ML031960663
| ML031960663 | |
| Person / Time | |
|---|---|
| Issue date: | 07/15/2003 |
| From: | Beckner W NRC/NRR/DIPM |
| To: | Pietrangelo A Nuclear Energy Institute |
| Tjader T., NRC/IROB, 415-1187 | |
July 15, 2003
Mr. Anthony Pietrangelo, Director
Risk and Performance Based Regulation
Nuclear Energy Institute
1776 I Street, N. W., Suite 400
Washington, DC 20006-3708
Dear Mr. Pietrangelo:
The Nuclear Regulatory Commission (NRC) has completed its acceptance review of the Nuclear Energy Institute proposed Risk Management Guide for generic implementation of Risk Management Technical Specifications (RMTS) Initiative 4b, submitted on January 21, 2003.
RMTS Initiative 4b proposes the use of risk-informed AOTs through the application of a configuration risk management program in conformance with the guidance presented in the Risk Management Guide. Enclosed are staff comments on the Risk Management Guide. We are prepared to meet with you to further discuss these comments to ensure the Risk Management Guide is acceptable, and to assist in making progress on Initiative 4b.
Please contact me at (301) 415-1161 or e-mail wdb@nrc.gov if you have any questions or need further information on these proposed changes.
Sincerely,
/RA/
William D. Beckner, Branch Chief
Reactor Operations Branch
Division of Inspection Program Management
Office of Nuclear Reactor Regulation
Enclosure: As stated
cc w/encl: See next page
ML031960663
DOCUMENT NAME: G:\\RORP\\TSS\\Tjader\\RMGuide-AccpetanceReviewLetter.wpd
| OFFICE | TSS:IROB:DIPM | (A)SC:IROB:DIPM | BC:IROB:DIPM |
|---|---|---|---|
| NAME | TRTjader:sg | SLMagruder | WDBeckner |
| DATE | 07/11/2003 | 07/15/2003 | 07/15/2003 |
cc via e-mail:
- Mr. Tony Pietrangelo, Nuclear Energy Institute
- Mr. Biff Bradley, Nuclear Energy Institute
- Mr. Mike Schoppman, Nuclear Energy Institute
- Mr. Alan Hackerott, Chairman, Omaha Public Power District
- Mr. Jim Kenny, Pennsylvania Power & Light Company
- Mr. James Andrachek, Westinghouse Electric Company
- Mr. Jack Stringfellow, Southern Nuclear Operating Company
- Mr. Donald McCamy, Browns Ferry Nuclear Plant
- Mr. Ray Schneider, Westinghouse Electric Company
- Mr. Frank Rahn, EPRI
- Mr. Wayne Harrison, STP
- Mr. Drew Richards, STP
- Mr. Gabe Salamon, PSEG Nuclear
- Mr. Gene Kelly, Exelon
- Mr. Rick Hill, General Electric Nuclear Energy
- Mr. Michael S. Kitlan, Jr., Duke Energy Corporation
- Mr. Noel Clarkson, Duke Energy Corporation
- Mr. Donald Hoffman, EXCEL Services Corporation
- Mr. Ted Book, Framatech-ANP
- Mr. R. J. Schomaker, Framatech-ANP
- Mr. J. E. Rhoads, Energy Northwest
- Ms. Deann Raleigh, Scientech
- Mr. Ken Canavan, DS&S
- Mr. Sam Chien, SCE
- Mr. Gary Chung, SCE-SONGS
- Mr. Courtney Smyth, PSEG Nuclear LLC
- Mr. Jerry Andre, Westinghouse Electric Company
- Mr. David Helher, Exelon
NRC STAFF ACCEPTANCE REVIEW QUESTIONS REGARDING RISK-MANAGEMENT TECHNICAL SPECIFICATIONS NEI/RITSTF RISK MANAGEMENT GUIDE
GENERAL COMMENTS
1.
The document contains misspelled words. The treatment of acronyms is inconsistent; some acronyms are never defined, others are defined after being used several times, and others are frequently defined. Punctuation needs improvement. The use of i.e. and e.g. is not always correct and could cause confusion, especially in a guidance document meant to be followed by implementors throughout the nuclear power industry.
2.
The implementation of the proposed RMTS approach needs to be justified in accordance with guidance provided in RG 1.177 and RG 1.174. Will the implementation of the proposed RMTS approach meet the guidance stated in these two regulatory guides? If the answer is yes, please discuss how such guidance will be met.
3.
The topical report documenting the risk management guide was prepared by EPRI and CEOG for NEI. It needs to be clearly stated that the report is proposed for both CE and non-CE reactors. [page 1]
4.
Presently the TS requirements are relatively easy to inspect. Unless the requirements for RMTS are clearly stated in the TS, the inspectors may have a difficult time verifying the implementation of flexible completion times. The TS should state that the licensee's risk assessment and risk management actions must be in accordance with [Risk Management Guide, ----]. How does the RITSTF see the proposed risk management approach fitting into the regulatory framework and regulatory process?
5.
Recommend that the guide be revised to address maintenance of equipment during: high demand months, bad weather, when electric demand is high, and other times of external vulnerability, such as plant vulnerabilities to terrorist attack.
COMMENTS CONCERNING CLARITY OF THE GUIDE TERMS, DEFINITIONS, EDITORIAL CHANGES, and EXPLANATIONS REQUIRED
1.a.
[pages 4, 5, 11, 26] Use of figures needs work. The static nature of figure 3-1 does not capture the dynamic nature of emergent conditions. For example, what happens when an emergent condition creates a configuration that is outside the modeling capability of the PRA so that calculation of a RICT is not possible? The discussion of determining a RICT under Process Description is hard to follow and could benefit from use of a diagram.
1.b.
Page 11 flow chart:
- i. first stop RICT not required - should it also read not permitted?;
- ii. who determines what makes a qualified staff to perform a RICT?;
- iii. monitor configuration risk factors - what is the frequency of this?
2.
On page 17 and 18, it is stated: "It is important to note that a RMTS program should not permit intentional, simultaneous disabling of all trains of any key safety function." This sentence needs clarification. The sentence should state "It is important to note that a RMTS program SHALL not permit intentional, simultaneous disabling of all trains of any key safety system" and define a key safety system. Loss of function for key systems should be addressed outside this initiative.
3.
Terms need to be better defined and explained; functional vs operable, degree of residual capability, intended vs specified, restored to service, key safety function, RMTS tool vs quantitative risk assessment tool, etc.
4.
A clear definition should be provided in Appendix A for the terms front-stop and back-stop.
5.
Page 16 - item 2 of section 3.4.2 states...to shutdown and maintain the reactor in a safe shutdown condition.... Define the safe shutdown condition and show its relationship with LCO 3.0.3 of the STS, related to the shutdown end states. Discuss the interrelationship of this initiative with Initiative 6 on modifying TS 3.0.3.
6.
Review the entire document to ensure that when a given direction is imperative, it utilizes an appropriate word, such as, shall.
7.
In some places it says "fire, seismic, and or flood" (p.8); "fire, floods, and external flooding" (p.22). Other places it says external events should be considered, which I would include hurricanes, tornados, local events (e.g., fire at near-by plant). Other places just say initiating events without calling out external events (p.12). Please re-check document to be consistent or are events limited to just the listed events?
8.
Pages 14/15 add bullet to include industry experience.
9.
Page 32 2nd paragraph states that "...Additional discussion on these features is presented in Section 5.3." Section 5.3 is missing.
10.
Page 3:
- a. What is the implication of, The RMTS... will not change the manner in which plant design parameters are controlled.?
11.
Page 4:
- a. How is risk justified?
- b. How is Guidance for continuing maintenance beyond the CT tracked; recommend rewording sentence to make clear that it is the continuing maintenance beyond the CT that is tracked and not the guidance?
12.
Page 5:
- a. How do you enter a front-stop CT; recommend clarifying sentence to explicitly state that it is the LCO Condition and Required Actions that are being entered?
- b. What does this mean: Note at intermediate risk levels plant actions will escalate to be commensurate with the projected risk.?
- c. The rest of Section 2 appears to be leftover paragraphs that had been written but found no acceptable home in the document; coherence is needed.
- d. Note that the NRC has never endorsed Reference 3, which is revision 3 of NEI's guidance for implementation of the maintenance rule. NRC has endorsed revision 2 of NUMARC 93-01 plus a revised Section 11 dated February 22, 2000. Comment also applies to page 33.
13.
Page 6:
- a. How do you assess and manage the risk impact incurred from plant configuration risk management?
- b. It appears that what is being said is that the (a)(4) process involves a greater reliance on PRA methods and insights in establishing and planning maintenance activities than implementation of the RMTS will require; when what is meant is the inverse; recommend rewording.
14.
Page 7:
- a. What is an RMTS tool?
- b. What is the meaning of, "The assessment then requires... performance of a risk assessment...."? Recommend rewording for clarity.
15.
Page 8:
- a. In (2).. How do you perform a risk assessment of the inoperability? Clarify.
- b. In (2).. Same sentence.. That is done to justify continued power operation beyond the front-stop. Suggest adding the determination of the feasibility of continued power operation etc.?
- c. In (3) the word manage is misspelled and a comma is missing after manage risk.
- d. In (4).. The time line seems reversed: AFTER entering the extended CT, THEN re-perform the risk assessment?
- e. The first three sentences of the paragraph beginning at the bottom of the page need clarity.
16.
Page 9:
- a. Agree that the risk assessment shall be documented.
- b. How will the risk assessment be documented and what will be in the documentation?
17.
Figure 3-1:
- a. 3rd box text is incomplete.
- b. SIGNIFICANT ISSUE: How are Qualified Staff selected/determined/etc. This is a significant issue with respect to all uses of risk assessment.
- c. How do you perform an RICT?
- d. Next oval.. Who is qualified to review and approve RICT assessment?
- e. Time line. Is it appropriate to implement configuration before establishing risk management actions?
- f. Next oval.. What are the risk factors to be monitored?
- g. The Yes words on the decision branches are illegible.
18.
Page 13:
- a. In 9.. Define "promptly" as in "promptly restored to service." Comment also applies to page 28.
- b. UNACCEPTABLE: "In these cases, the assessment may consider the time necessary for restoration of the SSC's function, with respect to the time at which performance of the function would be needed." This issue caused major problems in maintenance rule space. However, the technical specifications were always considered a safety net or backstop to the application of this logic. It now appears that the RMTS program is removing that safety net to the benefit of the plant operators and to the potential detriment of safety.
- c. In 10.. "Procedural guidance should be provided to specify the appropriate completion time for reassessing the risk." To be provided when and by whom?
19.
Page 14:
- a. What are equipment maintenance configurations? Clarify.
- b. Next sentence.. What does this mean: "... SSCs that have or could have front-stop CT requirements imposed...." (emphasis added)
20.
Page 15:
- a. Second bullet.. How are the dependencies modeled to ensure adequacy of the assessment?
- b. Fifth bullet.. If the process is available, should it not also be used?
21.
Page 18:
- a. There are no maintenance rule requirements to establish and meet SSC performance criteria. Such aspects of implementing the rule come from NEI guidance and are not required by the rule.
- b. How can one observe actual temporary risk impacts?
- c. The statement that "Risk management can be effectively accomplished by using qualitative insights from the PRA" is not always true.
22.
Page 19:
The statement that "Qualitative methods to establish risk management actions would generally be necessary to address SSCs not modeled in the PRA, and for shutdown conditions" may better be modified to acknowledge that many licensees have PRAs that function for shutdown conditions.
23.
Page 20:
- a. The phrase, which events cause the risk level, needs to be clarified.
- b. The parenthetical phrase, i.e., in a weekly maintenance plan, indicates that the only way maintenance can be intentionally and deliberately pre-scheduled is through such a weekly maintenance plan. True?
24.
Page 21:
- a. The erroneous statement is made that, "The quantitative risk acceptance guidelines presented in Table 3-2 are consistent with NRC Maintenance Rule (a)(4) guidance." Quite different.

| | Table 3-2 (Risk Acceptance Guidelines) | NUMARC 93-01 (Risk Management Actions) |
|---|---|---|
| >10^-3/yr | Config risk not voluntarily entered | Careful consideration before entering config |
| >10^-5 | C.R. not voluntarily maintained(?) | Config should not normally be entered voluntarily |
| >10^-6 | (words make no sense*) | Take risk mgmt actions |
| <10^-6 | (words make no sense*) | Normal work controls |

\* How can risk be greater than time???
25.
Page 23:
- a. What is the meaning of RMTS thresholds?
- b. On this page it is stated, Risk management actions should be considered for plant configurations whose instantaneous and cumulative risk measures are predicted to approach or exceed RMTS thresholds. It sounds unacceptable; clarify. Compare with Page 24, where it says: Controlled plant shutdown should be considered for plant configurations whose instantaneous and cumulative risk measures are predicted to exceed RMTS thresholds. Which sounds contradictory.
26.
Figure 3-2:
- a. Define when operating risk is unacceptably high.
- b. Define when projected integrated risk to complete is acceptable.
- c. Define criteria in determination of SD risk compensate benefit for increased operational risk? [Explain the figure.]
27.
Page 27:
- a. In 3.6.1... The last sentence is misleading. No (a)(4) assessment is required at the time of establishing the compensatory measure, but one IS required before performing the maintenance to address the degraded or nonconforming condition.
- b. In 3.7.2.. Last line.. shall or must vice should.
28.
Page 38:
The definitions of functional and the phrase as modeled in the plant-specific PRA need to be clarified.
29.
Page 40:
The definition of operable is almost the same as the NRC/TS definition; the word and has been replaced with or in two places; why?
30.
Page 43:
- a. As a matter of record, the pre-1999 versions of the maintenance rule DID NOT require licensees to assess and manage risk, as the rule does today.
- b. The statement that This rule requires that a risk assessment be performed prior to voluntary entry into a maintenance configuration... is erroneous. The rule requires a risk assessment before performing maintenance activities, regardless of configuration or whether equipment will be taken out of service.
- c. Once again, "the guidance for satisfying the requirements of this rule provision is defined in Section 11 of NUMARC 93-01 (Reference 3) and has been endorsed by the NRC...." Note: the NRC has not endorsed Reference 3.
COMMENTS CONCERNING IMPLEMENTATION TIMES
1.
[pages 4, 8, 10, 13, Table 3-1] Times for performing risk assessments need a rational basis. Why 24 hours for emergent conditions; why not 6 hours or less; why not minutes? How is [6] hour re-assessment time limit implemented? Why 30 days for the backstop time; what precludes a NOED at that point?
1.b.
Page 5 - 3rd paragraph discusses the recalculation of the RICT for a changed maintenance configuration. An example of 24 hours is used as acceptable time to complete the RICT recalculation. Provide the basis for the acceptable required time to complete the RICT recalculation and address the risk significance of the duration of the recalculation time during which the original target RICT is exceeded.
1.c On page 10, Table 3-1 third column, it is stated that licensees will verify that the completion time extension is acceptable "In accordance with the RMTS Program (i.e., within 24 hours of a subsequent configuration change)." This statement needs to be revised to distinguish between voluntary and involuntary (emergent) configuration changes. For voluntary configuration changes, the acceptability of the extension (or continued extension) should be verified before entering the new configuration. For emergent configuration changes, such acceptability should be verified expeditiously (e.g., within one hour) to ensure that it is safe to operate the plant at the current configuration until a more detailed risk assessment is performed. A longer period (e.g., 24-hours) can be allowed to perform and document a more detailed risk assessment.
1.d.
The staff feels that 30-day completion time is a very long time for an equipment to be inoperable. The guide should provide the basis for establishing a maximum of 30-day completion time. The staff believes that most of the maintenance and repairs on the safety equipment can be accomplished within 14 days (based on industry experience a complete overhaul of a diesel generator can be accomplished within 14 days).
Consideration need be given to restoring compliance with such GDCs as 17, 34, and 35, and to single failure criteria as soon as practical when determining the appropriate completion time.
1.e.
The staff feels that the unavailability of the safety equipment would increase with the proposed completion time of 30 days. How would this increase in unavailability satisfy the requirements of maintenance rule regarding minimizing unavailability of safety systems?
1.f.
Has any consideration been given to Nuclear Power Plant security, in light of the recommended long completion times? Shouldn't the guide provide guidance on what measures the licensees should take in order to protect the plant equipment during this period?
1.g.
On page 28, Testing, it is stated that SSCs out of service for testing are considered unavailable, unless the test configuration is automatically overridden by a valid starting signal, or the function can be promptly restored... The guide should define promptly, such as within 5 minutes. It is not clear what promptly means here.
2.
[page 15] Existing completion time (front-stop time) provided in the TS may not be conservative for certain plant configuration (maintenance activities on multiple SSCs).
Table 3-1 suggests that the licensees have to verify only the time beyond the front-stop completion times. The licensees have to do a risk assessment for the configuration they are in to validate the completion time. The approach of this process seems to be based on the assumption that all completion times specified in the existing technical specifications are conservative.
PRA QUALITY, RISK ASSESSMENT PROCESS and RISK MANAGEMENT
1.a.
[pages 13, 14] PRA Quality considerations need to be defined; depth/rigor commensurate with complexity of plant configuration; qualitative vs quantitative vs blended risk assessment requirements need to be explicit. Shouldn't level 3 ASME PRA standards be required for technical specification work rather than level 2? What is more important than operational safety?
1.b Page 4 - 2nd paragraph states that...The assessment should be performed...and supported by a plant...(PRA) and other risk management tools.... Provide examples to illustrate what are the other risk management tools that may be used, and address their acceptability for use in risk assessment to support the risk management guide discussed in the topical report.
1.c How will TS on systems that do not contribute to CDF or LERF be addressed; will this process apply (e.g., SFP)?
1.d Page 14 - Last paragraph states... The PRA should meet...industry standards...(See References).... Where applicable, list the documents or letters by which the NRC either endorses or accepts the cited references in support of an acceptable plant PRA for use in the risk management guide.
1.e Page 22 mentions plants without external events PRAs, how broad of a spectrum are we allowing in terms of quality or completeness of PRA to apply the RMTS?
1.f.
Page 22 states that plants must appropriately consider the issue of uncertainty - who determines appropriateness? What guides are available to ensure industry uniformity?
2.a.
[pages 4, 8] How does risk assessment of (a)(4) differ from risk assessment of inoperability/for determining appropriate CT? Says the assessment process will be three tiered but the tiers are not discussed. Guidance needs to be more detailed and explicit.
2.b.
[page 7] Is there a limit to the number of changes allowed in a given period of time, such that a qualitative understanding of the risk is known?
3.a.
[pages 15, 16] It is not evident what decisions or actions the quantitative and qualitative considerations discussed refer to or how they relate logically (to the unspecified action or decision). What acceptance criteria will the results of these considerations be tested against? Qualitative Consideration 1 and 3 seem to be redundant since they both address impact on key safety functions.
3.b.
[page 21] The staff fully supports and expects that RMTS Quantitative Risk Acceptance Guidelines will be implemented that include both instantaneous and cumulative performance indicators, and used to assess risk management as an element of a unit's annual NRC assessment.
3.c.
[pages 5, 19, Figure 3-2] Why are acceptance guidelines of RG 1.177/1.174 not used? They seem entirely appropriate for this TS application. For example, RG 1.177 acceptance guidelines for a completion time change, an ICCDP of less than 5.0E-7 and an ICLERP of 5.0E-8 or less, are apparently not considered.
3.d.
Page 20 - Item 2 states that "[q]uantitative risk acceptance guidelines...are presented in Table 3.2...." Discuss the acceptability of the proposed acceptance risk guidelines in Table 3.2 for use in the RMTS risk analysis.
4.
On page 18, it is stated: "Plants that implement RMTS should develop measures to assess the aggregate risk with respect to its estimated impact on the average baseline risk. This could be accomplished through a periodic assessment of previous out-of-service conditions. Such an assessment may involve quantitatively estimating cumulative risks or may involve a qualitatively assessing the risk management approach employed versus the actual temporary risk impacts observed." The staff believes that guidance is needed on developing and using measures to assess the aggregate risk with respect to its estimated impact on the average baseline risk based on RG 1.174 criteria. Also, clarification is needed on how a qualitative assessment of the risk management approach versus the actual temporary risk impacts can be used to ensure that the plant's baseline risk will not increase by the implementation of the proposed RMTS program.
5.
On page 7, it is stated: In performing the RMTS assessment, the decision making process may optionally include consideration of transition risks associated with mode changes. Does this statement imply a quantitative consideration? The staff believes that for a quantitative consideration of transition risks, licensees will need appropriate models to ensure that the credit taken for avoiding transition risks (by continued operation at power) is not overestimated.
6.
On pages 6 and 7, items 1 to 4, several attributes that the RMTS process should have (in addition to MR (a)(4) attributes) are listed. These attributes relate to the development of procedures and guidance for implementing the RMTS process. For example, it states that the RMTS process shall.... Be documented in plant procedures delineating appropriate responsibilities for (a)(4) related actions, and Include guidance for using risk insights to manage overall plant risk. Are these attributes explained in the RMTS Risk Management Guide? Who is going to develop such procedures and guidance?
7.
On page 5, it is stated: "Consistent with the maintenance rule a target RMTS configuration risk would be a configuration ICDP of 1E-6 (as measured from entry into the RMTS). For emergent conditions (or forced, unplanned extension of planned maintenance) a maximum RICT equivalent to an ICDP of 1E-5 is identified." It is not clear why an ICDP of 1E-6, measured from entry into the RMTS, is consistent with the maintenance rule. It appears that if the ICDP were measured from the time the component is taken out for maintenance, the ICDP could be significantly above the 1E-6 target for normal work controls. Also, the exact meaning of the statement "forced, unplanned extension of planned maintenance" needs to be clarified. Is the underestimation of the time needed to perform maintenance on certain systems included in this statement? It appears that only one such case per year is likely to cause a significant increase in the plant's baseline risk. What would prevent licensees from using all allowed CT (front-stop), overestimating the maintenance they can perform within the RICT, and then using the "forced, unplanned extension of planned maintenance" clause to further extend the RICT? How will this scenario be controlled, especially when cumulative risks may not be always assessed quantitatively?
8.
On page 15 it is stated: "Removal of a single SSC from service for longer than its front-stop CT, or simultaneous removal from service of multiple SSCs for longer than the resulting most limiting front-stop CT, requires an assessment using blended... methods." Does the phrase "simultaneous removal from service of multiple SSCs for longer than the resulting most limiting front-stop CT" imply use of (a)(4)? An investigation may be needed to determine whether there are any interface issues between (a)(4) and RMTS program applied before and after the CT extension, respectively.
9.
Explain why the required PRA levels are different for the cases discussed in the following statements. Clarify any inconsistencies as necessary.
- page 6 - 3rd paragraph states that...The scope of the maintenance rule includes SSCs from plant Level 1 PRA....
- page 8 - 3rd paragraph states that...For emergent (unplanned) conditions,... PRA results should be based on PRAs with minimum Levels 1 and 2 attributes....
- page 30 - 2nd paragraph states that...Ideally, this supporting PRA is a full scope Level 2 or 3 PRA....
10.
Page 13 #10 - are all PRA performed prior to action except emergent conditions? Risk assessment guidance for emergent condition should be consistent with (a)(4) guidance?
11.
Pages 14/15 - what about updates to information, including industry experience? At what frequency should they be updated?
12.
Risk assessment and/or risk management actions to justify an extension of a completion time or validate an existing completion time shall be documented.
13.
The guidance document should specify the SSCs that must be considered for the risk assessment. This should also be addressed in TS bases. The existing guidance states that...the risk informed assessment scope may be limited to the following scope.....
14.
In general, configuration risk is now controlled to a large degree by fixed allowed outage times in current STS, and NRC review and approval of any proposed temporary extensions to completion times. Under the approach proposed in the Risk Management Guide, configuration risk would be controlled to a large degree by the licensee's risk management practices. Will guidance be provided on how licensees can monitor and report the overall change in plant risk associated with extending outage times under a RMTS 4b program to ensure that any increase is acceptably small? If so, what quantitative and qualitative criteria will be used to determine the acceptability of the licensee's performance in implementing risk management? If not, why not?