidelines is to ensure that the increase in risk is very small, and to provide a quantitative basis for the risk increase based on aspects of the TS change that are modeled or quantified.
The numerical guidelines used to decide an acceptable TS change are taken into account along with other traditional considerations, operating experience, lessons learned from previous changes, and practical considerations associated with test and maintenance practices. The final acceptability of the proposed change should be based on all of these considerations and not solely on the use of PRA-informed results compared to numerical acceptance guidelines.
As discussed previously, the numerical guidelines are used to ensure that any increase in risk is within acceptable limits; traditional considerations are used to ensure that the change satisfies rules and regulations which are in effect; practical considerations judge the acceptability of implementing the change; and lessons learned from past experience ensure that mistakes are not repeated.
Using the risk measures discussed in this regulatory guide, the increase in risk should be calculated for the TS changes and compared against the numeric guidelines referenced above in this subsection. In calculating the risk impact of the changed case, additional changes to be implemented as part of the change can be credited. For example, in seeking an STI change, if the test strategy is also to be changed, the effect of this should also be incorporated in the risk evaluation.
However, it should be noted that this TS-specific regulatory guide, as well as DG-1061, are applicable only to permanent (as opposed to temporary, or "one time") changes to TS requirements. TS AOT changes are permanent changes, but, because AOTs are entered infrequently and are temporary by their very nature, the following TS-specific acceptance guidelines are provided in addition to those given in DG-1061. That is:
- 1. The licensee has demonstrated that the TS AOT modification has only a very small quantitative impact on plant risk. An ICCDP of less than 5.0E-7 is considered very small for a single TS-AOT modification. An ICLERP of 5.0E-8 or less is also considered very small. Also, the ICCDP contribution should be distributed in time such that any increase in the associated instantaneous risk is very small and within the normal operating background (risk fluctuations) of the plant (Tier 1).
- 2. The licensee has demonstrated that there are appropriate restrictions on dominant risk-significant configurations associated with the modification (Tier 2).
- 3. The licensee has implemented a risk-informed plant configuration control program. The licensee has implemented procedures to utilize, maintain, and control such a program (Tier 3).
4.5 Comparison of Risk of Available Alternatives
In some cases, in support of a TS modification, available alternatives are compared to justify the TS change. For changes in TS AOTs, such cases primarily involve comparing the risk of shutting down with the risk of continuing power operation, given that the plant is not meeting one or more TS LCOs. Such comparisons can be used to justify that the increase in at-power risk associated with the TS change is offset by the averting of some transition or shutdown risk.
In the case of an STI change, the beneficial and adverse impacts can be similarly compared.
The modified STI should be chosen so that the benefit of testing is at least equal to, or greater than, the adverse effects of testing. For example, if the calibration of relays in the reactor protection system causes plant transients, the risk from the test-caused transients is then estimated and compared with the test-limited risk of an extended STI.
In using such guidelines, the following considerations apply.
(1) The uncertainty associated with the two measures being compared can differ, and should be considered in deciding on an acceptable change.
(2) When the risk measures associated with all alternatives are unacceptably large, ways to reduce the risk should be explored, instead of only extending the TS requirement. That is, a large risk from one of the alternatives should not be the justification for TS relaxation without giving appropriate attention to risk-reduction options. If the risk from test-caused transients is large, attention may then be given to exploring changes in test procedures to reduce such risk, rather than only extending the test interval. However, a combination of the two also may be appropriate.
4.6 Cumulative Effect of TS Changes
The cumulative impact of the proposed TS changes should be calculated and presented, in addition to the individual impacts. The total, cumulative impact is estimated using the average value of the risk measures. The conditional measures, i.e., CDP and LERP, do not directly apply in evaluating the total impact from multiple changes. As discussed earlier, conditional measures are used in deciding changes to individual requirements.
In presenting the cumulative risk impact, the base case PRA model should be used consistently. It should not contain any of the proposed changes, but should reflect any other recent changes to the plant. The same model used for evaluating the individual changes should be used for assessing cumulative impact. Plant practices proposed for implementation as part of the TS changes should not be credited in the base case.
Previously approved TS changes also should be discussed as part of the cumulative impact evaluation. When the base case PRA model has been updated incorporating the previously approved TS changes, then it should be so stated. If the base case does not include previously approved changes, they should then be included as part of the cumulative impact evaluation of the proposed changes.
- 5. ELEMENT 3: DEVELOP IMPLEMENTATION AND MONITORING STRATEGIES
5.1 Three-Tiered Implementation Approach
As described in Section 4.3, the staff expects licensees to use a three-tiered approach in evaluating the risk associated with proposed TS changes. Application of the three-tiered approach is in keeping with the fundamental principle that performance-based implementation and monitoring strategies be employed to account for uncertainties in analysis models and data (principle #5). Because of such uncertainties, these methods are used to avoid, or severely limit, the time durations during which plant operation is allowed with high-risk configurations of plant equipment (i.e., with excessive unavailability of critical safety equipment).
5.2 Maintenance Rule Control
In order to ensure that extension of a TS AOT or STI does not degrade operational safety over time, the licensee should ensure performance monitoring mechanisms are in place to identify negative trends in availability or reliability of equipment impacted by TS changes. As part of implementing the maintenance rule (10 CFR 50.65), each licensee will likely have developed target goals for the majority of TS equipment, which could provide such a performance monitoring mechanism. The effect of TS changes should be considered if any adverse trends in meeting established goals are identified through implementation of the maintenance rule. If the licensee concludes that the performance or condition of a TS system or component affected by a TS change does not meet established goals, appropriate corrective action shall be taken to reverse the trend, in accordance with the maintenance rule. Such corrective action may include submittal of another TS change to shorten the revised AOT or STI, if the licensee determines this is an important factor in reversing the negative trend.
- 6. ELEMENT 4: DOCUMENTATION
The evaluations performed to justify the proposed TS changes should be documented and included in the license amendment request submittal. Draft Regulatory Guide DG-1061 provides guidance on acceptable documentation and submittal materials to support risk-informed decisionmaking. Specifically, documentation to support risk-informed TS change requests should include:
(1) A description of the TS changes being proposed and the reasons for seeking the changes,
(2) A description of the process used to arrive at the proposed changes,
(3) Traditional engineering evaluations performed,
(4) Changes made to the PRA for use in the TS change evaluation,
(5) Review of the applicability and quality of the PRA models for TS evaluations,
(6) Discussion of the risk measures used in evaluating the changes,
(7) Data additional to the plant's PRA database developed and used,
(8) Summary of the risk measures calculated including intermediate results,
(9) Sensitivity and uncertainty analyses performed,
(10) Summary of the risk impacts of the proposed changes and any compensating actions proposed,
(11) A tabulation of equipment outage configurations that could threaten the integrity of important safety functions and that are prohibited by TS or plant procedures (Tier 2).
(12) A description of the capability to perform a contemporaneous assessment of the overall impact on safety of proposed plant configurations including an explanation of how these tools will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration (Tier 3).
(13) A marked up copy of the relevant TS and Bases. The level of detail provided in the TS Bases should include adequate information to provide the technical basis for the revised AOT or STI.
(14) All other documentation required to be submitted with a license amendment request.
BIBLIOGRAPHY
USNRC, Statement of Considerations, "Technical Specifications for Facility Licensees; Safety Analyses Reports," Federal Register, 33 FR 18612, December 17, 1968.
USNRC, "Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors," Federal Register, 58 FR 39132, July 22, 1993.
USNRC, Final Rule, 10 CFR 50.36, "Technical Specifications," Federal Register, 60 FR 36953, July 19, 1995.
USNRC, "Standard Review Plan for Risk-Informed Decisionmaking: Technical Specifications," NUREG-0800, Draft Chapter 16.1, June 1997.
NUREG-1430, "Standard Technical Specifications, Babcock and Wilcox Plants" (latest revision).
NUREG-1431, "Standard Technical Specifications, Westinghouse Plants" (latest revision).
NUREG-1432, "Standard Technical Specifications, Combustion Engineering Plants" (latest revision).
NUREG-1433, "Standard Technical Specifications, General Electric Plants, BWR/4" (latest revision).
NUREG-1434, "Standard Technical Specifications, General Electric Plants, BWR/6" (latest revision).
USNRC, "Use of PRA in Risk-Informed Applications," Draft NUREG-1602, June 1997.
Copies of NUREG-series documents are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
APPENDIX A
OTHER CONSIDERATIONS AND DATA NEEDS IN TS CHANGE RISK EVALUATIONS
A.1 Other Considerations in TS Change Risk Evaluations
A.1.1 Risk Measures for TS Changes to AOTs and STIs
In this section, a list of the risk-informed measures used in AOT and STI evaluations is presented. A more detailed discussion of these measures can be found in NUREG/CR-6141, "Handbook of Methods for Risk-Based Analyses of Technical Specifications" (March 1995).¹
The measures applicable for AOT evaluations are:
- conditional risk given the LCO
- single-event AOT risk
- yearly AOT risk
When comparing the risk of shutting down with the risk of continuing power operation for a given LCO, the applicable measures are:
- risk of continued power operation for a given downtime, similar to single-event AOT risk
- risk of shutting down for the same downtime
The measures applicable for STI evaluations are:
- test-limited risk
- test-caused risk
Similar to the AOT evaluations, the risk contributions associated with preventive maintenance (PM) are:
- single PM risk
- yearly PM risk
The risk associated with simultaneous outages of multiple components, called configuration risk, is calculated as part of AOT changes. The three-tier approach discussed at the beginning of this Section 4 includes calculations of risks associated with multiple components that may be taken down together. The applicable measures are similar to the AOT measures stated above:
- conditional risk (e.g., CDF) caused by the configuration
- increase in risk, [e.g., CDP (obtained by multiplying the increase in CDF by the duration of the configuration for the occurrence of a given configuration)].
¹ Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
A.1.2 Measures for Multiple TS Changes
When multiple TS changes are being considered, then the combined impact of the changes should be considered, in addition to the individual impacts. The considerations relating to the calculation of total impacts are discussed here.
A.1.2.1 Measures That Can Be Combined for Multiple TS Changes
When considering risk contributions from several AOTs, the risk measures can be combined according to the following guidelines:
The single-event AOT risks from several AOTs do not generally interact nor do they accumulate to give a total contribution because the single AOT risks are conditional risks per event, and the downtime events for the different AOTs are different events. The only time that single-event AOT risks need to be simultaneously considered is when multiple components can be down at the same time, constituting the same event. Such a case is referred to as "downed configuration," or simply a "configuration." The risk contribution associated with a configuration is referred to as the configuration risk, and is evaluated separately as a multiple component downtime. Conducting maintenance on several components is a principal cause of potentially high configuration risks.
Yearly AOT risk contributions from several AOTs can interact and need to be accumulated to give the total yearly contribution from all the AOTs being considered. When the AOTs do not interact, that is, when the downed components are not in the same minimal cutset, the yearly AOT risk contribution from several AOTs is then the sum of the individual yearly AOT risk contributions. When the AOTs do interact, that is, when two or more of the downed components are in the same minimal cutset, interaction of the AOT risk contributions then needs to be considered.
When calculating the test-limited risk for changes in multiple STIs, the total test-limited risk then needs to be properly evaluated. Simple addition of individual test-limited risks will not provide the combined test-limited risk. In a simple addition, the total test-limited risk contribution is underestimated because the interacting terms are neglected.
A.1.2.2 Total Impact of Multiple Changes
When multiple changes are requested, the total collective risk impact from all the changes then needs to be evaluated. For example, for a group of AOT and STI changes, this includes the total impact of all the requested:
- AOT changes
- STI changes
- AOT and STI changes
If multiple changes are made, the impact of each change is assessed individually, then as a check, the plant PRA should be used to quantify the total impact.
A.1.3 Quantification of Risk Measures
A.1.3.1 Alternative Ways of Calculating TS Change Risk Measures
In calculating the measures discussed for evaluating TS changes, two specific risk levels are discussed, which need to be quantified using a PRA. Focusing on the CDF level, they are R1, the increased risk level (e.g., CDF) with the component assumed down or equivalent component unavailability set to "true," and R0, the reduced CDF with the component assumed up; that is, the component unavailability is set to "false."
Using PRA To Obtain AOT, PM, and Configuration Risk Contributions
R1 can be calculated by setting the component-down event to a true state in the PRA. Similarly, R0 can be calculated by setting the component-down event to a false state in the PRA. The component-down event in the PRA is the event describing that the component is down for repair or maintenance. If the component-down event is included in the existing minimal cutsets, then these minimal cutsets can be used to determine R1 and R0 provided the minimal cutsets sufficiently cover the contribution of the down event. The existing minimal cutsets are sufficient if those containing the down event are not all near the truncation limit (i.e., are not all within a factor of 10 of the truncation limit). Alternatively, the minimal cutsets are sufficient if those containing the down event have a non-negligible contribution (i.e., have a contribution greater than or equal to 1%). If the existing minimal cutsets are sufficient, then the increased risk level R1 can be determined by setting the component-down unavailability to 1 and deleting larger minimal cutsets that contain smaller minimal cutsets (i.e., are absorbed by the smaller minimal cutsets). If there are any minimal cutsets containing complementary events, they also need to be removed if they are inconsistent with the component being down. The reduced risk level R0 can be determined analogously by setting the down unavailability to zero.
If the component-down event is not contained in the existing minimal cutsets, or if there is a question on the coverage of the existing minimal cutsets, the minimal cutsets will then need to be regenerated. R1 is determined by setting the down-component event in the PRA models to a true state. The truncation limit of the minimal cutset can be reduced by at least a factor of 10 to give added assurance of sufficient coverage. The minimal cutsets which are generated subsequently can then be used to determine R0 by setting the down unavailability at zero.
Contributions from CCFs need special attention when calculating the increased risk level R1.
If the component is down because of a failure, the common-cause contributions involving the component need to be divided by the probability of the component being down due to failure since the component is given to be down. If the component is down because it is being brought down for maintenance, the CCF contributions involving the component then need to be modified to remove the component and to only include failures of the remaining components (also see Section 4.3.1).
If other components are reconfigured while the component is down, these reconfigurations can then be incorporated in estimating R1 or ΔR, using the PRA. If other components are tested before repair or if maintenance is carried out on the downed components, the conduct of these tests and their outcomes also can be modeled. If other components are more frequently tested when the component is down for the AOT, this increased frequency of testing also can be incorporated. These modeling details are sometimes neglected in the PRA because of their apparently small contribution. However, when isolating the AOT risk contributions and in justifying modified AOTs, these details can become significant.
Use of PRA Minimal Cutsets When It Is Appropriate
As indicated, a PRA computes the yearly AOT risk contribution to the yearly core-damage frequency (CDF). Basically, the yearly AOT risk contribution is the sum of the minimal cutset contributions containing the component-downed unavailability (typically, for maintenance) qm,
qm = f·d
where f is the downtime frequency and d is the downtime associated with the AOT. The downtime d usually is estimated as an average downtime associated with the AOT. If the minimal cutsets sufficiently cover the downed unavailability, those which contain the downed unavailability qm can be summed to give the yearly AOT risk contribution Ry.
Using the PRA To Determine the Test-Limited Risk Contribution
The PRA can be used to calculate the increase in the risk level ΔR and to obtain the component unavailability, q, the contributing factors in calculating the test-limited risk contribution. The considerations involved in calculating R1 and R0 to obtain ΔR are those discussed above and in the next section.
When the effect of a change in STI for one or more components is being evaluated, the PRA can be directly used to calculate the change in the risk measure (e.g., in the CDF). The calculation of PRA results where changed STIs are included incorporates interactions among the STIs. The difference between the results (i.e., CDF when the STIs are changed from the baseline CDF) provides the test-limited risk contribution for changing the STIs.
In such a calculation, the contributions of CCFs need to be appropriately modified. The common failure terms modeled as a function of the test interval should be modified to reflect the new STI. Typically, CCFs are modeled using a β-factor or Multiple Greek Letter model where the CCF of multiple components is a function of the STI. When changing STIs, care should be taken to change this term within the common-cause contribution. The common cause of failing multiple components resulting from human error following a test is not a function of the STI, but may be affected by the test strategy used.
When different test strategies are being evaluated, the human error term needs to be evaluated. Specific assumptions that were used in quantifying the human error common cause term should be identified and checked if they apply for the test strategy being analyzed. For example, if the term was developed assuming a sequential test strategy, but a staggered test strategy is being analyzed, the term then needs to be modified to reflect this change. The failure probability from a common-cause human error for a staggered test strategy is expected to be significantly lower than that for the sequential test strategy.
Using Minimal Cutsets To Calculate Test-Limited Risks
The test-limited risk for a component or a set of components also can be determined by identifying those minimal cutsets which contain one or more of the STI contributions. The sum of the relevant minimal cutset contributions is then equal to the test-limited risk. To evaluate changes in the test-limited risks for changes in the STIs, the difference between the minimal cutset contributions with and without the STI changes will be the difference between the test-limited risks. In using the minimal cutsets, one should ensure that the STI contributions are all included in the set of minimal cutsets used. Even though use of the minimal cutsets gives the same results, the above basic formulas for the test-limited risks are useful, since they show the basic contributing factors to the STI risk.
Specific Considerations for Evaluating Multiple Test-Limited Risks
When multiple STIs are modified or are defined, the total test-limited risk from the multiple STI changes or definitions needs to be properly evaluated. Instead of using the PRA to evaluate all the modifications in a given run, the individual test-limited risks can be evaluated one at a time, provided that the updated STIs are used for the other relevant components.
An iterative procedure can then be used in which individual STIs are successively updated, using the formulas given above for individual component STI risk contributors. These one-at-a-time evaluations, or "iterative" evaluations, are useful if acceptable guidelines on test-limited risks are defined, and the STIs are to be selected to satisfy the risk guidelines.
A.1.3.2 Appropriate Calculation of Conditional CDF
Conditional CDF for Failure of a Component
To calculate the conditional CDF when a component is failed (typically represented by R1 in this document), the component unavailability is changed to the "true" or "T" state. However, the component unavailability may be modeled in terms of many contributors: random failure, maintenance downtime, test downtime, and CCF. The CCF term represents the failure probability of two or more redundant components which include the failed component in question. The CCF term is modeled as a product of multiple terms (e.g., using the β-factor model for two redundant components, the CCF term is β times the component unavailability from random failures), but may be represented by one parameter.
Consider a component Q in Train A of a safety system, letting QLA, QMA, and QTA represent the component's unavailability from random failures, maintenance downtimes, and test-downtimes, respectively. Also, let QC (= β·QL) be the term for CCF of the redundant components in Trains A and B, where QL is numerically equal to QLA and represents QLA or QLB. QLB is the unavailability of a component in Train B from random failure. Usually, the terms QLA, QMA, QTA, and QC will be part of the PRA input data.
To calculate the conditional CDF given that the component is failed, the component unavailability should be represented by the "T" state. This means that QLA, QMA, and QTA should be changed to the "T" state and QC should be divided by QLA since the component is down because of failure. In principle, changing one of the three conditions (QLA, QMA, QTA) to the "T" state should suffice. However, in many cases, truncated cutsets are used to calculate the conditional CDF, and changing all three will ensure that the failed state of the component is represented. For this example, QC will be changed to β, which represents the conditional failure probability of the redundant component. When QC represents the failure of more than two components, QC will be converted to the failure probability of the remaining components, in this case, two components.
Conditional CDF When a Component Is Down (but Not Failed) for PM
To calculate the conditional CDF when a component is taken down for PM (R1 for PM analyses), the CCF term needs to be treated differently from that described above for the failure of the component.
Considering the same example as above, the down state of the component is represented by changing QLA, QMA, and QTA to "T" and by changing QC to QL, which is numerically the same as QLB or QLA. The CCF term is changed to represent the unavailability of the remaining component and not β, since the initial component is already down for PM and is not down due to failure. If the redundant component is successfully tested before taking the component down for PM, QC can then be equated to zero for a short-duration PM (i.e., when the duration of the PM is much less than the test interval).
Conditional CDF When the Component Is Not Down for Maintenance or Is Tested Operable
The conditional CDF is reduced when the component is not down for maintenance or when it has just successfully been tested. The calculation of AOT and STI risk contributions involves calculating this conditional CDF (R0). For evaluating the AOT risk contribution, R0 signifies that the component is not down for test or maintenance, and this condition is represented by setting test and maintenance downtime unavailabilities to the "false" or "F" state. In this example, QMA and QTA should be changed to the "F" state. For STI evaluations, R0 signifies that the component is up, which is known from the test and is represented by setting its unavailability to "false." In this example, QLA, QMA, and QTA should be changed to the "F" state. In many cases, the reduction in CDF from the baseline CDF is negligible.
Conditional CDF When Multiple Components Are Involved
To calculate conditional CDFs (R1 and R0) when multiple components are involved, the corresponding terms relating to each of the components should be changed to the "T" or "F" state. For each component, the corresponding terms relating to random failures, CCFs, test downtimes, and maintenance downtimes should be converted, as discussed above. When all the components modeled by a common-cause term are failed, this term changes to the "T" state for calculating R1. Otherwise, it is modeled as discussed above, representing the unavailability of the remaining components. In many PRA computer codes, the CCF term does not retain the specific component designator (for example, a unique notation identifying the specific component involved may not be part of the name of the CCF term), and the relevant term cannot directly be identified by searching the names of the input parameters of the PRA. The description of the CCF terms modeled in the PRA may need to be examined to identify the relevant term or the input parameter.
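The cutset manipulations of A.1.3.1 and the QLA/QMA/QTA/QC substitutions of A.1.3.2 can be worked through on a small two-train model. The following Python sketch is an added illustration, not part of the draft guide: every number, the cutset list, and the events XVA and OTHER are constructed, and cutset contributions are simply summed (rare-event approximation, an assumption of this example).

```python
from math import prod

# All numbers below are constructed for illustration; none come from a plant PRA.
BETA = 0.1                 # assumed beta factor
QL = 1.0e-2                # assumed random-failure unavailability (QLA = QLB = QL)
F_PER_YEAR = 2.0           # assumed downtime frequency f for Train A maintenance
D_YEARS = 21.9 / 8760.0    # assumed average downtime d (21.9 hours), in years

VALUES = {
    "IE": 1.0e-2,                  # initiating-event frequency, per year
    "QLA": QL,                     # Train A random failure
    "QMA": F_PER_YEAR * D_YEARS,   # Train A maintenance downtime, qm = f d
    "QTA": 1.0e-3,                 # Train A test downtime
    "QLB": QL,                     # Train B random failure
    "QMB": 5.0e-3,                 # Train B maintenance downtime
    "QC": BETA * QL,               # CCF of both trains, QC = beta * QL
    "XVA": 2.0e-3,                 # hypothetical second Train A component
    "OTHER": 1.0e-5,               # hypothetical lumped rest-of-plant failure
}

# Constructed minimal cutsets of the baseline model.
CUTSETS = [frozenset(c) for c in (
    ("IE", "QLA", "QLB"), ("IE", "QLA", "QMB"), ("IE", "QMA", "QLB"),
    ("IE", "QTA", "QLB"), ("IE", "XVA", "QLB"), ("IE", "QC"), ("IE", "OTHER"),
)]

TRAIN_A_DOWN = frozenset({"QLA", "QMA", "QTA"})


def reduce_cutsets(cutsets, true_events=frozenset(), false_events=frozenset()):
    """Set events to T (probability 1) or F (probability 0) and re-minimize.

    A cutset containing an F event can never occur and is dropped. T events
    are removed from each cutset; cutsets that then contain a smaller cutset
    are absorbed. Complementary events are not modeled in this sketch.
    """
    kept = {cs - true_events for cs in cutsets if not (cs & false_events)}
    return {cs for cs in kept if not any(other < cs for other in kept)}


def cdf(cutsets, values):
    """Sum of cutset products (rare-event approximation), per year."""
    return sum(prod(values[e] for e in cs) for cs in cutsets)


def baseline():
    return cdf(CUTSETS, VALUES)


def r1(cause):
    """Conditional CDF with the Train A component down.

    cause = "failure":   QC is divided by QLA (becomes beta)
    cause = "pm":        QC is changed to QL
    cause = "pm_tested": redundant train tested first, QC set to zero
    """
    qc = {"failure": VALUES["QC"] / VALUES["QLA"], "pm": QL, "pm_tested": 0.0}[cause]
    values = dict(VALUES, QC=qc)
    return cdf(reduce_cutsets(CUTSETS, true_events=TRAIN_A_DOWN), values)


def r0(kind):
    """Conditional CDF with the component up.

    kind = "aot": QMA and QTA set to F; kind = "sti": QLA, QMA and QTA set to F.
    """
    false_events = {"aot": {"QMA", "QTA"}, "sti": set(TRAIN_A_DOWN)}[kind]
    return cdf(reduce_cutsets(CUTSETS, false_events=false_events), VALUES)


def yearly_aot_risk():
    """Ry: sum of baseline cutsets that contain the maintenance term qm (QMA)."""
    return cdf([cs for cs in CUTSETS if "QMA" in cs], VALUES)


def delta_cdp(cause, duration_years):
    """Increase in CDP: increase in CDF multiplied by the downtime duration."""
    return (r1(cause) - r0("aot")) * duration_years


if __name__ == "__main__":
    print(f"baseline CDF        {baseline():.3e} /yr")
    for cause in ("failure", "pm", "pm_tested"):
        print(f"R1 ({cause:9s})      {r1(cause):.4e} /yr")
    print(f"R0 (AOT)            {r0('aot'):.3e} /yr")
    print(f"R0 (STI)            {r0('sti'):.3e} /yr")
    print(f"Ry                  {yearly_aot_risk():.3e} /yr")
    print(f"delta CDP, one PM   {delta_cdp('pm', D_YEARS):.4e}")
```

With the component set to "T", the XVA cutset is absorbed by the smaller {IE, QLB} cutset, and the gap between the "failure" and "pm" results comes entirely from how QC is substituted.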
A.1.3.3 Treatment of CCF and Recovery Factors
The treatment of CCF in estimating the conditional CDF for AOT and STI evaluations was discussed earlier. Appropriate considerations in modifying CCF terms modeled in the PRA (to include the effect of a component being unavailable because of failure, maintenance, or testing and for implementing a staggered test strategy) have been discussed. In addition, since the CCF contributions can be a dominant contributor, sensitivity analyses with respect to these parameters are suggested in Section 4.5. Recovery factors used in the PRA model may need to be reviewed to learn if the component assumed to be down because of failure is credited to be recovered. For example, consider that a TS change for an emergency diesel generator (EDG) is being evaluated, and conditional CDF for the EDG being down is being calculated. Then, if the cutsets used to calculate the conditional CDF take credit for the same EDG being recovered, such recovery factors should be modified. In such cases, no credit should be taken.
A.1.3.4 Calculations of Transition Risk
Transition risk is calculated to compare the risk of continuing operation in a given LCO to that of a transition to plant shutdown. Such comparisons can be used to decide which option is preferable and which other alternatives may be used. Such evaluations particularly apply for systems used to remove decay heat. The following considerations apply in calculating transition risk:
(1) Various stages of the shutdown cooling phases and the operator's interactions should be modeled to assess the impact on the CDF of shutting down the plant in an LCO.
(2) Any initiating event not modeled in the basic PRA, but important during the shutdown phases, should be modeled. Specific examples are those events that challenge the residual heat removal (RHR) system and that can render part of it unavailable. Also, the frequency of initiating events during the transition to shutdown may have to be reassessed, since it may differ from that during power operation (e.g., more frequent loss of offsite power or loss of main feedwater during the transition to shutdown).
(3) Different recovery paths applicable at various stages of shutdown should be modeled to realistically quantify the risk of shutting down, considering the diminishing levels of decay heat.
(4) Available time margins for uncovering the reactor core and heating up the suppression pool [in a boiling water reactor (BWR)] or drying out the steam generator [in a PWR] need to be modeled to evaluate specific accident sequences.
A.2 Data Needs for TS Change Evaluations
A request for plant-specific TS changes should use plant-specific data and not rely solely on generic data or data from similar plant designs. Usually, TS changes are requested because plant operation indicates that such changes are needed and accordingly, plant-specific data are expected to be available. For the components or systems for which TS changes are being considered, plant-specific data should be evaluated and assurance should be obtained that the data used are consistent with the plant experience. The use of other than plant-specific data should be justified.
When a generic analysis is being performed using a representative plant model, the use of generic data from similar plants is acceptable. The generic data should bound the specific plants under consideration, not an average plant.
A.2.1 Care in Using Plant-Specific Data
When plant-specific data are used to update input parameters of the PRA during a TS change evaluation (additional to that used during the latest update of the PRA), care should be taken that such data are consistently used both for the base case, where existing TS requirements apply, and the change case, where TS changes are incorporated. This is done to ensure that the increase in the risk measure obtained is due to the TS change only and not to the use of plant-specific data in aspects of plant operation.
This situation typically arises when recent plant-specific data are evaluated and reduced values of the parameters are obtained. Use of the reduced values may negate the risk increase from the TS change and may give an erroneous impression that the TS change has reduced the risk. When the base case is also updated, such difficulties are avoided.
Sensitivity and uncertainty analyses should also be performed using the same set of input data.
A.2.2 Considerations When Generic Data Are Used
When generic data are used for the TS parameters in evaluating TS changes, focus should be on justifying very small changes which do not strongly depend on the data parameters.
Reasons why generic data are being used and why generic data apply for plant-specific evaluations should be presented. In many cases, because of limited experience, use of plant-specific data may result in very optimistic values, justifying use of generic data.
A.2.3 Specific Data Needs
Basic data needed for a PRA-informed TS change evaluation for risk-informed regulation are those collected as part of the PRA. Comparative risk calculations for LCO changes require no additional data beyond those in the Full-power Operations Level 1 and the Low Power/Shutdown Level 1 PRAs. The additional data needs for evaluating changes in surveillance requirements [such as surveillance test intervals (STI)] and allowable outage times (AOT) are discussed in this subsection.
A.2.3.1 Maintenance-Downtime Data
The maintenance downtime data need to be partitioned into plant-specific unplanned unavailability for unscheduled maintenance and planned unavailability for preventive maintenance or testing. For this purpose, data are needed on the frequency of events leading to planned and unplanned maintenance, i.e., the number of occurrences of each type of downtime event during a given time period, and the time interval that the component was out of service for each occurrence. These data are also needed for judging whether an adequate AOT is being provided to complete a repair. The distribution of downtimes also can be used to estimate the expected risk for a given AOT.
The distribution of time for unscheduled maintenance may shift when an AOT is being changed. For this reason, information about such an influence on the distribution is not expected to be available when the AOT modification is being evaluated. The average downtime can be assumed to proportionally increase with the increase in the proposed AOT for downtimes associated with unscheduled maintenance. For scheduled (preventive) maintenance, the downtime assumed can be representative of plant practices (e.g., one-half of the AOT).
A.2.3.2 Maintenance Schedules and Frequency
These data include the maintenance scheduling used by the plant for defining the situations in which multiple equipment or system trains may be taken down for PM. These schedules are important to ensure that high risks from components being simultaneously down, implicitly allowed by the TS change, do not occur.
The maintenance frequency or frequency of downtime for a component may be from 3 to 10 times higher than the failure frequency. Since AOTs can be used for maintenance, the frequency of maintenance should be incorporated in estimating the downtime frequency.
A.2.3.3 Data Relating to Component Testing
The following data related to component testing, in addition to those available as part of the PRA study, form part of a TS change evaluation relating to surveillance requirements:
- A list of the components being tested, any component realigned from the safety position during a test, duration of the test, and the test frequency recommended by the manufacturer.
- The efficiency of the test (i.e., the failure modes detected by the test in regard to components, support system interfaces, and so forth). Bounding assumptions can be made if obtaining detailed data or related information is costly.
- Any potential for negative effects of surveillance testing (e.g., that may cause the potential for introducing plant transients, or that may cause unnecessary wear of the equipment) should be taken into account by the analyses. Preliminary evaluations can be used to determine if a more detailed analysis should be performed.
- The test strategy used for the redundant components in a system (i.e., whether staggered or sequential testing is performed) should be stated. The standard PRA quantification assumes that components follow no specific schedule and are randomly placed with regard to one another. By staggering the test times of components in different trains, the test-limited risk contribution will be reduced for the same STIs as compared to the PRA assumption. Conversely, if the tests are carried out sequentially, the test-limited risk will increase compared to the PRA assumptions.
A.2.3.4 Parameters for Component Unavailability
The component unavailabilities used in a PRA contain a number of parameters that are relevant for evaluating TS changes. These parameters should be delineated, as modeled, to facilitate evaluations to be conducted and reviewed by the regulatory authority. The following desirable parameters contribute to the estimated component unavailability:
- Component failure rate
- Component test interval
- Maintenance/repair downtime contribution (maintenance frequency, downtime for scheduled and unscheduled maintenance)
- Test downtime, if applicable
- Human errors following test or maintenance, if modeled
- Separation of cyclic-demand vs. standby time contribution, if modeled
A.2.3.5 Separating Demand and Standby Time Contributions to Unavailability
Since the test-limited risk (typically defined as RD) is associated with a failure occurring between tests, the failure rate that should be used in calculating the test-limited risk is the standby time-related failure rate, which is associated with what can occur while the component is in standby between tests. Test-limited risk contributes to increases in risk associated with longer test intervals due to the longer time to detect standby-stress failures.
The time-related failure rate is expressed in units per time period, such as per hour. For estimating RD, the data needed are the standby stress failure rate of the component and the proposed test interval.
The failure probability of a component consists of a time-related contribution (the standby time-related failure rate), and a cyclic, demand-related contribution (the demand stress failure probability). The latter is the probability contribution associated with failures which are caused by demanding, starting, or cycling the component, which include (but are not necessarily limited to) test-caused transients as discussed below in subsection 5.4.3.6.
Since the test-limited risk, RD, is associated with a failure occurring between tests, the failure rate that should be used in calculating the test-limited risk is the time-related standby stress failure rate. From the total number of failures on demand, the number of failures due to standby stress and the number of failures from demand stresses can be partitioned by either an engineering analysis of failure causes or by a graphical method based on the relationship between the observed number of failures and the test interval lengths from which the failures came.
The test-caused contribution to risk is primarily composed of Rdown, the risk contribution due to the unavailability of equipment resulting from aligning equipment away from its preferred position/state to conduct a test, when there is no automatic return to the preferred position.
The additional data needed for estimating this parameter are the surveillance test interval and the out-of-service time needed for each test.
Dividing the failure probability into a time-related and cyclic demand-related contribution results in a lower test-limited risk because only part of the component's failure rate is treated as time related. However, treating only part of the failure rate as being time related when this is not the case underestimates the test-limited risk; therefore, such a breakdown of the failure rate needs to be justified through data analysis or engineering analyses.
Also, sometimes only the failure probability (i.e., the component unavailability q) may be provided without giving a failure rate. In such a case, the effect of a change in the test interval cannot be evaluated unless the component test interval previously used for true T is used to convert the unavailability q in terms of λ and T. When the breakdown between time-related and cyclic demand-related contribution is unknown, all failures can be assumed to be time related to obtain the maximum test-limited risk contribution.
In summary, the data required for measuring a change in risk with a change in the surveillance test interval are a breakdown of the failure probability of the component into its time-related and demand-related components, the proposed test interval, and the out-of-service time for surveillance testing for the component.
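The following Python sketch is an added illustration, not part of the draft guide. It works through the conversion of a reported unavailability q into a standby failure rate and demand contribution (A.2.3.5) and the base-case consistency point of A.2.1. It assumes the standard approximation q(T) = q_demand + λT/2 for a periodically tested standby component, which the guide does not state; all function names and numbers are constructed, and component unavailability stands in for the plant risk measure.

```python
"""Added illustration: sensitivity of standby-component unavailability to the
surveillance test interval. Assumed model (not stated in the guide), valid for
lambda*T << 1:   q(T) = q_demand + lambda_standby * T / 2
"""

def partition(q, T, demand_fraction=0.0):
    """Split unavailability q, obtained at test interval T (hours), into
    (lambda_standby per hour, q_demand). demand_fraction=0.0 treats all
    failures as time related, the bounding case when the split is unknown."""
    if T <= 0 or not 0.0 <= q <= 1.0:
        raise ValueError("need T > 0 and 0 <= q <= 1")
    if not 0.0 <= demand_fraction <= 1.0:
        raise ValueError("demand_fraction must lie in [0, 1]")
    q_demand = q * demand_fraction
    return 2.0 * (q - q_demand) / T, q_demand

def unavailability(lam, q_demand, T):
    """Average unavailability at test interval T under the assumed model."""
    if lam * T > 0.1:
        raise ValueError("approximation requires lambda*T << 1")
    return q_demand + lam * T / 2.0

def delta_q(q, T_old, T_new, demand_fraction=0.0,
            rate_update=1.0, update_base=True):
    """Change in unavailability when the test interval goes T_old -> T_new.
    rate_update scales lambda_standby to mimic newer plant-specific data;
    update_base=False applies it to the change case only (the inconsistent
    treatment that A.2.1 cautions against)."""
    lam, q_demand = partition(q, T_old, demand_fraction)
    base_lam = lam * rate_update if update_base else lam
    base = unavailability(base_lam, q_demand, T_old)
    change = unavailability(lam * rate_update, q_demand, T_new)
    return change - base

if __name__ == "__main__":
    # Constructed inputs: q = 0.01 at a 720 h interval, proposed 2160 h.
    print("bounding, all time related :", delta_q(0.01, 720, 2160))
    print("40% demand related         :", delta_q(0.01, 720, 2160, 0.4))
    print("new data, change case only :",
          delta_q(0.01, 720, 2160, rate_update=0.3, update_base=False))
    print("new data, both cases       :",
          delta_q(0.01, 720, 2160, rate_update=0.3, update_base=True))
```

With these constructed inputs, applying the reduced failure rate to the change case alone yields a negative difference, while applying it to both cases shows the increase attributable to the longer interval.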
A.2.3.6 Test-Caused Transients
To evaluate and identify the test-caused transients risk (typically defined as Rc), transient events should be analyzed and those caused by a test should be identified. In most cases, this requires reading through the description of transients that have occurred and noting those caused by the test. When longer test intervals are allowed, the resulting reduction in test-caused transients per unit time tends to cause decreases in risk due to fewer adverse effects of testing over that longer test interval (which, however, will be partially or wholly balanced by increases in RD that are caused by the longer time period before detection and correction of failures).
The transient events are obtained from the following plant operating data:
(1) Performance indicator reports: These reports list the number of reactor trips and safety system actuations at each plant, the date of the events, and the numbers of the relevant licensee event reports (LERs).
(2) LER system: Reactor trips are described in LERs.
When test-caused transients for a single plant are evaluated, the plant-specific data may be sparse unless the plant's operating experience covers a substantial period. When this is the case, more data may be used from the operating experience of other plants of similar vintage (for example, other BWR/4s) assuming that the likelihood of occurrence of test-caused transients is similar for all the plants in the data base. (The performance indicator reports categorize plants according to design classes.)
A.2.3.7 Data for Evaluating Transition Risk
Data available in a PRA for full-power operation provide the basic information for evaluating the transition risks when a plant is being shut down for an LCO. In addition, the PRA for low-power and shutdown operations, if available, will significantly ease the acquisition of the data necessary for evaluating the risk of shutdown. The low-power and shutdown PRAs typically contain relevant data, such as the durations of shutdown phases and the frequencies of initiators that may occur during shutdown operation (e.g., loss of RHR).
The full-power PRA is available for most operating plants, but the low-power and shutdown PRAs may be available only for some plants. Hence, the data needed to evaluate transition risk are discussed here, assuming that only data from a full-power PRA are available:
(1) Plant-specific data on shutdown operations: To analyze shutdown phases in detail, plant-specific information may be needed, such as operating and abnormal procedures, shift supervisor's log books, or monthly operating reports. From this information, data on timing of the plant shutdown and operational preferences of equipment during plant shutdown can be extracted.
(2) Plant-specific traditional data: The evaluation of heatup and recovery scenarios, including estimates of heatup time, requires some design data on the plant, such as the temperature of the ultimate heat sink, or the cooling capacity of the RHR system.
These data typically are available from the plant's final safety analysis report (FSAR).
(3) Frequency of transients during controlled shutdown: The LERs for the plant may need to be reviewed in order to evaluate the likelihood of transients during controlled shutdown. The likelihood of a transient during a shutdown may be different from that during power operation (this should be considered).
Regulatory Analysis
- 1. Statement of the Problem
During the past several years, both the Commission and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point that it can be used increasingly as a tool in regulatory decisionmaking. In August 1995 the Commission published a policy statement that articulated the view that increased use of PRA technology would 1) enhance regulatory decisionmaking, 2) allow for a more efficient use of agency resources, and 3) allow a reduction in unnecessary burdens on licensees. In order for this change in regulatory approach to occur, guidance must be developed describing acceptable means for increasing the use of PRA information in the regulation of nuclear power reactors.
- 2. Objective
To provide guidance to power reactor licensees and NRC staff reviewers on acceptable approaches for utilizing risk information (PRA) to support requests for changes in a plant's current licensing basis (CLB). It is intended that the regulatory changes addressed by this guidance should allow a focussing of both industry and NRC staff resources on the most important regulatory areas while providing for a reduction in burden on the resources of licensees. Specifically, guidance is to be provided in several areas that have been identified as having potential for this application. These applications include risk-informed inservice testing, technical specifications, and graded quality assurance.
- 3. Alternatives
The increased use of PRA information as described in the draft regulatory guides being developed for this purpose is voluntary. Licensees can continue to operate their plants under the existing procedures defined in their CLB. It is expected that licensees will choose to make changes in their current licensing bases to use the new approaches described in the draft regulatory guides only if it is perceived to be to their benefit to do so.
- 4. Consequences
Acceptance guidelines included in the draft regulatory guides state that only small increases in overall risk are to be allowed under the risk-informed program. Reducing the test frequency of valves identified to represent low risk as provided for under this program is an example of a potential contributor to a small increase in plant risk. However, an improved prioritization of industry and NRC staff resources, such that the most important areas associated with plant safety receive increased attention, should result in a corresponding contributor to a reduction in risk. Some of the possible impacts on plant risk cannot be readily quantified using present PRA techniques and must be evaluated qualitatively. The staff believes that the net effect of the risk changes associated with the risk-informed programs, as allowed using the guidelines in the draft regulatory guides, should result in a very small increase in risk, maintain a risk-neutral condition, or result in a net risk reduction in some cases.
- 5. Decision Rationale
It is believed that the changes in regulatory approach provided for in the draft regulatory guides being developed will result in a significant improvement in the allocation of resources both for the NRC and for the industry. At the same time, it is believed that this program can be implemented while maintaining an adequate level of safety at the plants that choose to implement risk-informed programs.
- 6. Implementation
It is intended that the set of risk-informed regulatory guides be published by the end of CY 1997.