Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON , D .C. 20555 October 24, 1995 OFFICE OF THE SECRETARY MEMORANDUM TO : James M. Taylor Exe?Acutive ; .

• rector for Operations

~ -~

FROM : Johp C. Hoye, Secretary

SUBJECT:

SECY-95-215 - PROPOSED RULEMAKING FOR REPORTING EQUIPMENT RELIABILITY DATA The Commission (Chairman Jackson, exercising delegated authority pursuant to a delegation from the Commission*, in accordance with NRC Reorganization Plan No . 1 of 1980) has approved publication of the proposed rule for public comment. Prior to publication, the staff should address the following apparent inconsistencies in the statement of considerations (SOC) .

1. Since the staff has endorsed an NEI process for identifying risk-significant systems, structures and components (SSCs) in the context of the maintenance rule, why is there a need to develop another process for the data collection rule? Conceivably, a different process could identify SSCs that are not within the scope of the maintenance rule. (e.g., SOC at page 25)

2. In providing support on the need for the rule, the staff states that for most risk-significant systems, plant specific data are too sparse to support a meaningful evaluation of system reliability and availability. At the same time, in providing support on the need for plant specific data, the staff states that plant-specific data are needed because of the wide plant-to-plant variations in the design, importance, reliability and availability of particular systems and equipment . (e.g., SOC at pages 9 and 17)

• This decision was made after consultation with Commissioner Rogers, who has stated his agreement with the result announced here.

SECY NOTE: THIS SRM, SECY-95-215, AND THE VOTE SHEETS OF CHAIRMAN JACKSON AND COMMISSIONER ROGERS WILL BE MADE PUBLICLY AVAILABLE 5 WORKING DAYS FROM THE DATE OF THIS SRM.

The staff should incorporate the changes in the attachment.

Since unavailability and availability are probabilistic concepts, they should be defined accordingly.

The notice of proposed rulemaking should be provided to the Commission for information at least 10 days prior to being sent to the Federal Register.

(EDO) (SECY Suspense: 12/8/95)

The staff should continue to work with industry to try to arrive at a mutually acceptable program for providing data of interest.

Attachment:

As stated cc: Chairman Jackson Commissioner Rogers OGC OCA OIG Office Directors, Regions, ACRS, ACNW, ASLBP (via E-Mail)

19 whether or not the operation was terminated because of equipment failure. with the dates of any such failures; Cc) The number of hours e# §Q4]/pt,IQ~i/J§! unavailab]~ility, characterized according to the identification of the train affected . the plant mode at the time gqgJ Pfil@Dfi:!1§ of the unavailabJ/g-i-1-+t:Y- (operating or shutdown) .

@r~irn§@P@r1?~P:1gn:! 2m the type of unavailabj§ility R§R1R@cp1anned. unplanned.

or support system unavai l ab]§-i-1-+t:Y-) . and. if due to support system Q§Ji@ij unavailaoJ@-i-1-+t:Y-. identification of the support system ;

(d) For each P§B}QQ i@ 94J PW~Qpirn § unavai l ab]pi 1ity due to component failure(s). a failure record identifying the component(s) and providing the failure date . duration. mode. cause. and effect; and Ce) The number of hours when two or more trains from the same or different systems were concurrently unavailable. characterized according to the identifi cation of the train s that were unavailable .

The summary information would be reported annually and compiled on the basis of calendar quarters. or on a more frequent basis at the option of each individual licensee. Records and documentation of each occurrence of a demand . failure . or unavailab]J~ility P@R!}RP: that provide the basis for the summary data reported to the NRC would be required to be maintained on site and made available for NRC inspection.

In developing these data elements the NRC has. over the past three years. reached a consensus on the minimum data needed to support risk-based

20 applications and enhance implementation of the maintenance rule . During this period NRC staff has also interacted extensively with INPO and NEI in an effort to define the minimum reliability and availability data needed to satisfy the needs of both NRC risk-based regulatory applications and industry (licensee) uses of PRA .

The number of demands and the number of successful starts are needed to

• determine ~§PJm~~@ demand reliability. i.e . . the fraction of demands that result in successful starts . (The complement of this fraction pijqijiii!i n g$pJrµ~;f;~@t: is often called the probability of failure on demand). The actual number of demands and successes. as opposed to the ratio . is needed to compute confidence bounds on demand reliability.

The type of demand is needed to determine whether or not the demand reliability estimated by testing is approximately the same as the demand reliability for actual demands . Sometimes it is not. indicating a need for ijgpi~}Q@~rn more sophisticated data analysis in making reliability estimates.

The plant mode at the time of a demand is needed to g§\~Jrn~I§ determine the demand frequency, demand reliability. and unavailability according to plant mode . These factors. as well as the risk associated with unreliability and unavailability, can be quite different depending on whether the plant is in operation or shut down .

The hours of operation following successful starts are needed to compute

§§\R1m~j,ij the probability the equipment will function for a specified period of time .

21 This information is needed for systems that must operate for an extended period following an accident to fulfill a risk-significant safety function.

The hours of unavailability are needed to determine the fraction of time that a train is not available to perform its risk-significant safety function.

For some systems this can be an important or dominant contributor to the overall probability of failure to perform the system's safety function. It can be significantly affected by elective maintenance.

The type of unavailability (planned or unplanned) is needed to effectively utilize these estimates. For example. a high unplanned unavailability may indicate a need for more preventive maintenance; a high planned unavailability may indicate the opposite.

The hours of unavailability due to support systems failure or unavailability are needed to properly capture concurrent outages and to eliminate double counting. For example, an Emergency Service Water CESW) train pgjQg unavailab]§+-t-tty may result in other trains being unavailable as well; however. for purposes of estimating risk in a PRA study, that unavailability should not be counted more than once.

The date of each failure is needed to allow screening for potential common cause failures. Failures that occur closely together in time warrant review to see whether a common cause failure may be involved. Common cause failures may indicate a need for revised maintenance procedures or staggered

24 Demand is an occurrence where a system or train is called upon to perform its risk-significant safety function. A demand may be manual or automatic. It may occur in response to a real need, a test. an error. an equipment malfunction or other spurious causes. For the purposes of reporting under this rule. the demands of interest are those which are actual demands or closely simulate actual demands for the train or specific equipment involved.

Failure. for the purpose of reporting under this rule. is an occurrence where a system or train fails to perform its risk-significant safety function.

A failure may occur as a result of a hardware malfunction. a software malfunction. or a human error. Failures to start in response to a demand are reported under paragraph 50.76Cb)Cl)Ci). Failures to run after a successful start are reported under paragraph 50.76Cb)Cl)Cii).

Unava n abi 1i ty is ~m~:P09P~RJJ}ti¥]~h~~ an instance .,,here a required system or train is not in a condition to perform or is not capable of performing its risk-significant safety function. This may result from failure to start. from failure to run. or from intentional or unintentional removal of equipment from service (e.g .. for maintenance or testing).

Risk-significant safety function is a safety function that has or could have a significant effect on risk in terms of avoiding core damage accidents or preserving containment integrity.

Risk-significant systems and equipment are the systems and equipment which have or could have a significant effect on risk in terms of avoiding