ML19052A096

From kanterella
Jump to navigation Jump to search
NRR E-mail Capture - Draft NEI 18-10, Rev a, Monitoring the Effectiveness of Nuclear Power Plant Maintenance
ML19052A096
Person / Time
Issue date: 02/21/2019
From: John Hughey
NRC/NRR/DRA
To: Vaughn S
Nuclear Energy Institute
References
NEI-18-10
Download: ML19052A096 (51)


Text

NRR-DMPSPEm Resource From: Hughey, John Sent: Thursday, February 21, 2019 9:02 AM To: VAUGHN, Stephen

Subject:

RE: RE: DRAFT NEI 18-10, Revision A Attachments: DRAFT NEI 18-10 Rev A, Monitoring the Effectievness of Nuclear Power Plant Maintenance.pdf

Steve, As we discussed and you reference in your e-mail below, I am placing the attached document, Draft NEI 18-10, Rev. A, in ADAMS as publicly available. I will forward the accession number to you once it has been processed.

Thanks and best regards, John John Hughey PRA Oversight Branch Reliability and Risk Analyst, NRR/DRA/APOB US Nuclear Regulatory Commission Phone: (301) 415-3204 Office: O10-G01 e-mail: john.hughey@nrc.gov From: VAUGHN, Stephen [1]

Sent: Wednesday, February 20, 2019 10:52 AM To: Hughey, John <John.Hughey@nrc.gov>

Subject:

[External_Sender] RE: DRAFT NEI 18-10, Revision A

John, It looks like on 12/20/18 I emailed the draft NEI 18-10 to you and copied Mike Montecalvo and Matt Humberstone. I am guessing Matt and Mike did not put it in ADAMS.

If you do find NEI 18-10 in ADAMS or put it in ADAMS, could you send me the ML?

Thanks, Steve From: VAUGHN, Stephen Sent: Thursday, December 20, 2018 3:30 PM To: 'Hughey, John'

Subject:

RE: DRAFT NEI 18-10, Revision A Sure thing John.

From: Hughey, John [2]

Sent: Thursday, December 20, 2018 3:29 PM 1

To: VAUGHN, Stephen Cc: Montecalvo, Michael; Humberstone, Matthew; Fong, CJ

Subject:

[EXTERNAL] RE: DRAFT NEI 18-10, Revision A Thanks, Steve.

John Hughey PRA Oversight Branch Reliability and Risk Analyst, NRR/DRA/APOB US Nuclear Regulatory Commission Phone: (301) 415-3204 Office: O10-G01 e-mail: john.hughey@nrc.gov From: VAUGHN, Stephen [3]

Sent: Thursday, December 20, 2018 3:25 PM To: Hughey, John <John.Hughey@nrc.gov>

Cc: Montecalvo, Michael <Michael.Montecalvo@nrc.gov>; Humberstone, Matthew <Matthew.Humberstone@nrc.gov>

Subject:

[External_Sender] DRAFT NEI 18-10, Revision A

John, Attached is the Draft NEI 18-10, Revision A guidance document. An NEI-led working group developed the document in 2018 with the intent of adding efficiencies and improving the effectiveness of 50.65 implementation.

Please let me know if you have any questions,

Regards, STEPHEN J. VAUGHN l SENIOR PROJECT MANAGER, ENGINEERING AND RISK 1201 F Street, NW, Suite 1100 l Washington, DC 20004 P: 202.739.8163 M: 202.256.5393 sjv@nei.org This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Sent through www.intermedia.com This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

2

Sent through www.intermedia.com 3

Hearing Identifier: NRR_DMPS Email Number: 809 Mail Envelope Properties (BL0PR0901MB294830A02D2239731A7EA337F67E0)

Subject:

RE: RE: DRAFT NEI 18-10, Revision A Sent Date: 2/21/2019 9:02:09 AM Received Date: 2/21/2019 9:02:00 AM From: Hughey, John Created By: John.Hughey@nrc.gov Recipients:

"VAUGHN, Stephen" <sjv@nei.org>

Tracking Status: None Post Office: BL0PR0901MB2948.namprd09.prod.outlook.com Files Size Date & Time MESSAGE 4722 2/21/2019 9:02:00 AM DRAFT NEI 18-10 Rev A, Monitoring the Effectievness of Nuclear Power Plant Maintenance.pdf 756305 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received:

DRAFT NEI 18-10, Rev A Monitoring the Effectiveness of Nuclear Power Plant Maintenance Prepared by the Nuclear Energy Institute October 2018

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A Acknowledgements This document was developed by the Nuclear Energy Institute. NEI acknowledges and appreciates the contributions of NEI members and other organizations in providing input, reviewing and commenting on the document including:

NEI Project Technical Lead: Steve Vaughn Jenna Burr Exelon Larry Ellgass TVA Roy Linthicum PWROG Glen Masters INPO Steve McCoy EPM Mike McLain APS Sam Melton Duke Energy TJ Scott NextEra Geoff Sequin INPO Chuck Sibley WCNOC Rick Way EPRI Meredith Werley Duke Energy Tom Zachariah NEI Jim Zapetis Exelon The Nuclear Energy Institute is the nuclear energy industrys policy organization. This document and additional about nuclear energy are available at nei.org.

1201 F Street, NW Washington, DC 20004

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A Executive Summary This technical report was prepared to support a Delivering the Nuclear Promise (DNP) initiative to improve the efficiency and effectiveness of station maintenance rule programs (Efficiency Opportunity 18-EG-03).

Over the past 20 plus years, stations have typically used the NUMARC 93-01 guidance in developing station maintenance rule programs to comply with the requirements in 10 CFR 50.65. While NUMARC 93-01 has been a valuable framework, it became apparent that a significant amount of effort was expended beyond what was required for compliance with 50.65.

In keeping with the DNP philosophy, NEI 18-10 takes a fresh look at developing and implementing a maintenance rule program based on the early foundational guidance from the mid-1990s with updates given the advances in information technology and changes to other interfacing programs. The overall purpose is to provide utilities with a risk-informed framework that supports the implementation and monitoring of a maintenance effectiveness program that complies with 10 CFR 50.65, effectively and efficiently leverages utility resources, and is focused on equipment performance commensurate with safety.

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A Table of Contents 1 PURPOSE ...................................................................................................... 1 2 BACKGROUND.............................................................................................. 1 3 REFERENCES ................................................................................................. 1 4 DEFINITIONS ................................................................................................ 2 5 IMPLEMENTATION OVERVIEW ..................................................................... 4 6 SCOPING, DETERMINING SAFETY SIGNIFICANCE, AND ESTABLISHING AND IMPLEMENTING MAINTENANCE STRATEGY .................................................. 6 6.1 Scoping................................................................................................. 6 6.1.1 Safety-Related SSCs ............................................................................. 7 6.1.2 Non-Safety-Related SSCs...................................................................... 7 6.2 Determining Safety Significance ......................................................... 11 6.3 Establish and Implement Maintenance Strategy................................. 12 6.3.1 Background ........................................................................................ 12 6.3.2 Establishing the Maintenance Strategy .............................................. 12 7 (A)(1) OR (A)(2) DETERMINATION .............................................................. 13 7.1 Evaluating (A)(1) or (A)(2) Status ........................................................ 13 7.1.1 Establishing New SSCs as (A)(1) or (A)(2) ........................................... 13 7.1.2 Evaluating (A)(1)/(A)(2) Status Using CAP Cause Evaluation Results ..13 7.1.3 Returning to (A)(2) Status after (A)(1) Goals Are Met ........................ 14 7.2 (A)(1) Path .......................................................................................... 15 7.2.1 Establishing Corrective Actions and Goals.......................................... 15 7.2.2 Monitor Performance to Goals .......................................................... 15 7.2.3 Are Goals Met? .................................................................................. 16 7.3 (A)(2) Path .......................................................................................... 17 8 ISSUE REPORT (IR) OR CONDITION REPORT (CR) FOR SCOPED SSC.............. 17 8.1 Plant Level Event (PLE) ....................................................................... 17 8.2 High Safety Significance (HSS)? ........................................................... 18

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A 8.3 Maintenance Rule Functional Failure (MRFF) or Condition Monitoring Event (CME)? ...................................................................................... 18 9 (A)(3) ASSESSMENT .................................................................................... 18 9.1 (A)(3) Assessment Inputs .................................................................... 18 9.1.1 Review High Safety Significant SSC Failures ....................................... 18 9.1.2 Review Low Safety Significant SSC Events .......................................... 18 9.1.3 Review CDF Trending ......................................................................... 19 9.1.4 Operating Experience (OE) ................................................................. 20 9.1.5 Review Plant Level Events .................................................................. 21 9.1.6 Review (A)(1) and (A)(2) Determinations ........................................... 21 9.1.7 Review (A)(1) Actions and Goals ........................................................ 21 9.2 (A)(3) Assessment Outputs ................................................................. 22 9.2.1 Trend Identification? ......................................................................... 22 9.2.2 Adjustments to Balance Availability and Reliability ............................ 22 9.2.3 Documentation .................................................................................. 22 10 CAP CAUSE EVALUATION ........................................................................... 23 11 (A)(4) ASSESSMENT .................................................................................... 23 11.1 Reference ........................................................................................... 23 11.2 Background ........................................................................................ 23 11.3 Guidance ............................................................................................ 23 11.3.1 Assessment Process, Control and Responsibilities ............................. 24 11.3.2 General Guidance for the Assessment - Power Operations and Shutdown .......................................................................................... 24 11.3.3 Scope of Assessment for Power Operating Conditions ......................26 11.3.4 Assessment Methods for Power Operating Conditions ......................28 11.3.5 Scope of Assessment for Shutdown Conditions ................................. 31 11.3.6 Assessment Methods for Shutdown Conditions................................. 31 11.3.7 Managing Risk.................................................................................... 34

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A 11.3.8 Regulatory Treatment of Compensatory Measures ........................... 40 11.3.9 Documentation .................................................................................. 40 11.4 PSA Attributes .................................................................................... 41

© NEI 2018. All rights reserved. nei.org

October 2018 DRAFT NEI 18-10, Rev A 1 PURPOSE To provide the utilities with a risk-informed framework that supports the implementation and monitoring of a maintenance effectiveness program that complies with 10 CFR 50.65, leverages utility resources effectively and efficiently, and is focused on equipment performance commensurate with safety.

2 BACKGROUND In July 1991, the U.S. Nuclear Regulatory Commission (NRC) published its final maintenance rule entitled, "Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"

which was fully implemented by 1996. In the Supplementary Information published with the notice, the commission stated that it, "believes that effectiveness of maintenance must be assessed on an ongoing basis in a manner which ensures that the desired result, reasonable assurance that key structures, systems, and components (SSCs) are capable of performing their intended function, is consistently achieved." In 1995, NUREG-1528, Lessons Learned from Early Implementation of the Maintenance Rule at Nine Nuclear Power Plants, was published and provided early insights regarding utility maintenance rule programs and compliance with 50.65. In 1999, NUREG-1628, Lessons Learned from Maintenance Rule Baseline Inspections, was published and provided a second round of maintenance rule program implementation insights from the entire nuclear power reactor fleet. The NRC significantly modified the maintenance rule in July 1999. This rulemaking established requirements under paragraph (a)(4) for the assessment and management of risk associated with maintenance activities and clarified the applicability of the maintenance rule to all modes of plant operation.

The importance of proper maintenance to safe and reliable nuclear plant operation has long been recognized by the nuclear utility industry and the NRC. The industry and the NRC recognize that effective maintenance provides reasonable assurance that key structures, systems and components are capable of performing their intended function. Given that 50.65 is a risk-informed, performance-based rule, there is not a single approach to achieve compliance; rather, there are multiple valid means to reach the same end. This guidance document was developed to provide the industry with an approach to develop a maintenance rule program that complies with 50.65 and effectively leverages and efficiently utilizes other station programs and processes.

3 REFERENCES

1. 10 CFR 50.65, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants
2. Statements of Consideration for 10 CFR 50.65-56 FR 31324, July 10, 1991, as amended at 58 FR 33996, June 23, 1993; 61 FR 39301, July 29, 1996; 61 FR 65173, Dec. 11, 1996; 62 FR 47271, Sept. 8, 1997; 62 FR 59276, Nov. 3, 1997; 64 FR 38557, July 19, 1999; 64 FR 72001, Dec. 23, 1999; 72 FR 49501, Aug. 28, 2007
3. NUREG-1526, Lessons Learned from Pilot Sites, 1995, U.S. Nuclear Regulatory Commission
4. NUREG-1648, Maintenance Rule Baseline Inspections, 1999, U.S. Nuclear Regulatory Commission

© NEI 2018. All rights reserved. nei.org 1

October 2018 DRAFT NEI 18-10, Rev A

5. AP-913, Equipment Reliability Process Description, Revision 6, April 2018, Institute of Nuclear Power Operations
6. NEI 16-07, Improving the Effectiveness of Issue Resolution to Enhance Safety and Efficiency, Revision 0, March 2018, Nuclear Energy Institute
7. NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3, July 2000, Nuclear Energy Institute
8. RG 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 2, March 1997, U.S. Nuclear Regulatory Commission 4 DEFINITIONS Availability: The time that a system, structure, or component (SSC) is capable of performing its intended function as a fraction of the total time that the intended function may be demanded.

Core Damage: Uncovery and heat-up of the reactor core to the point at which prolonged oxidation and severe fuel damage are anticipated and involving enough of the core, if released, to result in offsite public health effects.

Core Damage Frequency (CDF): Expected number of core damage events per unit of time.

CDF Trending: The process of tracking and trending changes in CDF based on the unavailability of SSCs modeled in the configuration risk management program software and comparing the aggregate results to pre-determined limits, and to focus on particular SSC-specific results to identify any unexpected increases in risk.

Condition Monitoring: Unobtrusive tests and inspections performed to identify a potential failure to include established predictive maintenance techniques such as surveillance testing, vibration monitoring, thermography, visual inspections, ultrasonic thickness measurements, etc.

Condition Monitoring Event: An event in which the maintenance rule (MR) function has not been lost, but a performance threshold as defined in the applicable MR bases has been exceeded.

Explicitly Used: SSCs specifically called out in the emergency operating procedure (EOP) by tag identification or noun name that provide a mitigating function, and includes those SSCs required to support the explicitly used SSCs even though they are not called out in the EOP. For example, all SSCs associated with an instrument loop supporting a control room instrument that is specifically called out in the EOP are considered explicitly used.

High Safety Significant: Those SSCs that are significant contributors to safety as determined by the MR authority, PRA importance measurese.g., Birnbaum, insights or other methods.

Implied Use: SSCs not specifically called out in the EOP but which are understood to be essential for successful completion of the associated mitigating EOP step, although they may not directly address or mitigate the event.

© NEI 2018. All rights reserved. nei.org 2

October 2018 DRAFT NEI 18-10, Rev A Industrywide Operating Experience: Information included in NRC, industry and vendor equipment information that are applicable and available to the nuclear industry with the intent of minimizing adverse plant conditions or situations through shared experiences.

Large Early Release: The rapid, unmitigated release of air-borne fission products from the containment to the environment occurring before the effective implementation of off-site emergency response and protective actions such that there is a potential for early health effects.

Large Early Release Frequency (LERF): Expected number of large early releases per unit of time.

Maintenance: The aggregate of those functions required to preserve or restore safety, reliability and availability of plant structures, systems and components. Maintenance includes not only activities traditionally associated with identifying and correcting actual or potential degraded conditionsi.e.,

repair, surveillance, diagnostic examinations, and preventive measuresbut extends to all supporting functions for the conduct of these activities. 1 Maintenance Preventable Functional Failure (MPFF): An MPFF is the failure of an SSC within the scope of the maintenance rule to perform its intended functioni.e., the function performed by the SSC that required its inclusion within the scope of the rulewhere the cause of the failure is attributable to a maintenance-related activity. The maintenance-related activity is intended in the broad sense of maintenance as defined above.

Maintenance Rule Function: The attributee.g., safety related, mitigates accidents, causes a scram, etc.that included the SSC within the scope of the maintenance rule at either the system and/or component level.

Maintenance Rule Functional Failure (MRFF): The failure of an SSC within the scope of the maintenance rule to perform its function.

Maintenance Strategy: A methodology to perform planned activitiesi.e., Inspections, Surveillance Tests, Predictive Maintenance activities or Preventive Maintenance tasksthat provide an effective method to ensure that component reliability is commensurate with its safety significance.

Mitigate or Mitigating: Actions or steps taken to lessen the severity or the adverse consequences of the event/symptom that necessitated entry into the EOP.

Operating System: An operating system is one that is required to perform its intended function continuously to sustain power operation or shutdown conditions Performance Monitoring: Continuous or periodic tests, inspections, measurement or trending of the performance or physical characteristics of an SSC to indicate current or future performance and the potential for failure. Monitoring is frequently conducted on a non-intrusive basis. Examples of preventive maintenance actions may include operator rounds, engineering walkdowns and management inspections.

1 Federal Register Vol. 53, No. 56, Wednesday, March 23, 1988, Rules and Regulations / Page 9340

© NEI 2018. All rights reserved. nei.org 3

October 2018 DRAFT NEI 18-10, Rev A Plant Level Event: Failure of an SSC which causes one of the following to occur:

x Reactor Trip/Scram x Unplanned power change greater than 20% (see NEI 99-02) x Unplanned Safety System Actuation Preventive Maintenance: Predictive, periodic and planned maintenance actions taken prior to SSC failure to maintain the SSC within design operating conditions by controlling degradation or failure.

Reactor Scram (Reactor Trip): The sudden shutting down of a nuclear reactor, usually by rapid insertion of control rods, either automatically or manually by the reactor operator.

Reliability: A measure of the expectationassuming that the SSC is availablethat the SSC will perform its function upon demand at any future instant in time. The monitoring of performance and any resulting MPFFs or MRFFs is an indicator of reliability.

Run to Maintenance: A maintenance strategy in which a component is run until corrective maintenance is required with the understanding that the risk and consequences of failure are acceptable without any predictive or repetitive maintenance being performed.

Standby System or Train: A standby system or train is one that is not operating and only performs its intended function when initiated by either an automatic or manual demand signal.

Unplanned Power Changes: Any unintentionali.e., initiated less than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following the discovery of an off normal conditionload reduction greater than 20% of full reactor power. NEI 99-02 provides additional details.

Unplanned Safety System Actuation: Unplanned actuations of Engineered Safety Featurese.g.,

unplanned emergency core cooling system actuations, emergency alternating current power system actuations due to loss of power to a safeguards bus, etc.

5 IMPLEMENTATION OVERVIEW Currently, stations already have a mature maintenance and equipment reliability program that ensures equipment is able to perform its intended function. A large subset of that equipment involves SSCs that are scoped into the maintenance rule in accordance with 50.65(b)(1) and (b)(2). Most stations structured their maintenance rule program around the NUMARC 93-01 framework and have developed and maintained procedures, technical basis documents, databases, training materials and qualifications to support implementation. The guidance in NEI 18-10 is designed to support a station in modifying their current maintenance rule program procedures, bases, etc., to improve efficiency and effectiveness. The flowchart below (Figure 1) provides the overall process logic, and the various sections of NEI 18-10 provide more detailed guidance regarding the flowchart blocks and the links between them.

© NEI 2018. All rights reserved. nei.org 4

October 2018 DRAFT NEI 18-10, Rev A FIGURE 1

© NEI 2018. All rights reserved. nei.org 5

October 2018 DRAFT NEI 18-10, Rev A 6 SCOPING, DETERMINING SAFETY SIGNIFICANCE, AND ESTABLISHING AND IMPLEMENTING MAINTENANCE STRATEGY 6.1 Scoping (Block 1)

As used in this guideline, SSCs can mean "structures, systems, and components," or "structures, systems, or components," depending on use. Where the guideline discusses the need to establish goals and monitoring, SSCs will include, as applicable, "structures, systems, trains, and/or components."

The utility must first determine which SSCs are within the scope of the maintenance rule (MR) by applying the screening criteria below. For the purposes of this guideline, a system is any collection of equipment that is configured and operated to serve some specific plant functione.g., provides water to the steam generators, sprays water into the containment or injects water into the primary system) as defined by the terminology of each utilitye.g., auxiliary feedwater system, containment spray system or high pressure coolant injection system. Periodically, as a result of design changes, modifications to the plant occur that may affect the maintenance program. These changes are reviewed to assure the maintenance program is appropriately adjusted in areas such as scope, safety significance, goal setting and performance monitoring.

The scope of the maintenance rule, as defined in 10 CFR 50.65(b), is limited to SSCs that directly affect plant operations, regardless of what organization actually performs the maintenance activities. For example, electrical distribution equipment out to the first inter-tie with the offsite distribution system are considered for comparison with §50.65(b), and thereafter, possible inclusion under the scope of the maintenance rule. Thus, equipment in the switchyard, regardless of its geographical location, is potentially within the scope of the maintenance rule.

Safety systems may perform not only safety functions but also other functions that have no safety significance. For example, the system may be used to transfer water from one part of the plant to the other as well as provide additional safety functions.

It is necessary to identify and document the functions for both safety and non-safety-related SSCs that causes the SSCs to be within the scope of the maintenance rule. There are two basic areas where this information is needed. First, the function which the system or structure provides is needed so all failures can be evaluated against those functional aspects. Not all failures that cause loss of some function are functional failures under the maintenance rule because, for systems with multiple design functions, the function lost may not be within the scope of the maintenance rule, and further, components not required to meet this function that causes the system to be within the scope of the rule may be excluded unless they meet another scoping criterion. Secondly, when removing SSCs from service, it is important to be aware of what function is being lost so the impact of removing multiple equipment from service can be determined. The safety functions of SSCs are addressed by the maintenance rule.

As an alternative approach, licensees may use a functional basis to determine which SSCs must be monitored within the scope of the rule. That is, the licensee may determine all the functions performed by the SSCs and include within the scope of the maintenance rule only those functions, and the associated SSCs that fulfill those functions, that meet the scoping criteria of the rule.

© NEI 2018. All rights reserved. nei.org 6

October 2018 DRAFT NEI 18-10, Rev A Examples of available information sources of to determine SSC functions:

x Final Safety Analysis Report (FSAR) x Q-list x Master equipment list x Probabilistic Risk Assessment (PRA)

Industrywide operating experience is reviewed for plant-specific applicability and, where appropriate, is included in utility specific programs and procedures. It is appropriate to use this information to the extent practical to preclude unacceptable performance experienced in the industry from being repeated. An event that has occurred at a similarly configured plant should be considered for applicability to the reviewing utility.

SSCs are scoped into the rule by following the guidance in sections 6.1.1 and 6.1.2.

6.1.1 Safety-Related SSCs Are the safety-related SSCs relied upon to remain functional during and following design basis events to ensure:

x The integrity of the reactor coolant pressure boundary?

x The capability to shut down the reactor and maintain it in a safe shutdown condition?

x The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure comparable to 10 CFR Part 100 Guidelines?

A YES answer to any of the above will identify that the SSCs are within the scope of the maintenance rule under this criterion. Continue to the next scoping criteria.

6.1.2 Non-Safety-Related SSCs A NO answer to all of the questions in 6.1.1 identifies the SSC as non-safety-related. The questions in the following sub-sections all relate to non-safety SSCs.

Since the maintenance rule is a performance-based regulation, licensees have the flexibility to add or remove SSCs from the scope of 10 CFR 50.65(b) if an adequate technical basis exists for including or excluding the SSC in question.

6.1.2.1 Non-Safety-Related SSCs that are Relied Upon to Mitigate an Accident or Transient, or are Used in Plant Emergency Operating Procedures (EOPs)

This step requires utilities to determine which non-safety SSCs are needed to mitigate accidents or transients or used in plant EOPs as described in the plant's Final Safety Analysis Report (FSAR).

© NEI 2018. All rights reserved. nei.org 7

October 2018 DRAFT NEI 18-10, Rev A This scoping criterion is not required to consider designed features/functions of SSCs listed in other sections of the FSARe.g., a roof drain design to handle a specific amount of rainfall, Fire Protection SSCs required for fire mitigation such as Appendix-R or NFPA-805, Seismic Class II SSCs installed within proximity with Seismic Class I SSCs, etc. References to sections identified in USAR/FSAR/UFSAR under the heading of Hazards Analysis do not meet these criteria for inclusion.

Are the non-safety-related SSCs relied upon to mitigate accidents or transients or used in plant EOPs?

x Non-safety-related SSCs that are necessary to be in the maintenance rule scope by this paragraph are those explicitly used in the EOPs that are required to provide a mitigating function.

o SSCs used in plant EOPs are required for mitigation of the event/symptom that necessitated entry into the EOP.

o Severe Accident Management Guidelines (SAMGs) are not considered to be EOPs.

Equipment described only in SAMGs would not be in scope of the maintenance rule unless otherwise required by paragraph 50.65(b).

o Equipment used in support of 10 CFR 50.54(hh)(2) (Loss of Large Areas) would not be in scope of the maintenance rule unless otherwise required by paragraph 50.65(b).

o FLEX Support Guidelines (FSGs) are not considered to be EOPs. Equipment described only in FSGs would not be in scope of the maintenance rule unless otherwise required by paragraph 50.65(b).

o Only those SSCs under licensee control need be included in the maintenance rule scope.

o When the EOPs direct the user to another procedure, the associated SSCs required to perform the EOP mitigating function are included in the scope of the maintenance rule.

When steps are added to an EOP only to direct to FSGs for implementing non-safety-related SSCs, those SSCs should not be considered used in the EOP, as long as the changes associated with these steps made to the EOP do not impede the successful implementation of other SSCs used in the EOP. An appropriate technical basis should be documented that demonstrates that these changes do not impede the successful implementation of the other SSCs. These uses of non-safety-related SSCs should be evaluated against all other 10 CFR 50.65(b) scoping criteria.

The following two items apply when EOP steps are added that direct operators to FSGs for additional defense-in-depth measures. If these are met, then the non-safety-related equipment in the FSGs is not considered used in the EOPs:

x Differentiate the non-safety-related equipment in the FSGs from the equipment providing EOP mitigation function in the maintenance rule scoping evaluation or EOP change process documentation.

© NEI 2018. All rights reserved. nei.org 8

October 2018 DRAFT NEI 18-10, Rev A x Equipment already scoped into the maintenance rule under the used in plant EOPs criteria should not be removed from the maintenance rule scope based solely on the addition of non-safety-related equipment in the FSGs as a defense-in-depth measure.

o SSCs whose use are implied and are necessary to perform the EOP steps within the appropriate response times, such as emergency lighting or communication SSCs, are included in the scope of the maintenance rule.

A YES answer to any of the above will identify that the SSCs are within the scope of the maintenance rule under this criterion. Continue to the next scoping criteria.

6.1.2.2 Non-Safety-Related SSCs Whose Failure Prevents Safety-Related SSCs from Fulfilling their Safety-Related Function Will the failure of non-safety-related SSCs prevent safety-related SSCs from fulfilling their safety-related function?

This question requires that each utility investigate the systems and system interdependencies to determine failure modes of non-safety-related SSCs that will directly affect safety-related functions.

As used in this section of the guideline, the term "directly" applies to non-safety-related SSCs whose single failure prevents a safety function from being fulfilled. Cascading failures do not need to be considered. Typically, the question, Whose failure as a support SSC prevents a safety function from being fulfilled? is intended for direct interdependencies, such as room cooling required for a safety-related SSC to function. Another example, in some cases, the Condensate Storage Tank is non-safety-related but is a source of water for the Emergency Core Cooling System (ECCS).

Resources utilized include the station actual plant-specific data and industrywide operating experience, prior engineering evaluations such as a plant-specific PRA, environmental qualification (EQ), and 10 CFR 50 Appendix R analyses.

The determination of hypothetical failures that could result from system interdependencies but have not previously been experienced is not required. Failures subsequent to implementation of this guideline will be addressed in the determination of cause, corrective action and performance monitoring.

For example, failure of a non-safety-related system fluid boundary causing loss of a safety system functione.g., heating system piping over a safety-related electrical panel. This failure can directly result in loss of a safety function from being fulfilled. However, an obstructed nearby building floor drain would not, by itself, directly result in loss of a safety functione.g., safety-related electrical panelfrom being fulfilled because the loss of safety function is conditioned on the occurrence of an initiating eventi.e., internal or external flooding.

The floor drain function review is based on actual plant-specific and industrywide operating experience, prior engineering evaluations such as a plant-specific PRA, environmental qualification (EQ), and 10 CFR 50 Appendix R analyses. If it is required to remain functional, it may be scoped in as a non-safety-related SSC whose failure as a support SSC prevents a safety function from being fulfilled.

© NEI 2018. All rights reserved. nei.org 9

October 2018 DRAFT NEI 18-10, Rev A A YES answer to any of the previous will identify that the SSCs are within the scope of the maintenance rule under this criterion. Continue to the next scoping criteria.

6.1.2.3 Non-Safety-Related SSCs Whose Failure Causes a Reactor Scram or Actuates Safety Systems Has failure of the non-safety-related SSCs caused a reactor SCRAM or actuation of safety-related systems at your plant or a plant of similar design?

This question requires plants to determine, on the basis of plant specific and industrywide operating experience, those non-safety-related SSCs whose failure caused a reactor scram or actuation of a safety-related system.

Licensees will consider the following SSCs to be within the scope of the rule:

1. SSCs whose failure has caused a reactor scram or actuation of a safety-related system at their site.
2. SSCs whose failure has caused a reactor scram or actuation of a safety-related system at a site with a similar configuration.
3. SSCs identified in the licensees analysise.g., FSAR or PRAwhose failure would cause a reactor scram or actuation of a safety-related system.

A licensee may exclude SSCs that meet criteria 2 or 3 if they have demonstrated by analysise.g., FSAR or PRAand by operational experience that the design or configuration of an SSC is fault-tolerant through redundancy or installed standby spares such that a reactor scram or actuation of a safety-related system is implausible.

Resources utilized include the station actual plant-specific data and industrywide operating experience, prior engineering evaluations such as a site-specific PRA, environmental qualification (EQ), and 10 CFR 50 Appendix R analyses.

The determination of hypothetical failures that could result from system interdependencies but have not been previously experienced is not required. Failures subsequent to implementation of this guideline will be addressed in the determination of cause, corrective action and performance monitoring.

A YES answer to any of the above questions will identify that the SSCs are within the scope of the maintenance rule under this criterion.

If the answers to all the previous questions were NO in sections 6.1.1 and 6.1.2, then the SSC does not meet the scoping criteria and is outside the scope of the maintenance rule.

© NEI 2018. All rights reserved. nei.org 10

October 2018 DRAFT NEI 18-10, Rev A 6.2 Determining Safety Significance (Block 2)

Safety significance should be determined using a combination of both safety and deterministic considerations:

1. Safety inputs should be obtained from a plant plant-specific Probabilistic Risk Assessment (PRA),
2. Deterministic considerations should be evaluated by a review of critical safety functionse.g.,

vessel inventory controlusing an Expert Panel and an expert elicitation process 2 to compensate for limitations of the PRA.

Though the primary indicator of safety significance is core damage frequency (CDF), it is important to consider large early release frequency (LERF) as well.

An SSC could be safety significant for one failure mode and not safety significant for otherse.g.,

blowdown valves on steam generators perform a safety function to close on isolation. However, the open position function is to maintain water chemistry which is a non-safety-related function.

Additionally, many SSCs that are functionally important in modes other than power operation, such as shutdown, should be identified for the Expert Panels consideration. Entry into a Technical Specification Limiting Condition for Operation, although important, is not necessarily safety significant.

Safety significant SSCs can be either safety-related or non-safety-related. There are safety significant systems that are in a standby mode and, when called upon to perform a safety function, are required to be available and reliablee.g., high pressure coolant injection. Safety significant SSCs should be determined using internal events PRA that generally meets Capability Category II of the AMSE/ANS PRA Standard (latest edition).

The process begins by assembling a panel of individuals experienced with the plant PRA and with operations and maintenance. The panel should utilize their collective expertise and PRA insights to develop the final list of safety significant SSCs. NUREG/CR5424 or NUREG/CR-4962 may be used as a guideline in structuring the panel. The panel should review input from the PRA, as well as any open Peer Review findings in making their final safety significance determination.

The use of an expert panel should compensate for the limitations of PRA implementation approaches resulting from the PRA structuree.g., model assumptions, treatment of support systems, level of definition of cut sets, cut set truncation, shadowing effect of very large (high frequency) cut sets, and inclusion of repair or restoration of failed equipment.

2 The following NUREGs describe other processes that could be used for this purpose:

NUREG/CR5424, "Eliciting and Analyzing Expert Judgment" NUREG/CR-4962, PLG-0533, "Methods for the Elicitation and Use of Expert Opinion in Risk Assessment"

© NEI 2018. All rights reserved. nei.org 11

October 2018 DRAFT NEI 18-10, Rev A The inputs typically used to determine safety significance are Risk Reduction Worth (RRW), Fussell-Veseley (FV), Risk Achievement Worth (RAW) and Birnbaum importance measures. If the importance measure(s) for an SSC exceed(s) a threshold listed below, the expert panel should consider the SSC as potentially high safety significant:

1. RRW > 1.005 (FV > .005)
2. RAW > 2.0
3. Birnbaum > 1E-05/yr CDF or >1E-06/yr LERF Note: Birnbaum values that are not specifically related to maintenancee.g., operator error and external or initiating eventsshould be eliminated from the safety significance determination process.

6.3 Establish and Implement Maintenance Strategy (Block 3) 6.3.1 Background The objective of the maintenance rule is to require the monitoring of the overall continuing effectiveness of the maintenance program to ensure that (1) safety-related and certain non-safety-related structures, systems and components (SSCs) are capable of performing their intended functions, (2) that failures of non-safety-related SSCs will not occur which prevent the fulfillment of safety-related functions and (3) that failures resulting in scrams and unnecessary actuations of safety-related systems are minimized. Therefore establishing the current maintenance strategy of an SSC is required to define the current maintenance expected and allow for monitoring of its effectiveness.

6.3.2 Establishing the Maintenance Strategy The maintenance strategy provides the bases for acceptable performance of SSCs within the scope of the rule.

The maintenance strategy provides a documented methodology to perform time-based maintenance, condition-based maintenance, and run-to-maintenance activities, or some combination thereof, that provide an effective method to ensure the SSCs reliability commensurate with safety significance. The maintenance strategy is developed based on an analysis of Preventive Maintenance (PM) Template recommendations, commitments, in-house work order history, Preventive Maintenance Feedback, and other sources that could provide the basis for the tasks performed for the specific SSC. SSCs are considered "Run-to-Maintenance" when no planned or scheduled activities are appropriate to maintain the SSCs reliability commensurate with the business need. Maintenance strategies are established and documented in accordance with the sites Preventive Maintenance Program.

While it is suggested that maintenance strategies are established for all low safety sign (LSS) SSCs within the scope of the rule, utilities may elect to document strategies for LSS SSCs only upon component failures, condition monitoring events or identified material condition trends. The preventive maintenance program is a living document that requires continuous improvement. Therefore, the maintenance strategy will change over time as driven by the PM program procedures. Changes based on failures will be evaluated in the next section for (a)(1)-(a)(2) determinations.

© NEI 2018. All rights reserved. nei.org 12

October 2018 DRAFT NEI 18-10, Rev A 7 (A)(1) OR (A)(2) DETERMINATION 7.1 Evaluating (A)(1) or (A)(2) Status (Block 4)

MR scoped SSCs without acceptable performance must be evaluated for continued monitoring in (a)(2) or corrective actions, goal setting and monitoring in (a)(1).

7.1.1 Establishing New SSCs as (A)(1) or (A)(2)

New SSCs that have not had a maintenance strategy implemented require evaluation to determine if (a)(2) can be demonstrated based on pre-installation and post-installation testing or industry operating experience (OE).

Several determinations should be made regarding applicable OE including the following:

x Design is similar enough to establish a baseline of performance x Maintenance strategies of comparable SSCs per OE are effective and the new SSCs have a basis for comparison 7.1.2 Evaluating (A)(1)/(A)(2) Status Using CAP Cause Evaluation Results The Corrective Action Program (CAP) Cause Evaluation (Block 14) provides information on the cause(s) and proposed corrective action(s) to support the (a)(1)-(a)(2) determination. When reviewing the CAP cause evaluation, refer to the set of questions below to completely evaluate the effectiveness of the maintenance strategy for the applicable SSC.

Did the CAP Cause Evaluation determine that the Maintenance Strategy is Complete and Appropriate?

Items that may be documented in the CAP cause evaluation:

x Does an Electric Power Research Institute (EPRI) PM Template apply to the SSC(s) or to the cause of the event?

x Does the station have a specific maintenance strategy or PM program task associated with the SSC(s)?

x Refer to Block 3 for further information concerning the appropriate maintenance strategy or PM program task.

If it was determined in the cause evaluation that the maintenance strategy is complete and appropriate, then go to Section 10.2.

If it was determined in the cause evaluation that the maintenance strategy is not complete or appropriate, then the maintenance strategy should be modified for the applicable SSC to add new tasks or modify existing tasks as appropriate (Block 3). Consider in (a)(1) determination.

© NEI 2018. All rights reserved. nei.org 13

October 2018 DRAFT NEI 18-10, Rev A Did the CAP Cause Evaluation Determine that the site is performing the task(s) and performing it correctly?

Items that may be documented in the CAP cause evaluation:

x Was the event or failure the result of not completing a scheduled PM Template task appropriately and in a timely manner?

x Was the event or failure the result of or caused by a PM deferral?

x Was the event or failure the result of not scheduling or missing a PM Template task that was previously identified as being required?

x Was the failure the result of implementation of incorrect maintenance procedures?

x Was the failure the result of incorrect implementation of correct maintenance procedures?

x Was the failure the result of incorrect implementation of a skill of the craft activity or a human performance event?

If it was determined in the cause evaluation that the maintenance strategy tasks are being performed correctly, then the SSC can remain under (a)(2) monitoring (Block 6A) and continue to perform the current maintenance strategy (Block 6B).

If it was determined in the cause evaluation that the station is not performing the associated task(s) or not performing them correctly, then review the corrective actions and consider for (a)(1) determination.

After review for (a)(1) or (a)(2) Determination, it may be decided to remain (a)(2) if any of the following criteria exist:

x A technical assessment demonstrates the cause is known and corrected such that recurrence is not likely, and therefore, monitoring against goals is not necessarye.g., a completed procedure change to correct a procedure error causing the failure.

x The cause determination indicates unacceptable performance is not related to the effectiveness of maintenance, was not preventable and the current maintenance strategy is appropriate.

x The component maintenance strategy is run-to-maintenance, and the event occurred in accordance with the assumption(s) in the run-to-maintenance strategy.

7.1.3 Returning to (A)(2) Status after (A)(1) Goals Are Met Once (a)(1) corrective actions have been completed (7.2.1) and (a)(1) monitoring goals have been met (7.2.2), an evaluation can be documented to place the SSC in (a)(2) status.

© NEI 2018. All rights reserved. nei.org 14

October 2018 DRAFT NEI 18-10, Rev A 7.2 (A)(1) Path (Blocks 5A-5E)

It is necessary to initially determine which SSCs must have goals established and monitoring activities performed in accordance with (a)(1). When SSCs in (a)(2) do not demonstrate effective maintenance, they are evaluated to determine the need for goal setting and monitoring under the requirements of (a)(1) (Block 5A).

7.2.1 Establishing Corrective Actions and Goals (Block 5B)

For SSCs that have been determined to be (a)(1), a cause determination is performed and appropriate goals are established commensurate with an SSCs safety significance and performance. Based on the results of the cause determination, corrective actions are planned and implemented to rectify the cause of degraded performance. The corrective actions need to be tracked to completion.

Monitoring the performance of the SSCs against established goals is intended to provide reasonable assurance that the SSCs are proceeding to acceptable performance. The number of SSCs monitored under the requirements of (a)(1) can vary greatly due to factors unrelated to the quality of a licensees maintenance program; therefore, the number of SSCs monitored under the requirements of (a)(1) should not be used as an indicator of the quality of a licensees maintenance program.

Goals are established to bring about the necessary improvements in performance. When establishing goals, a utility should consider various goal setting criteria such as existing industry indicators, industry codes and standards, failure rates, duty cycles, and performance related data. In addition to the assumptions made in and results of reliability approaches to maintenance, the assumptions in or results of IPEs/PRAs should also be considered when establishing goals. In addition, analytical techniquese.g.,

system unavailability modelingmay be considered for developing goals. When selecting a goal, the data should be collected over a sufficient length of time to minimize the effects of a random event.

Goals can be set at the structure, system, train, or component level, and for aggregates of these, where appropriate. In some cases, the utility may elect to establish thresholds which would provide indication of improved performance toward the goal. A quantitative value for a goal or threshold may be established based on judgment resulting from an appropriately documented review of performance.

When setting a goal, the utility should consider, where practical, industrywide operating experience.

7.2.2 Monitor Performance to Goals (Block 5C)

Monitoring should consist of periodically gathering, trending, and evaluating information pertinent to the performance and/or availability of the SSCs and comparing the results with the established (a)(1) goals to verify that the goals are being met. Monitoring should also provide a means for determining the effectiveness of the corrective actions. Results of monitoring should be analyzed in timely manner to assure that appropriate action is taken. The object of monitoring at the system, train or component level is to evaluate the performance of the system against established goals in order to proceed from the present status of unacceptable performance criteria toward a level of acceptable performance. Some examples of parameters monitored include availability, reliability and failure rate. Systems should be monitored utilizing existing surveillance procedures provided that the data collected using these procedures addresses the specific system goal(s).

© NEI 2018. All rights reserved. nei.org 15

October 2018 DRAFT NEI 18-10, Rev A Regulations and utility commitmentse.g., Emergency Diesel Generator docketed reliability targets in response to the Station Blackout Rule, 10 CFR 50.63provide a baseline for testing and surveillance activities of some SSCs under the scope of the maintenance rule. Additional testing and surveillance activities could be necessary if SSC performance is unacceptable. The maintenance rule results could also provide the basis for reduced testing and surveillance. The basis for technical specification, licensing commitments and other regulation may be appropriately used for goal setting.

Typical examples of such regulations or licensee commitments include:

1. Surveillance test and inspections performed in accordance with Section XI of the ASME code as required by 10 CFR 50.55a.
2. Reactor pressure vessel material surveillance tests conducted in accordance with Appendix H of 10 CFR Part 50.
3. Containment leakage tests performed in accordance with Appendix J of 10 CFR Part 50.
4. Component surveillance or testing required by plant technical specifications.
5. Fire protection equipment tested and maintained in accordance with Appendix R of 10 CFR Part 50.
6. Tests and inspections performed in response to NRC bulletins, generic letters or information notices.

Data could be collected from existing sourcese.g., surveillances, Appendix J requirements, ISI/IST or work order trackingthat are relevant to the goal being monitored. The type and quality of the data being collected and trended is very important in that it will ultimately determine if goals are being met.

The analysis and evaluation of the collected data should be timely so that, where necessary, corrective action can be taken.

The monitoring frequency to meet established goals can vary, but may be initially established as that currently required by existing surveillance requirements or other surveillance type monitoring currently being performed. Frequency of monitoring is also dependent upon the goal established and the availability of plant-specific or industry data. It may be either time directed, or based on performance.

The frequency of monitoring should be adjusted, if necessary, to allow for early detection and timely correction of negative trends.

7.2.3 Are Goals Met? (Block 5D)

A goal may be determined to have been met, and monitoring of SSC performance against specific goals may be discontinued if any of the following criteria are satisfied:

x Performance is acceptable for three surveillance periods where the surveillance periodicity is equal to or less than a six month interval.

x Performance is acceptable for two successive surveillances where the surveillance periodicity is greater than six months but no greater than two fuel cycles.

© NEI 2018. All rights reserved. nei.org 16

October 2018 DRAFT NEI 18-10, Rev A x An approved and documented technical assessment assures the cause is known and corrected and thus monitoring against goals is unnecessary.

If any of these conditions are met, the SSC may be returned to the provisions of (a)(2) (Block 6A).

If none of these conditions are met such that the performance is unacceptable during the monitoring periodi.e., unable to meet goal, then an additional cause determination is necessary (Block 5E), and the results from that cause determination will be inputs to Block 5A to establish new corrective actions, goal setting and monitoring to drive the SSC to acceptable performance.

7.3 (A)(2) Path (Block 6A and 6B)

If the SSC is retained in (a)(2) status, then document a description of the evidence that explains that the condition of the SSC is being effectively controlled through the performance of an appropriate maintenance strategy such that the SSC is performing its intended function (Block 6A).

Continue to perform the appropriate maintenance strategies for the (a)(2) SSCs and evaluate additional failures or changes to the maintenance strategies per section 7 and 8 (Block 6B).

8 ISSUE REPORT (IR) OR CONDITION REPORT (CR) FOR SCOPED SSC If an event or failure occurs and an IR or CR is generated (Block 7) using the CAP associated with a scoped in SSC then the plant level event (Block 8), high safety significant (Block 9), and MRFF or CME (Block 10) sections will be addressed to determine if the issue will be an input to the CAP causal evaluation (Block 14) or the (a)(3) assessment (Block 11).

In addition to an event or failure, an identified trend can also generate an IR or CR. The trend could result from a system engineer reviewing SSC performance, gathering operating experience, etc.

However, in this case the process flow would start at Block 7 and go directly to Block 13, Trend Identified? As the answer to Block 13 would be YES, a CAP cause evaluation would be performed on the trend.

8.1 Plant Level Event (PLE) (Block 8)

After reviewing the IR or CR from Block 7, did the event meet the definition of a PLE as described in Section 4?

If YES, then perform a CAP cause evaluation (Block 14).

If NO, then verify the safety significance of the SSC (Block 9).

© NEI 2018. All rights reserved. nei.org 17

October 2018 DRAFT NEI 18-10, Rev A 8.2 High Safety Significance (HSS)? (Block 9)

Based on the safety significance determination made in Block 2, verify whether the SSC is considered HSS.

If YES, then continue to Block 10 to determine whether there was a Maintenance Rule Functional Failure (MRFF) or Condition Monitoring Event (CME).

If NO, then the SSC is low safety significant (LSS) and is an input to the (a)(3) assessment (Block 11).

8.3 Maintenance Rule Functional Failure (MRFF) or Condition Monitoring Event (CME)?

(Block 10)

Determine whether the HSS SSC failure or condition results in a MRFF or a CME as defined in Section 4.

If YES, then perform a CAP cause evaluation (Block 14).

If NO, then it is an input to the (a)(3) assessment (Block 11).

9 (A)(3) ASSESSMENT The (a)(3) assessment is an activity performed to meet the requirements of 10 CFR 50.65(a)(3). Once per refueling cycle, each station must evaluate MR SSCs against their established monitoring criteria and determine whether the requirements of 10 CFR 50.65 have been applied appropriately. This review should be formally documented and easily accessible. The time interval between assessments will not exceed 24 months. Several areas should be considered for inclusion in the assessment with two areas that must be included as they are mentioned specifically in 10 CFR 50.65(a)(3): operating experience and balancing reliability and availability.

9.1 (A)(3) Assessment Inputs 9.1.1 Review High Safety Significant SSC Failures Perform a review of all HSS MRFFs occurring during the assessment period for appropriate (a)(1)/(a)(2) status determination, adequate corrective actions and goals. Initiate a CAP trend document in the station's CAP to evaluate any trends in HSS failures on the effectiveness of maintenance.

9.1.2 Review Low Safety Significant SSC Events Perform a review of LSS events occurring during the assessment period to determine that effectiveness of maintenance is demonstrated. Initiate a CAP trend document in the station's CAP to evaluate any trends in LSS events on the effectiveness of maintenance. If the trend evaluation shows an unfavorable trend due to ineffective maintenance, the SSC is evaluated for (a)(1) considerationsee section 7.1.2.

© NEI 2018. All rights reserved. nei.org 18

October 2018 DRAFT NEI 18-10, Rev A Tools and techniques listed below can be used at the discretion of the utility to support identifying LSS trends that may be indications of ineffective maintenance:

x MRFFs x CAP trending x Equipment reliability trending x Resource inputs 9.1.3 Review CDF Trending Prior to setting up the stations configuration risk management program (CRMP) software to be able to track CDF trending, review station processes and procedures to determine whether the unavailability data going into the CRMP model is sufficiently accurate to provide realistic results. If the CRMP inputs for unavailability are too conservative, the CDF trend results will not be indicative of the real impact that unavailability is having on safety. In addition, the unavailability data does not need to be extremely accurate numbers to the nearest minute.

CDF trending provides an aggregate assessment of the balance between reliability and availability by looking at the risk impact associated with both planned and unplanned maintenance. It also considers the impact of failures as failures that occur at power result in unplanned maintenance. CDF trending also provides an aggregate assessment of maintenance planning and execution. As an input to the periodic assessment, each plant should review their CDF trends based on information obtained by the on-line risk assessment program using a 12-month rolling average. The previous two 12-month trends should be evaluated in the (a)(3) assessment to cover the entire periodi.e., not to exceed 24 months. The model used should be the zero-maintenance model 3 adjusted for actual unavailability of SSCs. In developing the trends, plants should use actual configurations that were experienced to minimize the effort needed for future PRA model updates. The trends should be compared to the risk significant change criteria in the EPRI PSA Applications Guide Section 4.2.1. 4 If the 12-month rolling average for CDF exceeds that value anytime during the assessment period, the reasons for the exceedance are evaluated. The evaluation should consider, at a minimum:

x Long duration periods of unavailability that have an adverse impact on the risk x Peak periods of risk increase x Need to update the PRA model to represent the as-operated plant x Multiple occurrences of same configuration due to ineffective maintenance 3

The zero-maintenance model is the base model with all of the maintenance-related terms set to 0.0 or FALSE.

4

Reference:

EPRI TR-105396

© NEI 2018. All rights reserved. nei.org 19

October 2018 DRAFT NEI 18-10, Rev A If the evaluation determines that the increase in CDF average values was the result of an ineffective maintenance strategy, appropriate corrective actions should be taken including consideration of placing the SSCs that significantly contributed to the increase into (a)(1) enter Block 4 and reference section 6.4.1. In addition, a summary of the peaks and plateaus of unavailability and any corresponding concerns with associated maintenance strategies should be included in the (a)(3) assessment.

An example CDF trend chart is provided below:

Unit 1 Trend Average Annual CDF Trend (Risk Increase)

Year Unit 1 Unit 2 Quarter 1 1.14 1.16 Quarter 2 1.1415 1.1628 Limit 1.50 1.50 9.1.4 Operating Experience (OE) 10 CFR 50.65(a)(3) specifically states taking industrywide operating experience into account. A mature operating experience program was not in existence for non-safety-related equipment at the time of inception of the maintenance rule. It was imperative that industrywide operating experience was taken into account where practical to ensure adequate maintenance of equipment was maintained. This

© NEI 2018. All rights reserved. nei.org 20

October 2018 DRAFT NEI 18-10, Rev A included review of OE when equipment failures or degraded conditions occurred and what acceptable performance looked like. Today's operating experience program as a whole is a very mature program at the time of writing this document, and is governed by 10 CFR 21, INPO 97-011, INPO 10-006, INPO 12-001, INPO 12-002, INPO 12-003, INPO 12-004, INPO 12-005 and INPO 12-009. Each utility also has its own program procedure for governance and implementation of their Operating Experience Program.

Operating experience is extremely valuable and is a cornerstone of safe, reliable operations and effective maintenance. It is expected to be considered in every aspect of plant operations, including the maintenance rule. As station documentation for the assessment period is reviewed, the operating experience review performed should be reviewed for completeness and proper application. However, since operating experience is a governed and controlled process, it can be credited for purposes of the (a)(3) assessment with no additional searches or documentation required.

9.1.5 Review Plant Level Events Perform a review of all station Plant Level Events occurring during the assessment period. Verify that the SSCs causing the PLEs are properly scoped into the MR. Verify the accuracy and disposition of (a)(1) status determinations for the associated PLEs.

9.1.6 Review (A)(1) and (A)(2) Determinations Perform a review of all open or closed (a)(1)/(a)(2) determinations for the assessment periodwhether generated during the assessment period or notto verify appropriate dispositionsee section 6.4, corrective actions, goals, monitoring periods and operating experience reviews were performed in support of an effective maintenance program. This review should be performed regardless of the final status determination, as SSCs determined to be (a)(2) need review to ensure that determination was reached appropriately. Document the results and any maintenance strategy corrective actions in the report.

9.1.7 Review (A)(1) Actions and Goals Effectiveness of corrective actions taken for ongoing maintenance activities, MRFFs, (a)(1) actions, or goal setting are evaluated to ensure action(s) were initiated when appropriate, and the action(s) taken resulted in improved performance of the SSC. Corrective actions that should be reviewed include the following:

x Actions to ensure that SSC performance meets goals established by requirements of (a)(1) x Actions taken as a result of cause determination x Status of problem resolution actions, if any, identified during the previous periodic assessment Any issues identified from the reviews performed above are documented in the station's CAP with appropriate actions identified. Where appropriate, adjustments should be made to the existing program. (A)(2) monitoring effectiveness is determined by the reviews above.

© NEI 2018. All rights reserved. nei.org 21

October 2018 DRAFT NEI 18-10, Rev A 9.2 (A)(3) Assessment Outputs 9.2.1 Trend Identification? (Block 13)

If the items reviewed during the (a)(3) assessment identify a trend that may indicate ineffective maintenance, then a CR/IR should be generated to determine cause and evaluate for (a)(1) condition.

The items reviewed in the (a)(3) assessment that could be used to identify a trend are listed below:

x HSS SCC failures x LSS events x CDF trending x PLEs 9.2.2 Adjustments to Balance Availability and Reliability Making adjustments to balance availability and reliability is discussed in 10 CFR 50.65(a)(3). The Maintenance Rule FAQs have stated that meeting performance criteria achieves a satisfactory balance of unavailability and reliability. This guidance document eliminates the need for establishing performance criteria, however, an appropriate balance is still implied by an (a)(2) status determination.

If ineffective maintenance is determined for an SSC and therefore placed in (a)(1) status, this implies a potential imbalance between unavailability and reliability which is corrected through corrective actions and goals. Once those actions and goals have been satisfied and an SSC is determined to have effective maintenance and returned to (a)(2) status, then it is implied a balance of unavailability and reliability has been reestablished.

Balancing should be specifically considered as part of the (a)(3) only if new SSCs have been implemented at the station within the last two refueling cycles. Otherwise, no additional reviews of balancing are required to meet this part of the regulation.

9.2.3 Documentation Historically, the assessment has been performed with a team of individuals comprised of internal and external peers whom are sequestered for a few days to review and evaluate all the data during the entire period. This method may still be employed; however, an additional option exists through more frequent reviews or a "living" process, which is described by the Maintenance Rule Users Group whitepaper guidelines. This guidance can be found through the EPRI Collaboration website.

The formal documentation includes written reports from manual or automated data review, electronically generated reports reviewed by station personnel and "living" (a)(3) reports. The formal documentation between assessment periods will not exceed 24 months.

A separate report need not be generated for each unit at a multi-unit statione.g., a three unit station on 18-month refueling cycles can generate one report for all three units, looking at the same 18-month time frame for each of the three units; the report must be generated at least once every 24-months.

© NEI 2018. All rights reserved. nei.org 22

October 2018 DRAFT NEI 18-10, Rev A 10 CAP CAUSE EVALUATION A CAP cause evaluation (Block 14) will be considered in accordance with NEI 16-07 when there is a PLE (Block 8), a MRFF or CME involving an HSS SSC (Block 10), a trend is identified from the (a)(3) assessment (Block 13), or goals were not met for an SSC in the (a)(1) process (Block 5E). The causes and proposed corrective actions from the CAP cause evaluation will support the (a)(1)-(a)(2) determination (Block 4) and will be used to decide ifand howthe maintenance strategy should be modified for the applicable SSC (Block 3).

1. Ensure a CAP cause evaluation is being documented.
2. Once documented, review and use the cause information to complete the (a)(1)-(a)(2) determination in section 7.1.2.

11 (A)(4) ASSESSMENT 11.1 Reference 10 CFR 50.65(a)(4)

Before performing maintenance activities, including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance, the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to those structures, systems and components that a risk-informed evaluation process has shown to be significant to public health and safety.

11.2 Background Maintenance activities must be performed to provide the level of plant equipment reliability necessary for safety and managed carefully to achieve a balance between the benefits and potential impacts on safety, reliability and availability.

The benefits of well managed maintenance conducted during power operations include increased system and unit availability, reduction of equipment and system deficiencies that could impact operations, more focused attention during periods when fewer activities are competing for specialized resources, and reduction of work scope during outages. In addition, many maintenance activities may be performed during power operation with a smaller net risk impact than during outage conditions, particularly for systems whose performance is most important during shutdown, or for which greater functional redundancy is available during power operations.

11.3 Guidance This section provides guidance for the development of an approach to assess and manage the risk impact expected to result from performance of maintenance activities. Assessing risk means using a risk-informed process to evaluate the overall contribution to risk of the planned maintenance activities.

Managing risk means providing plant personnel with proper awareness of the risk, and taking actions as appropriate to control the risk.

© NEI 2018. All rights reserved. nei.org 23

October 2018 DRAFT NEI 18-10, Rev A The assessment is required for maintenance activities performed during power operations or during shutdown. Performance of maintenance during power operations should be planned and scheduled to properly control out-of-service time of systems or equipment. Planning and scheduling of maintenance activities during shutdown should consider their impact on performance of key shutdown safety functions.

11.3.1 Assessment Process, Control and Responsibilities The process for conducting the assessment and using the result of the assessment in plant decision-making should be proceduralized. The procedures should denote responsibilities for conduct and use of the assessment, and should specify the plant functional organizations and personnel involved, including, as appropriate, operations, engineering, and risk assessment (PSA) personnel. The procedures should denote responsibilities and process for conducting the assessment for cases when the plant configuration is not covered by the normal assessment tool.

11.3.2 General Guidance for the Assessment - Power Operations and Shutdown

1. Power Operating conditions are defined as plant modes other than hot shutdown, cold shutdown, refueling or defueled. Section 11.3.3 describes the scope of SSCs subject to the assessment during power operations. Section 11.3.5 describes the scope of SSCs subject to the assessment during shutdown.
2. The assessment method may use quantitative approaches, qualitative approaches or blended methods. In general, the assessment should consider:

x Technical specifications requirements.

x The degree of redundancy available for performance of the safety function(s) served by the out-of-service SSC.

x The duration of the out-of-service or testing condition.

x The likelihood of an initiating event or accident that would require the performance of the affected safety function.

x The likelihood that the maintenance activity will significantly increase the frequency of a risk-significant initiating evente.g., by an order of magnitude or more as determined by each licensee, consistent with its obligation to manage maintenance-related risk.

x Component and system dependencies that are affected.

x Significant performance issues for the in-service redundant SSCs.

3. The assessment may also consider the following factors, if desired:

x The risk impact of performing the maintenance during shutdown with respect to performing the maintenance at power.

© NEI 2018. All rights reserved. nei.org 24

October 2018 DRAFT NEI 18-10, Rev A x The impact of transition risk if the maintenance activity would require a shutdown that would otherwise not be necessary

4. The assessments may be predetermined or performed on an as-needed basis.
5. The degree of depth and rigor used in assessing and managing risk should be commensurate with the complexity of the planned configuration.
6. Performance of maintenance may involve alterations to the facility or procedures for the duration of the maintenance activity. Examples of these alterations include jumpering terminals, lifting leads, placing temporary lead shielding on pipes and equipment, removal of barriers, and use of temporary blocks, bypasses, scaffolding and supports. The assessment should include consideration of the impact of these alterations on plant safety functions.

Note: If, during power operation conditions, the temporary alteration associated with maintenance is expected to be in effect for greater than 90 days, the temporary alteration should be screened and, if necessary, evaluated under 10 CFR 50.59 prior to implementation.

7. The assessment may take into account whether the out-of-service SSCs could be promptly restored to service if the need arose due to emergent conditions. This would apply to surveillance testing or to the situation where the maintenance activity has been planned in such a manner to allow for prompt restoration. In these cases, the assessment may consider the time necessary for restoration of the SSCs function, with respect to the time at which performance of the function would be needed.
8. Emergent conditions may result in the need for action prior to conducting the assessment or could change the conditions of a previously performed assessment. Examples include plant configuration or mode changes, additional SSCs out of service due to failures, or significant changes in external conditionsweather or offsite power availability. The following guidance applies to this situation:

x The safety assessment should be performedor re-evaluatedto address the changed plant conditions on a reasonable schedule commensurate with the safety significance of the condition. Based on the results of the assessment, ongoing or planned maintenance activities may need to be suspended or rescheduled, and SSCs may need to be returned to service.

x Performanceor re-evaluationof the assessment should not interfere with or delay the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions.

x If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted or re-evaluated if preformed once before.

© NEI 2018. All rights reserved. nei.org 25

October 2018 DRAFT NEI 18-10, Rev A 11.3.3 Scope of Assessment for Power Operating Conditions 10 CFR 50.65(a)(4) states, The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and safety. Thus, the scope of SSCs subject to the (a)(4) assessment provision may not include all SSCs that meet the sections (b)(1) and (b)(2) maintenance rule scoping criteria.

The probabilistic safety assessment (PSA) provides an appropriate mechanism to define the assessment scope, as it is developed with consideration of dependencies and support systems, and, through definition of top events, cutsets, and recovery actions, includes those SSCs that could, in combination with other SSCs, result in significant risk impacts. Thus, the (a)(4) assessment scope may be limited to the following scope of SSCs:

1. Those SSCs included in the scope of the plants level-one internal events PSA.
2. SSCs in addition to the above that have been determined to be high safety significantrisk significantthrough the process described in Section 9.3 of this document.

The PSA used to define the (a)(4) assessment scope should have the following characteristics:

x The PSA should reasonably 5 reflect the as-built plant, and the plant operating practices.

x The PSA should include both front-line/support system dependencies and support system/support system dependencies, to the extent that these inter-system dependencies would have a significant effect on the key plant safety functions. The licensee should evaluate whether these dependencies are adequately modeled in the PSA. PSA peer review information may be used to facilitate this evaluation. If the modeling of inter-system dependencies is determined to be inadequate, the licensee should either revise the PSA to address the inter-system dependencies, or add the SSCs to the (a)(4) assessment scope.

x A PSA is typically modeled at the component level, whereas the concern of the (a)(4) assessments is the safety function of a system that the component supports. Thus, the phrase SSCs modeled in the PSA should be interpreted as identifying the systems, trains or portions of systems/trains whose functions are necessary to mitigate initiating events included in the high level logic structure of the PSA model, rather than the individual components. Appendix E provides information on PSA attributes and further detail on methods to evaluate the PSA with regard to its use in defining the (a)(4) scope.

x SSCs within the plant PSA scope may be evaluated and determined to have low safety significance regardless of plant configuration. These SSCs need not be included in the scope of the (a)(4) assessments. The expert panel may be used to facilitate these determinations.

x If the plant PSA includes level-two considerations, such as containment performance or release frequency, the scope of the (a)(4) assessment may optionally include the scope of the level two PSA. Otherwise, inclusion within the assessment scope of SSCs important to containment 5

Reasonably means that a difference between the as-built plant and its description in the PSA is such that a difference could realistically result in the incorrect assessment or management of maintenance-related risk.

© NEI 2018. All rights reserved. nei.org 26

October 2018 DRAFT NEI 18-10, Rev A performance may be covered by inclusion of high safety significant SSCs as discussed previously in item 2. Section 9.3.1 of this document discusses the importance of containment performance as a consideration in identifying risk significanthigh safety significantSSCs.

x The scope of hazard groups to be considered for assessment during power operating conditions includes internal events and floods and fires; licensees need not consider other hazard groups, except as noted in Section 11.3.4.2.

11.3.3.1 Scope of Assessment for Fire Risk In addressing the scoping associated with fire risk for power operating conditions, the following guidance is provided.

Maintenance activities can impact fire risk. In particular, the following activities could have risk impacts:

1. Performance of maintenance activities with potential to cause a firee.g., welding, use of cutting and grinding tools, transient combustibles, etc.
2. Removal of fire detection or suppression equipment from service .
3. Removal or impairment of fire barrierse.g., opening of fire doors to facilitate maintenance, removal of protective barriers on cable trays or conduit, etc.
4. Removal of equipment important to core damage mitigation from service.

Each plant is required to maintain a fire protection program, pursuant to 10 CFR 50.48 or Part 50, Appendix R. The programs, as implemented through NRC guidance documents, directly address the risk management aspects of items 1 through 3 above, and no additional action is warranted under

§50.65(a)(4) for these items. Concerning item 4, the following discussion concerns the scope of the assessment for fire risk.

The identification of important equipment for mitigating core damage resulting from fire initiating events can come from one of two sources:

First, each plant is required by 10 CFR 50.48 or Appendix R to identify one train of safe shutdown capability free of fire damage, such that the plant can be safely shutdown in the event of a fire. The magnitude of the fire is based on analysis of combustible loadings in the areas of concern. Some plants maintain this requirement through adequate separation between redundant trains of safe shutdown equipment, such that a single fire could not render both trains incapable of performing their safe shutdown function. Other plants, lacking adequate train separation, need to protect one train of equipment through fire barriers. While fire protection regulations require compensatory measures for the temporary removal of these barriers, they do not address the removal from service of the protected equipment for maintenance activities.

Second, each plant has also performed either a screening analysise.g., Fire Induced Vulnerability Evaluation, or FIVEor a fire PRA to examine fire risks relative to the Individual Plant Examination for External Events (IPEEE). These analyses may identify additional equipment, beyond the safe shutdown path discussed previously, that is useful for mitigating the risk of a fire or may identify alternative safe shutdown pathways. There are some plants that have fire PRAs, or integrated PRAs, such that fire risk

© NEI 2018. All rights reserved. nei.org 27

October 2018 DRAFT NEI 18-10, Rev A can be quantified and addressed in the same manner as internal events risk. In many cases, however, the analyses performed for the IPEEE and fire PRAs may not provide quantitative fire risk information that can be directly compared to the internal events PRA model on a quantitative basis. Thus, it is recommended that those plants use their fire risk analyses qualitatively, rather than quantitatively, in assessing and managing risk for §50.65(a)(4); further, it is notable that the qualitative approach is fully acceptable regardless of the state of a plants fire risk analyses.

Note: Each plant should use the above-selected source of information to identify equipment within the existing (a)(4) scope that is found to have appreciable impact on core damage mitigation for fire initiators. This scope of equipment will be a subset of the overall (a)(4) scope, and the fire risk implications need only be considered for equipment falling in this specific scope.

Since safe shutdown is oriented to assuring adequate core cooling, it is generally likely that equipment important to internal events core damage mitigation may also be important for fire risk.

Some fire scenarios have no success paths available. Examples may include some main control room (MCR) fires or severe fires in electrical equipment rooms. For these scenarios, there are essentially no impacts of removing equipment from service. These fire scenarios are almost always risk significant, but are generally not impacted by on-line maintenance. It is recommended that these scenarios be screened from further consideration.

11.3.4 Assessment Methods for Power Operating Conditions Removal from service of a single structure, system, train or component is adequately covered by existing Technical Specifications requirements, including the treatment of dependent components. Thus, the assessment for removal from service of a single SSC for the planned amount of timee.g., the Technical Specifications allowed out-of-service time, or a commensurate time considering unavailability performance criteria for a Non-Technical Specification high safety significant SSCmay be limited to the consideration of unusual external conditions that are present or imminente.g., severe weather or offsite power instability.

Simultaneous removal from service of multiple SSCs requires that an assessment be performed using quantitative, qualitative or blendedquantitative and qualitativemethods. Sections 11.3.4.1 and 11.3.4.2 provide guidance regarding quantitative and qualitative considerations, respectively.

11.3.4.1 Quantitative Considerations

1. The assessment process may be performed by a tool or method that considers quantitative insights from the PSA. This can take the form of using the PSA model or using a safety monitor, matrix or pre-analyzed list derived from the PSA insights. In order to properly support the conduct of the assessment, the PSA must have certain attributes, and it must reasonably reflect the plant configuration. Appendix E provides information on PSA attributes. Section 11.3.7.2 provides guidance on various approaches for using the output of a quantitative assessment to manage risk.
2. If the PSA is modeled at a level that does not directly reflect the SSC to be removed from servicee.g., the RPS system, diesel generator, etc., have each been modeled as a single component in the PSA, the assessment should include consideration of the impact of the out-

© NEI 2018. All rights reserved. nei.org 28

October 2018 DRAFT NEI 18-10, Rev A of-service SSC on the safety function of the modeled component. SSCs are considered to support the safety function if the SSC is significant to the success path for function of the train or systeme.g., primary pump or valve in primary flow path. However, if the SSC removed from service does not contribute significantly to the train or system safety functione.g., indicator light, alarm or drain valve, the SSC would not be considered to support the safety function.

11.3.4.2 Qualitative Considerations

1. The assessment may be performed by a qualitative approach, by addressing the impact of the maintenance activity upon key safety functions, as follows:

x Identify key safety functions affected by the SSC planned for removal from service.

x Consider the degree to which removing the SSC from service will impact the key safety functions.

x Consider the degree of redundancy, duration of out-of-service condition, and appropriate compensatory measures, contingencies, or protective actions that could be taken if appropriate for the activity under consideration.

2. For power operation, key plant safety functions are those that ensure the integrity of the reactor coolant pressure boundary, ensure the capability to shut down and maintain the reactor in a safe shutdown condition, and ensure the capability to prevent or mitigate the consequences of accidents that could result in potentially significant offsite exposures.

Examples of these power operation key safety functions are:

x Containment Integrity (Containment Isolation, Containment Pressure and Temperature Control) x Reactivity Control x Reactor Coolant Heat Removal x Reactor Coolant Inventory Control

3. The key safety functions are achieved by using systems or combinations of systems. The configuration assessment should consider whether the maintenance activity would:

x Have a significant impact on the performance of a key safety function considering the remaining degree of redundancy for trains or systems supporting the key safety function and considering the likelihood of an initiating event.

x Involve a significant potential to cause a scram or safety system actuation.

x Result in significant complications to recovery efforts.

4. The assessment should consider plant systems supporting the affected key safety functions and trains supporting these plant systems.

© NEI 2018. All rights reserved. nei.org 29

October 2018 DRAFT NEI 18-10, Rev A

5. Qualitative considerations may also be necessary to address external events, SSCs not in the scope of the level one and internal events PSAe.g., included in the assessment scope because of expert panel considerations.
6. The assessment may need to include consideration of actions which could affect the ability of the containment to perform its function as a fission product barrier. With regard to containment performance, the assessment should consider:

x Whether new containment bypass conditions are created or the probability of containment bypass conditions is increased.

x Whether new containment penetration failures that can lead to loss of containment isolation are created.

x If maintenance is performed on SSCs of the containment heat removal system or SSCs upon which this function is dependent, whether redundant containment heat removal trains should be available.

7. External event considerations involve the potential impacts of weather or other external conditions relative to the proposed maintenance evolution. For the purposes of the assessment, weather, external flooding and other external impacts need to be considered if such conditions are imminent or have a high probability of occurring during the planned out-of-service duration.

An example of where these considerations are appropriate would be the long-term removal of exterior doors, hazard barriers or floor plugs.

8. Internal flooding considerations, from internal or external sources, should be addressed if pertinent. The assessment should consider the potential for maintenance activities to cause internal flood hazards and for maintenance activities to expose SSCs to flood hazards in a manner that degrades their capability to perform key safety functions.

11.3.4.3 Fire Risk Assessment Considerations In addressing the assessment of fire risk for power operating conditions, the following guidance is provided:

With regard to item 4 from Section 11.3.3.1, removal of mitigation equipment from service, the

§50.65(a)(4) program should include consideration of these risks with respect to fire, as they are not covered by existing fire protection regulations and can have a risk impact.

1. The plant personnel responsible for activities relative to fire protection and §50.65(a)(4) should communicate and maintain awareness of their respective risk management actions such that an integrated perspective of these activities is maintainedsee further discussion on risk management actions in Section 11.3.7.5.
2. Include consideration of the implications of fire risks when removing equipment from service that is known from existing plant specific evaluations to have appreciable impact on mitigation of core damage due to fire initiators. This is generally a qualitative evaluation, but quantitative

© NEI 2018. All rights reserved. nei.org 30

October 2018 DRAFT NEI 18-10, Rev A approaches may be optionally used by plants that are capable of such evaluationssee Section 11.3.7.3 for further discussion of limitations on use of quantitative techniques.

3. For plants that meet §50.48/Appendix R by protecting one train of safe shutdown equipment through fire barriers, the overall risk significance, internal events and fire, may be greater for the protected train than for the redundant, nonprotected train of the same system.

Maintenance activities on the protected train should consider this greater risk, and appropriate risk assessment and management actions should be taken.

11.3.5 Scope of Assessment for Shutdown Conditions The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment for shutdown conditions are those SSCs necessary to support the following shutdown key safety functions from Section 4 of NUMARC 91-06:

x Decay heat removal capability x Inventory Control x Power Availability x Reactivity control x Containment (primary/secondary)

The shutdown key safety functions are achieved by using systems or combinations of systems. The shutdown assessment need not be performed for SSCs whose functionality is not necessary during shutdown modes, unless these SSCs are considered for establishment of backup success paths or compensatory measures.

11.3.6 Assessment Methods for Shutdown Conditions NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, Section 4.0 provides a complete discussion of shutdown safety considerations with respect to maintaining key shutdown safety functions and should be considered in developing an assessment process that meets the requirements of 10 CFR 50.65(a)(4).

Performance of the safety assessment for shutdown conditions generally involves a qualitative assessment with regard to key safety functions and follows the same general process described in Section 11.3.4.2 above. Those plants that have performed shutdown PSAs can use these PSAs as an input to their shutdown assessment methods. However, some considerations differ from those associated with the at-power assessment. These include:

1. The scope of initiators to be considered in the assessment for shutdown conditions is limited to internal events, except as noted in item 5.
2. The shutdown assessment is typically focused on SSCs available to perform a function versus SSCs out of service in the case of power operations. Due to decreased equipment

© NEI 2018. All rights reserved. nei.org 31

October 2018 DRAFT NEI 18-10, Rev A redundancies during outage conditions, the outage planning and control process may involve consideration of contingencies and backup methods to achieve the key safety functions, as well as measures that can reduce both the likelihood and consequences of adverse events.

3. Assessments for shutdown maintenance activities need to take into account plant conditions and multiple SSCs out-of-service that impact the shutdown key safety functions. The shutdown assessment is a component of an effective outage planning and control process.
4. Maintenance activities that do not necessarily remove the SSC from service may still impact plant configuration and impact key safety functions. Examples could include:

x A valve manipulation that involves the potential for a single failure to create a drain-down path affecting the inventory control key safety function.

x A switchyard circuit breaker operation that involves the potential for a single failure to affect availability of alternating current (AC) power.

5. External event considerations involve the potential impacts of weather or other external conditions relative to the proposed maintenance evolution. For the purposes of the assessment, weather, external flooding and other external impacts need to be considered if such conditions are imminent or have a high probability of occurring during the planned out-of-service duration.

An example where these considerations are appropriate would be the long-term removal of exterior doors, hazard barriers or floor plugs.

Because of the special considerations of shutdown assessments, additional guidance is provided below with respect to each key safety function.

11.3.6.1 Decay Heat Removal (DHR) Capability Assessments for maintenance activities affecting the DHR system should consider that other systems and components can be used to remove decay heat depending on a variety of factors, including the plant configuration, availability of other key safety systems and components, and the ability of operators to diagnose and respond properly to an event. For example, assessment of maintenance activities that impact the decay heat removal key safety function should consider:

x initial magnitude of decay heat x time to boiling x time to core uncovery x time to containment closure (PWR) x initial reactor coolant system (RCS) water inventory conditione.g., filled, reduced, mid-loop, refueling canal filled, reactor cavity flooded, etc.

x RCS configurationse.g., open/closed, nozzle dams installed or loop isolation valves closed, steam generator manways on/off, vent paths available, temporary covers or thimble tube plugs installed, main steam line plugs installed, etc.

© NEI 2018. All rights reserved. nei.org 32

October 2018 DRAFT NEI 18-10, Rev A x natural circulation capability with heat transfer to steam generator shell side (PWR)

If the fuel is offloaded to the spent fuel pool during the refueling outage, the decay heat removal function is shifted from the RCS to the spent fuel pool. Assessments for maintenance activities should reflect appropriate planning and contingencies to address loss of spent fuel pool cooling.

11.3.6.2 Inventory Control Assessments for maintenance activities should address the potential for creating inventory loss flow paths. For example:

x For BWRs, maintenance activities associated with the main steam linese.g., safety/relief valve removal, automatic depressurization system testing, main steam isolation valve maintenance, etc.can create a drain-down path for the reactor cavity and fuel pool. This potential is significantly mitigated through the use of main steam plugs.

x For BWRs, there are potential inventory loss paths through the DHR system to the suppression pool when DHR is aligned for shutdown cooling.

x For PWRs, assessments for maintenance activities during reduced inventory operations are especially important. Reduced inventory operation occurs when the water level in the reactor vessel is lower than 3 feet below the reactor vessel flange x A special case of reduced inventory operation for PWRs is mid-loop operation, which occurs when the RCS water level is below the top of the hot legs at their junction with the reactor vessel. Similar conditions can exist when the reactor vessel is isolated from steam generators by closed loop isolation valves or nozzle dams with the reactor vessel head installed or prior to filling the reactor cavity. Upon loss of DHR under these conditions, coolant boiling and core uncovery can occur if decay heat removal is not restored or provided by some alternate means.

In addition, during mid-loop operation, DHR can be lost by poor RCS level control or by an increase in DHR floweither of which can ingest air into the DHR pump.

11.3.6.3 Power Availability Assessments should consider the impact of maintenance activities on availability of electrical power.

Electrical power is required during shutdown conditions to maintain cooling to the reactor core and spent fuel pool, to transfer decay heat to the heat sink, to achieve containment closure when needed, and to support other important functions.

x Assessments for maintenance activities involving AC power sources and distribution systems should address providing defense in depth that is commensurate with the plant operating mode or configuration.

x Assessments for maintenance activities involving the switchyard and transformer yard should consider the impact on offsite power availability.

x AC and direct current (DC) instrumentation and control power is required to support systems that provide key safety functions during shutdown. As such, maintenance activities affecting

© NEI 2018. All rights reserved. nei.org 33

October 2018 DRAFT NEI 18-10, Rev A power sources, inverters or distribution systems should consider their functionality as an important element in providing appropriate defense in depth.

11.3.6.4 Reactivity Control The main aspect of this key safety function involves maintaining adequate shutdown margin in the RCS and the spent fuel pool. For PWRs, maintenance activities involving addition of water to the RCS or the refueling water storage tank have the potential to result in boron dilution. During periods of cold weather, RCS temperatures can also decrease below the minimum value assumed in the shutdown margin calculation.

11.3.6.5 Containment - Primary (PWR)/Secondary (BWR)

Maintenance activities involving the need for open containment should include evaluation of the capability to achieve containment closure in sufficient time to mitigate potential fission product release.

This time is dependent on a number of factors, including the decay heat level and the amount of RCS inventory available.

For BWRs, technical specifications may require secondary containment to be closed under certain conditions, such as during fuel handling and operations with a potential to drain the vessel.

In addition to the guidance in NUMARC 91-06, for plants which obtain license amendments to utilize shutdown safety administrative controls in lieu of Technical Specification requirements on primary or secondary containment operability and ventilation system operability during fuel handling or core alterations, the following guidelines should be included in the assessment of systems removed from service:

x During fuel handling/core alterations, ventilation system and radiation monitor availability, as defined in NUMARC 91-06, should be assessed, with respect to filtration and monitoring of releases from the fuel. Following shutdown, radioactivity in the RCS decays fairly rapidly. The basis of the Technical Specification operability amendment is the reduction in doses due to such decay. The goal of maintaining ventilation system and radiation monitor availability is to reduce doses even further below that provided by the natural decay and to avoid unmonitored releases.

x A single normal or contingency method to promptly close primary or secondary containment penetrations should be developed. Such prompt methods need not completely block the penetration or be capable of resisting pressure. The purpose is to enable ventilation systems to draw the release from a postulated fuel handling accident in the proper direction such that it can be treated and monitored.

11.3.7 Managing Risk The assessment provides insights regarding the risk-significance of maintenance activities. The process for managing risk involves using the result of the assessment in plant decision-making to control the overall risk impact. This is accomplished through careful planning, scheduling, coordinating, monitoring and adjusting of maintenance activities.

© NEI 2018. All rights reserved. nei.org 34

October 2018 DRAFT NEI 18-10, Rev A The objective of risk management is to control the temporary and aggregate risk increases from maintenance activities such that the plants average baseline risk is maintained within a minimal range.

This is accomplished by using the result of the (a)(4) assessment to plan and schedule maintenance such that the risk increases are limited and to take additional actions beyond routine work controls to address situations where the temporary risk increase is above a certain threshold. These thresholds may be set on the basis of qualitative considerationse.g., remaining mitigation capability, quantitative considerationse.g., temporary increase in core damage frequency, or blended approaches using both qualitative and quantitative insights Management of risk involves consideration of temporary risk increases, as well as aggregate risk impactsaggregate risk is the collected risk impact; cumulative risk is successive addition of accumulated risk impacts. Aggregate risk impacts are controlled to a degree through maintenance rule requirements to establish and meet SSC performance criteria. These requirements include consideration of the risk significance of SSCs in establishing performance goals. Plants that routinely enter the risk management action thresholds should consider measures to assess the aggregate risk with respect to its estimated impact on the average baseline risk. This could be accomplished through a periodic assessment of previous out-of-service conditions. Such an assessment may involve a quantitative computation of cumulative risks or may involve a qualitative assessment of the risk management approach employed and the actual temporary risk impacts observed. When permanent changes are made to the maintenance planning and control process that would result in increased component unavailability, the impact of these changes on the average baseline risk should be evaluated with respect to the permanent change guidelines discussed in NRC Regulatory Guide 1.174.

The PSA provides valuable insights for risk management because it realistically assesses the relationship of events and systems. Risk management can be effectively accomplished by making use of qualitative insights from the PSA, rather than sole reliance on quantitative information. Removing equipment from service may alter the significance of various risk contributors from those of the baseline PSA. Specific configurations can result in increased importance of certain initiating events or of systems or equipment used for mitigation of accidents. Evaluation of a specific configuration can identify low order cutsets or sequences, which are accident sequences that may not be important in the baseline analysis but become important for a specific configuration. These considerations are important to risk management.

The most fundamental risk management action is the planning and sequencing of the maintenance activities while taking into account the insights provided by the assessment. In conjunction with scheduling the sequence of activities, additional risk management actions may be undertaken that have the effect of reducing the temporary risk increase as determined by the assessment. Since many of the risk management actions address nonquantifiable factors, it is not expected that the risk reduction achieved by their use would necessarily be quantified. The assessment provides the basis for consideration of their use. The following sections discuss the establishment of thresholds for the use of risk management actions.

11.3.7.1 Establishing Action Thresholds Based on Qualitative Considerations The risk management action thresholds may be established qualitatively by considering the performance of key safety functions or the remaining mitigation capability, given the out-of-service SSCs. Qualitative methods to establish risk management actions would generally be necessary to address SSCs not modeled in the PSA and assessments for shutdown conditions. However, the use of qualitative methods is not limited to these applications and is an acceptable approach for establishing

© NEI 2018. All rights reserved. nei.org 35

October 2018 DRAFT NEI 18-10, Rev A risk management actions for (a)(4) assessments in general. This approach typically involves consideration of the following factors from the assessment:

x Duration of out-of-service condition, with longer duration resulting in increased exposure time to initiating events x The type and frequency of initiating events that are mitigated by the out-of-service SSC, considering the sequences for which the SSC would normally serve a safety function x The impact, if significant, of the maintenance activity on the initiating event frequencies x The number of remaining success pathsredundant systems, trains, operator actions, recovery actionsavailable to mitigate the initiating events x The likelihood of proper function of the remaining success paths The above factors can be used as the basis for the establishment of a matrix or list of configurations and attendant risk management actions.

11.3.7.2 Establishing Action Thresholds Based on Quantitative Considerations The thresholds for risk management actions may be established quantitatively by considering the magnitude of increase of the core damage frequency, and/or large early release frequency, for the maintenance configuration. This is defined as the incremental CDF or incremental LERF.

The incremental CDF is the difference in the configuration-specific CDF and the baseline, or zero-maintenance, CDF. The configuration-specific CDF is the annualized risk rate with the unavailability of the out-of-service SSCs set to one. The configuration-specific CDF may also consider the zero maintenance modeli.e., the unavailability of the out-of-service SSC(s) is set to one, and the maintenance unavailability of the remaining SSC(s) is set to zero. This more closely reflects the actual configuration of the plant during the maintenance activity.

Plants should consider factors of duration in setting the risk management thresholds. This may be either the duration of a particular out-of-service condition, or a specific defined work intervale.g., shift, week, etc. The product of the incremental CDF, or LERF, and duration is expressed as a probabilitye.g.,

incremental core damage probability (ICDP) or incremental large early release probability (ILERP).

The EPRI PSA Applications Guide, 6 Section 4.2.3, includes guidance for evaluation of temporary risk increases through consideration of the configuration-specific CDF, as well as the ICDP and ILERP. When combined with the other elements of the maintenance rule, and other quantitative or qualitative measures as necessary to control cumulative risk increases, this guidance provides one acceptable alternative for (a)(4) implementation. The guidance is as follows:

1. The configuration-specific CDF should be considered in evaluating the risk impact of the planned maintenance configuration. Maintenance configurations with a configuration-specific CDF in excess of 10-3/year should be carefully considered before voluntarily entering such conditions. If 6

Reference:

EPRI TR-105396

© NEI 2018. All rights reserved. nei.org 36

October 2018 DRAFT NEI 18-10, Rev A such conditions are entered, it should be for very short periods of time and only with a clear detailed understanding of which events cause the risk level.

2. ICDP and ILERP, for a specific planned configuration, may be considered as follows with respect to establishing risk management actions:

ICDP ILERP

- configuration should not normally be entered

> 10-5 > 10-6 voluntarily

- assess nonquantifiable factors 10-6-10-5 10-7-10-6

- establish risk management actions

< 10-6 - normal work controls < 10-7 Another acceptable approach would be to construct a similar table using ICDF and ILERF, expressed as either an absolute quantity or as a relative increase from the plants baseline CDF and LERF.

Due to differences in plant type and design, there is acknowledged variability in baseline core damage frequency and large early release frequency. Further, there is variability in containment performance that may impact the relationship between baseline core damage frequency and baseline large early release frequency for a given plant or class of plants. Therefore, determination of the appropriate method or combination of methods, as discussed above, and the corresponding quantitative risk management action thresholds are plant-unique activities.

11.3.7.3 Establishing Fire Risk Management Action Thresholds Each plant should develop a process for implementing risk management actions related to fire risk impacts of equipment identified above.

For determination of the threshold for risk management actions, any of the following approaches, or a comparable approach, may be considered:

1. Establish an adjustment factor to the internal events ICDPsee Section 11.3.7.2.

OR Raise the risk management action threshold by one level.

The appropriate adjustment factor can be determined by risk personnel using insights from screening evaluations or fire PRAs performed for the IPEEE or fire PRAs that contain conservative modeling assumptions. This adjustment factor should take into account the number of safe shutdown paths available.

2. Use the following table to determine the need for risk management actions specific to fire risk when fire risk mitigation equipment is taken out of service. As the risk from internal events is evaluated under current (a)(4) programs, this table only addresses incremental risk from fire events and it is not appropriate to utilize the information below to aggregate risk from fire and

© NEI 2018. All rights reserved. nei.org 37

October 2018 DRAFT NEI 18-10, Rev A internal events. This table may be used in addition to the existing guidance in NUMARC 93-01 i.e., this table is specific to fire risk and does not address other contributors. Background information on the development of this table may be found in EPRI Report 1012948, Methodology for Fire Configuration Risk Management Final Report, December 2005.

Number of Core Damage Avoidance Success Paths Available 1 or More Success Paths Available No Success Paths Available Duration of Unavailability Duration of Unavailability

<3d 3-30d >30d <3d 3-30d >30d Normal Avoid Normal Controls Risk Mgmt. Risk Mgmt.

Control Config.

3. Quantifying the fire risk and internal events risk for the purpose of calculating the ICDP (limited applicability see Sections 11.3.3.1 and 11.3.4.3.

11.3.7.4 Risk Management Actions Determination of the appropriate actions to control risk for a maintenance activity is specific to the particular activity, its impact on risk and the practical means available to control the risk. Actions, similar to the examples shown below, may be used singularly or in combinations. Other actions may be taken that are not listed in the examples.

Normal work controls would be employed for configurations having nominal risk significance. This means that the normal plant work control processes are followed for the maintenance activity, and no additional actions to address risk management actions are necessary.

Risk management actions should be considered for configurations that result in a minimal increase from the plants baseline risk. As discussed previously, the benefits of these actions are generally not quantifiable. These actions are aimed at providing increased risk awareness of appropriate plant personnel, providing more rigorous planning and control of the activity, and taking measures to control the duration of the increased risk and the magnitude of the increased risk. Examples of risk management actions are as follows:

1. Actions to provide increased risk awareness and control:

x Discuss planned maintenance activity with operating shift and obtain operator awareness and approval of planned evolution.

x Conduct pre-job briefing of maintenance personnel, emphasizing risk aspects of planned maintenance evolution.

x Request the system engineer to be present for the maintenance activity or for applicable portions of the activity.

© NEI 2018. All rights reserved. nei.org 38

October 2018 DRAFT NEI 18-10, Rev A x Obtain plant management approval of the proposed activity.

2. Actions to reduce duration of maintenance activity:

x Pre-stage parts and materials.

x Walk-down tagout and maintenance activity prior to conducting maintenance.

x Conduct training on mockups to familiarize maintenance personnel with the activity.

x Perform maintenance around the clock.

x Establish contingency plan to restore out-of-service equipment rapidly if needed.

3. Actions to minimize magnitude of risk increase:

x Minimize other work in areas that could affect initiatorse.g., RPS equipment areas, switchyard, D/G rooms or switchgear roomsto decrease the frequency of initiating events that are mitigated by the safety function served by the out-of-service SSC.

x Minimize other work in areas that could affect other redundant systemse.g.,

HPCI/RCIC rooms or auxiliary feed water pump roomssuch that there is enhanced likelihood of the availability of the safety functions at issue served by the SSCs in those areas.

x Establish alternate success paths for performance of the safety function of the out-of-service SSC.

Note: equipment used to establish these alternate success paths need not necessarily be within the overall scope of the maintenance rule.

x Establish other compensatory measures.

4. A final action threshold should be established such that risk significant configurations are not normally entered voluntarily.

11.3.7.5 Fire Risk Management Actions If the evaluation described in Section 11.3.7.3 indicates risk management actions are appropriate, the following actions should be considered:

1. Primary action: Coordinate activities within the plant that could involve increased fire risk with those maintenance activities involving removal from service of mitigation equipment important for fire risk. This involves coordination of fire protection personnel with Maintenance Rule (a)(4) personnel. Based on this coordination, evaluate appropriate risk management actions as discussed in Section 11.3.7.4.

© NEI 2018. All rights reserved. nei.org 39

October 2018 DRAFT NEI 18-10, Rev A

2. Additional risk management actions specific to fire could include:

x Re-scheduling activities that involve increased fire likelihood in fire areas where the out of service core damage mitigation equipment would be relied upon in the event of a fire.

x Increased fire watches in fire areas where the out-of-service core damage mitigation equipment would be relied upon in the event of a fire.

x Confirm the availability of an alternate success path for safe shutdown, should it be needed. These could include alternative success paths excluded from design basis evaluationse.g., Bleed & Feed Cooling (PWRs) or Containment Venting (BWRs).

11.3.8 Regulatory Treatment of Compensatory Measures Use of compensatory measures is discussed in several sections of this guideline. These measures may be employed, either prior to or during maintenance activities, to mitigate risk impacts. The following guidance discusses the applicability of 10 CFR 50.65 (a)(4) and 10 CFR 50.59 to the establishment of compensatory measures. There are two circumstances of interest:

1. The compensatory measure is established to address a degraded or nonconforming condition and will be in effect for a time period prior to conduct of maintenance to restore the SSCs condition. Per NRC Generic Letter 91-18, Revision 1, and NEI 96-07, Revision 1, the compensatory measure should be reviewed under 10 CFR 50.59. Since the compensatory measure is in effect prior to performance of the maintenance activity, no assessment is required under 10 CFR 50.65 (a)(4).
2. The compensatory measure is established as a risk management action to reduce the risk impact during a planned maintenance activity. The 50.65 (a)(4) assessment should be performed to support the conduct of the corrective maintenance and those compensatory measures that will be in effect during performance of the maintenance activity. The compensatory measures would be expected to reduce the overall risk of the maintenance activity; however, the impact of the measures on plant safety functions should be considered as part of the (a)(4) evaluation. Since the compensatory measures are associated with maintenance activities, no review is required under 10 CFR 50.59, unless the measures are expected to be in effect during power operation for greater than 90-days.

11.3.9 Documentation The following are guidelines for documentation of the safety assessment:

The purpose of this paragraph of the maintenance rule is to assess impacts on plant risk or key safety functions due to maintenance activities. This purpose should be affected through establishment of plant procedures that address process, responsibilities and decision approach. It may also be appropriate to include a reference to the appropriate procedures that govern planning and scheduling of maintenance or outage activities. The process itself should be documented.

© NEI 2018. All rights reserved. nei.org 40

October 2018 DRAFT NEI 18-10, Rev A The normal work control process suffices as a record that the assessment was performed. It is not necessary to document the basis of each assessment for removal of equipment from service as long as the process is followed.

11.4 PSA Attributes The PSA used for the (a)(4) assessment is important for two aspects:

1. Determination of scope of SSCs to which the assessment applies.
2. Evaluation of risk impact of the maintenance configurationor as the basis for the risk monitor, matrix or other toolif the assessment is performed quantitatively.

The PSA model should include the following characteristics, or, if not, its limitations for use in supporting the assessment should be compensated for by additional qualitative evaluation. The EPRI PSA Applications Guide 7 discusses considerations regarding PSA attributes, maintenance and use in decision-making. This guidance should be considered in determining the degree of confidence that can be placed in the use of the PSA for the assessment and whether additional qualitative considerations should be brought to bear.

1. The PSA should address internal initiating events.
2. The PSA should provide level-one insights contribution to core damage frequency.
3. The PSA is not required to be expanded to quantitatively address level-two containment performance, external events or conditions other than power operation. Use of such an expanded PSA is an option.
4. The PSA should be reviewed periodically and updated as necessary to provide reasonable representation of the current plant design.
5. The PSA should include consideration of support systems and dependencies for SSCs that impact plant risk. NEI document 00-02, Probabilistic Risk Assessment Peer Review Process Guidance, includes additional information for evaluation of the correct treatment of these attributes in a PSA.

7

Reference:

EPRI TR-105396

© NEI 2018. All rights reserved. nei.org 41