ML042660358
| ML042660358 | |
| Person / Time | |
|---|---|
| Issue date: | 09/15/2004 |
| From: | Dyer J Office of Nuclear Reactor Regulation |
| To: | Floyd S Nuclear Energy Institute |
| Thompson JW, NRR/DIPM/IIPB, 415-1011 | |
| Shared Package | |
| ML042790514 | List: |
| References | |
| SECY-04-0053 | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

September 15, 2004

Mr. Stephen D. Floyd
Vice President, Regulatory Affairs
Nuclear Generation Division
Nuclear Energy Institute
1776 I Street, NW, Suite 400
Washington, D.C. 20006-3708
Dear Mr. Floyd:
As you are aware, the staff and industry have been working for over two years on a replacement for the Safety System Unavailability (SSU) performance indicator (PI). Its proposed replacement, the Mitigating Systems Performance Index (MSPI), is a risk-informed PI that sums and averages risk from the unavailability and unreliability of a system over a three year period of time.
In SECY 04-0053, "Reactor Oversight Process Self-Assessment for Calendar Year 2003," dated April 6, 2004, the staff outlined a number of advantages and disadvantages with the MSPI. The issues were further discussed with external stakeholders during a public Reactor Oversight Process (ROP) Working Group meeting on April 22, 2004. One of the issues discussed was the proposed elimination of the significance determination process (SDP) for areas covered by MSPI. Following the April 22, 2004, public meeting, the industry agreed to the Nuclear Regulatory Commission (NRC) staff's position to retain the SDP with MSPI implementation. This significant change allowed the staff to reassess the other issues outlined in SECY-04-0053. As a result of this reassessment, the staff concluded that many of the issues were reduced in significance or deemed non-critical to moving forward with MSPI implementation.
During the August 19, 2004, ROP Working Group meeting, the staff and industry reached agreement on the two remaining issues with the MSPI, and the staff agreed to move forward with MSPI implementation. As part of that agreement, the staff and industry agreed to define the minimum probabilistic risk assessment characteristics needed for MSPI implementation, and have established a task group for this purpose.
The staff expects that the MSPI temporary instruction, which will be conducted to ensure industry readiness, will be completed for all plants, and significant findings satisfactorily resolved prior to full implementation. As discussed during the August 19, 2004, meeting, in order to fully implement MSPI, all plants will need to implement MSPI on the agreed upon implementation start date; there will be no partial or delayed implementation.
As requested by the Nuclear Energy Institute, this letter confirms the NRC commitment to implement MSPI, as discussed above.
Sincerely,

J. E. Dyer, Director
Office of Nuclear Reactor Regulation
DRAFT NEI 99-02 MSPI Rev H 9/14/2004

APPENDIX F

METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY INDEX, THE UNRELIABILITY INDEX AND SYSTEM RELIABILITY LIMITS

This appendix provides the details of three calculations: the System Unavailability Index, the System Unreliability Index, and system component unreliability limits.

1. System Unavailability Index (UAI) Due to Train Unavailability

Unavailability is monitored at the train level for the purpose of calculating UAI. The process for calculation of the System Unavailability Index has three major steps:

- Identification of system trains
- Collection of plant data
- Calculation of UAI

The first of these steps is performed once for the initial setup of the index calculation. The second step has some parts that are performed initially and then only performed again when a revision to the plant specific PRA is made or changes are made to the normal preventive maintenance practices. Other parts of the calculation are performed periodically to obtain the data elements reported to the NRC. This section provides the detailed guidance for the calculation of UAI.
1.1. Identification of System Trains

The identification of system trains is accomplished in two steps:

- Determine the system boundaries
- Identify the trains within the system

Simplified P&IDs can be used to document the results of this step and will also facilitate the completion of the directions in section 2.1.1 later in this document.

1.1.1. System Boundaries

The first step in the identification of system trains is to define the system boundaries. Include all components that are required to satisfy the risk-significant functions of the system. For fluid systems the boundary should extend from the water source (e.g., tanks, sumps, etc.) to the injection point (e.g., RCS, Steam Generators). For example, high-pressure injection may have both an injection mode with suction from the refueling water storage tank and a recirculation mode with suction from the containment sump. For Emergency AC systems, the system consists of all class 1E generators at the station.

Additional system specific guidance on system boundaries can be found in section 5 titled "Additional Guidance for Specific Systems" at the end of this appendix.

Some common conditions that may occur are discussed below.
Component Interface Boundaries

For water connections from systems that provide cooling water to a single monitored component, only the final connecting valve is included in the boundary. For example, for service water that provides cooling to support an AFW pump, only the final valve in the service water system that supplies the cooling water to the AFW system is included in the AFW system scope. This same valve is not included in the cooling water support system scope.

Water Sources and Inventory

Water tanks are not considered to be monitored components. As such, they do not contribute to URI. However, periods of insufficient water inventory contribute to UAI if they result in loss of the risk-significant train function for the required mission time. Water inventory can include operator recovery actions for water make-up provided the actions can be taken in time to meet the mission times and are modeled in the PRA. If additional water sources are required to satisfy train mission times, only the connecting active valve from the additional water source is considered as a monitored component for calculating UAI. If there are valves in the primary water source that must change state to permit use of the additional water source, these valves are considered monitored and should be included in UAI for the system.

Common Components

Some components in a system may be common to more than one system, in which case the unavailability of a common component is included in all affected systems. (However, see "Additional Guidance for Specific Systems" for exceptions; for example, the PWR High Pressure Safety Injection System.)
1.1.2. Identification of Trains within the System

Each monitored system shall then be divided into trains to facilitate the monitoring of unavailability.

A train consists of a group of components that together provide the risk significant functions of the system as explained in the "additional guidance for specific mitigating systems". Fulfilling the risk-significant function of the system may require one or more trains of a system to operate simultaneously. The number of trains in a system is generally determined as follows:

- for systems that provide cooling of fluids, the number of trains is determined by the number of parallel heat exchangers, or the number of parallel pumps, or the minimum number of parallel flow paths, whichever is fewer.
- for emergency AC power systems the number of trains is the number of class 1E emergency (diesel, gas turbine, or hydroelectric) generators at the station that are installed to power shutdown loads in the event of a loss of off-site power. (This does not include the diesel generator dedicated to the BWR HPCS system, which is included in the scope of the HPCS system.)
Some components or flow paths may be included in the scope of more than one train. For example, one set of flow regulating valves and isolation valves in a three-pump, two-steam generator system are included in the motor-driven pump train with which they are electrically associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of unavailability of the valves should be reported in both affected trains. Similarly, when two trains provide flow to a common header, the effect of isolation or flow regulating valve failures in paths connected to the header should be considered in both trains.

Additional system specific guidance on train definition can be found in section 5 titled "Additional Guidance for Specific Systems" at the end of this appendix.

Additional guidance is provided below for the following specific circumstances that are commonly encountered:

- Cooling Water Support System Trains
- Swing Trains and Components Shared Between Units
- Maintenance Trains and Installed Spares

Cooling Water Support Systems and Trains

The cooling water function is typically accomplished by multiple systems, such as service water and component cooling water. A separate value for UAI will be calculated for each of the systems in this indicator and then they will be added together to calculate an overall UAI value.

In addition, cooling water systems are frequently not configured in discrete trains. In this case, the system should be divided into logical segments and each segment treated as a train. This approach is also valid for other fluid systems that are not configured in obvious trains. The way these functions are modeled in the plant-specific PRA will determine a logical approach for train determination. For example, if the PRA modeled separate pump and line segments (such as suction and discharge headers), then the number of pumps and line segments would be the number of trains.

Unit Swing trains and components shared between units

Swing trains/components are trains/components that can be aligned to any unit. To be credited as such, their swing capability should be modeled in the PRA to provide an appropriate Fussell-Vesely value.

Maintenance Trains and Installed Spares

Some power plants have systems with extra trains to allow preventive maintenance to be carried out with the unit at power without impacting the risk-significant function of the system. That is, one of the remaining trains may fail, but the system can still perform its risk significant function. To be a maintenance train, a train must not be needed to perform the system's risk significant function.
An "installed spare" is a component (or set of components) that is used as a replacement for other equipment to allow for the removal of equipment from service for preventive or corrective maintenance without impacting the risk-significant function of the system. To be an "installed spare," a component must not be needed for the system to perform the risk significant function.

Unavailability of the spare component/train is only counted in the index if the spare is substituted for a primary train/component. Unavailability is not monitored for a component/train when that component/train has been replaced by an installed spare or maintenance train.
1.2. Collection of Plant Data

Plant data for the UAI portion of the index includes:

- Actual train total unavailability data for the most recent 12 quarter period collected on a quarterly basis,
- Plant specific baseline planned unavailability, and
- Generic baseline unplanned unavailability.

Each of these data inputs to UAI will be discussed in the following sections.

1.2.1. Actual Train Unavailability

The Consolidated Data Entry (CDE) inputs for this parameter are Train Unavailable Hours and Critical Hours. The actual calculation of Train Unavailability is performed by CDE.

Train Unavailability: Train unavailability is the ratio of the hours the train was unavailable to perform its risk-significant functions due to planned or unplanned maintenance or test during the previous 12 quarters while critical to the number of critical hours during the previous 12 quarters. (Fault exposure hours are not included; unavailable hours are counted only for the time required to recover the train's risk-significant functions.)

Train unavailable hours: The hours the train was not able to perform its risk significant function due to maintenance, testing, equipment modification, electively removed from service, corrective maintenance, or the elapsed time between the discovery and the restoration to service of an equipment failure or human error that makes the train unavailable (such as a misalignment) while the reactor is critical.

Train unavailable hours will be divided into planned and unplanned unavailable hours for input [remainder illegible]

Additional guidance on the following topics for counting train unavailable hours is provided below.

- Short Duration Unavailability
- Credit for Operator Recovery Actions to Restore the Risk-Significant Function
Short Duration Unavailability

Trains are generally considered to be available during periodic system or equipment realignments to swap components or flow paths as part of normal operations. Evolutions or surveillance tests that result in less than 15 minutes of unavailable hours per train at a time need not be counted as unavailable hours. Licensees should compile a list of surveillances or evolutions that meet this criterion and have it available for inspector review. In addition, equipment misalignment or mispositioning which is corrected in less than 15 minutes need not be counted as unavailable hours. The intent is to minimize unnecessary burden of data collection, documentation, and verification because these short durations have insignificant risk impact. If a licensee is required to take a component out of service for evaluation and corrective actions for greater than 15 minutes (for example, related to a Part 21 Notification), the unavailable hours must be included.
Credit for Operator Recovery Actions to Restore the Risk-Significant Functions

1. During testing or operational alignment:

Unavailability of a risk-significant function during testing or operational alignment need not be included if the test configuration is automatically overridden by a valid starting signal, or the function can be promptly restored either by an operator in the control room or by a designated operator [1] stationed locally for that purpose. Restoration actions must be contained in a written procedure [2], must be uncomplicated (a single action or a few simple actions), must be capable of being restored in time to satisfy PRA success criteria and must not require diagnosis or repair. Credit for a designated local operator can be taken only if (s)he is positioned at the proper location throughout the duration of the test for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration actions that are virtually certain to be successful (i.e., probability nearly equal to 1) during accident conditions.

The individual performing the restoration function can be the person conducting the test and must be in communication with the control room. Credit can also be taken for an operator in the main control room provided (s)he is in close proximity to restore the equipment when needed. Normal staffing for the test may satisfy the requirement for a dedicated operator, depending on work assignments. In all cases, the staffing must be considered in advance and an operator identified to perform the restoration actions independent of other control room actions that may be required.

Under stressful, chaotic conditions, otherwise simple multiple actions may not be accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and landing wires; or clearing tags). In addition, some manual operations of systems designed to operate automatically, such as manually controlling HPCI turbine to establish and control injection flow, are not virtually certain to be successful. These situations should be resolved on a case-by-case basis through the FAQ process.

[1] Operator in this circumstance refers to any plant personnel qualified and designated to perform the restoration function.
[2] Including restoration steps in an approved test procedure.
2. During Maintenance

Unavailability of a risk-significant function during maintenance need not be included if the risk-significant function can be promptly restored either by an operator in the control room or by a designated operator [3] stationed locally for that purpose. Restoration actions must be contained in a written procedure [4], must be uncomplicated (a single action or a few simple actions), must be capable of being restored in time to satisfy PRA success criteria and must not require diagnosis or repair. Credit for a designated local operator can be taken only if (s)he is positioned at a proper location throughout the duration of the maintenance activity for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration of risk-significant functions that are virtually certain to be successful (i.e., probability nearly equal to 1).

The individual performing the restoration function can be the person performing the maintenance and must be in communication with the control room. Credit can also be taken for an operator in the main control room provided (s)he is in close proximity to restore the equipment when needed. Normal staffing for the maintenance activity may satisfy the requirement for a dedicated operator, depending on work assignments. In all cases, the staffing must be considered in advance and an operator identified to perform the restoration actions independent of other control room actions that may be required.

Under stressful chaotic conditions otherwise simple multiple actions may not be accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and landing wires, or clearing tags). These situations should be resolved on a case-by-case basis through the FAQ process.

[3] Operator in this circumstance refers to any plant personnel qualified and designated to perform the restoration function.
[4] Including restoration steps in an approved test procedure.

1.2.2. Plant Specific Baseline Planned Unavailability

The baseline planned unavailability is based on actual plant-specific values for the period 2003 through 2005. (Plant specific values of the most recent data are used so that the indicator accurately reflects deviation from expected planned maintenance.) These values are expected to remain fixed unless the plant maintenance philosophy is substantially changed with respect to on-line maintenance or preventive maintenance. In these cases, the planned unavailability baseline value can be adjusted. A comment should be placed in the comment field of the quarterly report to identify a substantial change in planned unavailability. The baseline value of planned unavailability may be changed at the discretion of the licensee except that they shall be changed when changes in maintenance practices result in greater than a 25% change in planned unavailability. Revised values will be used in the calculation the quarter following their update.
To determine the initial value of planned unavailability:

1) Record the total train unavailable hours reported under the Reactor Oversight Process for 2003-2005.
2) Subtract any fault exposure hours still included in the 2003-2005 period.
3) Subtract unplanned unavailable hours.
4) Add any on-line overhaul hours and any other planned unavailability excluded in accordance with NEI 99-02. [5]
5) Add any planned unavailable hours for functions monitored under MSPI which were not monitored under SSU in NEI 99-02.
6) Subtract any unavailable hours reported when the reactor was not critical.
7) Subtract hours cascaded onto monitored systems by support systems. (However, do not subtract any hours already subtracted in the above steps.)
8) Divide the hours derived from steps 1-7 above by the total critical hours during 2003-2005. This is the baseline planned unavailability.

[5] Note: The plant-specific PRA should model significant on-line overhaul hours.

Support cooling planned unavailability baseline data is based on plant specific maintenance rule unavailability for years 2003-2005. Maintenance Rule practices do not typically differentiate planned from unplanned unavailability. However, best efforts will be made to differentiate planned and unplanned unavailability during this time period.

1.2.3. Generic Baseline Unplanned Unavailability

The unplanned unavailability values are contained in Table 1 and remain fixed. They are based on ROP PI industry data from 1999 through 2001. (Most baseline data used in PIs come from the 1995-1997 time period. However, in this case, the 1999-2001 ROP data are preferable, because the ROP data breaks out systems separately. Some of the industry 1995-1997 INPO data combine systems, such as HPCI and RCIC, and do not include PWR RHR. It is important to note that the data for the two periods is very similar.)

Table 1. Historical Unplanned Maintenance Unavailability Train Values (Based on ROP Industry wide Data for 1999 through 2001)

| SYSTEM | UNPLANNED UNAVAILABILITY/TRAIN |
|---|---|
| EAC | 1.7 E-03 |
| PWR HPSI | 6.1 E-04 |
| PWR AFW (TD) | 9.1 E-04 |
| PWR AFW (MD) | 6.9 E-04 |
| PWR AFW (DieselD) | 7.6 E-04 |
| PWR (except CE) RHR | 4.2 E-04 |
| CE RHR | 1.1 E-03 |
| BWR HPCI | 3.3 E-03 |
| BWR HPCS | 5.4 E-04 |
| BWR RCIC | 2.9 E-03 |
| BWR IC | Need a value for isolation condensers |
| BWR RHR | 1.2 E-03 |
| Support Cooling | Use plant specific Maintenance Rule data for 2003-2005 |

Unplanned unavailability baseline data for the support cooling systems should be developed from plant specific Maintenance Rule data from the period 2003-2005. Maintenance Rule practices do not typically differentiate planned from unplanned unavailability. However, best efforts will be made to differentiate planned and unplanned unavailability during this time period. NOTE: The sum of planned and unplanned unavailability cannot exceed the total unavailability.
1.3. Calculation of UAI

The specific formula for the calculation of UAI is provided in this section. Each term in the formula will be defined individually and specific guidance provided for the calculation of each term in the equation. Required inputs to the INPO Consolidated Data Entry (CDE) System will be identified.

Calculation of System UAI due to train unavailability is as follows:

$$UAI = \sum_{j=1}^{n} UAI_{tj} \qquad \text{Eq. 1}$$

where the summation is over the number of trains (n) and $UAI_t$ is the unavailability index for a train.

Calculation of $UAI_t$ for each train due to actual train unavailability is as follows:

$$UAI_t = CDF_p \left[ \frac{FV_{UAp}}{UA_p} \right]_{max} (UA_t - UA_{BLt}) \qquad \text{Eq. 2}$$

where:

$CDF_p$ is the plant-specific Core Damage Frequency,

$FV_{UAp}$ is the train-specific Fussell-Vesely value for unavailability,

$UA_p$ is the plant-specific PRA value of unavailability for the train,

$UA_t$ is the actual unavailability of train t, defined as:

$$UA_t = \frac{\text{Unavailable hours during the previous 12 quarters while critical}}{\text{Critical hours during the previous 12 quarters}}$$

and determined in section 1.2.1,

$UA_{BLt}$ is the historical baseline unavailability value for the train (sum of planned unavailability determined in section 1.2.2 and unplanned unavailability in section 1.2.3).

Calculation of the quantities in equation 2 is discussed in the following sections.
1.3.1. Calculation of Core Damage Frequency (CDFp)

The Core Damage Frequency is a CDE input value. The required value is the internal events, average maintenance, at power value. Internal flooding and fire are not included in this calculated value. In general, all inputs to this indicator from the PRA are calculated from the internal events model only.

1.3.2. Calculation of [FV/UA]max for each train

FV and UA are separate CDE input values. Equation 2 includes a term that is the ratio of a Fussell-Vesely importance value divided by the related unavailability. This ratio is calculated for each train in the system and both the FV and UA are CDE inputs. (It may be recognized that the quantity [FV/UA] multiplied by the CDF is the Birnbaum importance measure, which is used in section 2.3.3.)

Calculation of these quantities is generally complex, but in the specific application used here, can be greatly simplified.

The simplifying feature of this application is that only those components (or the associated basic events) that can make a train unavailable are considered in the performance index. Components within a train that can each make the train unavailable are logically equivalent and the ratio FV/UA is a constant value for any basic event in that train. It can also be shown that for a given component or train represented by multiple basic events, the ratio of the two values for the component or train is equal to the ratio of values for any basic event within the train. Or:

$$\frac{FV_{be}}{UA_{be}} = \frac{FV_{UAp}}{UA_p} = \text{Constant}$$

Thus, the process for determining the value of this ratio for any train is to identify a basic event that fails the train, determine the unavailability for the event, determine the associated FV value for the event and then calculate the ratio. Use the basic event in the train with the largest failure probability (hence the maximum notation on the bracket) to minimize the effects of truncation on the calculation.
Some systems have multiple modes of operation, such as PWR HPSI systems that operate in injection as well as recirculation modes. In these systems all monitored components are not logically equivalent; unavailability of the pump fails all operating modes while unavailability of the sump suction valves only fails the recirculation mode. In cases such as these, if unavailability events exist separately for the components within a train, the appropriate ratio to use is the maximum.

[What happens if the Be is truncated in quantification and has no FV to ratio?]
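A worked calculation of Eq. 1 and Eq. 2, including the section 1.2.2 baseline steps and the [FV/UA]max selection rule of section 1.3.2, as an added example that is not part of NEI 99-02 or of CDE. The function and field names are hypothetical, the CDF, FV, UA and hour values are constructed sample inputs, and raising an error for a train with no usable FV value is this example's choice, not guidance from the appendix.

```python
"""UAI per Appendix F Eq. 1 and Eq. 2, with the section 1.2.2 baseline steps."""
from dataclasses import dataclass
from typing import List, Optional

# Generic unplanned unavailability per train, taken from Table 1 of this appendix.
TABLE1_UNPLANNED_UA = {"EAC": 1.7e-3, "PWR HPSI": 6.1e-4, "BWR HPCI": 3.3e-3}


@dataclass
class BasicEvent:
    name: str
    ua: float            # PRA unavailability of the basic event
    fv: Optional[float]  # Fussell-Vesely value; None if truncated out of the results


@dataclass
class Train:
    name: str
    unavailable_hours: float    # previous 12 quarters, reactor critical
    planned_baseline_ua: float  # result of section 1.2.2
    events: List[BasicEvent]    # basic events that make the train unavailable
    logically_equivalent: bool = True  # False for multi-mode trains (e.g. PWR HPSI)


def planned_baseline_ua(total, fault_exposure, unplanned, overhaul,
                        new_mspi, not_critical, cascaded, critical_hours):
    """Steps 1-8 of section 1.2.2; every argument is in hours."""
    if critical_hours <= 0:
        raise ValueError("critical hours must be positive")
    hours = total            # step 1: hours reported under the ROP for 2003-2005
    hours -= fault_exposure  # step 2
    hours -= unplanned       # step 3
    hours += overhaul        # step 4: on-line overhaul and other excluded planned hours
    hours += new_mspi        # step 5: functions monitored under MSPI but not SSU
    hours -= not_critical    # step 6
    hours -= cascaded        # step 7: only hours not already subtracted above
    if hours < 0:
        raise ValueError("subtractions exceed reported hours; check double counting")
    return hours / critical_hours  # step 8


def fv_ua_max(train):
    """[FV/UA]max for one train (section 1.3.2)."""
    usable = [e for e in train.events if e.fv is not None and e.ua > 0]
    if not usable:
        # The draft leaves the truncated-event case open; this example refuses to guess.
        raise ValueError(f"{train.name}: no basic event with a usable FV value")
    if train.logically_equivalent:
        # The ratio is constant across events, so take it from the event with the
        # largest failure probability to minimize truncation effects.
        ref = max(usable, key=lambda e: e.ua)
        return ref.fv / ref.ua
    # Multi-mode train: events are not equivalent, so use the maximum ratio.
    return max(e.fv / e.ua for e in usable)


def train_uai(cdf, train, critical_hours, unplanned_baseline_ua):
    """Eq. 2: UAI_t = CDF_p * [FV/UA]max * (UA_t - UA_BLt)."""
    if critical_hours <= 0:
        raise ValueError("critical hours must be positive")
    ua_t = train.unavailable_hours / critical_hours
    ua_bl = train.planned_baseline_ua + unplanned_baseline_ua
    return cdf * fv_ua_max(train) * (ua_t - ua_bl)


def system_uai(cdf, trains, critical_hours, unplanned_baseline_ua):
    """Eq. 1: the system index is the sum of the train indices."""
    return sum(train_uai(cdf, t, critical_hours, unplanned_baseline_ua) for t in trains)


# --- Constructed sample plant data (not taken from any real PRA) ---
SAMPLE_CDF = 2.0e-5              # per reactor-year, internal events, at power
SAMPLE_CRITICAL_HOURS = 24000.0  # critical hours in the 12-quarter window
SAMPLE_PLANNED = planned_baseline_ua(400, 40, 60, 72, 0, 12, 72, 24000)  # 288 / 24000
EDG_A = Train("EDG-A", 480.0, SAMPLE_PLANNED,
              [BasicEvent("EDG-A-TM", 0.015, 0.03),
               BasicEvent("EDG-A-BKR-TM", 0.002, 0.004)])
EDG_B = Train("EDG-B", 240.0, SAMPLE_PLANNED, [BasicEvent("EDG-B-TM", 0.015, 0.03)])
HPSI_A = Train("HPSI-A", 0.0, 0.0,
               [BasicEvent("HPSI-PUMP-A-TM", 0.004, 0.006),
                BasicEvent("SUMP-VLV-A-TM", 0.006, 0.003)],
               logically_equivalent=False)

if __name__ == "__main__":
    eac = TABLE1_UNPLANNED_UA["EAC"]
    for t in (EDG_A, EDG_B):
        print(t.name, train_uai(SAMPLE_CDF, t, SAMPLE_CRITICAL_HOURS, eac))
    print("EAC system UAI:", system_uai(SAMPLE_CDF, [EDG_A, EDG_B],
                                        SAMPLE_CRITICAL_HOURS, eac))
    print("HPSI-A [FV/UA]max:", fv_ua_max(HPSI_A))
```

In the sample, EDG-B was unavailable less than its baseline, so its negative train index offsets part of EDG-A's positive index in the Eq. 1 sum.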
2. System Unreliability Index (URI) Due to Component Unreliability

Calculation of the URI is performed in three major steps:

- Identification of the monitored components for each system
- Collection of plant data
- Calculation of the URI

Only the most risk significant components in each system are monitored to minimize the burden for each utility. It is expected that most, if not all the components identified for monitoring are already being monitored for failure reporting to INPO and are also monitored in accordance with the maintenance rule.

2.1. Identify Monitored Components

Monitored Component: A component whose failure to change state or remain running renders the train incapable of performing its risk-significant functions. In addition, all pumps and diesels in the monitored systems are included as monitored components.

The identification of monitored components involves the use of the system boundaries and success criteria, identification of the components to be monitored within the system boundary and the scope definition for each component.

2.1.1. System Boundaries and Success Criteria

The system boundaries developed in section 1.1.1 should be used to complete the steps in the following section.

For each system, the at power risk significant functions described in the Appendix F section "Additional Guidance for Specific Systems," that were determined to be risk-significant in accordance with NUMARC 93-01, or NRC approved equivalents (e.g., the STP exemption request) shall be identified. Success criteria shall then be identified for these functions.

If the licensee has chosen to use success criteria documented in the plant specific PRA, examples of plant specific performance factors that may be used to identify the required capability of the train/system to meet the risk-significant functions are provided below.

- Actuation
  - Time
  - Auto/manual
  - Multiple or sequential
- Success requirements
  - Numbers of components or trains
  - Flows
  - Pressures
  - Heat exchange rates
  - Temperatures
  - Tank water level
- Other mission requirements
  - Run time
  - State/configuration changes during mission
- Accident environment from internal events
  - Pressure, temperature, humidity
- Operational factors
  - Procedures
  - Human actions
  - Training
  - Available externalities (e.g., power supplies, special equipment, etc.)

If the licensee has chosen to use design basis success criteria, it is not required to separately document them other than to indicate that is what was used.

If success criteria for a system varies by function or initiator, the most restrictive set will be used for the MSPI.
2.1.2. Selection of Components

For unreliability, use the following process for determining those components that should be monitored. These steps should be applied in the order listed.

1) INCLUDE all pumps and diesels.
2) Identify all AOVs and MOVs that change state to achieve the risk significant functions for the system as potential monitored components. Check valves, solenoid valves and manual valves are not included in the index.
   a. INCLUDE those valves from the list of valves from step 2 whose failure alone can fail a train. The success criteria used to identify these valves are those identified in the previous section. (See Figure F-5)
   b. INCLUDE redundant valves from the list of valves from step 2 within a multi-train system, whether in series or parallel, where the failure of both valves would prevent all trains in the system from performing a risk-significant function. The success criteria used to identify these valves are those identified in the previous section. (See Figure F-5)
   c. EXCLUDE those valves from steps a) and b) above whose Birnbaum importance (see section 2.3.3), as calculated in this appendix, is less than 1.0e-06. This rule is applied at the discretion of the individual plant. A balance should be considered in applying this rule between the goal to minimize the number of components monitored and having a large enough set of components to have an adequate data pool.
3) INCLUDE components that cross tie monitored systems between units (i.e. Electrical Breakers and Valves) if they are modeled in the PRA.
2.1.3. Definition of Component Boundaries
Table 2 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide examples of typical component boundaries as described in Table 2.

Table 2. Component Boundary Definition
| Component | Component boundary |
|---|---|
| Diesel Generators | The diesel generator boundary includes the generator body, generator actuator, lubrication system (local), fuel system (local), cooling components (local), startup air system receiver, exhaust and combustion air system, dedicated diesel battery (which is not part of the normal DC distribution system), individual diesel generator control system, circuit breaker for supply to safeguard buses and their associated local control circuit (coil, auxiliary contacts, wiring and control circuit contacts, and breaker-closure interlocks). |
| Motor-Driven Pumps | The pump boundary includes the pump body, motor/actuator, lubrication system cooling components of the pump seals, the voltage supply breaker, and its associated local control circuit (coil, auxiliary contacts, wiring and control circuit contacts). |
| Turbine-Driven Pumps | The turbine-driven pump boundary includes the pump body, turbine/actuator, lubrication system (including pump), extractions, turbo-pump seal, cooling components, and local turbine control system including the control valve (speed). |
| Motor-Operated Valves | The valve boundary includes the valve body, motor/actuator, the voltage supply breaker (both motive and control power) and its associated local open/close circuit (open/close switches, auxiliary and switch contacts, and wiring and switch energization contacts). |
| Air-Operated Valves | The valve boundary includes the valve body, the air operator, associated solenoid-operated valve, the power supply breaker or fuse for the solenoid valve, and its associated control circuit (open/close switches and local auxiliary and switch contacts). |

For control and motive power, only the last relay, breaker or contactor necessary to power or control the component is included in the monitored component boundary. For example, if an ESFAS signal actuates a MOV, only the relay that receives the ESFAS signal in the control circuitry for the MOV is in the MOV boundary. No other portions of the ESFAS are included.
Each plant will determine their monitored components and support components and have them available for NRC inspection.

2.2. Collection of Plant Data
Plant data for the URI includes:
- Demands and run hours
- Failures

2.2.1. Demands and Run Hours
Start demand: Any demand for the component to successfully start to perform its risk-significant functions, actual or test. (Exclude post maintenance tests, unless in case of a failure the cause of failure was independent of the maintenance performed.) The number of demands is:
- the number of actual ESF demands plus
- the number of estimated test demands plus
- the number of estimated operational/alignment demands.
It is also permissible to use the actual number of test and operational demands.
An update to the estimated demands is required if a change to the basis for the estimated demands results in a >25% change in the estimate. The new estimate will be used in the calculation the quarter following the input of the updated estimates into CDE. Some monitored valves will include a throttle function as well as open and close functions. It is not required to include every throttle movement of a valve as a counted demand. Only the initial movement of the valve should be counted as a demand.
Post maintenance tests: Tests performed following maintenance but prior to declaring the train/component operable, consistent with Maintenance Rule implementation.
Run demand: Any demand for the component, given that it has successfully started and run for 1 hour, to run/operate for its mission time to perform its risk-significant functions. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
Run Hours: The number of run hours is:
- the number of actual ESF run hours plus
- the number of estimated test run hours plus
- the number of estimated operational/alignment run hours.
It is also permissible to use the actual number of test and operational run hours. Run hours include the first hour of operation of a component. An update to the estimated run hours is required if a change to the basis for the estimated hours results in a >25% change in the estimate.
2.2.2. Failures
EDG failure to start: A failure to start includes those failures up to the point the EDG has achieved rated speed and voltage. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
EDG failure to load/run: Given that it has successfully started, a failure of the EDG output breaker to close, to successfully load sequence and to run/operate for one hour to perform its risk-significant functions. This failure mode is treated as a demand failure for calculation purposes. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
EDG failure to run: Given that it has successfully started and loaded and run for an hour, a failure of an EDG to run/operate. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
Pump failure on demand: A failure to start and run for at least one hour is counted as failure on demand. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
Pump failure to run: Given that it has successfully started and run for an hour, a failure of a pump to run/operate. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)
Valve failure on demand: A failure to transfer to the required risk significant position (open, close, or throttle to the desired position as applicable) is counted as failure on demand. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.) (What about failure to maintain position? How does this relate to table 4? Same question for breaker failure on demand)
Breaker failure on demand: A failure to transfer to the required risk significant position (open or close as applicable) is counted as failure on demand. (Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed.)

Treatment of Demand and Run Failures
Failures of monitored components on demand or failures to run, either actual or test are included in unreliability. Failures on demand or failures to run while not critical are included unless an evaluation determines the failure would not have affected the ability of the component to perform its risk-significant at power function. In no case can a postulated action to recover a failure be used as a justification to exclude a failure from the count. Should failures conditional on an initial success be counted or not?

Treatment of Degraded Conditions Capable of Being Discovered By Normal Surveillance Tests
Normal surveillance tests are those tests that are performed at a frequency of a refueling cycle or more frequently.
Degraded conditions, even if no actual demand or test existed, that render a monitored component incapable of performing its risk-significant functions are included in unreliability as a demand and a failure. The appropriate failure mode must be accounted for. For example, for valves, a demand and a demand failure would be assumed and included in URI. For pumps and diesels, if the degraded condition would have prevented a successful start, a demand and a failure is included in URI, but there would be no run time hours or run failures. If it was determined that the pump/diesel would start and load run, but would fail sometime during the 24 hour run test or its surveillance test equivalent, the evaluated failure time would be included in run hours and a run failure would be assumed. A start demand and start failure would not be included. If a running component is secured from operation due to observed degraded performance, but prior to failure, then a run failure shall be counted unless evaluation of the condition shows that the component would have continued to operate for the risk-significant mission time starting from the time the component was secured. Unavailable hours are included for the time required to recover the risk-significant function(s) and only while critical.
Degraded conditions, or actual unavailability due to mispositioning of non-monitored components that render a train incapable of performing its risk-significant functions are only included in unavailability for the time required to recover the risk-significant function(s) and only while critical.
Loss of risk significant function(s) is assumed to have occurred if the established success criteria has not been met. If subsequent analysis identifies additional margin for the success criterion, future impacts on URI or UAI for degraded conditions may be determined based on the new criterion. However, URI and UAI must be based on the success criteria of record at the time the degraded condition is discovered. If the degraded condition is not addressed by any of the pre-defined success criteria, an engineering evaluation to determine the impact of the degraded condition on the risk-significant function(s) should be completed and documented. The use of component failure analysis, circuit analysis, or event investigations is acceptable. Engineering judgment may be used in conjunction with analytical techniques to determine the impact of the degraded condition on the risk-significant function. The engineering evaluation should be completed as soon as practicable. If it cannot be completed in time to support submission of the PI report for the current quarter, the comment field shall note that an evaluation is pending. The evaluation must be completed in time to accurately account for unavailability/unreliability in the next quarterly report. Exceptions to this guidance are expected to be rare and will be treated on a case-by-case basis. Licensees should identify these situations to the resident inspector.

Treatment of Degraded Conditions Not Capable of Being Discovered by Normal Surveillance Tests
These failures or conditions are usually of longer exposure time. Since these failure modes have not been tested on a regular basis, it is inappropriate to include them in the performance index statistics. These failures or conditions are subject to evaluation through the inspection process. Examples of this type are failures due to pressure locking/thermal binding of isolation valves, blockages in lines not regularly tested, unforeseen sequences not incorporated into the surveillance test, or inadequate component sizing/settings under accident conditions (not under normal test conditions). While not included in the calculation of the index, they should be reported in the comment field of the PI data submittal.

Failures of Non-Monitored Components
Failures of SSCs that are not included in the performance index will not be counted as a failure or a demand. Failures of SSCs that cause an SSC within the scope of the performance index to fail will not be counted as a failure or demand. An example could be a manual suction isolation valve left closed which causes a pump to fail. This would not be counted as a failure of the pump. Any mispositioning of the valve that caused the train to be unavailable would be counted as unavailability from the time of discovery. The significance of the mispositioned valve prior to discovery would be addressed through the inspection process.
2.3. Calculation of URI
Unreliability is monitored at the component level and calculated at the system level. Calculation of system URI due to changes in component unreliability is as follows:

$$URI = CDF_p \sum_{j=1}^{m} \left[\frac{FV_{URcj}}{UR_{pcj}}\right]_{max} \left(UR_{Bcj} - UR_{BLcj}\right) \qquad \text{Eq. 3}$$

Where the summation is over the number of monitored components (m) in the system, and:
CDFp is the plant-specific Core Damage Frequency,
FVURc is the component-specific Fussell-Vesely value for unreliability,
URpc is the plant-specific PRA value of component unreliability,
URBc is the Bayesian corrected component unreliability for the previous 12 quarters,
and
URBLc is the historical industry baseline calculated from unreliability mean values for each monitored component in the system. The calculation is performed in a manner similar to equation 6 in section 2.3.4 below using the industry average values in Table 4.
The following sections will discuss the calculation of each of the terms in equation 3.

2.3.1. Calculation of Core Damage Frequency (CDFp)
The Core Damage Frequency is a CDE input value. The required value is the internal events average maintenance at power value. Internal flooding and fire are not included in this calculated value. In general, all inputs to this indicator from the PRA are calculated from the internal events model only.

2.3.2. Calculation of [FV/UR]max
The FV, UR and common cause adjustment values developed in this section are separate CDE input values.
Equation 3 includes a term that is the ratio of a Fussell-Vesely importance value divided by the related unreliability. The calculation of this ratio is performed in a similar manner to the ratio calculated for UAI, except that the ratio is calculated for each monitored component. Two additional factors need to be accounted for in the unreliability ratios that were not needed in the unavailability ratios: the contribution to the ratio from common cause failure events and the possible contribution from cooling water initiating events.
The discussion will start with the calculation of the initial ratio and then proceed with options for adjusting this value to account for the additional two factors.
It can be shown that for a given component represented by multiple basic events, the ratio of the two values for the component is equal to the ratio of values for any basic event representing the component. Or:

$$\frac{FV_{be}}{UR_{be}} = \frac{FV_{URc}}{UR_{Pc}} = \text{Constant}$$

Note that the constant value may be different for the unreliability ratio and the unavailability ratio because the two types of events are frequently not logically equivalent. For example, recovery actions may be modeled in the PRA for one but not the other.
Thus, the process for determining the initial value of this ratio for any component is to identify a basic event that fails the component (excluding common cause events), determine the failure probability for the event, determine the associated FV value for the event and then calculate the ratio, [FV/UR]ind, where the subscript refers to independent failures. Use the basic event for the component and its associated FV value that results in the largest [FV/UR] ratio. This will typically be the event with the largest failure probability to minimize the effects of truncation on the calculation.
It is typical, given the component scope definitions in Table 2, that there will be several plant components modeled separately in the plant PRA that make up the MSPI component definition. For example, it is common that an MOV, the actuation relay for the MOV and the power supply breaker for the MOV are separate components in the plant PRA. Ensure that the basic events related to all of these individual components are considered when choosing the appropriate [FV/UR] ratio.
[What happens if the BE is truncated in quantification and has no FV to ratio?]
Cooling Water and Service Water System [FV/UR]ind Values
Component Cooling Water Systems (CCW) and Service Water Systems (SWS) at some nuclear stations contribute to risk in two ways. First, the systems provide cooling to equipment used for the mitigation of events and second, the failures in the systems may also result in the initiation of an event. The contribution to risk from failures to provide cooling to other plant equipment is modeled directly through dependencies in the PRA model. However, the contribution due to event initiation is treated in three general ways in current PRAs:
- 1) The use of linked initiating event fault trees for these systems
- 2) Fault tree solutions are generated for these systems external to the PRA and the calculated value is used in the PRA as a point estimate
- 3) A point estimate value is generated for the initiator using industry and plant specific event data and used in the PRA.
If a PRA uses the first modeling option, then the FV values calculated will reflect the total contribution to risk for a component in the system, as long as the same basic event is used in the initiator and mitigation fault trees. If different basic events are used, the FV values for the initiator tree basic event and the mitigation tree basic event should be added.
If a linked initiating event fault tree is the modeling approach taken, then no additional corrections to the FV values are required. This section will outline a method to be used if linked initiating event fault trees are not used.
The corrected [FV/UR]ind for a component C is calculated from the expression:
[FV / UR]ind = [(FVc + FVie
- FVsc) / UR]
Where:
FVc is the Fussell-Vesely for CDF for component C as calculated from the PRA Model. This does not include any contribution from initiating events.
FVie is the Fussell-Vesely contribution for the initiating event in question (e.g. loss of service water).
FVsc is the Fussell-Vesely within the system fault tree only for component C (i.e. the ratio of the sum of the cut sets in the fault tree solution in which that component appears to the overall system failure probability).
[FV/UR]ind is a CDE input value.

Including the Effect of Common Cause in [FV/UR]max
Changes in the independent failure probability of an SSC imply a proportional change in the common cause failure probability, even though no actual common cause failures have occurred. The impact of this effect on URI is considered by including a multiplicative adjustment to the [FV/UR]ind ratio developed in the section above. This multiplicative factor is a CDE input value.
Two methods are provided for including this effect, a simple generic approach that uses bounding generic adjustment and a more accurate plant specific method that uses values derived from the plant specific PRA.

Generic Adjustment Values
Generic values have been developed for monitored components that are subject to common cause failure. The correction factor is used as a multiplier on the [FV/UR] ratio for each component in the common cause group. This method may be used for simplicity and is recommended for components that are less significant contributors to the URI (e.g. [FV/UR] is small). The multipliers are provided in the table below. Single train systems are not included.
33 Table 3. Generic CCF Adjustment Values System Component Generic CCF Adjustment Values 1.25 1.50 2.00 3.00 5.00 EAC EDG 2 EDGs 4
3 4
(1/2)
EDGs(l/4)
EDGs(1/3)
EDGs(1/4) or with other and no 3 EDGs diverse diverse (2/3) sources of sources of power power
HPI MDP With SI With
'Running and CVC only e
.,CVC MDP With SI With Standby and CVC only SI HRS MDP 2 MDP 3 MDP Standby (1/2)
(1/3).
TDP 2 TDP 3 TDP and I and no MDP MDP RHR MDP ALL Standby SWS MDP ALL Running MDP ALL Standby DDP ALL..____
CCW MDP ALL Running MDP ALL Standby ALL MOV ALL ALL AOV ALL
Note: Success criteria noted in parenthesis
NOTE WE BELIEVE THIS TABLE SHOULD BE DEVELOPED FOR ALL PLANTS
The multiplier in the table above is used to adjust the FV value selected for use in the preceding section. For example, at a plant with three one hundred percent capacity EDGs, the FV selected in the preceding section would be multiplied by 2.00.
Plant Specific Common Cause Adjustment
The general form of a plant specific common cause adjustment factor is given by the equation:
-=
Eq. 4
Where:
n = the number of components in a common cause group,
FVi = the FV for independent failure of component i,
and
FVcc = the FV for the common cause failure of components in the group.
In the expression above, the FVi are the values for the specific failure mode for the component group that was chosen because it resulted in the maximum [FV/UR] ratio. The FVcc is the FV that corresponds to all combinations of common cause events for that group of components for the same specific failure mode. Note that the FVcc may be a sum of individual FVcc values that represent different combinations of component failures in a common cause group.
For example, consider again a plant with three one hundred percent capacity emergency diesel generators. In this example, three failure modes for the EDG are modeled in the PRA: fail to start (FTS), fail to load (FTL) and fail to run (FTR). Common cause events exist for each of the three failure modes of the EDG in the following combinations:
- 1) Failure of all three EDGs,
- 2) Failure of EDG-A and EDG-B,
- 3) Failure of EDG-A and EDG-C,
- 4) Failure of EDG-B and EDG-C.
This results in a total of 12 common cause events.
Assume the maximum [FV/UR] resulted from the FTS failure mode, then the FVcc used in equation 4 would be the sum of the four common cause FTS events for the combinations listed above.
It is recognized that there is significant variation in the methods used to model common cause. It is common that the 12 individual common cause events described above are combined into a fewer number of events in many PRAs. Correct application of the plant specific method would, in this case, require the decomposition of the combined events and their related FV values into the individual parts. This can be accomplished by application of the following proportionality:

$$FV_{part} = FV_{total} \times \frac{UR_{part}}{UR_{total}} \qquad \text{Eq. 5}$$

Returning to the example above, assume that common cause was modeled in the PRA by combining all failure modes for each specific combination of equipment modeled. Thus there would be four common cause events corresponding to the four possible equipment groupings listed above, but each of the common cause events would include the three failure modes FTS, FTL and FTR. Again, assume the FTS independent failure mode is the event that resulted in the maximum [FV/UR] ratio. The FVcc value to be used would be determined by determining the FTS contribution for each of the four common cause events. In the case of the event representing failure of all three EDGs this would be determined from

$$FV_{FTSABC} = FV_{ABC} \times \frac{UR_{FTSABC}}{UR_{ABC}}$$

Where:
FVABC = the event from the PRA representing the failure of all three EDGs due to all failure modes,
URFTSABC = the failure probability for a FTS of all three EDGs, and
URABC = the failure probability for all failure modes for the failure of all three EDGs.
After this same calculation was performed for the remaining three common cause events, the value for FVcc to be used in equation 4 would then be calculated from:
FVcc = FVFTSABC + FVFTSAB + FVFTSAC + FVFTSBC
This value is used in equation 4 to determine the value of A. The final quantity used in equation 3 is given by:
[FV/UR]max = A*[FV/UR]ind
In this case the individual values on the right hand side of the equation above are input to CDE.
2.3.3. Birnbaum Importance
One of the rules used for determining the valves to be monitored in this performance indicator permitted the exclusion of valves with a Birnbaum importance less than 1.0e-06. To apply this screening rule the Birnbaum importance is calculated from the values derived in this section as:
B = CDF*A*[FV/UR]ind = CDF*[FV/UR]max

2.3.4. Calculation of URBc
Component unreliability is calculated by:

$$UR_{Bc} = P_D + \lambda T_m \qquad \text{Eq. 6}$$

Where:
PD is the component failure on demand probability calculated based on data collected during the previous 12 quarters;
λ is the component failure rate (per hour) for failure to run calculated based on data collected during the previous 12 quarters,
and
Tm is the risk-significant mission time for the component based on plant specific PRA model assumptions.
NOTE:
For valves only the PD term applies
For pumps PD + λ Tm applies
For diesels PD start + PD load run + λ Tm applies
The first term on the right side of equation 6 is calculated as follows. [6]

$$P_D = \frac{N_d + a}{a + b + D} \qquad \text{Eq. 7}$$

where in this expression:
Nd is the total number of failures on demand during the previous 12 quarters,
D is the total number of demands during the previous 12 quarters determined in section 2.2.1
The values a and b are parameters of the industry prior, derived from industry experience (see Table 4).
In the calculation of equation 5 the numbers of demands and failures is the sum of all demands and failures for similar components within each system. Do not sum across units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel Generators, the demands and failures for both trains would be added together for one evaluation of PD which would be used for both trains of EDGs.
In the second term on the right side of equation 6, λ is calculated as follows.

$$\lambda = \frac{N_r + a}{T_r + b} \qquad \text{Eq. 8}$$

where:
Nr is the total number of failures to run during the previous 12 quarters (determined in section 2.2.2),
Tr is the total number of run hours during the previous 12 quarters (determined in section 2.2.1)
and
a and b are parameters of the industry prior, derived from industry experience (see Table 4).
In the calculation of equation 8 the numbers of demands and run hours is the sum of all run hours and failures for similar components within each system. Do not sum across units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel Generators, the run hours and failures for both trains would be added together for one evaluation of λ which would be used for both trains of EDGs.

2.3.5. Baseline Unreliability Values
The baseline values for unreliability are contained in Table 4 and remain fixed.
[6] Atwood, Corwin L., Constrained noninformative priors in risk assessment, Reliability Engineering and System Safety, 53 (1996) 37-46.
Table 4. Industry Priors and Parameters for Unreliability
| Component | Failure Mode | a | b (a) | Industry Mean Value (b) URBLC |
|---|---|---|---|---|
| Circuit Breaker | | 4.99E-1 | 6.23E+2 | 8.00E-4 |
| Motor-operated valve | Fail to open (or close) | 4.99E-1 | 7.12E+2 | 7.00E-4 |
| Air-operated valve | Fail to open (or close) | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| Motor-driven pump, standby | Fail to start | 4.97E-1 | 2.61E+2 | 1.90E-3 |
| | Fail to run | 5.00E-1 | 1.00E+4 | 5.00E-5 |
| Motor-driven pump, running or alternating | Fail to start | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| | Fail to run | 5.00E-1 | 1.00E+5 | 5.00E-6 |
| Turbine-driven pump, | Fail to start | 4.85E-1 | 5.33E+1 | 9.00E-3 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Turbine-driven pump, HPCI or RCIC | Fail to start | 4.78E-1 | 3.63E+1 | 1.30E-2 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Diesel-driven pump, AFWS | Fail to start | 4.80E-1 | 3.95E+1 | 1.20E-2 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Emergency diesel generator | Fail to start | 4.92E-1 | 9.79E+1 | 5.00E-3 |
| | Fail to load/run | 4.95E-1 | 1.64E+2 | 3.00E-3 |
| | Fail to run | 5.00E-1 | 6.25E+2 | 8.00E-4 |

- a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and b = (a)/(mean rate). For failure upon demand events, a is a function of the mean probability:

| Mean Probability | a |
|---|---|
| 0.0 to 0.0025 | 0.50 |
| >0.0025 to 0.010 | 0.49 |
| >0.010 to 0.016 | 0.48 |
| >0.016 to 0.023 | 0.47 |
| >0.023 to 0.027 | 0.46 |

Then b = (a)(1.0 - mean probability)/(mean probability).
- b. Failure to run events occurring within the first hour of operation are included within the fail to start failure mode. Failure to run events occurring after the first hour of operation are included within the fail to run failure mode.
- c. Fail to load and run for one hour was calculated from the failure to run data in the report indicated. The failure rate for 0.0 to 0.5 hour (3.3E-3/h) multiplied by 0.5 hour, was added to the failure rate for 0.5 to 14 hours (2.3E-4/h) multiplied by 0.5 hour.
3. Establishing Statistical Significance
In typical applications where statistical data is used in decision making [7] the general approach is:
- 1. Choose the conclusion that the test is intended to confirm (the null hypothesis). In the case of the MSPI the null hypothesis could be stated as "the system is performing at the industry average performance".
- 2. Choose the significance level at which the hypothesis is to be rejected, typically greater than 90%. This level is related to the probability of making a Type I error (probability of a Type I error = [1-significance]), or rejecting the hypothesis when it is actually true. In NUREG-1753, "Risk Based Performance Indicators" this type of error was characterized as a false positive indication. The criteria used in this report was that the probability of indicating white when performance was actually at the baseline should be less than 20%.
- 3. Determine the test statistic to be used to reject the hypothesis. In the case of the MSPI, the test statistic is that the hypothesis is rejected when the MSPI > 1.0e-06. It is usual that the test statistic and sample plan be selected in a manner that allows the desired significance level to be achieved. In the case of MSPI, the test statistic is imposed. In addition, the size of the sample is fixed by the number of demands and run hours in the rolling 36 month window used for the indicator.
Thus for the MSPI, the significance level at which the hypothesis is rejected is actually the result of the imposed test criteria (1.0e-06) and the fixed sample plan. In some cases, the significance level is very high, with little potential for a false positive indication. However, in other instances, the potential for a false white indication is unacceptably large. Although rigorous calculations of the significance level for the MSPI were not performed, simple analyses showed that the potential for a false positive was high when the difference between performance at the industry average level (baseline) and MSPI > 1.0e-06 is represented by only one additional failure.
7 (See the subject of Hypothesis Testing in any good Statistics Text. A good online reference can be found if you Google SticiGui.)
This problem can be illustrated by examining a postulated plant with three EDGs, each one tested monthly. In a 36 month window this would result in a total of 108 starts. The demand related failure probability from table 3 is 8.0e-03 (Fail to Start and Fail to Load). Thus the expected number of demand failures is about 1. There is, however, over a 20% probability that 2 or more demand failures would be experienced even though the EDGs are actually operating at the expected reliability. This may or may not result in a MSPI value greater than the white threshold, depending on the Birnbaum importance of the EDGs. If the importance is large enough then there is a 20% probability that EDGs operating at the industry average reliability would cross the white performance threshold based on the one additional failure.
This problem is resolved by applying a limit of 5.0e-07 to the magnitude of the most significant failure in a system. This ensures that one failure beyond the expected number of failures alone cannot result in MSPI > 1.0e-06. A MSPI > 1.0e-06 will still be a possible result if there is significant system unavailability, or failures in other components in the system.

This limit on the maximum value of the most significant failure in a system is only applied if the MSPI value calculated without the application of the limit is less than 1.0e-05.

This calculation will be performed by the CDE software; no additional input values are required.
- 4. Calculation of System Component Reliability Limits

The mitigating systems chosen to be monitored are generally the most important systems in nuclear power stations. However, in some cases the system may not be as important at a specific station. This is generally due to specific features at a plant, such as diverse methods of achieving the same function as the monitored system. In these cases a significant degradation in performance could occur before the risk significance reached a point where the MSPI would cross the white boundary. In cases such as this it is not likely that the performance degradation would be limited to that one system and may well involve cross cutting issues that would potentially affect the performance of other mitigating systems.

A performance based criterion for determining degraded performance is used as an additional decision criterion for determining that performance of a mitigating system has degraded to the white band. This decision is based on deviation of system performance from expected performance. The decision criterion was developed such that a system is placed in the white performance band when there is high confidence that system performance has degraded even though MSPI < 1.0e-06.

The criterion is applied to each component type in a system. If the number of failures in a 36 month period for a component type exceeds a performance based limit, then the system is considered to be performing at a white level, regardless of the MSPI calculated value. The performance based limit is calculated in two steps:

- 1. Determine the expected number of failures for a component type and
- 2. Calculate the performance limit from this value.
The expected number of failures is calculated from the relation

$$F_e = N_d \cdot p + \lambda \cdot T_r$$

Where:

$N_d$ is the number of demands
$p$ is the probability of failure on demand
$\lambda$ is the failure rate
$T_r$ is the runtime of the component

This value is used in the following expression to determine the maximum number of failures:

$$F_m = 4.65 \cdot F_e + 4.2$$
If the actual number of failures ($F_a$) of a similar group of components (components that are grouped for the purpose of pooling data) within a system in a 36 month period exceeds $F_m$, then the system is placed in the largest of the white performance level or the level dictated by the MSPI calculation.

This calculation will be performed by the CDE software; no additional input values are required.
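The false-positive argument for the three-EDG plant (108 starts, demand failure probability 8.0e-03) and the performance-based failure limit can both be checked numerically. The Python below is an added example, not part of NEI 99-02 or the CDE software; it assumes independent demands with a constant failure probability (binomial model), reads "one additional failure" as one more than the expected count rounded up, and all function names are hypothetical.

```python
"""Added illustration (not from NEI 99-02 or the CDE software).

Assumption: demands are independent with a constant failure probability, so
the number of demand failures in the 36 month window is binomial.
All function names are hypothetical.
"""
from math import ceil, comb, floor


def binomial_tail(n_demands, p_fail, k):
    """P(X >= k) for X ~ Binomial(n_demands, p_fail).

    The tail is summed directly so that very small probabilities are not
    lost to cancellation in 1 - P(X < k).
    """
    if k <= 0:
        return 1.0
    return sum(
        comb(n_demands, i) * p_fail**i * (1.0 - p_fail) ** (n_demands - i)
        for i in range(k, n_demands + 1)
    )


def expected_failures(n_demands, p_fail, failure_rate=0.0, run_hours=0.0):
    """Fe = Nd * p + lambda * Tr (expected failures in the window)."""
    return n_demands * p_fail + failure_rate * run_hours


def max_failures(fe):
    """Fm = 4.65 * Fe + 4.2 (performance-based limit)."""
    return 4.65 * fe + 4.2


def is_white_by_performance_limit(actual_failures, fe):
    """True when the actual failure count Fa exceeds Fm."""
    return actual_failures > max_failures(fe)


def false_positive_one_extra_failure(n_demands, p_fail):
    """Probability that a baseline component shows one failure more than expected.

    Assumption: "one additional failure" means ceil(Fe) + 1 demand failures.
    """
    fe = expected_failures(n_demands, p_fail)
    return binomial_tail(n_demands, p_fail, ceil(fe) + 1)


def edg_example():
    """Three EDGs tested monthly over a 36 month window, p = 8.0e-03."""
    n = 3 * 36
    p = 8.0e-03
    fe = expected_failures(n, p)  # demand failures only, no run-hour term
    fm = max_failures(fe)
    first_count_over_limit = floor(fm) + 1  # smallest integer Fa with Fa > Fm
    return {
        "demands": n,
        "expected_failures": fe,
        "p_two_or_more": binomial_tail(n, p, 2),
        "max_failures": fm,
        "first_count_over_limit": first_count_over_limit,
        "p_over_limit_at_baseline": binomial_tail(n, p, first_count_over_limit),
    }


if __name__ == "__main__":
    for key, value in edg_example().items():
        print(f"{key}: {value:.4g}")
    # The fixed sample plan drives the false-positive rate: fewer demands in
    # the window give a lower chance of one extra failure at baseline.
    for edgs in (2, 3):
        rate = false_positive_one_extra_failure(edgs * 36, 8.0e-03)
        print(f"{edgs} EDGs: P(one extra failure at baseline) = {rate:.3f}")
```

For this case the chance of two or more failures at baseline reliability is about 21%, while the chance of exceeding the performance-based limit at baseline is below one in a million, which is the "high confidence" the limit is meant to provide.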
- 5. Additional Guidance for Specific Systems

This guidance provides typical system scopes. Individual plants should include those systems employed at their plant that are necessary to satisfy the specific risk-significant functions described below and reflected in their PRAs.

Emergency AC Power Systems

Scope

The function monitored for the emergency AC power system is the ability of the emergency generators to provide AC power to the class 1E buses upon a loss of off-site power while the reactor is critical, including post-accident conditions. The emergency AC power system is typically comprised of two or more independent emergency generators that provide AC power to class 1E buses following a loss of off-site power. The emergency generator dedicated to providing AC power to the high pressure core spray system in BWRs is not within the scope of emergency AC power.

The electrical circuit breaker(s) that connect(s) an emergency generator to the class 1E buses that are normally served by that emergency generator are considered to be part of the emergency generator train.

Emergency generators that are not safety grade, or that serve a backup role only (e.g., an alternate AC power source), are not included in the performance reporting.
Train Determination

The number of emergency AC power system trains for a unit is equal to the number of class 1E emergency generators that are available to power safe-shutdown loads in the event of a loss of off-site power for that unit. There are three typical configurations for EDGs at a multi-unit station:

- 1. EDGs dedicated to only one unit.
- 2. One or more EDGs are available to "swing" to either unit
- 3. All EDGs can supply all units

For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated EDGs for that unit plus the number of "swing" EDGs available to that unit (i.e., the "swing" EDGs are included in the train count for each unit). For configuration 3, the number of trains is equal to the number of EDGs.

Clarifying Notes

The emergency diesel generators are not considered to be available during the following portions of periodic surveillance tests unless recovery from the test configuration during accident conditions is virtually certain, as described in "Credit for operator recovery actions during testing," can be satisfied; or the duration of the condition is less than fifteen minutes per train at one time:

- Load-run testing
- Barring
An EDG is not considered to have failed due to any of the following events:

- spurious operation of a trip that would be bypassed in a loss of offsite power event
- malfunction of equipment that is not required to operate during a loss of offsite power event (e.g., circuitry used to synchronize the EDG with off-site power sources)
- failure to start because a redundant portion of the starting system was intentionally disabled for test purposes, if followed by a successful start with the starting system in its normal alignment

Air compressors are not part of the EDG boundary. However, air receivers that provide starting air for the diesel are included in the EDG boundary.

If an EDG has a dedicated battery independent of the station's normal DC distribution system, the dedicated battery is included in the EDG system boundary.

[struck: If the EDG day tank is not sufficient to meet the EDG mission time, the] The fuel transfer pumps are not considered to be a monitored component in the EDG system. They are considered to be a support system.
BWR High Pressure Injection Systems
(High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant Injection)

Scope

These systems function at high pressure to maintain reactor coolant inventory and to remove decay heat following a small-break Loss of Coolant Accident (LOCA) event or a loss of main feedwater event.

The function monitored for the indicator is the ability of the monitored system to take suction from the suppression pool (and from the condensate storage tank, if credited in the plant's accident analysis) and inject into the reactor vessel.

Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The turbine and governor (or motor-driven FWCI pumps), and associated piping and valves for turbine steam supply and exhaust are within the scope of these systems. Valves in the feedwater line are not considered within the scope of these systems.

The emergency generator dedicated to providing AC power to the high-pressure core spray system is included in the scope of the HPCS. The HPCS system typically includes a "water leg" pump to prevent water hammer in the HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump flow path are ancillary components and are not included in the scope of the HPCS system. Unavailability is not included while critical if the system is below steam pressure specified in technical specifications at which the system can be operated.

Train Determination

The HPCI and HPCS systems are considered single-train systems. The booster pump and other small pumps are ancillary components not used in determining the number of trains. The effect of these pumps on system performance is included in the system indicator to the extent their failure detracts from the ability of the system to perform its risk-significant function. For the FWCI system, the number of trains is determined by the number of feedwater pumps. The number of condensate and feedwater booster pumps is not used to determine the number of trains.
Reactor Core Isolation Cooling
(or Isolation Condenser)

Scope

This system functions at high pressure to remove decay heat following a loss of main feedwater event. The RCIC system also functions to maintain reactor coolant inventory following a very small LOCA event.

The function monitored for the indicator is the ability of the RCIC system to cool the reactor vessel core and provide makeup water by taking a suction from either the condensate storage tank or the suppression pool and injecting at rated pressure and flow into the reactor vessel.

The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the feedwater line are not considered within the scope of the RCIC system.

The Isolation Condenser and inlet valves are within the scope of Isolation Condenser system.

Unavailability is not included while critical if the system is below steam pressure specified in technical specifications at which the system can be operated.

Train Determination

The RCIC system is considered a single-train system. The condensate and vacuum pumps are ancillary components not used in determining the number of trains. The effect of these pumps on RCIC performance is included in the system indicator to the extent that a component failure results in an inability of the system to perform its risk-significant function.

BWR Residual Heat Removal Systems

Scope

The functions monitored for the BWR residual heat removal (RHR) system are the ability of the RHR system to remove heat from the suppression pool, provide low pressure coolant injection, and provide post-accident decay heat removal. The pumps, heat exchangers, and associated piping and valves for those functions are included in the scope of the RHR system.

Train Determination

The number of trains in the RHR system is determined by the number of parallel RHR heat exchangers.
PWR High Pressure Safety Injection Systems

Scope

These systems are used primarily to maintain reactor coolant inventory at high pressures following a loss of reactor coolant. HPSI system operation following a small-break LOCA involves transferring an initial supply of water from the refueling water storage tank (RWST) to cold leg piping of the reactor coolant system. Once the RWST inventory is depleted, recirculation of water from the reactor building emergency sump is required. The function monitored for HPSI is the ability of a HPSI train to take a suction from the primary water source (typically, a borated water tank), or from the containment emergency sump, and inject into the reactor coolant system at rated flow and pressure.

The scope includes the pumps and associated piping and valves from both the refueling water storage tank and from the containment sump to the pumps, and from the pumps into the reactor coolant system piping. For plants where the high-pressure injection pump takes suction from the residual heat removal pumps, the residual heat removal pump discharge header isolation valve to the HPSI pump suction is included in the scope of HPSI system. Some components may be included in the scope of more than one train. For example, cold-leg injection lines may be fed from a common header that is supplied by both HPSI trains. In these cases, the effects of testing or component failures in an injection line should be reported in both trains.

Train Determination

In general, the number of HPSI system trains is defined by the number of high head injection paths that provide cold-leg and/or hot-leg injection capability, as applicable.

For Babcock and Wilcox (B&W) reactors, the design features centrifugal pumps used for high pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the containment sump requires operation of pumps in the residual heat removal system. They are typically a two-train system, with an installed spare pump (depending on plant-specific design) that can be aligned to either train.

For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as a part of the train).

For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of the pumps is considered an installed spare. Recirculation is provided by taking suction from the RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg injection path. The alternate cold-leg injection path is required for recirculation, and should be included in the train with which its isolation valve is electrically associated. This represents a two-train HPSI system.

For four-loop Westinghouse plants, the design features two centrifugal pumps that operate at high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure (about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure centrifugal pump, the pump suction valves and BIT valves that are electrically associated with the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the suction valves and the hot-leg injection valves electrically associated with the pump. The cold-leg safety injection path can be fed with either safety injection pump, thus it should be associated with both intermediate pressure trains. This HPSI system is considered a four-train system for monitoring purposes.

For Combustion Engineering (CE) plants, the design features two or three centrifugal pumps that operate at intermediate pressure (about 1300 psig) and provide flow to two or four cold-leg injection paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from the containment sump for recirculation. In these cases, the sump suction valves are included within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg and hot-leg injection capability). One of the three pumps is typically an installed spare that can be aligned to either train or only to one of the trains (depending on plant-specific design).
PWR Auxiliary Feedwater Systems

Scope

The AFW system provides decay heat removal via the steam generators to cool down and depressurize the reactor coolant system following a reactor trip. The AFW system is assumed to be required for an extended period of operation during which the initial supply of water from the condensate storage tank is depleted and water from an alternative water source (e.g., the service water system) is required. Therefore components in the flow paths from both of these water sources are included; however, the alternative water source (e.g., service water system) is not included.

The function monitored for the indicator is the ability of the AFW system to take a suction from the primary water source (typically, the condensate storage tank) or, if required, from an emergency source (typically, a lake or river via the service water system) and inject into at least one steam generator at rated flow and pressure.

The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes the pumps and the components in the flow paths from the condensate storage tank and, if required, the valve(s) that connect the alternative water source to the auxiliary feedwater system.

Pumps included in the Technical Specifications are included in the scope of this indicator.

Startup feedwater pumps are not included in the scope of this indicator.

Train Determination

The number of trains is determined primarily by the number of parallel pumps. For example, a system with three pumps is defined as a three-train system, whether it feeds two, three, or four injection lines, and regardless of the flow capacity of the pumps. Some components may be included in the scope of more than one train. For example, one set of flow regulating valves and isolation valves in a three-pump, two-steam generator system are included in the motor-driven pump train with which they are electrically associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing or failure of the valves should be reported in both affected trains. Similarly, when two trains provide flow to a common header, the effect of isolation or flow regulating valve failures in paths connected to the header should be considered in both trains.
PWR Residual Heat Removal System (Check for any needed change wrt CE plants and Surry, N Anna and Beaver Valley)

Scope

The functions monitored for the PWR residual heat removal (RHR) system are those that are required to be available when the reactor is critical. These typically include the low-pressure injection function and the post-accident recirculation mode used to cool and recirculate water from the containment sump following depletion of RWST inventory to provide post-accident decay heat removal. The pumps, heat exchangers, and associated piping and valves for those functions are included in the scope of the RHR system. Containment spray function should be included if it is identified as a risk-significant post accident decay heat removal function.

Containment spray systems that only provide containment pressure control are not included.

Train Determination

The number of trains in the RHR system is determined by the number of parallel RHR heat exchangers. Some components are used to provide more than one function of RHR. If a component cannot perform as designed, rendering its associated train incapable of meeting one of the risk-significant functions, then the train is considered to be failed. Unavailable hours would be reported as a result of the component failure.
Cooling Water Support System

Scope

The function of the cooling water support system is to provide for direct cooling of the components in the other monitored systems. It does not include indirect cooling provided by room coolers or other HVAC features.

Systems that provide this function typically include service water and component cooling water or their cooling water equivalents. Pumps, valves, heat exchangers and line segments that are necessary to provide cooling to the other monitored systems are included in the system scope up to, but not including, the last valve that connects the cooling water support system to a single component in another [struck: the other] monitored systems. This last valve is included in the other monitored system boundary. Service water systems are typically open "raw water" systems that use natural sources of water such as rivers, lakes or oceans. Component Cooling Water systems are typically closed "clean water" systems.

Valves in the cooling water support system that must close to ensure sufficient cooling to the other monitored system components to meet risk significant functions are included in the system boundary.

If a cooling water system provides cooling to only one monitored system, then it should be included in the scope of that monitored system.

Train Determination

The number of trains in the Cooling Water Support System will vary considerably from plant to plant. The way these functions are modeled in the plant-specific PRA will determine a logical approach for train determination. For example, if the PRA modeled separate pump and line segments, then the number of pumps and line segments would be the number of trains.

Clarifying Notes

Service water pump strainers and traveling screens are not considered to be monitored components and are therefore not part of URI. However, clogging of strainers and screens [struck: due to expected or routinely predictable environmental conditions] that render the train unavailable to perform its risk significant cooling function (which includes the risk-significant mission times) are included in UAI.

[struck: Unpredictable extreme environmental conditions that render the train unavailable to perform its risk-significant cooling function should be addressed through the FAQ process to determine if resulting unavailability should be included in UAI.]
Figure F-2: Motor Driven Pump Boundary (diagram labels: Controls, Breaker, Motor Operator, ESFAS)

Figure F-3: MOV Boundary (diagram labels: Controls, ESFAS, Breaker, Motor Operator)

Figure F-4

Figure F-5 (diagram labels: Non-monitored Components; 1 of 2 valves per system success criteria; 1 of 2 valves per train success criteria)
FAQ LOG
DRAFT 9/14/04

TempNo. | PI | Question/Response | Status | Plant/Co.

TempNo.: 27.3
PI: IE02
Plant/Co.: LaSalle
Status: 1/25 Introduced; 2/28 NRC to discuss with resident; 4/25 Discussed; 5/22 On hold; 6/12 Discussed. Related FAQ 30.8; 9/26 Discussed; 10/31 Discussed

Question:
Should a reactor scram due to high reactor water level, where the feedwater pumps tripped due to the high reactor water level, count as a scram with a loss of normal heat removal?

Background Information:
On April 6, 2001 LaSalle Unit 2 (BWR), during maintenance on a motor driven feedwater pump regulating valve, experienced a reactor automatic reactor scram on high reactor water level. During the recovery, both turbine driven reactor feedwater pumps (TDRFPs) tripped due to high reactor water level. The motor driven reactor feedwater pump was not available due to the maintenance being performed. The reactor operators chose to restore reactor water level through the use of the Reactor Core Isolation Cooling (RCIC) System, due to the fine flow control capability of this system, rather than restore the TDRFPs. Feedwater could have been restored by resetting a TDRFP as soon as the control board high reactor water level alarm cleared. Procedure LGA-001 "RPV Control" (Reactor Pressure Vessel control) requires the unit operator to "Control RPV water level between 11 in. and 59.5 in. using any of the systems listed below: Condensate/feedwater, RCIC, HPCS, LPCS, LPCI, RHR."

The following control room response actions, from standard operating procedure LOP-FW-04, "Startup of the TDRFP" are required to reset a TDRFP. No actions are required outside of the control room (and no diagnostic steps are required).

- Verify the following:
  - TDRFP A XFER (Manual/Automatic Controller) station is reset to Minimum.
  - No TDRFP trip signals are present
- Depress TDRFP Turbine RESET pushbutton and observe the following:
  - Turbine RESET light Illuminates
  - TDRP High Press and Low Pressure Stop Valves OPEN
- PUSH M/A increase pushbutton on the Manual/Automatic Controller station

Should this be considered a scram with the loss of normal heat removal?

Proposed Answer:
The ROP working group is currently working to prepare a response.

TempNo.: 28.3
PI: IE02
Plant/Co.: Perry
Status: 3/21 Discussed; 4/25 Discussed; 5/22 Modified to reflect discussion of 4/25 On Hold; 6/12 Discussed. Related FAQ 30.8

Question:
This event was initiated because a feedwater summer card failed low. The failure caused the feedwater circuitry to sense a lower level than actual. This invalid low level signal caused the Reactor Recirculation pumps to shift to slow speed while also causing the feedwater system to feed the Reactor Pressure Vessel (RPV) until a high level scram (Reactor Vessel Water Level - High, Level 8) was initiated.

Within the first three minutes of the transient, the plant had gone from Level 8, which initiated the scram, to Level 2 (Reactor Vessel Water Level - Low Low, Level 2), initiating High Pressure Core Spray (HPCS) and Reactor Core Isolation Cooling (RCIC) injection, and again back to Level 8. The operators had observed the downshift of the Recirculation pumps nearly coincident with the scram, and it was not immediately apparent what had caused the trip due to the rapid sequence of events.

As designed, when the reactor water level reached Level 8, the operating turbine driven feed pumps tripped. The pump control logic prohibits restart of the feed pumps (both the turbine driven pumps and motor driven feed pump (MFP)) until the Level 8 signal is reset. (On a trip of one or both turbine feed pumps, the MFP would automatically start, except when the trip is due to Level 8.) All three feedwater pumps (both turbine driven pumps and the MFP) were physically available to be started from the control room, once the Level 8 trip was reset. Procedures are in place for the operators to start the MFP or the turbine driven feedwater pumps in this situation.

Because the cause of the scram was not immediately apparent to the operators, there was initially some misunderstanding regarding the status of the MFP. (Because the card failure resulted in a sensed low level, the combination of the recirculation pump downshift, the reactor scram, and the initiation of HPCS and RCIC at Level 2 provided several indications to suspect low water level caused the scram.) As a result of the initial indications of a plant problem (the downshift of the recirculation pumps), some operators believed the MFP should have started on the trip of the turbine driven pumps. This was documented in several personnel statements and a narrative log entry.

Contributing to this initial misunderstanding was a MFP control power available light bulb that did not illuminate until it was touched. In fact, the MFP had functioned as it was supposed to, and aside from the indication on the control panel, there were no impediments to restarting any of the feedwater pumps from the control room. No attempt was made to manually start the MFP prior to resetting the Level 8 feedwater trip signal.

Regardless of the issue with the MFP, however, both turbine driven feed pumps were available once the high reactor water level cleared, and could have been started from the control room without diagnosis or repair. Procedures are in place to accomplish this restart, and operators are trained in the evolution. Since RCIC was already in operation, operators elected to use it as the source of inventory, as provided for in the plant emergency instructions, until plant conditions stabilized. Should this event be counted as a Scram with a Loss of Normal Heat Removal?

Response:
The ROP working group is currently working to prepare a response.

TempNo.: 30.8
PI: IE02
Plant/Co.: Generic
Status: 5/22 Introduced; 6/12 Discussed; 9/26 Discussed; 10/31 Discussed

Question:
Many plant designs trip the main feedwater pumps on high reactor water level (BWRs), and high steam generator water level or certain other automatic trips (PWRs). Under what conditions would a trip of the main feedwater pumps be considered/not considered a scram with loss of normal heat removal?

Response:
The ROP working group is currently working to prepare a response.
32.3a IE02 Question:
1/23 Revised. Split into DC Cook An unplanned scram occurred October 7, 2001, during startup following an extended forced outage. The unit was in two FAQs Mode 1 at approximately 8% reactor power with a main feed pump and low-flow feedwater preheating in service. The 3/20 Discussed operators were preparing to roll the main turbine when a reactor tripped occurred. The cause of the trip was a loss of 5/1 Discussed voltage to the control rod drive mechanisms and was not related to the heat removal path. Main feedwater isolated on 5/22 Tentative the trip, as designed, with the steam generators being supplied by the auxiliary feedwater (AFW) pumps. At 5 minutes Approval after the trip, the reactor coolant system (RCS) temperature was 540 degrees and trending down. The operators verified 6/18 Discussion that the steam dumps, steam generator power operated relief valves, start-up steam supplies and blowdown were deferred to July isolated. Additionally, AFW flow was isolated to all Steam Generators as allowed by the trip response procedure. At 9 7/24 Discussed minutes after the trip, with RCS temperature still trending down, the main steam isolation valves (MSIV) were closed in accordance with the reactor trip response procedure curtailing the cooldown.
The RCS cooldown was attributed to steam that was still being supplied to low-flow feedwater preheating and #4 steam generator AFW flow control valve not automatically moving to its flow retention position as expected with high AFW flow. The low-flow feedwater preheating is a known steam load during low power operations and the AFW flow control issue was identified by the control room balance of plant operator. The trip response procedure directs the operators to check for and take actions to control AFW flow and eliminate the feedwater heater steam supply.
When this trip occurred the unit was just starting up following a 40 day forced outage. The reactor was at approximately 8% power and there was very little decay heat present following the trip. With very little decay heat available, the primary contribution to RCS heating is from Reactor Coolant Pumps (RCPs). Evaluation of these heat loads, when compared to the cooling provided by AFW, shows that there is approximately 3.5 times as much cooling flow provided than is required to remove decay heat under these conditions plus pump heat. This resulted in rapid cooling of the RCS and ultimately required closure of the MSIVs. Other conditions such as low flow feedwater preheating and the additional AFW flow due to the AFW flow control valve failing to move to its flow retention setting contributed to this cooldown, but were not the primary cause. Even without these contributors to the cooldown, closure of MSIVs would have been required due to the low decay heat present following the trip.
It should also be noted that the conditions that are identified as contributing to the cooldown are not conditions which prevent the secondary plant from being available for use as a cooldown path. The AFW flow control valve not going to the flow retention setting increases the AFW flow to the S/G, and in turn causes an increase in cooldown. This condition is corrected by the trip response procedure since the procedure directs the operator to control AFW flow as a method to stabilize the RCS temperature. With low-flow feedwater preheating in service, main steam is aligned to feedwater heaters 5 and 6 and is remotely regulated from the control room. Low-flow feedwater preheating is used until turbine bleed steam is sufficient to provide the steam supply then the system is isolated. There are no automatic controls or responses associated with the regulating valves, so when a trip occurs, operators must close the regulating valves to secure the steam source. Until the steam regulating valves are closed, this is a steam load contributing to a cooldown. The low-flow preheating steam supplies are identified in the trip response procedure since they are a CNP specific design issue.
The actions taken to control RCS cooldown were in accordance with the plant procedure in response to the trip. The primary reason that the MSIVs were required to be closed was due to the low level of decay heat present following a 40 day forced outage. The closure of the MSIVs was to control the cooldown as directed by plant procedure and not to mitigate an off-normal condition or for the safety of personnel or equipment. With the low decay heat present following the 40 day forced outage, there would not have been a need to reopen the MSIVs prior to recommencing the startup.
Should the reactor trip described above be counted in the Unplanned Scrams with Loss of Normal Heat Removal Performance Indicator?
Response
Yes. The licensee's reactor trip response procedure has an "action/expected response" that reactor coolant system temperature following a trip would be stable at or trending to the no-load Tavg value. If that expected response is not obtained, operators are directed to stop dumping steam and verify that steam generator blowdown is isolated. If cooldown continues, operators are directed to control total feedwater flow. If cooldown continues, operators are directed to close all steam generator stop valves (MSIVs) and other steam valves.
During the unit trip described, the #4 steam generator auxiliary feedwater flow control valve did not reposition to the flow retention setting as expected (an off normal condition). In addition, although control room operators manually closed the low-flow feedwater preheat control valves that were in service, leakage past these valves (a pre-existing, degraded condition identified in the Operator Workaround database) also contributed to the cooldown. Operator logs attributed the reactor system cooldown to the #4 AFW flow control valve failure as well as to steam being supplied to low-flow feedwater preheating. As stated above, the trip response procedure directs operators to control feedwater flow in order to control the cooldown. Operator inability to control the cooldown through control of feedwater flow as directed is considered an off normal condition. Since the cooldown continued due to an off normal condition, operators closed the MSIVs, and therefore this trip is considered a scram with loss of normal heat removal.
34.6 IE02 Question:
Status: 3/20 Introduced; 3/20 Discussed
Plant/Co.: STP
Should the following event be counted as a scram with loss of normal heat removal?
STP Unit Two was manually tripped on Dec. 15, 2002 as required by the off normal procedure for high vibration of the main turbine. Approximately 17 minutes after the Unit was manually tripped main condenser vacuum was broken at the discretion of the Shift Supervisor to assist in slowing the turbine. Plant conditions were stabilized using Auxiliary Feedwater and Steam Generator Power Operated Relief Valves. Main Feedwater remained available via the electric motor driven Startup Feedwater pump. Main steam headers remained available to provide cooling via the steam dump valves. At any time vacuum could have been reestablished without diagnoses or repair using established operating procedures until after completion of the scram response procedures.
Scrams with a Loss of Normal Heat Removal performance indicator is defined as "The number of unplanned scrams while critical, both manual and automatic, during the previous 12 quarters that were either caused by or involved a loss of the normal heat removal path prior to establishing reactor conditions that allow use of the plant's normal long term heat removal systems." This indicator states that a loss of normal heat removal has occurred whenever any of the following conditions occur: loss of main feedwater, loss of main condenser vacuum, closure of the main steam isolation valves or loss of turbine bypass capability. The determining factor for this indicator is whether or not the normal heat removal path is available, not whether the operators choose to use that path or some other path.
The STP plant is designed to isolate main feedwater after a trip by closing the main feedwater control valves. The auxiliary feedwater pumps are then designed to start on low steam generator levels. This is expected following normal operation above low power levels and in turn provides the normal heat removal.
This design functioned as expected on December 15, 2002 when the reactor was manually tripped due to high turbine vibration. Normal plant operating procedures OPOP03-ZG-0006 (Plant Shutdown from 100% to Hot Standby) and OPOP03-ZG-0001 (Plant Heatup) state if Auxiliary Feedwater is being used to feed the steam generators then the preferred method of steaming is through the steam generator power operated relief valves. This can be found in steps 7.4 and 7.5 of OPOP03-ZG-0001 and steps 6.6.5 and 6.6.10 of OPOP03-ZG-0006. The note prior to 6.6.10 states "the preferred method for controlling SG steaming rates while feeding with AFW is with the SG PORVs".
The normal heat removal path as defined in NEI 99-02 Revision 2 was in service and functioning properly for seventeen minutes after the manual reactor trip and would have continued to function had not the shift supervisor voluntarily broken condenser vacuum and closed the MSIVs. Interviews with the shift supervisor showed that the decision to break vacuum was two part. 1) Based on experience and reports from the field it was known that vacuum would need to be broken to support the maintenance state required for the main turbine and at a minimum to support timely inspection. 2) This would assist in slowing the turbine. The decision to break vacuum was not based solely on mitigating an off-normal condition or for the safety of personnel or equipment. Because Auxiliary Feedwater system had actuated and was in service as expected, the decision was made to use Auxiliary Feedwater and steam through the SG PORVs. As stated earlier, this is the preferred method of heat removal if the decision to use Auxiliary Feedwater is employed as supported by the normal operating procedures while the plant is in Mode 3. Main feedwater remained available via the electric motor driven Startup Feedwater pump and the main steam headers remained available to provide cooling via the steam dump valves if required. Discussion with the shift supervisor showed he was confident that at any time vacuum could have been readily recovered from the control room without the need for diagnoses or repair using established operating procedures if the need arose. An outside action would be required in drawing vacuum in that a Condenser Air Removal pump would require starting locally in the TGB. This is a simplistic, proceduralized and commonly performed evolution. Personnel are fully confident this would have been performed without incident if required.
Closing the MSIVs and breaking vacuum as quickly as possible is not uncommon at STP. For a normal planned shutdown MSIVs are closed and vacuum broken within four to six hours typically to support required maintenance in the secondary. If maintenance in the secondary is known to be critical path then vacuum has been broken as early as three hours and fifteen minutes following opening of the main generator breaker. The only reason that vacuum is not broken sooner is because in most cases it is needed to support chemistry testing.
Status: 6/18 Discussed; Question to be revised to reflect discussion; 7/24 Discussed
By limiting the flow path as described in NEI 99-02 for normal heat removal there is undue burden being placed on the utility. Only recognizing this one specific flow path reduces operational flexibility and penalizes utilities for imparting conservative decision making. Conditions are established immediately following a reactor trip (100% to Mode 3) that can be sustained indefinitely using Auxiliary Feedwater and steaming through the steam generator PORVs. This fact is again supported in the station's Plant Shutdown from 100% to Hot Standby and Plant Heatup normal operating procedures. The cause of a trip, the intended forced outage work scope, or outage duration varies and inevitably will factor into which method of normal long term heat removal is best for the station to employ shortly following a trip.
Response:
The ROP working group is currently working to prepare a response.
Licensee Proposed Response:
NO. Since vacuum was secured at the discretion of the Shift Supervisor and could have been restored using existing normally performed operating procedures, the function meets the intention of being available but not used.
36.1 IE02 Question:
With the unit in RUN mode at 100% power, the control room received indication that a Reactor Pressure Vessel relief valve was open. After taking the steps directed by procedure to attempt to reseat the valve without success, operators scrammed the reactor in response to increasing suppression pool temperature. Following the scram, and in response to procedural direction to limit the reactor cooldown rate to less than 100 degrees per hour, the operators closed the Main Steam Isolation Valves (MSIVs). The operators are trained that closure of the MSIVs to limit cooldown rate is expected in order to minimize steam loss through normal downstream balance-of-plant loads (steam jet air ejectors, offgas preheater, gland seal steam).
At the time that the MSIVs were closed the reactor was at approximately 500 psig. One half hour later, condenser vacuum was too low to open the turbine bypass valves and reactor pressure was approximately 325 psig. Approximately eight hours after the RPV relief valve opened, the RPV relief valve closed with reactor pressure at approximately 50 psig. This information is provided to illustrate the time frame during which the reactor was pressurized and condenser vacuum was low.
Although the MSIVs were not reopened during this event, they could have been opened at any time. Procedural guidance is provided for reopening the MSIVs. Had the MSIVs been reopened within approximately 30 minutes of their closure, condenser vacuum was sufficient to allow opening of the turbine bypass valves. If it had been desired to reopen the MSIVs later than that, the condenser would have been brought back on line by following the normal startup procedure for the condenser.
As part of the normal startup procedure for the condenser, the control room operator draws vacuum in the condenser by dispatching an operator to the mechanical vacuum pump. The operator starts the mechanical vacuum pump by opening a couple of manual valves and operating a local switch. All other actions, including opening the MSIVs and the turbine bypass valves, are taken by the control room operator in the control room. It normally takes between 45 minutes and one hour to establish vacuum using the mechanical vacuum pump.
The reactor feed pumps and feedwater system remained in operation or available for operation throughout the event. The condenser remained intact and available and the MSIVs were available to be opened from the control room throughout the event. The normal heat removal path was always and readily available (i.e. use of the normal heat removal path required only a decision to use it and the following of normal station procedures) during this event.
Does this scram constitute a scram with a loss of normal heat removal?
Status: 9/25 Introduced and discussed
Plant/Co.: Quad Cities
Response:
No. The normal heat removal path was not lost even though the MSIVs were manually closed to control cooldown rate. There was no leak downstream of the MSIVs, and reopening the MSIVs would not have introduced further complications to the event. The normal heat removal path was purposefully and temporarily isolated to address the cooldown rate, only. Reopening the normal heat removal path was always available at the discretion of the control room operator and would not have involved any diagnosis or repair.
Further supporting information:
The clarifying notes for this indicator state: "Loss of normal heat removal path means the loss of the normal heat removal path as defined above. The determining factor for this indicator is whether or not the normal heat removal path is available, not whether the operators choose to use that path or some other path." In this case, the operator did not choose to use the path through the MSIVs, even though the normal heat removal path was available.
The clarifying notes for this indicator also state: "Operator actions or design features to control the reactor cooldown rate or water level, such as closing the main feedwater valves or closing all MSIVs, are not reported in this indicator as long as the normal heat removal path can be readily recovered from the control room without the need for diagnosis or repair." In this case, the closing of the MSIVs was performed solely to control reactor cooldown rate. It was not performed to isolate a steam leak. There was no diagnosis or repair involved in this event. The MSIVs could have been reopened following normal plant procedures
36.2 IE02 Question:
Status: 9/25 Introduced and discussed
Plant/Co.: Peach Bottom
Should an "Unplanned Scram with a Loss of Normal Heat Removal" be reported for the Peach Bottom Unit 2 (July 22, 2003) reactor scram followed by a high area temperature Group I isolation?
Description of Event:
At approximately 1345 on 07/22/03, a Main Generator 386B and 386F relay trip resulted in a load reject signal to the main turbine and the main turbine control valves went closed. The Unit 2 reactor received an automatic Reactor Protection System (RPS) scram signal as a result of the main turbine control valves closing. Following the scram signal, all control rods fully inserted and, as expected, Primary Containment Isolation System (PCIS) Group II and III isolations occurred due to low Reactor Pressure Vessel (RPV) level. The Group III isolation includes automatic shutdown of Reactor Building Ventilation. RPV level control was re-established with the Reactor Feed System and the scram signal was reset at approximately 1355 hours.
At approximately 1356 hours, the crew received a High Area Temperature alarm for the Main Steam Line area. The elevated temperature was a result of the previously described trip of the Reactor Building ventilation system. At approximately 1358, a PCIS Group I isolation signal occurred due to Steam Tunnel High Temperature resulting in the automatic closure of all Main Steam Isolation Valves (MSIV). Following the MSIV closure, the crew transitioned RPV pressure and level control to the High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) systems. Following the reset of the PCIS Group II and III isolations at approximately 1408, Reactor Building ventilation was restored.
At approximately 1525, the PCIS Group I isolation was reset and the MSIVs were opened. Normal cooldown of the reactor was commenced and both reactor recirculation pumps were restarted. Even though the Group I isolation could have been reset following the Group II/III reset at 1408, the crew decided to pursue other priorities before reopening the MSIVs including: stabilizing RPV level and pressure using HPCI and RCIC; maximizing torus cooling; evaluating RCIC controller oscillations; evaluating a failure of MO-2-02A-53A "A" Recirculation Pump Discharge Valve; and, minimizing CRD flow to facilitate restarting the Reactor Recirculation pumps.
Problem Assessment:
It is recognized that loss of Reactor Building ventilation results in rising temperatures in the Outboard MSIV Room.
The rate of this temperature rise and the maximum temperature attained are exacerbated by summertime temperature conditions. When the high temperature isolation occurred, the crew immediately recognized and understood the cause to be the loss of Reactor Building ventilation. The crew then prioritized their activities and utilized existing General Plant (GP) and System Operating (SO) procedures to re-open the MSIVs.
Reopening of the MSIVs was:
- easily facilitated by restarting Reactor Building ventilation,
- completed from the control room using normal operating procedures without the need of diagnosis or repair
Therefore, the MSIV closure does not meet the definition of "Loss of normal heat removal path" provided in NEI 99-02, Rev. 2, page 15, line 37, and it is appropriate not to include this event in the associated performance indicator - Unplanned Scrams with Loss of Normal Heat Removal.
Discussion of specific aspects of the event:
Was the recognition of the condition from the Control Room?
Yes. Rising temperature in the Outboard MSIV Room is indicated by annunciator in the main control room. Local radiation levels are also available in the control room. During the July 22, 2003 scram, control room operators also recognized that the increase in temperature was not due to a steam leak in the Outboard MSIV Room because the local radiation monitor did not indicate an increase in radiation levels. Initiation of the Group I isolation on a Steam Tunnel High Temperature is indicated by two annunciators in the control room.
Does it require diagnosis or was it an alarm?
The event is annunciated in the control room as described previously.
Is it a design issue?
Yes. The current Unit 2 design has the Group I isolation temperature elements closer to the Outboard MSIV Room ventilation exhaust as compared to Unit 3. As a result, the baseline temperatures, which input into the Group I isolation signal, are higher on Unit 2 than Unit 3.
Are actions virtually certain to be successful?
The actions to reset a Group I isolation are straight forward and the procedural guidance is provided to operate the associated equipment. No diagnosis or troubleshooting is required.
Are operator actions proceduralized?
The actions to reset the Group I isolation are delineated in General Plant procedure GP-8.A "PCIS Isolation-Group I." The actions to reopen the MSIVs are contained in System Operating procedures SO IA.7.A-2 "Main Steam System Recovery Following a Group I Isolation" and Check Off List SO I A.7.A-2 "Main Steam Lineup After a Group I Isolation." These procedures are performed from the control room.
How does Training address operator actions?
The actions necessary for responding to a Group I isolation and subsequent recovery of the Main Steam system are covered in licensed operator training.
Are stressful or chaotic conditions during or following an accident expected to be present?
As was demonstrated in the event of July 22, 2003, sufficient time existed to stabilize RPV level and pressure control and methodically progress through the associated procedures to reopen the MSIVs without stressful or chaotic conditions.
Response
The Peach Bottom Unit 2 July 22, 2003 reactor scram followed by a high area temperature Group I isolation should not be included in the Performance Indicator - "Unplanned Scram with a Loss of Normal Heat Removal." This specific MSIV closure does not meet the definition of "Loss of normal heat removal path" provided in NEI 99-02, Rev. 2, page 15, line 37, in that the main steam system was "easily recovered from the control room without the need for diagnosis or repair." Therefore, it would not be appropriate to include this event in the associated performance indicator - Unplanned Scrams with Loss of Normal Heat Removal.
36.8 IE02 Question:
Status: 1/22 Introduced; 3/25 Discussed
Plant/Co.: Ginna
On August 14, 2003 Ginna Station scrammed due to the wide spread grid disturbance in the Northeast United States.
Subsequent to the scram, Main Feedwater Isolation occurred as designed on low Tavg coincident with a reactor trip.
However, due to voltage swings from the grid disturbance, instrument variations caused the Advanced Digital Feedwater Control System (ADFCS) to transfer to manual control. This transfer overrode the isolation signal causing the Main Feedwater Regulation Valves (MFRVs) to go to, and remain at, the normal or nominal automatic demand position at the time of the transfer, resulting in an unnecessary feedwater addition. The feedwater addition was terminated when the MFRVs closed on the high-high steam generator level (85%) signal. Operators conservatively closed the MSIVs in accordance with the procedure to mitigate a high water level condition in the Steam Generators.
Decay heat was subsequently removed using the Atmospheric Relief Valves (ARVs). Should the scram be counted under the PI "Unplanned Scrams with Loss of Normal Heat Removal?"
Status: 6/16 Discussed
Response
No. Under clarifying notes, page 16, lines 18 - 22, NEI 99-02 states: "Actions or design features to control the reactor cool down rate or water level, such as closing the main feedwater valves or closing all MSIVs, are not reported in this indicator as long as the normal heat removal path can be readily recovered from the control room without the need for diagnosis or repair. However, operator actions to mitigate an off-normal condition or for the safety of personnel or equipment (e.g., closing MSIVs to isolate a steam leak) are reported." In this case, a feedwater isolation signal had automatically closed the main feed regulating valves, effectively mitigating the high level condition. Manually closing the MSIVs was a conservative procedure driven action, which in this case was not by itself necessary to protect personnel or equipment. The main feed regulating valves were capable of being easily opened from the control room, and the MSIVs were capable of being opened from the control room (after local action to bypass and equalize pressure, see FAQ 303).
In addition, the cause of the high steam generator level was due to voltage fluctuations on the offsite power grid which resulted in the operators closing the MSIVs. Clarifying notes for this performance indicator exempt scrams resulting in loss of all main feedwater flow, condenser vacuum, or turbine bypass capability caused by loss of offsite power. In this case, offsite power was not lost. However, the disturbances in grid voltage affected the ADFCS system which started a chain of events which ultimately resulted in the closure of the MSIVs.
36.9 IE02 Question:
During startup activities following a refueling outage in which new monoblock turbine rotors were installed in the LP turbines, reactor power was approximately 10% of rated thermal power, and the main turbine was being started up.
Feedwater was being supplied to the steam generators by the turbine driven main feedwater pumps, and the main condensers were in service. During main turbine startup, the turbine began to experience high bearing vibrations before reaching its normal operating speed of 1800 rpm, and was manually tripped. The bearing vibrations increased as the turbine slowed down following the trip. To protect the main turbine, the alarm response procedure for high-high turbine vibration required the operators to manually SCRAM the reactor, isolate steam to the main condensers by closing the main steam isolation valves and to open the condenser vacuum breaker thereby isolating the normal heat removal path to the main condensers. This caused the turbine driven main feedwater pumps to trip. Following the reactor SCRAM, the operators manually started the auxiliary feedwater pumps to supply feedwater to the steam generators.
Based on industry operating experience, operators expected main turbine vibrations during this initial startup. Nuclear Engineering provided Operations with recommendations on how to deal with the expected turbine vibration issues that included actions up to and including breaking condenser vacuum. Operations prepared the crews for this turbine startup with several primary actions. First, training on the new rotors, including industry operating experience and technical actions being taken to minimize the possibility of turbine rubs was conducted in the pre-outage Licensed Operator Requalification Training. Second, the Alarm Response Procedures (A-34 and B-34) for turbine vibrations were modified to include procedures to rapidly slow the main turbine to protect it from damage. Under the worst turbine vibration conditions, the procedure required operators to trip the reactor, close MSIVs and break main condenser vacuum. Third, operating crews were provided training in the form of a PowerPoint presentation for required reading which included a description of the turbine modifications, a discussion of the revised Alarm Response Procedures and industry operating experience.
Status: 1/22 Introduced; 3/25 Discussed. Question to be rewritten and response provided; 4/22 Question and response provided; 6/16 Discussed; 7/22 Discussed; 8/18 Discussed
Plant/Co.: Millstone 2
Does this SCRAM count against the performance indicator for scrams with loss of normal heat removal?
Response
No, this scram does not count against the performance indicator for scrams with loss of normal heat removal. The conditions that resulted in the closure of the MSIVs after the reactor trip were expected for the main turbine startup following rotor replacement. Operator actions for this situation had been incorporated into normal plant procedures.
37.3 ORI Question:
Status: 3/25 Introduced; 4/22 Directed to HP counterparts for review; 5/27 To be revised by HP counterparts; 7/22 Revised; 8/18 Tentative Approval
Plant/Co.: NRC
The definition of the Occupational Exposure Control Effectiveness performance indicator refers to "measures that provide assurance that inadvertent entry into the technical specification high radiation areas by unauthorized personnel will be prevented" (page 98, NEI 99-02, Revision 2). In the context of applying the performance indicator definition in evaluating physical barriers to control access to technical specification high radiation areas, what is meant by "inadvertent entry"?
Response:
In reference to application of the performance indicator definition in evaluating physical barriers, the term "inadvertent entry" means that the physical barrier can not be easily circumvented (i.e., an individual who incorrectly assumes, for whatever reason, that he or she is authorized to enter the area, is unlikely to disregard, and circumvent, the barrier).
The barriers used to control access to technical specification high radiation areas should provide reasonable assurance that they secure the area against unauthorized access.
37.5 ORI Question:
Status: 3/25 Introduced; 4/22 Being revised by licensee; 5/27 Revised. To be reviewed by HP counterparts; 8/18 Tentative Approval
Plant/Co.: TMI
A worker entered a Technical Specification High Radiation Area (>1R/hr) with all requirements of the job (training, briefings, dosimetry, ALARA Plan and RWP requirements, electronic dosimetry, etc.). The worker did not perform the RWP process auto-sign-in on the RWP, which would have electronically checked the worker's 700 mrem administrative RWP buffer. Not performing this auto-sign-in process did not violate the primary means of controlling access and did not invalidate the RWP for the job. The RWP stated that 700 mrem dose availability was required prior to entry. This administrative dose buffer is an additional defense-in-depth, licensee-initiated control to protect against exceeding the licensee's system of dose control and is not utilized to control dose. The worker's actual dose did not exceed the electronic dosimeter set point and the minimum administrative control guideline. The dose availability of the worker is defined as the difference between the site-specific administrative control level of 2000 mrem (significantly below Federal Limits) and the worker's current accumulated dose for the year.
An ALARA Plan and RWP controlled the work activity. The individual used teledosimetry with predetermined alarm setpoints for the job, which transmitted dose and dose rate information during the entry. Video surveillance was utilized by radiation protection technicians and in compliance with 10CFR20.1601(b) during the entry into the >1R/hr area. Specific authorization was given by the remote monitoring station technician to enter into the area. The worker had the training and respiratory protection qualifications required by the RWP, multiple TLDs had been issued, the required RWP was obtained and signed, and briefings were attended. The RWP entry was accomplished within pre-determined stay-time limitations, as discussed in the worker briefing. The electronic entry time was entered after the worker had exited the area. There was no over exposure or unintended dose for this worker. The work was completed within the maximum projected dose for the activity. Technical Specification requirements for control of entry into the high radiation area were met and worker dose was controlled since the worker was authorized and had obtained the RWP for the job.
The primary means of control of occupational dose exposure include predetermined stay-time limitations and alarming dosimetry set below expected job levels. The administrative control level is an additional exposure control mechanism. The licensee's administrative control level is conservatively established at 2 rem, or 40% of the Federal dose limit, to provide a substantial margin to prevent personnel from exceeding the Federal dose limit of 5 rem and to help ensure equitable distribution of dose among workers with similar jobs. The individual's annual dose was well below 2 rem and the administrative control level had not been raised above 2 rem prior to the worker obtaining a TLD.
If needed, additional and higher levels of managerial review and authorization are required for higher dose control levels. Increasing levels of management review and approvals are required to exceed the administrative control level of 2000 mrem (i.e., to 3000 mrem requires written approval by the Radiation Protection Manager and the work group supervisor, to 4000 mrem requires written approval by the Radiation Protection Manager, work group supervisor, and Plant Manager, to 5000 mrem requires written approval by the Site Vice President). The administrative dose buffer is in addition to the Technical Specification requirements for an RWP and therefore not material to the Technical Specification requirements for control of occupational dose.
As it is stated in NEI 99-02, "this PI does not include nonconformance with licensee-initiated controls that are beyond what is required by technical specifications and the comparable provisions in 10 CFR Part 20." The check of dose availability is a licensee-initiated administrative control that is beyond what is required by technical specifications, comparable provisions in 10 CFR 20, or Regulatory Guide 8.38. Does failure of the worker to meet the internal administrative control guideline for dose available as specified by the RWP for the job activity count as a PI occurrence?
Response
Yes, this event would be a reportable PI occurrence. The above clearly describes a nonconformance with an RWP procedural requirement that resulted in a loss of control of access to the Tech. Spec. High Radiation Area. Had the RWP procedure been adhered to, this individual would not have been allowed to enter without further approval.
37.6 BI02 Question:

Status: 3/25 Introduced; 4/22 Discussed; 5/27 Discussed; 8/18 Tentative Approval. Plant/Co.: River Bend.

River Bend Station (RBS) seeks clarification of BI-02 information contained in NEI 99-02 guidance, specifically page 80, lines 36 and 37: "Only calculations of RCS leakage that are computed in accordance with the calculational methodology requirements of the Technical Specifications are counted in this indicator."

NEI 99-02, Revision 2 states that the purpose for the Reactor Coolant System (RCS) Leakage Indicator is to monitor the integrity of the reactor coolant system pressure boundary. To do this, the indicator uses the identified leakage as a percentage of the technical specification allowable identified leakage. Moreover, the definition provided is "the maximum RCS identified leakage in gallons per minute each month per technical specifications and expressed as a percentage of the technical specification limit."
The RBS Technical Specification (TS) states "Verify RCS unidentified LEAKAGE, total LEAKAGE, and unidentified LEAKAGE increase are within limits (12 hour frequency)." RBS accomplishes this surveillance requirement using an approved station procedure that requires the leakage values from the 0100 and 1300 calculation be used as the leakage "of record" for the purpose of satisfying the TS surveillance requirement. These two data points are then used in the population of data subject to selection for performance indicator calculation each quarter (highest monthly value is used).
The RBS approved TS method for determining RCS leakage uses programmable controller generated points for total RCS leakage. The RBS' programmable controller calculates the average total leakage for the previous 24 hours and
prints a report giving the leakage rate into each sump it monitors, showing the last four calculations to indicate a trend and printing the total unidentified LEAKAGE, total identified LEAKAGE, their sum, and the 24 hour average. The programmable controller will print this report any time an alarm value is exceeded. The printout can be ordered manually or can be automatic on a 1 or 8 hour basis. While the equipment is capable of generating leakage values at any frequency, the equipment generates hourly values that are summarized in a daily report.
The RBS' TS Bases states "In conjunction with alarms and other administrative controls, a 12 hour Frequency for this Surveillance is appropriate for identifying changes in LEAKAGE and for tracking required trends."
The Licensee provides that NEI 99-02 requires only the calculations performed to accomplish the approved TS surveillance using the station procedure be counted in the RCS leakage indicator. In this case, the surveillance procedure captures and records the 0100 and 1300 RCS leakage values to satisfy the TS surveillance requirements.
The NRC Resident has taken the position that all hourly values from the daily report should be used for the RCS leakage performance indicator determination, even though they are not required by the station surveillance procedure.
The Resident maintains that all hourly values use the same method as the 0100 and 1300 values and should be included in the leakage determination.
Is the Licensee interpretation of NEI 99-02 correct?
Response
Appendix D.
All calculations of RCS leakage that are computed in accordance with the calculational methodology requirements of the Technical Specifications are counted in this indicator. Since the River Bend Station leakage calculation is an average of the previous 24 hourly leakage rates which are calculated in accordance with the technical specification methodology, it is acceptable for River Bend Station to include only those calculations that are performed to meet the technical specifications surveillance requirement when determining the highest monthly values for reporting. The ROP Working Group is forming a task force to review this performance indicator based on industry practices.
37.9 EP02 Question:

Status: 4/22 Introduced; 5/27 Discussed, to be revised to reflect discussion; 7/22 EP peer experts to review this issue; 8/18 To be discussed at 9/1 EP public meeting. Plant/Co.: generic.

NEI 99-02 Rev 2 ERO Participation PI defines the numerator and denominator of the calculation as based on Key ERO Members. The key position list (on pages 89 and 90) was originally created from NUREG 0696 key functions, the NUREG 0651 Table B-1 positions that involved actions associated with the risk significant planning standards (classification, notification, PARs, and assessment), with the addition of the Key OSC Operations Manager included from a mitigation perspective.
It is understood that when a single individual is assigned in more than one 'key position' that individual must be counted individually for each key position (page 91 lines 4-7 of NEI 99-02).
Guidance is not provided in the case where more than one key position is performed by a single member of the ERO in a single drill/exercise. For example, the communicator is defined in NEI 99-02 as the key position individual that fills out the notification form, seeks approval and usually communicates the information to off site agencies (these duties may vary from site to site based on site procedures).
Assigning a single member to multiple Key Positions and then only counting the performance for one Key Position could mask the ability or proficiency of the remaining Key Positions. The concern is that an ERO member having multiple Key Positions may never have a performance enhancing experience for all of them, yet credit for participation will be given when any one of the multiple Key Positions is performed.
When the communicator key position is performed by an ERO member who is also assigned another key position (e.g., the Shift Manager (Emergency Director)), should participation be counted individually for two key positions or for one key position?
Response
Participation by a single member of the ERO performing multiple key positions should be counted for each key position performed. For the situation described, two key positions should be counted.
ERO participation should be counted as individual opportunities for each key position, even when multiple key positions are assigned to the same qualified ERO member. In the case where a utility has assigned two or more key positions to a single ERO member, each key position must be counted as separate opportunities in the denominator for each qualified ERO member and credit given in the numerator when the qualified ERO member performs each individual key position. "Assigned" as used in this FAQ applies to those ERO personnel filling key positions listed on the licensee duty roster on the last day of the reporting period (quarter).
38.2 MS01, MS04 Question:

Status: 5/27 Introduced; 7/22 Discussed; 8/18 Discussed.

If the emergency AC power system or the residual heat removal system is not required to be available for service (e.g., the plant is in "no mode" or Technical Specifications do not require the system to be operable), is it appropriate to include this time in the "hours train required" portion of the safety system performance indicator calculation?
NEI 99-02, Revision 2, starting on line 25 of page 33, discusses the term "hours train required" as used in safety system unavailability performance indicators. For the emergency AC power system and residual heat removal system, the guidance allows the "hours train required" to be estimated by the number of hours in the reporting period because the emergency generators are normally expected to be available for service during both plant operations and shutdown, and because the residual heat removal system is required to be available for decay heat removal at all times.
The response to FAQ 183 states: "During periods and conditions where Technical Specifications allow both shutdown cooling trains to be removed from service the shutdown cooling system is, in effect, not required and required hours and unavailable hours would not be counted."
Response
Being revised

Appendix D FAQ: Mitigating Systems - Safety System Unavailability, Emergency AC Power

Status: 6/16 Introduced; 7/22 Discussed; 8/18 Discussed. Plant/Co.: Brunswick.

During a monthly surveillance test of Emergency Diesel Generator 3 (EDG3), an alarm was received in the control room for an abnormal condition. The jacket water cooling supply to EDG3 had experienced a small leak (i.e., less than 1 gpm) at a coupling connection that resulted in a low level condition and subsequent control room alarm. The Low Jacket Water Pressure Alarm, which annunciates locally and in the control room, indicated low pump suction pressure. This was due to low level in the diesel generator jacket water expansion tank. An Auxiliary Operator (AO) stationed at EDG3 responded to the alarm by opening the manual supply valve to provide makeup water to the expansion tank.
EDG3 continued to function normally and the surveillance test was completed satisfactorily. Review of data determined that improper tightening of the coupling was performed after the monthly EDG run on December 8, which led to an unacceptable leak if the EDG was required to run. The coupling was properly repaired and tested, and declared to be available and operable on January 6. The condition existed for approximately 28 days.
Although the recovery action was conducted outside of the main control room, it was a simple evolution directed by a procedure step, with a high probability of success. This operator response is similar to the response described in Appendix D FAQ 301. In addition, this operator action would be successful during a postulated loss of offsite power event, except for a 23 hour period when the demineralized water supply level was too low to support gravity feed. The engineering analysis determined that a level of 21' 5" of demineralized water supply level was necessary to support gravity feed to the expansion tank. Another 9" (4,740 gallons) was added to this level to allow for the leak and nominal usage and makeup over the 24 hour mission time. Using this analysis, any time the demineralized water level fell below 22' 2", the EDG was considered to be unavailable. A human reliability analysis calculated the probability of an AO failing to add water to the expansion tank from receipt of the low pressure alarm to be 4.7 E-3. In other words, there would be a greater than 99.5% probability of successful task completion within twenty minutes of receiving the annunciator. Vendor analysis determined that, with the existing leak rate, the EDG would remain undamaged for twenty minutes. The human reliability analysis considered that the low jacket water pressure would be annunciated in the control room, the annunciator procedure provided specific direction for filling the expansion tank, the action is reinforced through operator training, and sufficient time would be available to perform the simple action. In its calculation of the probability of operator recovery, the analysis also considered that another indicator, a low-level expansion tank alarm, was out of service during this time period. However, although the low expansion tank alarm was out of service, it results in low pump suction pressure which did annunciate.
NEI 99-02 Appendix D lists several issues that may be addressed for exceptions to allow credit for operator compensatory actions to mitigate the effects of unavailability of monitored systems.
1. The capability to recognize the need for compensatory actions - Low pump suction pressure annunciates in the control room.
2. The availability of trained personnel to perform the compensatory action - This is an uncomplicated action, but operators are trained on it. An auxiliary operator simply has to open one manual valve as directed by the annunciator procedure.
3. The means of communications between the control room and the local operator - Communications can be accomplished either via the plant PA system or a portable radio.
4. The availability of compensatory equipment - No compensatory equipment is necessary.
5. The availability of a procedure for compensatory actions - There is an annunciator procedure in the diesel generator room that would direct the auxiliary operator to open the manual valve.
6. The frequency with which the compensatory actions are performed - This action is performed infrequently, but it was demonstrated to be successful during the surveillance test.
7. The probability of successful completion of compensatory actions within the required time - The human reliability analysis determined that there was a 99.5% probability of successful completion of compensatory action within the required time.
In summary, over a 28-day period, jacket water cooling for EDG3 was degraded, but functional for approximately 27 days, and was totally unavailable for 23 hours. This is based on a review of Operator logs, plant trending computer points, and flow calculations. During the 27-day degraded period, a simple manual action directed by procedure and
performed by an operator would have been used to ensure that jacket water was available.
Should fault exposure hours be reported for the 27 days when the Emergency Diesel Generator 3 jacket water was considered to be degraded but functional?
Response
No. Unavailable hours need not be reported for this situation. The actions are proceduralized, operators are trained on the procedure, no troubleshooting or diagnosis is necessary, there is a control room alarm to alert the operators to the need for action, and the actions have been demonstrated to be able to be accomplished within the necessary time constraints. Therefore, operator recovery actions are considered to be virtually certain of success.
38.4 EP03 Question:

Status: 6/16 Introduced; 8/18 To be discussed at 9/1 EP public meeting. Plant/Co.: Pilgrim.

Pilgrim has 112 sirens which are normally scheduled to be tested for performance indicator purposes once each calendar month (e.g., once during the month of September). This was reflected in procedure as a requirement to test all of the sirens "monthly". The person scheduling the testing of the sirens incorrectly interpreted the procedure's "monthly" frequency consistent with other "monthly" tests as allowing a 25% grace period for scheduling flexibility. As a result, 29 of the siren tests normally scheduled to be performed in September were scheduled to be performed during the beginning of October.
On October 1 the status of the siren testing was discussed with other members of the plant staff who understood that the intent of the "monthly" requirement was once per calendar month and that no grace period applied. Immediate actions were taken including performing the remaining 29 tests on an accelerated basis (all satisfactory tested by October 3) and entering the item in the corrective action program.
All of the 29 sirens passed the testing performed during the first 3 days of October. The testing was not delayed due to the unavailability or suspected unavailability of the sirens. The reason for the late testing of the equipment was purely an administrative error and not siren functionality related.
For plants where siren tests are initiated by the utility, if a scheduled test(s) was not performed due to an administrative issue but the untested siren(s) was not out-of-service for maintenance or repair and was believed to be capable of operation if activated, should the missed tests be considered non-opportunities or failures for performance indicator reporting purposes?
Response
Regularly scheduled tests missed for reasons other than siren unavailability (e.g., out of service for planned maintenance or repair) should be considered non-opportunities. The failure to perform a regularly scheduled test should be entered in the plant's corrective action program and annotated in the comment field on the quarterly data submittal. The failure to perform regularly scheduled tests may be reviewed as part of the baseline inspection process.

38.9 OR01 Question:

Status: 7/22 Introduced; 8/18 Additional information required. Plant/Co.: Brunswick.

On March 4, 2004, workers initiated a series of diving activities related to the inspection and repair of the Steam Dryer in the Dryer Separator Pit.
On March 5, 2004, a contract diver proceeded to the Unit 1 Reactor Building 117' Elevation in preparation for the next diving evolution on the Steam Dryer. Based on underwater dose gradients from the steam dryer, 5 Electronic Dosimeters (EDs), 10 thermoluminescent dosimeters (TLDs) and a telemetry transmitter were placed on the diver by a Radiation Protection Technician (RPT) to monitor personnel exposure. ED/TLD combinations were placed on the chest, right arm, left arm, right leg, and left leg. TLDs were used to monitor the extremities. Communication between the EDs and the telemetry system was verified after placement on the diver. The RPT conducted the pre-dive radiological briefing and the diver entered the Contaminated Area.
Telemetry problems were experienced prior to the diver entering the Dryer Separator Pit. The underwater antenna was changed out and telemetry problems appeared to be corrected. The diver was in the Dryer Separator Pit approximately 40 minutes when additional telemetry problems occurred. The diver was instructed to exit the water and the
transmitter replaced. The telemetry problems were corrected and the diver re-entered the Dryer Separator Pit. After entering the water, the left arm ED stopped communicating with the telemetry system. The telemetry computer was rebooted while the diver was in the Dryer Separator Pit, but the left arm ED failed to transmit. The RP Supervisor evaluated the situation and decided to allow the dive to continue since four of the five EDs were transmitting properly.
The left arm ED did not transmit for the remainder of the dive. However, it did remain functional and continued to accumulate dose. Upon completion of the work, the diver exited the Dryer Separator Pit and it was discovered that his left arm ED was in alarm. Specific ED results for the diver are given below:

Chest 147
Right Arm 319
Left Arm 588
Right Leg 30
Left Leg 31

Per the RWP, the Administrative Dose Limit for the dive was 500 mrem.

The diver's TLDs were processed and the results are given below:

| TLD Location | TLD Result (mrem) |
|---|---|
| Chest | 135 |
| Right Arm | 403 |
| Left Arm | 673 |
| Right Leg | 30 |
| Left Leg | 34 |
| Head | 216 |

Does the situation described above constitute an unintended exposure occurrence in the Occupational Radiation Safety Cornerstone as described in NEI 99-02?
Response
NEI 99-02 identifies the dose value used as a screening criterion to identify an unintended exposure occurrence as 100 mrem. The administrative dose guideline was established in the RWP as 500 mrem. Since the ED was functional and read 588 mrem, the screening criterion in 99-02 was not exceeded.
IE03 Question:

Status: 8/18 Introduced. Plant/Co.: Brunswick.

On June 23, 2004, condenser waterbox level and temperature readings on the Unit 1 and 2 main condensers indicated partial blockage of the waterbox intake debris filters. The cause was an influx of gracilaria, which is a marine grass found in the river water that is the circulating water intake supply to the plant. Subsequent backwashes of the debris filters were successful at restoring waterbox level and temperature readings to the normal band, except for the 2B-South waterbox, which is one of four waterboxes of the Unit 2 main condenser. An extended backwash was unsuccessful in restoring its readings back to normal.
Debris is removed prior to entering the circulating water intake bay by traveling screens with spray nozzles. The 2B-South debris filter is directly downstream from the 2D traveling screen. Investigation of this event found that the spray nozzles for the 2D traveling screen had more fouling than the other spray nozzles. The 2D traveling screen was able to adequately remove normal debris loading, but was not as effective as the other spray nozzles in removing the debris during the large influx of gracilaria.
A decision was made on June 24, 2004 to reduce power to about 53% and isolate the 2B-South waterbox to clean its debris filter. The decision to reduce power within 24 hours was based on several factors, such as reduced condenser efficiency, the potential for additional debris filter clogging, and a reduction in reactor water chemistry due to elevated
condensate demineralizer resin temperatures. It was also based on input from work management, operations, and the load dispatcher. The 2B-South waterbox was successfully cleaned during the downpower and reactor power was restored to normal operating conditions.
This was an anticipated power change in response to expected conditions. Operating experience has shown that the plant is susceptible to large influxes of gracilaria when the salinity level in the river water is elevated. For example, gracilaria problems were correlated with high salinity levels in 2002, which led to high vulnerability conditions. In addition, during another influx of gracilaria, a downpower was required in August, 2001 to clean the 1A-South debris filter. In response to experience over the past 5 years with gracilaria and other intake canal debris, modifications are being implemented at the river water intake diversion structure, which is the first barrier for intake debris, to improve the debris removal capability.
In response to the influx of gracilaria, the plant implemented compensatory actions for a "High Vulnerability" condition in the intake canal. These actions include manning the diversion structure round-the-clock for manual debris removal, increasing screen wash pressure, and staging fire hoses at the traveling screens, if needed, to assist in removing debris. During the June 23 event, all four waterboxes on Unit 1 and three of four waterboxes on Unit 2 were managed within normal operating levels.
The power change was proceduralized. The plant operating procedure for circulating water directs a power reduction to isolate a waterbox and clean the debris filter if an abnormally high differential pressure exists after debris filter flushing has been completed.
The influx of gracilaria was not predictable greater than 72 hours in advance. Although the biology staff has found that high salinity levels in the river water make the conditions for a gracilaria release favorable, it is not possible to predict when an excessive influx will occur. The compensatory actions taken for a high vulnerability condition have usually been effective in preventing debris filter clogging.
Should this event be counted as an unplanned power change?
Response
No, the event should not be counted as an unplanned power change. The increased accumulation of gracilaria in the river water was anticipated due to operating experience with high salinity levels in the river water, but the timing of the gracilaria release into the intake canal could not be predicted with certainty. In addition, the response to the condenser level and temperature conditions is proceduralized.
39.2 EP03 Question:

Status: 8/18 Introduced. To be discussed at 9/1 EP public meeting. Plant/Co.: NRC.

If a licensee makes a change in ANS testing methodology, when can that change be used in the ANS PI calculation?
Response
The change in test methodology shall be reported as part of the ANS Reliability Performance Indicator effective the start of the next quarterly reporting period.
A licensee may change ANS test methodology at any time consistent with regulatory guidance. For the purposes of the Performance Indicator, only the testing methodology in effect on the first day of the quarter shall be used for that reporting period. NEI 99-02 requires that the periodic tests be used in developing the Performance Indicator. Pg 94, lines 12-13, states that: "Periodic tests are the regularly scheduled tests..." Therefore, a reporting period (quarter) starts with a sequence of regularly scheduled tests for that quarter. If a licensee determines that testing methodology should be changed, the plan/procedure directing the periodic tests should be revised and screened in accordance with the licensee's change process.
Monitoring Of Unavailability During Shutdown Conditions

Unavailability monitoring during shutdown is unnecessary because it captures only a fraction of a fraction of overall unavailability. First, with average refueling durations in the 30 day range (every 18 to 24 months), any unavailability is a small fraction of the overall cycle (approximately 4%). Secondly, to count as unavailability during shutdown under NUMARC 93-01, Appendix B, the train has to fail in service or when it is the primary backup for a function. This will only capture unplanned unavailability, which is also a very small fraction of overall unavailability. Thus, to simplify both the Mitigating System Performance Index (MSPI) and maintenance rule accounting (and to make them consistent), unavailability monitoring during shutdown will be eliminated when MSPI is implemented. The unavailability data that will no longer be captured is not significant to the monitoring of system health under the maintenance rule.
Reliability data will continue to be captured for both maintenance rule and MSPI during shutdown. For the purpose of balancing unavailability and unreliability per section (a)(3) of the maintenance rule, the assessment will continue to consider all unreliability data captured during at power and shutdown operations, and the unavailability data captured during power operations. For the reasons noted above, any unavailability during shutdown is not significant to the (a)(3) assessment.
DRAFT FOR COMMENT September 15, 2004 Appendix D PUBLIC RADIATION SAFETY SIGNIFICANCE DETERMINATION PROCESS This process is used in conjunction with Inspection Procedure 71122, "Public Radiation Safety,"
to determine the risk significance of a finding.
Ill.
RADIOACTIVE MATERIAL CONTROL PROGRAM A.
Obiective This branch of the logic diagram focuses on the licensee's radioactive material control program.
It assesses the licensee's ability to prevent the inadvertent release and/or loss of control of licensed radioactive material.
B.
Basis 10 CFR Part 20 contains the requirements for the control and disposal of licensed radioactive material. At a licensee's facility, any equipment or material that came into contact with licensed radioactive material or that had the potential to be contaminated with radioactive material of plant origin and are to be removed from the facility must be surveyed for the presence of licensed radioactive material. This is because NRC regulations, with one exception in 10 CFR 20.2005, provide no minimum level of licensed radioactive material that can be disposed of or released for use in an unrestricted area in a manner other than as radioactive waste or transferred to a licensed recipient.
C. SDP DETERMINATION PROCESS

Is there a finding in the licensee's radiological material control program that is contrary to NRC regulations and/or the licensee's program? If yes, the question is what is the dose impact?

Note: The dose assessment is to be based on an actual or realistic scenario.

If the dose impact was not greater than 0.005 rem total effective dose equivalent (TEDE), then the SDP classification is GREEN. If the dose impact was greater than 0.005 rem TEDE, but < 0.1 rem TEDE, then the SDP classification is WHITE. If the dose impact was greater than 0.1 rem TEDE (exceeds 10 CFR Part 20 public dose limit), but < 0.5 rem TEDE, the SDP classification is YELLOW. If the dose impact was greater than 0.5 rem TEDE, the SDP classification is RED.
A finding represents a failure or performance deficiency of the licensee's Radiation Protection program. An inspection finding is defined as: 1) licensed radioactive material identified outside of a Protected Area, Restricted Area (as defined in 10 CFR Part 73 and Part 20, respectively), or an area defined by the licensee in which licensed radioactive material is controlled, and 2) an evaluation which concluded that the material was released as a result of a) not following plant procedures, b) not being in accordance with documented training, c) inadequate plant procedures, or d) inadequate training. A performance deficiency would not be the following: 1) licensed radioactive material that is below the radiation detection sensitivity of the instruments used (in a manner that is reasonable under the circumstances) for the survey and control of licensed radioactive material, or 2) licensed radioactive material that was released in accordance with the licensee's radioactive gaseous and liquid effluent release program.
DRAFT FOR COMMENT Issue Date: XX/XX/04 D-1 0609, App D
Individuals who are not authorized to receive "occupational dose" are classified as "Members of the Public." Sometimes these individuals are permitted access to a licensee's Protected or Restricted Area for job-related or public information purposes. Such individuals are either physically escorted or are granted limited unescorted access following the successful completion of appropriate orientation training and security screening. The significance of the radioactive material control finding involving licensed radioactive material in a Protected Area, Restricted Area, or an area defined by the licensee in which licensed radioactive material is controlled will be evaluated using the dose-based criteria in the SDP.
In the evaluation of a potential finding, consideration should be given to whether it is a minor issue.
To be considered minor, there must be no dose impact to a member of the public. In practice, this means that the whole body dose rate (measured by a qualified individual, in a low background area, at a distance of 30 cm from the unshielded material with a "micro-rem" per-hour type instrument which typically uses a 1" by 1" scintillation detector) from the item or material is indistinguishable from background.
However, the presence of licensed radioactive material, regardless of whether it meets the minor criteria described above, in an unrestricted area is a condition that warrants documentation in an NRC Inspection Report (see NRC Manual Chapter 0612, Section 05.03.d). This is because licensed radioactive material in the public domain directly relates to an issue of agency-wide concern (Disposition of Solid Materials).
In an inspection report, it is acceptable to document multiple instances of licensed radioactive material being identified outside of a Protected Area, Restricted Area, or an area defined by the licensee in which licensed radioactive material is controlled, as a single finding in the following circumstances: 1) instances that do not represent a performance deficiency and 2) licensee identified instances that represent a performance deficiency that stem from a common root cause or are the result of investigations and surveys conducted in conjunction with a corrective action plan or a general site survey upgrade program.
A finding which involves discrete radioactive particles (also known as hot particles or fuel fleas) will be assessed in the same manner as discussed above (i.e., based on the actual or realistic dose impact [TEDE] to a member of the public).
END