Regulatory Guide 1.177

(DG-1287) an Approach for Plant-Specific, Risk Informed Decisionmaking: Technical Specifications
ML20164A034
Issue date: 01/04/2021
From: NRC/RES/DE
To: SJG1
Shared Package: ML20164A029
References: DG-1287, RG-1.177, Rev 2


U.S. NUCLEAR REGULATORY COMMISSION

REGULATORY GUIDE 1.177, REVISION 2

Issue Date: January 2021
Technical Lead: Todd Hilsmeier, Pete Snyder

PLANT-SPECIFIC, RISK-INFORMED DECISIONMAKING: TECHNICAL SPECIFICATIONS

A. INTRODUCTION

Purpose

This regulatory guide (RG) describes an approach that is acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) for developing risk-informed applications for changes to completion times (CTs) and surveillance frequencies (SFs) of plant technical specifications (TS). This RG provides specific guidance for considering engineering issues and using risk information to evaluate nuclear power plant TS changes to CTs and SFs.

This RG supplements the guidance in RG 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis (Ref. 1), and includes precise terminology to ensure that the defense-in-depth philosophy is interpreted and implemented consistently.

Applicability

This RG applies to light-water reactor (LWR) licensees subject to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities (Ref. 2), and 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants (Ref. 3).

Applicable Regulations

  • 10 CFR Part 50 provides regulations for licensing production and utilization facilities.

o 10 CFR 50.36, Technical Specifications, requires applicants to submit proposed TS for their facilities. The TS include items in the categories of (1) safety limits, limiting safety system settings, and limiting control settings, (2) limiting conditions for operation (LCOs), (3) surveillance requirements, (4) design features, and (5) administrative controls (stating that each licensee shall submit any reports to the Commission under approved TS as specified in 10 CFR 50.4, Written Communications).

o 10 CFR 50.90, Application for Amendment of License, Construction Permit, or Early Site Permit, requires that applications for license amendments fully describe the changes desired.

  • 10 CFR Part 52 governs the issuance of early site permits, standard design certifications, combined licenses, standard design approvals, and manufacturing licenses for nuclear power facilities.

Written suggestions regarding this guide or development of new guides may be submitted through the NRC's public Web site in the NRC Library at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/, under Document Collections, in Regulatory Guides, at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html.

Electronic copies of this RG, previous versions of RGs, and other recently issued guides are also available through the NRC's public Web site in the NRC Library at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/, under Document Collections, in Regulatory Guides. This RG is also available through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under ADAMS Accession Number (No.) ML20164A034. The associated draft guide DG-1287 may be found in ADAMS under Accession No. ML19206A489, and the staff responses to the public comments on DG-1287 may be found under ADAMS Accession No. ML20191A231. The responses to public comments on the 2012 version of DG-1287 (ADAMS Accession No. ML12017A054) can be found in ADAMS under Accession No. ML12228A289. The regulatory analysis may be found in ADAMS under Accession No. ML19206A493.

Related Guidance

  • NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (Ref. 4), provides guidance to the NRC staff for performing safety reviews of construction permit or operating license applications (including requests for amendments) under 10 CFR Part 50 and of early site permit, design certification, combined license, standard design approval, or manufacturing license applications under 10 CFR Part 52 (including requests for amendments).

o NUREG-0800, Section 16.1, Risk-Informed Decision Making: Technical Specifications, addresses risk-informed decisionmaking for TS. The guidance pertaining to TS changes to SFs and CTs in Section 16.1 is consistent with the guidance in this RG.

o NUREG-0800, Section 19.1, Determining the Technical Adequacy of Probabilistic Risk Assessment for Risk-Informed License Amendment Requests after Initial Fuel Load, addresses the acceptability of a baseline probabilistic risk assessment (PRA) that a licensee uses to support license amendments for an operating reactor, as well as license amendment requests submitted after initial fuel load for new reactors.

o NUREG-0800, Section 19.2, Review of Risk Information Used To Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance, addresses the review of risk information used to support permanent plant-specific changes to the licensing basis.

  • NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decisionmaking: Final Report (Ref. 5), provides guidance on how to treat uncertainties associated with PRAs in risk-informed decisionmaking. This guidance is intended to foster an understanding of the uncertainties associated with PRAs and their impact on PRA results.

  • RG 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Ref. 6), provides methods demonstrating compliance with the provisions of 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants.

  • RG 1.174 provides guidance on an acceptable approach for developing risk-informed applications for a licensing basis change that considers engineering issues and applies risk insights.
  • RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities (Ref. 7), provides an approach for determining whether the base PRA, in total or the parts used to support an application, is acceptable for use in regulatory decisionmaking for LWRs. Also note that the NRC will periodically update RG 1.200 as the agency adopts new PRA standards.

Purpose of Regulatory Guides

The NRC issues RGs to describe methods that are acceptable to the staff for implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to describe information that the staff uses in its review of applications for permits and licenses. Regulatory guides are not NRC regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs are acceptable if supported by a basis for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act

This RG provides voluntary guidance for implementing the mandatory information collections in 10 CFR Parts 50 and 52 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), approval numbers 3150-0011 and 3150-0151. Send comments regarding this information collection to the Information Services Branch (T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the OMB reviewer at: OMB Office of Information and Regulatory Affairs (3150-0011 or 3150-0151), Attn: Desk Officer for the Nuclear Regulatory Commission, 725 17th Street, NW, Washington, DC 20503; e-mail: oira_submission@omb.eop.gov.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

B. DISCUSSION

Reason for Revision

This revision of the guide (Revision 2) provides updated guidance on the defense-in-depth philosophy to be consistent with the related guidance in RG 1.174. The NRC revised RG 1.174 in 2018 to expand the guidance on the meaning of and the process for assessing defense-in-depth considerations.

Specifically, this revision of RG 1.177 references the defense-in-depth guidance in RG 1.174 in several places in the staff regulatory guidance.

Additionally, the staff revised this guide to (1) adopt the term "PRA acceptability," and related phrasing variants, instead of terms such as "PRA quality," "PRA technical adequacy," and "technical adequacy" to describe the appropriateness of the PRA used to support risk-informed licensing submittals, (2) update Section C.2.3 on the evaluation of risk impact (Principle 4), (3) specify that long-term CT extension requests will increase the depth and level of detail of the staff's review and the need for proposed measures to reduce the risk impact of the TS change commensurate with the proposed CT extension, and (4) add a new Section C.2.6 on integrated decisionmaking consistent with RG 1.174, Section C.2.6.

Background

The Commission established its regulatory requirements for TS in 10 CFR 50.36. In doing this, the Commission emphasized matters related to the prevention of accidents and the mitigation of accident consequences. The Commission noted that applicants were expected to incorporate into their TS those items that are directly related to maintaining the integrity of the physical barriers designed to contain radioactivity (Ref. 8).

In August 1995, the NRC issued Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities: Final Policy Statement (Ref. 9), which encourages greater use of this analysis technique to improve safety decisionmaking and regulatory efficiency. One activity undertaken in response to the policy statement is the use of PRA to support decisions to modify an individual plant's licensing basis. Such modifications are related to decisions to modify an individual plant's TS.

To support the use of risk-informed decisionmaking, the NRC developed RG 1.174, which provides guidance on an acceptable approach for developing risk-informed applications for a licensing basis change and considers engineering issues and applies risk insights. This RG supplements the guidance in RG 1.174.

The staff normally uses deterministic engineering analysis to evaluate license amendment requests for TS changes that are consistent with approved staff positions (e.g., generic letters (GLs), RGs, standard review plans, branch technical positions, or the Standard Technical Specifications (STS) (Refs. 10-14)). For TS change requests that go beyond current staff positions, in which a licensee elects to use risk information to support the proposed TS change, the staff's evaluation may use deterministic engineering analyses and the risk-informed approach set forth in this RG. The staff will review the information provided by the licensee to determine whether it can approve the application based on the information provided using deterministic and risk-informed methods, as applicable, and will either approve or reject the application based on the review.

The guidance in this RG does not preclude other approaches for requesting changes to the TS. Rather, this RG is intended to improve consistency in regulatory decisions when the results of risk analyses are used to help justify TS changes.


This RG describes an acceptable approach for assessing the nature and impact of proposed TS changes in CTs and SFs by considering engineering issues and applying risk insights. As presented in detail in Section C of this RG, assessments should consider relevant safety margins and defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability.

In addition, this RG describes acceptable TS change implementation strategies and performance monitoring plans that will help ensure that assumptions and analyses supporting the change are verified. It also indicates an acceptable level of documentation to reach a finding that the licensee has performed a sufficiently complete and scrutable TS change analysis and that the results of the engineering evaluations support the licensee's proposed TS change.

Risk-informed TS submittals may address either permanent changes to TS requirements or one-time-only changes. Once approved, permanent changes apply to all future occurrences. Licensees request a one-time-only change to a TS requirement for a particular condition and for a specified period, typically for a CT. This RG provides guidance for both permanent and one-time-only CT changes to TS.

In addition, the term "operable" as used in this document and the single-failure criterion should be understood within the context of this RG. All TS contain a definition of the terms "operable" and "operability" that is similar to this example from NUREG-1431, Standard Technical Specifications, Westinghouse Plants, Revision 4 (Ref. 11):

A system, subsystem, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

As described above, a plant-specific TS may differ from the STS definition of "Operable-Operability." Therefore, some judgment is needed in applying the guidance from Inspection Manual Chapter 0326, Operability Determinations, dated September 30, 2019 (Ref. 15).

The staff gave the historical basis for this definition in GL 80-30, Clarification of the Term "Operable" as It Applies to Single Failure Criterion for Safety Systems Required by TS, dated April 10, 1980 (Ref. 16). GL 80-30 states that the TS were formulated to preserve the single-failure criterion for systems that are relied upon in the safety analysis report. When the required redundancy is not maintained, the TS require action within a specified time. GL 80-30 calls the specified time to take action an "equipment out-of-service time." This term is equivalent to the term "completion time" used in the STS. This limited time is a temporary relaxation of the single-failure criterion to take action so that the equipment can be restored to an operable status in accordance with the TS.

Since publishing GL 80-30, the NRC has issued various initial operating licenses, combined licenses, and amendments to licenses, each of which contains a definition of "operable" similar to the GL 80-30 definition. These definitions do not require a licensee to assume an additional failure when assessing the operability of a degraded or nonfunctional safety system or component.

Harmonization with International Standards

The NRC has a goal of harmonizing its regulatory guidance with documents issued by the International Atomic Energy Agency (IAEA) to the extent practical. Although the NRC does not endorse the following IAEA safety standard(s) and/or guide(s), this RG generally incorporates similar guidelines and is generally consistent with the basic safety principles provided in them.

  • IAEA Safety Standards Series No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Specific Safety Guide, issued 2010 (Ref. 17)

  • IAEA Safety Standards Series No. SSG-4, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, Specific Safety Guide, issued 2010 (Ref. 18)

  • IAEA Safety Standards Series No. SSR-2/1, Revision 1, Safety of Nuclear Power Plants: Design, issued 2016 (Ref. 19)

C. STAFF REGULATORY GUIDANCE

This section provides detailed descriptions of the methods, approaches, or data that the staff considers acceptable for meeting the requirements of the applicable regulations cited in the Introduction of this guide.

RG 1.174 identifies five key principles that all risk-informed applications are expected to meet and that risk-informed changes to plant TS should explicitly address:

(1) Principle 1: The proposed licensing basis change meets the current regulations unless it is explicitly related to a requested exemption (i.e., under 10 CFR 50.12, Specific Exemptions).

(2) Principle 2: The proposed licensing basis change is consistent with the defense-in-depth philosophy.

(3) Principle 3: The proposed licensing basis change maintains sufficient safety margins.

(4) Principle 4: When proposed licensing basis changes result in an increase in risk, the increases should be small and consistent with the intent of the Commission's policy statement on safety goals for the operation of nuclear power plants.

(5) Principle 5: The impact of the proposed licensing basis change should be monitored using performance measurement strategies.

RG 1.174 identifies a four-element approach to evaluating proposed licensing basis changes. This section addresses the applicability of these key principles and elements to TS changes.

1. Element 1: Define the Proposed Change

1.1 Reason for Proposed Change

The submittals should state the reasons for requesting the TS change or changes, along with information that demonstrates that the extent of the change is needed. Generally, acceptable reasons for requesting TS changes fall into one or more of the categories below. RG 1.174, Section C.1, provides additional guidance on defining the proposed change.

1.1.1 Improvement in Operational Safety

A licensee may request the TS change to improve operational safety (i.e., a reduction in the plant risk or a reduction in occupational exposure of plant personnel in complying with the requirements).

1.1.2 Consistency of Risk Basis in Regulatory Requirements

The TS change can be supported based on its risk implications. TS requirements can be changed to reflect improved design features in a plant or to reflect equipment reliability improvements that make a previous requirement unnecessarily stringent or ineffective. The TS may also be changed to establish consistently based requirements across the industry or across an industry group. The licensee must ensure that the risk resulting from the change remains acceptable.

1.1.3 Reduce Unnecessary Burdens

A licensee may request the TS change to reduce unnecessary burdens in complying with current TS requirements, based on the operating history of the plant or industry in general. For example, in specific instances, the repair time may need to be longer than the CT defined in the TS. The required surveillance may lead to plant transients, result in unnecessary equipment wear, cause excessive radiation exposure to plant personnel, or place unnecessary administrative burdens on plant personnel that are not justified by the safety significance of the surveillance requirement. In some cases, the change may provide operational flexibility; in those cases, the change might allow increased allocation of the plant personnel's time to more safety-significant aspects.

In some cases, licensees may determine that there is a common need for a TS change among several licensees and that it is beneficial to request the changes as a group rather than individually. Group submittals can be advantageous when the equipment being considered in the change is similar across all plants in the group. The submittal still needs to provide plant-specific information about the engineering evaluations described in Section C.2. However, the group may be able to draw generic conclusions from a compilation of the plant-specific data. In addition, there will be benefits from cross comparison of the results of the plant-specific evaluations.

2. Element 2: Perform Engineering Analysis

As part of the second element, the licensee should evaluate the proposed TS change with regard to the key principles that ensure (1) current regulations are met, (2) adequate defense in depth is maintained, (3) sufficient safety margins are maintained, and (4) proposed increases in risk are small and are consistent with the intent of the Commission's policy statement on safety goals for the operation of nuclear power plants.

The staff expects licensees to provide strong technical bases for any TS change. The technical bases should be rooted in deterministic engineering and system analyses. Licensees should not submit for review TS change requests based on PRA results alone. TS change requests should give proper attention to the integration of considerations, such as conformance to the STS, generic applicability of the requested change if it is different from the STS, operational constraints, manufacturer recommendations, and practical considerations for test and maintenance. Standard practices used in setting CTs and SFs should be followed (e.g., CTs normally are 8 hours, 12 hours, 24 hours, 72 hours, 7 days, 14 days, and so on, and SFs normally are once per 12 hours, 7 days, 1 month, 3 months, and so on). Using such standards greatly simplifies implementation, scheduling, monitoring, and auditing. Logical consistency among the requirements should be maintained (e.g., CT requirements for multiple trains out of service should not be longer than that for one of the constituent trains).

2.1 Compliance with Current Regulations (Principle 1)

In evaluating proposed changes to TS, the licensee must ensure that the current regulations, orders, and license conditions are met, consistent with Principle 1 in RG 1.174. The regulations in 10 CFR 50.36 are specific to TS. The NRC's final policy statement on TS improvements (Ref. 20) gives more information on the agency's TS policies. These documents define the main elements of TS and provide criteria for items to be included in the TS.

The final policy statement and the Statements of Consideration for 10 CFR 50.36, as published in Volume 60 of the Federal Register, pages 36953-36959 (60 FR 36953-36959; July 19, 1995) (Ref. 21), also discuss the use of probabilistic approaches to improve TS. Regulations on applications for, and the issuance of, license amendments appear in 10 CFR 50.90; 10 CFR 50.91, "Notice for Public Comment; State Consultation"; and 10 CFR 50.92, "Issuance of Amendment." In addition, the licensee should ensure that the evaluation identifies and considers any discrepancies between the proposed TS change and licensee commitments.

2.2 Deterministic Engineering Considerations

2.2.1 Technical Specification Change Is Consistent with the Defense-in-Depth Philosophy (Principle 2)

Defense in depth is an element of the NRC's safety philosophy that employs multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Defense in depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility. The defense-in-depth philosophy has traditionally been applied in plant design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena that, because they are unknown or unforeseen, are not reflected in either the PRA or deterministic engineering analyses. Staff Requirements Memorandum-SECY-98-144, "Staff Requirements - SECY-98-144 - White Paper on Risk-Informed and Performance-Based Regulation," dated March 1, 1999 (Ref. 22), provides additional information on defense in depth as an element of the NRC's safety philosophy.

The engineering evaluation should demonstrate whether the implementation of the proposed TS change is consistent with the defense-in-depth philosophy (Principle 2 in RG 1.174). The intent of this key principle of risk-informed decisionmaking is to ensure that the licensee fully understands, and the submittal addresses, any impact of the proposed licensing basis change on defense in depth and that the change maintains consistency with the defense-in-depth philosophy. The intent is not to prevent changes in the way defense in depth is achieved. The licensee should fully understand how the proposed licensing basis change impacts plant design and operation from both risk and deterministic engineering perspectives.

RG 1.174 provides guidance on how to evaluate the impact of a proposed licensing basis change on defense in depth to determine whether that consistency is achieved. The seven defense-in-depth considerations in Section C.2.1.1 of RG 1.174 should be used to evaluate the impact of a proposed TS change on defense in depth to determine whether it maintains consistency with the defense-in-depth philosophy.

Additionally, the licensee should select engineering analysis techniques, whether quantitative or qualitative, deterministic or probabilistic, appropriate for the proposed TS change and that address the following:

a. whether there are appropriate restrictions in place to prevent simultaneous equipment outages that would erode the principles of redundancy and diversity,

b. whether compensatory measures that should be taken when entering the modified CT for preplanned maintenance are identified,

c. whether voluntary removal of equipment from service during plant operation is scheduled when adverse weather conditions are predicted, or when the plant may be subjected to other abnormal conditions,

d. whether the impact of the TS change on the safety function should be considered (e.g., the impact of a change in the CT for the low-pressure safety injection system on the overall availability and reliability of the low-pressure injection function), and

e. whether the potential loss of the TS-specified safety function should be evaluated for TS conditions with one or more trains, channels, systems, or subsystems inoperable.

2.2.2 Technical Specification Change Maintains Sufficient Safety Margin (Principle 3)

The licensee's engineering evaluation should assess whether the impact of the proposed TS change to a CT or SF is consistent with the principle that sufficient safety margins are maintained (Principle 3 in RG 1.174). The following summarizes an acceptable set of guidelines for making that assessment. Other equivalent decision guidelines are acceptable.

Sufficient safety margins are maintained under the following circumstances:

a. Codes and standards (e.g., American Society of Mechanical Engineers, Institute of Electrical and Electronics Engineers) or alternatives approved for use by the NRC are met (e.g., the proposed TS change to a CT or SF does not conflict with approved codes and standards relevant to the subject system).

b. Safety analysis acceptance criteria in the final safety analysis report are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainties (e.g., the proposed TS change to a CT or SF does not adversely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected, justification is provided to ensure sufficient safety margin will continue to exist). For TS CT changes, the effect on the final safety analysis report acceptance criteria should be assessed, assuming the plant is in the condition addressed by the proposed CT (i.e., the subject equipment is inoperable) and there are no additional failures. Such an assessment should result in identifying all situations in which entry into the condition addressed by the proposed CT could result in failure to meet an intended safety function.

2.3 Evaluation of Risk Impact (Principle 4)

Consistent with Principle 4 in RG 1.174, the NRC staff has identified the following three-tiered approach for licensees to evaluate the risk associated with proposed TS CT changes:

a. Tier 1 evaluates the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (CDF), the incremental conditional core damage probability (ICCDP),¹ the change in large early release frequency (LERF), and the incremental conditional large early release probability (ICLERP).² To support this evaluation, two aspects are to be considered: (1) the acceptability of the PRA and (2) the PRA insights and results. The licensee should demonstrate that its PRA is acceptable for assessing the proposed TS change, identify the impact of the TS change on plant risk, and demonstrate that this impact on plant risk meets the TS acceptance guidelines in Section C.2.4 of this RG.

b. Tier 2 identifies potentially high-risk configurations that could exist if equipment, in addition to the item associated with the change, is taken out of service simultaneously or if other risk-significant operational factors, such as concurrent system or equipment testing, are also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. In addition, compensatory measures that can mitigate any corresponding increase in risk (e.g., backup equipment, increased SF, or upgraded procedures and training) should be identified and evaluated.

c. Tier 3 establishes a risk-informed plant configuration control program (i.e., configuration risk management program (CRMP)) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for. If the Tier 2 assessment demonstrates, with reasonable assurance, that there are no risk-significant configurations involving the subject equipment, the application of Tier 3 to the condition addressed by the proposed CT may not be necessary.

¹ ICCDP = [(conditional CDF with the subject equipment out of service and nominal expected equipment unavailabilities for other equipment permitted to be out of service by the TS) - (baseline CDF with nominal expected equipment unavailabilities)] x (total duration of a single CT under consideration).

² ICLERP = [(conditional LERF with the subject equipment out of service and nominal expected equipment unavailabilities for other equipment permitted to be out of service by the TS) - (baseline LERF with nominal expected equipment unavailabilities)] x (total duration of a single CT under consideration).

Application of the three-tiered approach to risk-informed TS CT changes will ensure that such changes to the licensing basis will not significantly affect defense in depth.

Sections C.2.3.1-2.3.7 and Appendix A to this RG discuss various issues related to the three-tiered approach. Specifically, Sections C.2.3.1-2.3.5 and Appendix A outline issues associated with Tier 1, and Sections C.2.3.6 and C.2.3.7 outline issues associated with Tier 2 and Tier 3, respectively.

The NRC staff has identified several factors, discussed below, that should be considered in proposals for SF changes. In summary, the licensee should identify the SFs to be evaluated, determine the risk contribution associated with the subject SFs, determine the risk impact from the change to the proposed SFs, and perform sensitivity and uncertainty evaluations to address uncertainties associated with the SF evaluations. Sections C.2.3.1-2.3.6 and Appendix A to this RG provide more detail on risk evaluation for SF changes.

2.3.1 Acceptability of the Probabilistic Risk Assessment

The PRA used to support the TS change evaluation is measured in terms of its appropriateness with respect to scope, level of detail, conformance to the technical elements, and plant representation. These aspects of the PRA are to be commensurate with its intended use and the role the PRA results play in justifying the TS change. This applies to Tier 1 and to Tiers 2 and 3 to the extent that a PRA model is used. Section C.2.3 of RG 1.174 provides guidance on evaluating the acceptability of the PRA with respect to these PRA aspects and should be used to support TS change evaluations. In addition, Sections C.2.3.2 and C.2.3.3 of this RG provide guidance on assessing the acceptability of the PRA scope and PRA level of detail, respectively, for TS change evaluations.

2.3.2 Scope of the Probabilistic Risk Assessment for Technical Specification Change Evaluations

The scope necessary to fully support the evaluation of a TS change depends on the type of TS change being sought. The text below discusses the scope required for a variety of cases. However, in some cases, a PRA of sufficient scope may not be available. Qualitative arguments, bounding analyses, or compensatory measures will have to compensate for this lack.

At a minimum, evaluations of CDF and LERF should be performed to support any risk-informed changes to TS. The scope of the analysis should include all hazard groups (i.e., internal events, internal flood, internal fires, seismic events, high winds, transportation events, and other external hazards) unless the contribution from specific hazard groups does not affect the decision. When the risk associated with a particular hazard group or operating mode would affect the decision being made, the Commission's policy is to assess the risk using a staff-endorsed PRA standard for that hazard group or operating mode.

Sections C.2.3.1 and C.2.5 of RG 1.174 provide more detail.

When changes to the requirements for systems needed for decay heat removal are considered, an appropriate assessment of shutdown risk should also be considered. Examples of such systems are auxiliary feedwater, residual heat removal, emergency diesel generator, and service water. In addition, when CTs are being modified to facilitate online maintenance (i.e., transferring scheduled preventive maintenance from shutdown to power operation), the impact on the shutdown modes should also be considered. Using both power operation and shutdown models, when available, a comparative evaluation may be presented to decide the appropriate condition for scheduling maintenance based on risk evaluations. In some cases, a semiquantitative analysis of shutdown risk may be adequate (e.g., fault tree analysis or failure modes and effects analysis).

When CTs are being modified in anticipation of the need for additional time for corrective maintenance, an assessment of transition risk (the risk of transitioning from power operation to the mode required by the current TS in question) that could be incurred under the current, shorter CT may be desirable if the initial calculated risk increase is near or somewhat above the acceptance guidelines. In addition, TS changes to requirements for a controlled shutdown (i.e., the time allocated to transit through hot standby to hot shutdown to cold shutdown or to the final state that should be reached) should be evaluated using a model for the transition risk covering these periods or at least a qualitative evaluation of the transition risk, if possible.

2.3.3 Probabilistic Risk Assessment Modeling and Level of Detail

2.3.3.1 Detail Needed for Technical Specification Changes

To evaluate a TS change, the PRA should model specific systems or components involved in the change. The model should also be able to treat the alignments of components during periods when testing and maintenance are being carried out. Typically, LCOs and surveillance requirements relate to the system trains or components that are modeled in the system fault trees of a PRA. System fault trees should be sufficiently detailed to specifically include all the components for which surveillance tests and maintenance are performed and are to be evaluated.

Additional details that should be incorporated in the PRA in support of TS changes include the following:

a. For CT evaluations, system train-level models are adequate if all components belonging to the train are clearly identified (i.e., all those components that could cause the train to fail).

b. For evaluating SFs, individual component-level models are necessary.

c. Since PRAs typically model the plant at the individual component level, they may be used directly to analyze both CTs and SFs.

d. Component unavailability models should include contributions from random failure, common-cause failure (CCF), test downtime, and maintenance downtime.

e. Changes to the component unavailability model for test and maintenance downtimes should be based on a realistic estimate of expected surveillance and maintenance practices after the TS change is approved and implemented (e.g., how often the CT is expected to be entered for preplanned maintenance or surveillance).

f. The component unavailability model for test and maintenance downtimes should be based on plant-specific or industrywide operating experience, or both, as appropriate.

g. The component unavailability model should have the flexibility to separate the unavailability contribution from test and maintenance downtimes. For evaluating a CT, the contribution from maintenance downtime can be equated to zero to delete maintenance activities, if desired. For an SF evaluation, the contribution from the test downtime determines a contribution to risk from carrying out the test.

h. Additional details in terms of separating the failure rate contributions into cyclic demand-related and standby time-related contributions can be incorporated, if justifiable, for evaluating surveillance requirements.

The CCF contributions should be modeled so that they can be modified to reflect the condition in which one or more of the components is unavailable. Note that CCF modeling of components is not simply dependent on the number of remaining inservice components; it is also dependent on the reason the components were removed from service (i.e., whether for preventive or corrective maintenance). For appropriate configuration risk management and control, preventive and corrective maintenance activities are considered, and licensees should, therefore, have the ability to address the subtle difference that exists between maintenance activities (Section A-1.3.2 of Appendix A to this guide provides details).

To account for the effects of test placements for redundant components in relation to each other (e.g., staggered or sequential test strategy), time-dependent models and additional evaluations with specialized codes may be used.

If the PRA does not model the system for which the TS change is being requested, specialized analyses may be necessary to demonstrate the sufficiency of the proposal. Examples of these situations include the following:

a. When a system is modeled in the event tree, but a detailed fault tree model is not provided (a direct estimate of system unavailability from experience data or expert judgment is used), the TS evaluation can proceed in several ways, such as the following:

(1) A separate fault tree can be developed for the system for TS evaluation and used to complement the existing PRA model without directly modifying the PRA (e.g., detailed separate fault tree modeling of the reactor protection system combined with the existing PRA model).

(2) A bounding evaluation can be conducted based on the impact of system failures that are modeled in the PRA event trees; that is, failure of any component in the system can be assumed to cause system failure.

b. When a separate fault tree is developed, specific TS requirements within the system can be changed, and changes in the system unavailability can be measured. These changes can then be used in the PRA model to obtain the corresponding risk measures, as appropriate. Such evaluations can be considered in the same way as those evaluations made directly using PRA models, but they should satisfy the following conditions:

(1) Failures within the system should not affect any other system or component failure.

(2) The effect of system failure should not influence any initiating event frequency (or it should have a minimal or negligible effect).

(3) The system should not share components with another system.

c. When bounding evaluations are performed assuming any failure in the system as a system failure, the calculated risk impacts for TS changes are expected to be overestimated. The corresponding changes that may be acceptable will also be fewer than those that could have been justified using a detailed model. When considering the incorporation of non-PRA factors, this perspective should be kept, while at the same time considering the lack of a detailed model. Here also, the three conditions discussed for the previous case apply.

In some cases, since the risk-informed evaluation will be limited and some misestimation of the risk may have been incorporated, nonrisk-related engineering considerations gain importance in the overall decision. In such cases, arguments for the TS change also should be for small increments from current TS requirements (e.g., small changes to CTs or SFs).

2.3.3.2 Modeling of Initiating Events

The PRA explicitly models (i.e., uses detailed fault tree models) some initiating events resulting from support system failure (e.g., service water, component cooling water, instrument air). Any TS change for these systems will affect the corresponding initiating event frequency as well as the system unavailability and availability of other supported systems. The effect of TS changes on these initiating event frequencies should be considered.

Some test and maintenance activities can contribute to some transients. Initiating event frequencies used in the PRA do not typically separate out this contribution, but such a separation may be needed during TS change evaluations. For example, the effect of test-caused transients may be evaluated in determining an SF. Initiating event frequencies from conducting the test (i.e., test-caused transients) could then be modeled separately to evaluate the risk contribution from test-caused transients.

Section A-2 of the appendix to this RG discusses data needs for estimating initiating event frequencies from test-caused transients.

2.3.3.3 Screening Criteria

The main qualitative consideration for the screening of sequences in TS change evaluations is the inclusion of sequences directly affected by the TS change that would have been truncated by frequency-based screening alone. For example, if the TS change involves accumulators in a pressurized-water reactor, qualitative considerations imply the inclusion of sequences that contain the accumulators, even if these sequences do not meet the frequency criteria. Excluding these sequences would result in an underestimation of the risk impact of the proposed TS changes and, therefore, could have a significant influence on the ultimate acceptability of these changes.

2.3.3.4 Truncation Limits

Truncation levels should be used appropriately to ensure that significant underestimation caused by the truncation of cutsets does not occur, as discussed below. Additional precautions relevant to the cutset manipulation method of analysis are needed to avoid truncation errors in calculating risk measures.

When failure or outage of a single component is considered, as in the case of a CT or SF risk evaluation, the truncation levels in evaluating R1 and R0 are of concern. R1 is the increased CDF, with the component assumed to be inoperable (or equivalently, the component unavailability set to true), and R0 is the reduced CDF, with the component assumed to be operable (or equivalently, the component unavailability set to false). If the component in question appears in the cutsets near the truncation limit (e.g., all appearances are in cutsets within a factor of 10 of the truncation limit), it may be necessary to reduce the truncation limit. If R1 is marginally larger than the base case value, then one order of additional cutsets should be generated to ensure that any underestimation did not take place.

When considering risk from plant configurations involving multiple components, a cutset with a relatively small frequency can become a significant contributor to the CDF. This is because more than one of the affected components may appear in the same minimal cutset, and the unavailability (increased by the TS change) of more than one of these components could cause a significant increase in the cutset's frequency. For such cases, truncation levels should be reduced by a larger amount than would be the case for single components. Particular care should be taken if the evaluation of R1 is based on requantification of presolved cutsets, as the events related to the component of concern may not even appear in the cutsets.
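Added example (not part of the RG): the Python sketch below quantifies a small constructed cutset list with the rare-event approximation to show how requantifying presolved cutsets can miss the R1 increase described above, both for a single component and for two components that share a cutset. The event names, probabilities, truncation limits, and function names are assumptions made for this illustration.

```python
from math import prod

# Constructed basic-event values for illustration only (not plant data).
PROBS = {
    "IE_LOOP": 1e-2,  # initiating event frequency, per year
    "EDG_A": 2e-2,
    "EDG_B": 2e-2,
    "AFW_TD": 5e-3,
    "BATT": 1e-4,
    "OP_ERR": 1e-3,
}

# Constructed minimal cutsets for core damage.
CUTSETS = [
    frozenset({"IE_LOOP", "EDG_A", "EDG_B"}),            # 4e-6 per year
    frozenset({"IE_LOOP", "BATT"}),                      # 1e-6 per year
    frozenset({"IE_LOOP", "EDG_A", "AFW_TD", "OP_ERR"}),  # 1e-9 per year
    frozenset({"IE_LOOP", "EDG_B", "AFW_TD", "OP_ERR"}),  # 1e-9 per year
]


def freq(cutset):
    """Frequency of one cutset: product of its basic-event values."""
    return prod(PROBS[e] for e in cutset)


def quantify(cutsets):
    """Rare-event approximation of CDF: sum of the cutset frequencies."""
    return sum(freq(c) for c in cutsets)


def truncate(cutsets, limit):
    """Keep only cutsets whose frequency is at or above the truncation limit."""
    return [c for c in cutsets if freq(c) >= limit]


def minimize(cutsets):
    """Drop duplicates and any cutset that is a strict superset of another."""
    unique = set(cutsets)
    return [c for c in unique if not any(other < c for other in unique)]


def condition(cutsets, states):
    """Apply component states: True = inoperable, False = operable."""
    out = []
    for c in cutsets:
        if any(states.get(e) is False for e in c):
            continue  # an event set to false removes the whole cutset
        # an event set to true drops out of the product
        out.append(frozenset(e for e in c if states.get(e) is not True))
    return minimize(out)


def risk(states, limit, presolved):
    """CDF for the given component states.

    presolved=True  : truncate at base-case values first, then set states
                      (requantification of presolved cutsets).
    presolved=False : set states first, then truncate (model re-solved).
    """
    if presolved:
        return quantify(condition(truncate(CUTSETS, limit), states))
    return quantify(truncate(condition(CUTSETS, states), limit))


def needs_lower_limit(event, limit, factor=10.0):
    """Flag an event whose retained appearances all lie within `factor` of
    the limit. An event with no retained appearance is flagged as well,
    which extends the factor-of-10 check in the text."""
    hits = [freq(c) for c in truncate(CUTSETS, limit) if event in c]
    return not hits or all(f < factor * limit for f in hits)


if __name__ == "__main__":
    limit = 1e-8
    print("base CDF          ", risk({}, limit, True))
    print("R1 presolved      ", risk({"AFW_TD": True}, limit, True))
    print("R1 re-solved      ", risk({"AFW_TD": True}, limit, False))
    print("R1 presolved 1e-10", risk({"AFW_TD": True}, 1e-10, True))
    both = {"EDG_A": True, "AFW_TD": True}
    print("two out, presolved", risk(both, limit, True))
    print("two out, re-solved", risk(both, limit, False))
    print("lower the limit?  ", needs_lower_limit("AFW_TD", limit))
```

At a truncation limit of 1e-8 the presolved R1 for AFW_TD equals the base case because the component appears in no retained cutset; lowering the limit to 1e-10 recovers the re-solved value.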

2.3.4 Assumptions in Completion Time and Surveillance Frequency Evaluations

When using PRA to evaluate TS changes, the evaluation should consider the assumptions made within the PRA that could have a significant influence on the ultimate acceptability of the proposed changes. The submittal requesting the TS changes should discuss such assumptions.

Assumptions that CT change evaluations should consider include the following:

a. If CT risk evaluations are performed using only the PRA for power operation (i.e., to calculate the risk associated with (1) the equipment being unavailable during power operation for the duration of the CT and (2) any change in the CT), the risk associated with shutting the plant down because the CT is exceeded is not considered. In most cases, this risk has not been considered or, if considered, is assumed to further justify the requested change. If the risk evaluation results are marginal or exceed the guidelines for a proposed CT increase, and the systems involve those needed for shutdown (e.g., residual heat removal systems, service water systems, auxiliary feedwater systems), the licensee may want to perform comparative risk evaluations of continued power operation versus plant shutdown to justify the proposed CT increase. (Section C.2.5 of this RG provides additional discussion on comparative risk evaluations.)

b. When calculating the risk impacts (i.e., a change in CDF or LERF caused by CT changes), the change in average CDF should be estimated using the mean outage times (or an appropriate surrogate) for the current and proposed CTs. If a licensee chooses to use the zero-maintenance state as the base case (i.e., the case in which no equipment is unavailable because of maintenance), the submittal should include an explanation stating so. Usually, data for outage times correspond to the current CT, not to the proposed CT. Different assumptions are made to estimate the outage time corresponding to the proposed CT. The submittal should discuss assumptions concerning changes in maintenance practices under the extended CT regime and characterize their impact on the results of the analysis.

c. When the risk impact of a CT change is evaluated, the yearly risk impact that is calculated takes into account the outage frequency. A CT extension may imply that the maintenance of the component is improved, which may reduce the component's failure rate and, consequently, reduce the frequency of outages needed for correcting degradations or failure. There are no experience data for the extended CT; therefore, allowance for a lower failure rate should not be made. Here, the beneficial aspect of maintenance is not quantified, and this may give a slightly higher estimate of the yearly CT risk measure for the proposed CT.

d. Often, CT extensions are requested to facilitate online (or at-power) preventive maintenance of safety-system components. The frequency and duration of the extension may be estimated and the risk impact from the resulting unavailability of such equipment can be calculated.

e. When CTs of multiple safety system trains are extended, the likelihood of simultaneous outages of multiple components increases (resulting from combinations of failures, testing, and maintenance) because the increased duration increases the probability of the individual events that constitute the simultaneous multiple outages; hence, overlapping of routinely scheduled activities and random failures becomes more likely. The impact of such occurrences on the average plant risk (e.g., CDF) is small, but the conditional risk can be large. This issue is addressed as part of the implementation considerations (see Section C.2.3.7).

SF evaluations should consider the following assumptions:

a. Surveillance tests usually are assumed to detect failures that have occurred in the standby period. The component failure rate, , represents these failures in the formulation of component unavailability. The test-limited risk is normally estimated by assuming that a surveillance test of a component detects the failures and that after the test, the component's unavailability resets to zero, or false in the Boolean expression. Depending on a component's design and the test performed, a routine surveillance test may not detect a few component failures. Usually, their contribution to risk is considered negligible.

b. Regular surveillance testing of a component, as performed for safety system components, is considered to influence its performance. Generally, for most components, the increase of a surveillance interval beyond a certain value may reduce the component's performance (i.e., increase the failure rate). Experience data are not available to assess the SF values beyond which the component failure rate, , increases. In a risk-informed evaluation of surveillance requirements, if the failure rate is assumed to remain the same (i.e., unaffected by a change in the SF), this assumption implies that the SFs are not being changed beyond the value at which may be affected. Care should be taken not to reduce the SFs beyond such values using risk-informed analyses only.

c. The timing of surveillance tests for redundant components relative to each other (i.e., the test strategy used) impacts the risk measures calculated. Staggered or sequential test strategies are commonly used. The risk impacts of adopting different test strategies (e.g., sequential versus staggered) should be evaluated to determine whether there is an impact on the evaluation of the change being considered (Ref. 23).

d. Notwithstanding the beneficial aspects of testing to detect failures that occur in a standby period, several adverse effects may be associated with the test that should be considered in the SF evaluation, including downtime to conduct the test, errors of restoration after the test, test-caused transients, and test-caused wear of the equipment. A PRA usually models downtime and errors of restoration, unless they are negligible. Test-caused transients and wear of the equipment are applicable to a few tests but are not generally modeled separately in a PRA. However, they can be evaluated using PRA models supplemented with additional data and analysis. Methods are available to quantitatively address these aspects (Ref. 24); however, qualitative arguments can also support the reduction of an SF. If the adverse impact of testing is considered significant, such cases should be addressed quantitatively.

2.3.5 Sensitivity and Uncertainty Analyses Relating to Assumptions in Technical Specification Change Evaluations

As in any risk-informed study, numerous uncertainties about the assumptions made during the PRA model's development and application can affect risk-informed analyses of TS changes.

Sensitivity analyses may be necessary to address the important assumptions in the submittal with respect to TS change analyses. Such sensitivity analyses may include, as appropriate, the following:

a. the impact of a variation in repair or maintenance policy because of CT changes (e.g., scheduling preventive maintenance of longer duration at power),

b. the impact of variation in assumed mean downtimes or frequencies,

c. the effect of separating the cyclic demand versus the standby time-related contribution to the component's unavailability in deciding changes to an SF,

d. the effect of details about how CCFs are modeled in the PRA, and

e. the effect of modeling compensatory measures in the PRA.

Risk resulting from TS CT changes may be relatively insensitive to uncertainties (compared to the effect on risk from uncertainties in assumptions about plant design changes or significant changes to plant operating procedures, for example). This is because the uncertainties associated with CT changes tend to similarly affect the base case (i.e., before the change) and the changed case (i.e., with the change in place). That is, the risks result from similar causes in both cases (i.e., no new initiating transients or subsequent failure modes are likely to have been introduced by relatively minor CT changes). CT changes subject the plant to a variation in its exposure to the same type of risk, and the PRA model can predict, with relative surety based on data from operating experience, how much that risk will change based on that changed exposure. Similar results are expected for SF changes. The licensee should justify any deviations from these expectations.

The effects of multiple outages may become significant during relatively large increases in CTs or SFs. In those cases, however, the Tier 2 and Tier 3 aspects of TS changes (i.e., configuration monitoring, risk predictions, and configuration control based on the risk predictions) are expected to be robust and will be relied on to control the resulting potential for significant risk increases. Therefore, the Tier 2 and Tier 3 aspects of such TS changes should be justified as robust and adequate to control the resulting potential for significant risk increases.

NUREG-1855 provides additional guidance on the treatment of uncertainties.

2.3.6 Restrictions on Dominant Risk-Significant Configurations and Compensatory Measures (Tier 2)

Consistent with the key principle that changes to TS should result in only small increases in the risk to public health and safety (Principle 4 in RG 1.174), and as part of proposed TS change evaluations, licensees may consider certain compensatory measures (discussed below) that balance the calculated risk increase caused by the changes. This consideration should be made in light of the acceptance guidelines given in RG 1.174. Note that these considerations may be part of Tier 2 or Tier 3 programs.

The licensee should demonstrate that there are appropriate restrictions on dominant risk-significant configurations associated with the TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service. Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made about whether certain enhancements to the TS or procedures are needed to avoid risk-significant plant configurations.

To reduce the risk increase resulting from a proposed change, even though the licensee judges that the individual change meets the acceptance guidelines in Section C.2.4, the licensee might take compensatory measures such as those suggested below. If compensatory measures are considered part of the analysis of the change, the overall application for the TS change should include them. However, overreliance on programmatic activities such as compensatory measures associated with the change in the licensing basis should be avoided. Compensatory measures included in the submittal for a TS change should be measures for which the licensee is not already taking credit. Any such compensatory measures would become part of the licensing basis if the TS change were approved. The following are examples of compensatory measures:

a. adding a test of a redundant train before initiating a scheduled maintenance activity as part of a CT extension application,

b. limiting simultaneous testing (e.g., surveillance tests) and maintenance of redundant or diverse systems as part of a CT extension application, especially if the testing causes unavailability of the redundant train or component,

c. incorporating a staggered test strategy as part of the SF reduction application,

d. improving test and maintenance procedures to reduce test- and maintenance-related errors,

e. improving operating procedures and operator training to reduce the impact of human errors, and

f. improving system designs, which reduces overall system unavailability and plant risk.

When compensatory measures are part of the TS change evaluation, the risk impact of these measures should be considered and presented, either quantitatively or qualitatively. When a quantitative evaluation is used, the total impact of these measures should be evaluated by comparison to the small guideline (Principle 4 in RG 1.174). This includes (1) evaluation of the proposed TS changes without the compensatory measures, (2) evaluation of the proposed TS changes with the compensatory measures, and (3) specific discussion of how each compensatory measure is credited in the PRA model or during the evaluation process.

2.3.7 Risk-Informed Plant Configuration Control Program (Tier 3)

Consistent with the key principle that changes to TS result in small increases in the risk to public health and safety (Principle 4 in RG 1.174), certain configuration controls should be used. To support TS changes, a risk-informed plant configuration control program would uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation. This can be accomplished by evaluating the impact on plant risk of, for example, equipment unavailability, operational activities like surveillance testing or load dispatching, or weather conditions. The importance of this third tier stems from the difficulty of identifying all possible risk-significant configurations under Tier 2 that will ever be encountered over extended periods of plant operation.

2.3.7.1 Configuration Risk Management Program

Licensees should describe their capability to perform a contemporaneous assessment of the overall impact on the safety of proposed plant configurations before and during maintenance activities that remove equipment from service. Licensees should explain how these tools or other processes will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration.

2.3.7.2 Components of the Configuration Risk Management Program

The licensee should ensure the CRMP contains the following components.

Component 1: Implementation of the Configuration Risk Management Program

The intent of the CRMP is to implement 10 CFR 50.65(a)(4) (part of the Maintenance Rule) for online maintenance for risk-informed TS, with the following additions and clarifications:

a. The scope of structures, systems, and components (SSCs) within the CRMP includes all SSCs modeled in the licensee's plant PRA, in addition to all SSCs considered to have high safety significance in accordance with RG 1.160 that are not modeled in the PRA.

b. The CRMP assessment tool is informed by the PRA and may be in the form of a risk matrix, an online assessment, or a direct PRA assessment.

c. The CRMP should be invoked as follows:

(1) For preplanned entrance into the plant configuration described by a TS action with a risk-informed CT, a risk assessment, including, at a minimum, a search for risk-significant configurations, should be performed before entering the action.

(2) For unplanned entrance into the plant configuration described by a TS action with a risk-informed CT, a similar assessment should be performed in a timeframe defined by the plant's corrective action program (10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, Criterion XVI, Corrective Action).

(3) In the plant configuration described by a TS action with a risk-informed CT, when additional SSCs become inoperable or nonfunctional, a risk assessment, including, at a minimum, a search for risk-significant configurations, should be performed in a timeframe defined by the plant's corrective action program (10 CFR Part 50, Appendix B, Criterion XVI).

d. Tier 2 commitments apply only to planned maintenance but should be evaluated as part of the Tier 3 assessment for unplanned occurrences.

Component 2: Control and Use of the Configuration Risk Management Program Assessment Tool

a. Plant modifications and procedure changes should be monitored, assessed, and dispositioned as follows:

(1) Evaluations of changes in plant configuration or PRA model features should be dispositioned by implementing PRA model changes or by the qualitative assessment of the impact of the changes on the CRMP assessment tool. This qualitative assessment recognizes that changes to the PRA take time to implement and that changes can be effectively compensated for without compromising the ability to make sound engineering judgments.

(2) Limitations of the CRMP assessment tool are identified and understood for each specific CT extension.

b. Procedures exist for the control and application of CRMP assessment tools, including a description of the process when the plant configuration of concern is outside the scope of the CRMP assessment tool.

Component 3: Level 1 Risk-Informed Assessment

The CRMP assessment tool uses at least a Level 1, at-power, internal events PRA model. CRMP assessments can reference a risk matrix, preexisting calculations, or new PRA analyses. The CRMP assessment may use any combination of quantitative and qualitative input:

a. Quantitative assessments should be performed whenever necessary for sound decisionmaking.

b. When quantitative assessments are not necessary for sound decisionmaking, qualitative assessments can be performed. Qualitative assessments should consider applicable existing insights from previous quantitative assessments.

Component 4: Level 2 Issues and External Hazards

The licensee should treat external hazards and Level 2 issues qualitatively or quantitatively, or both.

2.4 Acceptance Guidelines for Technical Specification Changes

The guidelines discussed in Sections C.2.4 and C.2.5 of RG 1.174 are applicable to TS change requests for CTs and SFs. Those sections present risk-acceptance guidelines as a function of the result of the licensee's risk analysis in terms of total CDF and total LERF predicted for the plant and the change in CDF and LERF predicted for the proposed licensing basis changes. TS submittals for changes to CTs should also be evaluated against the risk-acceptance guidelines in this RG, in addition to those in RG 1.174. All risk-acceptance guidelines to individual proposals for TS changes will be applied in a manner consistent with Principle 4 in RG 1.174: changes to TS result in small increases in the risk to public health and safety.

TS change evaluations may involve some small increase in risk, as quantified by PRA models.

Such a small increase may be offset by the many beneficial effects of the change that are not modeled by the PRA. The role of numerical guidelines is to ensure that the increase in risk is small and to provide a quantitative basis for the risk increase based on aspects of the TS change that are modeled or quantified.

In some instances, risk information submitted by a licensee may support a long-term CT extension (e.g., greater than 90 days). Restricting CT extensions to a backstop or a maximum CT limits extended exposure to single-failure susceptibility and compensates for the inherent uncertainty associated with PRAs. TS conditions addressed by CTs are entered infrequently and are inherently temporary. As stated in Section 4.1.2 of Nuclear Energy Institute (NEI) 96-07, Guidelines for 10 CFR 50.59 Evaluations, dated February 22, 2000 (Ref. 25), if a temporary change in support of maintenance activities is expected to be in effect during at-power operations for more than 90 days, the provisions of 10 CFR 50.59, Changes, Tests and Experiments, would be applied to the temporary change in the same manner as a permanent change. Even though NEI 96-07 applies to conducting 10 CFR 50.59 evaluations, a parallel can be drawn to TS CT extensions, in that temporary configurations or modifications extending beyond 90 days may no longer be considered temporary. Licensees requesting long-term CT extensions should be aware that such a request would increase the depth and level of detail of the staff's review, and they should ensure that any proposed measures to reduce the risk impact of the TS change (e.g., risk management actions, Tier 2 and 3 analyses, less reliance on programmatic activities as compensatory measures, demonstrating backup equipment reliability or availability) are commensurate with the proposed CT extension.

Using the risk measures discussed in this RG, the change in risk should be calculated for TS changes and compared against the numerical guidelines referenced in RG 1.174 or, for CT changes, against the numerical guidelines presented below. In calculating the risk impact of the changed case, licensees can credit additional changes to be implemented as part of the change. For example, in seeking an SF change, if the test strategy is also to be changed, the risk evaluation should incorporate its effect.

TS conditions addressed by CTs are entered infrequently and are temporary by their very nature.

However, TS do not typically restrict the frequency of entry into conditions addressed by CTs. Therefore, the staff provides the following TS acceptance guidelines specific to permanent CT changes for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines in RG 1.174:

a. The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An ICCDP of less than 1×10⁻⁶ and an ICLERP of less than 1×10⁻⁷ are considered small for a single TS condition entry³ (Tier 1).

b. The licensee has demonstrated that there are appropriate restrictions on dominant risk-significant configurations associated with the change (Tier 2).

c. The licensee has implemented a risk-informed plant configuration control program, including procedures to use, maintain, and control such a program (Tier 3).

³ The ICCDP and ICLERP acceptance guidelines of 1×10⁻⁶ and 1×10⁻⁷, respectively, are established for consistency with the incremental core damage probability (ICDP) and incremental large early release probability (ILERP) limits of Section 11 in Nuclear Management and Resources Council (NUMARC) 93-01, Revision 4F, Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, issued April 2018 (Ref. 26), applicable for maintenance activities involving normal work controls. RG 1.160 endorses, with certain provisions and clarifications, NUMARC 93-01.

For one-time-only changes to TS CTs, the frequency of entry into the CT may be known, and the configuration of the plant SSCs may be established. Further, there is no permanent change to the plant CDF or LERF, and hence, the risk guidelines of RG 1.174 cannot be applied directly. The staff provides the following TS acceptance guidelines specific to one-time-only CT changes for evaluating the risk associated with the revised CT:

a. The licensee has demonstrated that the impact on plant risk from implementing the one-time-only TS CT change is acceptable (Tier 1):

(1) an ICCDP of less than 1×10⁻⁶ and an ICLERP of less than 1×10⁻⁷, or

(2) an ICCDP of less than 1×10⁻⁵ and an ICLERP of less than 1×10⁻⁶ with effective compensatory measures implemented to reduce the sources of increased risk.⁴

b. The licensee has demonstrated that there are appropriate restrictions on dominant risk-significant configurations associated with the change (Tier 2).

c. The licensee has implemented a risk-informed plant configuration control program, including procedures to use, maintain, and control such a program (Tier 3).

In the context of integrated decisionmaking, the acceptance guidelines should not be interpreted as overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical values above are approximate values that indicate the changes that are generally acceptable. Furthermore, the state of knowledge, or epistemic uncertainties, associated with PRA calculations prevent a definitive decision with respect to the acceptance of the proposed change based purely on the numerical results. The intent in comparing the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4 is being met. This decision should be based on a full understanding of the contributors to the PRA results and the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. In accordance with Section C.2.6 of RG 1.174, the NRC would give increased attention to the application if the calculated values of the changes in the risk metrics and their base values, when appropriate, approach the acceptance guidelines. Therefore, if the risk metrics approach, or even slightly exceed, the acceptance guidelines, the licensee's submittal should address the additional aspects of plant risk and operation discussed in Section C.2.6 of RG 1.174.

There may be situations in which a nonquantitative assessment of risk (either alone or accompanied by a quantitative assessment) is sufficient to justify the proposed TS changes. The licensee is expected to use judgment in developing an appropriate (to support regulatory decisionmaking) risk argument to justify the proposed TS changes, including the appropriate blend of quantitative and qualitative assessments.

2.5 Comparison of Risk of Available Alternatives

Available alternatives are sometimes compared to justify a TS change. For changes in TS CTs, such cases primarily involve comparing the risk of shutting down with the risk of continuing power operation, given that the plant is not meeting one or more TS LCOs. Such comparisons can be used to justify the increase in at-power risk associated with the TS change by averting some transition or shutdown risk.

⁴ For one-time-only CT changes, the ICCDP and ICLERP acceptance guidelines of 1×10⁻⁵ and 1×10⁻⁶, respectively, are established for compatibility with the ICDP and ILERP limits of Section 11 in NUMARC 93-01, which is applicable for voluntary maintenance activities requiring risk-management actions.

Similarly, in the case of an SF change, the beneficial and adverse impacts can also be compared.

The modified SF should be chosen so that the benefit of testing is at least equal to or greater than the adverse effects of testing. For example, if the calibration of relays in the reactor protection system causes plant transients, the risk from the test-caused transients is then estimated and compared with the test-limited risk of a reduced SF.

In using such guidelines, the following considerations apply:

a. The uncertainty associated with the two measures being compared can differ and should be considered in deciding on an acceptable change.

b. When the risk measures associated with all alternatives are unacceptably large, ways to reduce the risk should be explored instead of only extending the TS requirement. That is, a large risk from one of the alternatives should not justify relaxing TS without giving appropriate attention to risk-reduction options. If the risk from test-caused transients is large, attention may then be given to exploring changes in test procedures to reduce such risk, rather than only reducing the SF. However, a combination of the two approaches also may be appropriate.

2.6 Integrated Decisionmaking

In accordance with Section C.2.6 of RG 1.174, the results of the evaluations under Sections C.1, C.2, and C.3 should be considered in an integrated manner to determine the final acceptability of the proposed TS change. PRA results are compared to numerical acceptance guidelines, along with other deterministic considerations, operating experience, lessons learned from previous changes, practical considerations associated with test and maintenance practices, and the implementation and monitoring program. The final acceptability of the proposed TS change should be based on all these considerations and not solely on the numerical results of the PRA. These results are one input into the decisionmaking and help in building an overall picture of the risk implications of the proposed TS change. As discussed previously, the numerical guidelines are used to ensure that any increase in risk is within acceptable limits, deterministic considerations are used to ensure that the change satisfies rules and regulations, practical considerations are taken into account to judge the acceptability of implementing the change, lessons learned from past experience ensure that mistakes are not repeated, and monitoring ensures that the TS change does not degrade operational safety over time. RG 1.174, Section C.2.6, provides additional guidance on the integrated decisionmaking process.

3. Element 3: Define Implementation and Monitoring Program

3.1 Three-Tiered Implementation Approach

As described in Section C.2.3, the licensee should use a three-tiered approach to implement the proposed TS CT changes. Application of the three-tiered approach is consistent with the fundamental principle that the proposed change is consistent with the defense-in-depth philosophy. It also provides assurance that the proposed change will not significantly impact defense in depth.

3.2 Technical Specification Change Monitored Using Performance Measurement Strategies (Principle 5)

Consistent with Principle 5 in RG 1.174, extension of a TS CT or reduction of a TS SF should not degrade operational safety over time. The licensee should ensure, as part of its Maintenance Rule program (10 CFR 50.65), that when equipment does not meet its performance criteria, the scope of the evaluation required under the Maintenance Rule includes prior related TS changes. If the performance or condition of TS equipment affected by a TS change does not meet established performance criteria, the licensee should take appropriate corrective action, in accordance with the Maintenance Rule. Such corrective action could consider another TS change to shorten the revised CT or increase the revised SF, or impose a more restrictive administrative limit if the licensee determines this to be an important factor in reversing the negative trend.

4. Element 4: Submit Proposed Change

The evaluations performed to justify the proposed TS changes should be documented, maintained, and included in the license amendment request submittal in accordance with Section C.6 of RG 1.174. Specifically, documentation for risk-informed TS change submittals should include a description or discussion of the following:

a. the TS changes being proposed and the reasons for seeking the changes (Section C.1, Element 1),

b. a summary of the engineering analyses conducted to justify the proposed TS changes and evidence that they meet the principles described in this RG (Section C.2, Element 2),

c. compliance with current regulations, orders, and license conditions (Section C.2.1, Principle 1),

d. the defense-in-depth evaluation (Section C.2.2.1, Principle 2),

e. the safety margins evaluation (Section C.2.2.2, Principle 3),

f. the risk impact evaluation (Sections C.2.3-2.5, Principle 4):

(1) acceptability of the PRA models used to evaluate proposed TS changes (Sections C.2.3.1, C.2.3.2, and C.2.3.3),

(2) changes made to the PRA models used to evaluate proposed TS changes (including data developed and used in addition to the plant's PRA database) (Section C.2.3.3),

(3) assumptions of the PRA analysis used to evaluate proposed TS changes (Section C.2.3.4),

(4) sensitivity and uncertainty analyses performed and associated results (Section C.2.3.5),

(5) the approach used to identify the dominant risk-significant plant configurations associated with proposed TS changes, identification of these dominant risk-significant plant configurations, explanation of how these plant configurations will be prohibited (e.g., by TS or plant procedures) during the TS outage, discussion of any compensatory measures proposed as part of the TS change evaluation, and quantitative or qualitative presentation of the risk impact of these compensatory measures (Section C.2.3.6, Tier 2),


(6) the capability of the risk-informed plant configuration control program to perform contemporaneous assessments of the overall impact on safety of proposed plant configurations, including an explanation of how these tools or other processes will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration (Section C.2.3.7, Tier 3),

(7) risk measures used in evaluating the proposed TS changes, providing the calculated risk measure values associated with the TS change evaluation (including intermediate results) and addressing how they align with the risk-acceptance guidelines presented in this RG, in addition to those in RG 1.174, as applicable; if the risk metrics approach, or slightly exceed, the acceptance guidelines, discussion of the additional aspects of plant risk and operation identified in Section C.2.6 of RG 1.174 (Section C.2.4), and

(8) a comparison of the risk of available alternatives, as applicable (Section C.2.5),

g. the integrated decision to determine final acceptability of the proposed TS change (Section C.2.6),

h. the implementation and monitoring program (Principle 5), including use of the Maintenance Rule program (10 CFR 50.65) (Section C.3, Element 3),

i. a marked-up copy (e.g., redline markup) of the relevant TS and bases, including adequate information to provide the technical basis for the revised CT or SF, and

j. all other documentation required to be submitted with a license amendment request.

D. IMPLEMENTATION

The NRC staff may use this regulatory guide as a reference in its regulatory processes, such as licensing, inspection, or enforcement. However, the NRC staff does not intend to use the guidance in this regulatory guide to support NRC staff actions in a manner that would constitute backfitting as that term is defined in 10 CFR 50.109, Backfitting, and as described in NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (Ref. 27), nor does the NRC staff intend to use the guidance to affect the issue finality of an approval under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. The staff also does not intend to use the guidance to support NRC staff actions in a manner that constitutes forward fitting as that term is defined and described in Management Directive 8.4. If a licensee believes that the NRC is using this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfitting or forward fitting appeal with the NRC in accordance with the process in Management Directive 8.4.

REFERENCES⁵

1. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Washington DC.

2. U.S. Code of Federal Regulations, Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter I, Title 10, Energy.

3. U.S. Code of Federal Regulations, Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Chapter I, Title 10, Energy.

4. U.S. Nuclear Regulatory Commission, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Washington DC.

5. U.S. Nuclear Regulatory Commission, NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decisionmaking: Final Report, Washington DC.

6. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Washington DC.

7. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Washington DC.

8. Atomic Energy Commission, Part 50 - Licensing of Production and Utilization Facilities Technical Specifications for Facility Licenses; Safety Analyses Reports, Federal Register, Vol. 33, No. 244, December 17, 1968, pp. 18610-18613.

9. U.S. Nuclear Regulatory Commission, Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement, Federal Register, Vol. 60, No. 158, August 16, 1995, pp. 42622-42629.

10. U.S. Nuclear Regulatory Commission, NUREG-1430, Standard Technical Specifications, Babcock and Wilcox Plants, Revision 4, Washington DC.

11. U.S. Nuclear Regulatory Commission, NUREG-1431, Standard Technical Specifications, Westinghouse Plants, Revision 4, Washington DC.

12. U.S. Nuclear Regulatory Commission, NUREG-1432, Standard Technical Specifications, Combustion Engineering Plants, Revision 4, Washington DC.

13. U.S. Nuclear Regulatory Commission, NUREG-1433, Standard Technical Specifications, General Electric BWR/4 Plants, Revision 4, Washington DC.

14. U.S. Nuclear Regulatory Commission, NUREG-1434, Standard Technical Specifications, General Electric BWR/6 Plants, Revision 4, Washington DC.

⁵ Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at https://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at https://www.nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

15. U.S. Nuclear Regulatory Commission, Inspection Manual Chapter 0326, Operability Determinations, September 30, 2019, ADAMS Accession No. ML19273A878.

16. U.S. Nuclear Regulatory Commission, Generic Letter 80-30, Clarification of the Term Operable as It Applies to Single Failure Criterion for Safety Systems Required by TS, Washington DC, April 10, 1980.

17. International Atomic Energy Agency, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Specific Safety Guide, Safety Standards Series No. SSG-3, Vienna, Austria, 2010.⁶

18. International Atomic Energy Agency, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, Specific Safety Guide, Safety Standards Series No. SSG-4, Vienna, Austria, 2010.

19. International Atomic Energy Agency, Safety of Nuclear Power Plants: Design, Safety Standards Series No. SSR-2/1, Rev. 1, Vienna, Austria, 2016.

20. U.S. Nuclear Regulatory Commission, Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors, Federal Register, Vol. 58, No. 139, July 22, 1993, pp. 39132-39139.

21. U.S. Nuclear Regulatory Commission, Technical Specifications - Final Rule, Federal Register, Vol. 60, No. 138, July 19, 1995, pp. 36953-36959.

22. U.S. Nuclear Regulatory Commission, Staff Requirements - SECY-98-144 - White Paper on Risk-Informed and Performance-Based Regulation, Staff Requirements Memorandum-SECY-98-144, March 1, 1999, ADAMS Accession No. ML003753601.

23. U.S. Nuclear Regulatory Commission, Handbook of Methods for Risk-Based Analyses of Technical Specifications, NUREG/CR-6141, BNL-NUREG-52398, December 1994, ADAMS Accession No. ML093090361.

24. U.S. Nuclear Regulatory Commission, Quantitative Evaluation of Surveillance Test Intervals Including Test-Caused Risks, NUREG/CR-5775, BNL-NUREG-52296, February 1992, ADAMS Accession No. ML19172A254.

25. Nuclear Energy Institute, NEI 96-07, Guidelines for 10 CFR 50.59 Evaluations, February 22, 2000, ADAMS Accession No. ML003686043.

26. Nuclear Management and Resources Council, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, NUMARC 93-01, Rev. 4F, April 2018, ADAMS Accession No. ML18120A069.⁷

27. U.S. Nuclear Regulatory Commission, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, Management Directive 8.4, September 20, 2019.

⁶ Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their website: WWW.IAEA.Org/ or by writing the International Atomic Energy Agency, P.O. Box 100 Wagramer Strasse 5, A-1400 Vienna, Austria.

⁷ Publications from the Nuclear Energy Institute (NEI) are available at the NEI Web site: http://www.nei.org/ or by contacting the headquarters at Nuclear Energy Institute, 1776 I Street, NW, Washington, DC 20006-3708, Phone: (202) 739-800, Fax (202) 785-4019.

APPENDIX A

CONSIDERATIONS AND DATA NEEDS FOR TECHNICAL SPECIFICATION CHANGE RISK EVALUATIONS

A-1. Other Considerations in Technical Specification Change Risk Evaluations

A-1.1 Risk-Informed Measures for Technical Specification Changes to Completion Times and Surveillance Frequencies

This section lists the risk-informed measures used in completion time (CT) and surveillance frequency (SF) evaluations.¹ NUREG/CR-6141, Handbook of Methods for Risk-Based Analyses of Technical Specifications, issued December 1994 (Ref. 1), discusses these measures in more detail.

The measures applicable for CT evaluations include the following:

a. conditional risk given the limiting condition for operation (LCO),

b. incremental conditional core damage probability (ICCDP), and

c. yearly CT risk.

When comparing the risk of shutting down with the risk of continuing power operation for a given LCO, the following measures apply:

a. risk of continued power operation for a given downtime, like ICCDP, and

b. risk of shutting down the plant for the same downtime.

The following measures apply for SF evaluations:

a. test-limited risk, and

b. test-caused risk.

Similar to the CT evaluations, the risk contributions for preventive maintenance (PM) include the following:

a. single PM risk, and

b. yearly PM risk.

The risk associated with simultaneous outages of multiple components, called configuration risk, is calculated as part of CT changes. The three-tiered approach discussed in Section C.2.3 of this regulatory guide (RG) includes calculations of risks for multiple components that may be taken down together. The following applicable measures are similar to the CT measures stated above:

a. conditional risk (e.g., increase in core damage frequency (CDF)) caused by the configuration, and

b. increase in risk (e.g., core damage probability, which is obtained by multiplying the increase in CDF by the duration of the configuration for the occurrence of a given configuration).

¹ The improved Standard Technical Specifications (NUREGs 1430-1434; see References in this RG) use completion time and surveillance frequency in place of allowed outage time and surveillance test interval.

Appendix A to RG 1.177, Rev. 2, Page A-1

If the licensee uses different measures, it should adequately discuss them in its submittal.

A-1.2 Measures for Multiple Technical Specification Changes

When multiple technical specification (TS) changes are being evaluated, the combined impact of the individual changes should also be considered. The following sections discuss the considerations related to the calculation of total impacts.

A-1.2.1 Measures That Can Be Combined for Multiple Technical Specification Changes

When considering risk contributions from several CTs, the risk measures can be combined according to the following guidelines:

a. The ICCDPs from several CTs do not generally interact nor accumulate to give a total contribution because the single CT risks are conditional risks per event, and the downtime events for the different CTs are different events. The only time that ICCDPs should be considered simultaneously is when multiple components can be down at the same time, constituting the same event. Such a case is referred to as a downed configuration, or simply a configuration. The risk contribution associated with a configuration is referred to as the configuration risk and is evaluated separately as a multiple component downtime. Conducting maintenance on several components is a principal cause of potentially high configuration risks.

b. Yearly CT risk contributions from several CTs can interact and should be accumulated to give the total yearly contribution from all the CTs being considered. When the CTs do not interact (i.e., when the downed components are not in the same minimal cutset), the yearly CT risk contribution from several CTs is the sum of the individual yearly CT risk contributions. When the CTs do interact (i.e., when two or more of the downed components are in the same minimal cutset), interaction of the CT risk contributions should be considered.

c. When calculating the test-limited risk for changes in multiple SFs, the total test-limited risk should be properly evaluated. Simple addition of individual test-limited risks will not provide the combined test-limited risk. In a simple addition, the total test-limited risk contribution is underestimated because the interacting terms are neglected.

A-1.2.2 Total Impact of Multiple Changes

When multiple changes are requested, the total collective risk impact from all the changes should be evaluated. For example, for a group of CT and SF changes, this includes the total impact of all the requested CT changes, SF changes, and CT and SF changes.

If multiple changes are made, the impact of each change is assessed individually; as a check, the plant probabilistic risk assessment (PRA) should be used to quantify the total impact.


A-1.3 Quantification of Risk Measures

A-1.3.1 Alternative Ways of Calculating Technical Specification Change Risk Measures

In calculating the measures discussed for evaluating TS changes, two specific risk levels should be quantified using PRA. Focusing on the CDF level, the risk levels are R1, the increased risk level (e.g., CDF) with the component assumed down or equivalent component unavailability set to true, and R0, the reduced CDF with the component assumed up; that is, the component unavailability is set to false.

A-1.3.1.1 Using Probabilistic Risk Assessment To Obtain Completion Time, Preventive Maintenance, and Configuration Risk Contributions

R1 can be calculated by setting the component-down event to a true state in the PRA. Similarly, R0 can be calculated by setting the component-down event to a false state in the PRA. The component-down event in the PRA is the event showing that the component is down for repair or maintenance. If the existing minimal cutsets include the component-down event, these minimal cutsets can be used to determine R1 and R0, provided the minimal cutsets sufficiently cover the contribution of the down event. The existing minimal cutsets are sufficient if those containing the down event are not all near the truncation limit (i.e., are not all within a factor of 10 of the truncation limit). Alternatively, the minimal cutsets are sufficient if those containing the down event have a nonnegligible contribution (i.e., a contribution greater than or equal to 1 percent). If the existing minimal cutsets are sufficient, the increased risk level R1 can be determined by setting the component-down unavailability to 1 and deleting larger minimal cutsets that contain smaller minimal cutsets (i.e., those absorbed by the smaller minimal cutsets). If any minimal cutsets contain complementary events, they also should be removed if they are inconsistent with the component being down. The reduced risk level R0 can be determined analogously by setting the down unavailability to zero.

If the existing minimal cutsets do not contain the component-down event, or if there is a question on the coverage of the existing minimal cutsets, the minimal cutsets should be regenerated. R1 is determined by setting the component-down event in the PRA models to a true state. The truncation limit of the minimal cutset can be reduced by at least a factor of 10 to give added assurance of sufficient coverage. The minimal cutsets that are generated using the reduced truncation limit can then be used to determine R1 by setting the down unavailability to zero.

Contributions from common-cause failures (CCFs) need special attention when calculating the increased risk level R1. If the component is down because of a failure, the common-cause contributions involving the component should be divided by the probability of the component being down because of failure since the component is given to be down. If the component is down because it is being brought down for maintenance (but not failed), the CCF contributions involving the component should be modified to remove the component and to only include failures of the remaining components (also see Section C.2.3.3 of this RG).

If other components are reconfigured while the component is down, these reconfigurations can be incorporated in estimating R1 or R using the PRA. If other components are tested before repair or if maintenance is carried out on the downed components, the conduct of these tests and their outcomes also can be modeled. If other components are more frequently tested when the component is down for the conditions addressed by the CT, this increased frequency of testing also can be incorporated into the PRA.

These modeling details are sometimes neglected in the PRA because of their apparently small contribution. However, when isolating the CT risk contributions and in justifying modified CTs, these details can become significant.

A-1.3.1.2 Appropriate Use of Probabilistic Risk Assessment Minimal Cutsets

As indicated, a PRA computes the yearly CT risk contribution to the yearly CDF. Basically, the yearly CT risk contribution is the sum of the minimal cutset contributions containing the component-down unavailability (typically for maintenance) qm,

qm = f × d

where f is the downtime frequency and d is the downtime associated with the CT. The downtime d usually is estimated as an average downtime associated with the CT. If the minimal cutsets sufficiently cover the downed unavailability, those that contain the downed unavailability, qm, can be summed to give the yearly CT risk contribution, Ry.
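The cutset manipulations of Sections A-1.3.1.1 and A-1.3.1.2 can be worked through on a small model. The following is an added example, not part of the RG: the event names, probabilities, truncation limit, and the rare-event approximation (summing cutset products) are all assumptions made for illustration, and the common-cause adjustments discussed above are not modeled.

```python
from math import prod

DOWN = "A_DOWN"            # component-down event (train A out for maintenance)
COMPLEMENT = "NOT_A_DOWN"  # complementary event (train A not in maintenance)

# Constructed inputs, not taken from the RG or from any plant PRA.
F_PER_YEAR = 2.0             # f: downtime frequency
D_YEARS = 1.0e-3             # d: average downtime per entry
Q_M = F_PER_YEAR * D_YEARS   # qm = f x d
TRUNCATION = 1.0e-10         # truncation limit used to generate the cutsets

PROB = {
    "IE": 1.0e-2,            # initiating-event frequency per year
    DOWN: Q_M,
    COMPLEMENT: 1.0 - Q_M,
    "A_FAIL": 1.0e-3,
    "B_FAIL": 1.0e-3,
    "A_TEST_ERR": 1.0e-2,    # error that can occur only while A is in service
    "X_FAIL": 1.0e-4,        # contributor unrelated to train A
}

CUTSETS = [
    frozenset({"IE", DOWN, "B_FAIL"}),
    frozenset({"IE", "A_FAIL", "B_FAIL"}),
    frozenset({"IE", COMPLEMENT, "A_TEST_ERR", "B_FAIL"}),
    frozenset({"IE", "X_FAIL"}),
]


def value(cutset):
    """Product of the basic-event probabilities in one cutset."""
    return prod(PROB[event] for event in cutset)


def total(cutsets):
    """Rare-event approximation: sum of the cutset products."""
    return sum(value(c) for c in cutsets)


def absorb(cutsets):
    """Delete larger cutsets that contain a smaller cutset."""
    unique = list(dict.fromkeys(cutsets))
    return [c for c in unique if not any(other < c for other in unique)]


def condition(cutsets, component_down):
    """Fix the down event to true or false and re-minimize the cutsets."""
    true_ev, false_ev = (DOWN, COMPLEMENT) if component_down else (COMPLEMENT, DOWN)
    # Cutsets holding the event that is now false cannot occur; the event
    # that is now true has probability 1 and drops out of the product.
    kept = [c - {true_ev} for c in cutsets if false_ev not in c]
    return absorb(kept)


def cutsets_sufficient(cutsets, truncation):
    """Coverage check of A-1.3.1.1 for the cutsets containing the down event."""
    with_down = [c for c in cutsets if DOWN in c]
    if not with_down:
        return False
    not_all_near_limit = any(value(c) > 10 * truncation for c in with_down)
    nonnegligible = total(with_down) >= 0.01 * total(cutsets)
    return not_all_near_limit or nonnegligible


def evaluate():
    r1 = total(condition(CUTSETS, component_down=True))
    r0 = total(condition(CUTSETS, component_down=False))
    return {
        "sufficient": cutsets_sufficient(CUTSETS, TRUNCATION),
        "R1": r1,                                            # per year
        "R0": r0,                                            # per year
        "Ry": total([c for c in CUTSETS if DOWN in c]),      # yearly CT risk
        "single_downtime_increase": (r1 - r0) * D_YEARS,     # increase in CDF x duration
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

With the component down, the cutset {IE, A_FAIL, B_FAIL} is absorbed by {IE, B_FAIL}, and the cutset carrying the complementary event is removed, which is why R1 cannot be obtained by simply rescaling the baseline sum.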

A-1.3.1.3 Using the Probabilistic Risk Assessment To Determine the Test-Limited Risk Contribution The PRA can be used to calculate the increase in the risk-level R and to obtain the component unavailability, q, which are the contributing factors in calculating the test-limited risk contribution. The preceding and following sections discuss considerations involved in calculating R1 and R0 to obtain R.

When the effect of change in SF for one or more components is being evaluated, the PRA can directly calculate the change in the risk measure (e.g., in the CDF). The calculation of PRA results, when changed SFs are included, incorporates interactions among the SFs. The differences between the results (i.e., CDF when the SFs are changed from the baseline CDF) provide the test-limited risk contribution for changing the SFs.

Such a calculation should include appropriately modified contributions of CCFs. The common-failure terms modeled as a function of the SF should be modified to reflect the new SF.

Typically, CCFs are modeled using a -factor or multiple Greek letter model when the CCF of multiple components is a function of the SF. When changing SFs, care should be taken to change this term within the common-cause contribution. The common cause of failing multiple components resulting from human error following a test is not a function of the SF, but it may be affected by the test strategy used.

When different test strategies are being evaluated, the human error term should be considered.

Specific assumptions that were used in quantifying the human error common-cause term should be identified and checked if they apply to the test strategy being analyzed. For example, if the term was developed assuming a sequential test strategy, but a staggered test strategy is being analyzed, the term should be modified to reflect this change. The failure probability from a common-cause human error for a staggered test strategy is expected to be significantly lower than that for the sequential test strategy.

A-1.3.1.4 Using Minimal Cutsets To Calculate Test-Limited Risks The test-limited risk for a component or a set of components also can be determined by identifying those minimal cutsets that contain one or more of the SF contributions. The sum of the relevant minimal cutset contributions is then equal to the test-limited risk. To evaluate changes in the test-limited risks for changes in the SFs, the difference between the minimal cutset contributions with and without the SF changes will be the difference between the test-limited risks. In using the minimal cutsets, the SF contributions should all be included in the set of minimal cutsets used. Even though use of the minimal cutsets gives the same results, the above basic description of methods for obtaining the test-limited risks is useful because it shows the basic factors contributing to the SF risk.

A-1.3.1.5 Specific Considerations for Evaluating Multiple Test-Limited Risks When multiple SFs are modified or defined, the total test-limited risk from the multiple SF changes or definitions should be properly evaluated. Instead of using the PRA to evaluate all the changes in a given run, the individual test-limited risks can be evaluated one at a time, provided that the updated SFs are used for the other relevant components. An iterative procedure can then be used, in which individual SFs are successively updated using the methods described above for individual component SF risk contributors. These one-at-a-time, or iterative, evaluations are useful if acceptable guidelines on test-limited risks are defined and the SFs are selected to satisfy the risk guidelines.

A-1.3.2 Appropriate Calculation of Conditional Core Damage Frequency A-1.3.2.1 Conditional Core Damage Frequency for Failure of a Component To calculate the conditional CDF when a component is failed (typically represented by R1 in this RG), the component unavailability is changed to the true, or T, state. However, the component unavailability may be modeled in terms of many contributors: random failure, maintenance downtime, test downtime, and CCF. The CCF term represents the failure probability of two or more redundant components that include the failed component in question. The CCF term is modeled as a product of multiple terms (e.g., using the -factor model for two redundant components; the CCF term is times the component unavailability from random failures) but may be represented by one parameter.

Consider a component Q in train A of a safety system and let QLA, QMA, and QTA represent the component's unavailability from random failures, maintenance downtimes, and test downtimes, respectively. Also, let QC = QL be the term for CCF of the redundant components in trains A and B, where QL is numerically equal to QLA and represents QLA or QLB. QLB is the unavailability of a component in train B from random failure. Usually, the terms QLA, QMA, QTA, and QC will be part of the PRA input data.

To calculate the conditional CDF, given that the component is failed, the component unavailability should be represented by the T state. This means that QLA, QMA, and QTA should be changed to the T state and QC should be divided by QLA since the component is down because of failure. In principle, changing one of the three conditions (QLA, QMA, QTA) to the T state should suffice. However, in many cases, truncated cutsets are used to calculate the conditional CDF, and changing all three will ensure that the failed state of the component is represented. For this example, QC will be changed to , which represents the conditional failure probability of the redundant component.

When QC represents the failure of more than two components, QC will be converted to the failure probability of the remaining components (in this case, two components).

A-1.3.2.2 Conditional Core Damage Frequency When a Component Is Down (But Not Failed) for Preventive Maintenance To calculate the conditional CDF when a component is taken down for PM (R1 for PM analyses), the CCF term should be treated differently from that described above for the failure of the component.

Considering the same example as above, the down state of the component is represented by changing QLA, QMA, and QTA to T and by changing QC to QL, which is numerically the same as QLB or QLA. The CCF term is changed to represent the unavailability of the remaining component and not because the initial component is already down for PM and not because of failure. If the redundant component is successfully tested before taking the component down for PM, QC can then be equated to zero for a short-duration PM (i.e., when the duration of the PM is much less than the test interval).

A-1.3.2.3 Conditional Core Damage Frequency When the Component Is Not Down for Maintenance or Is Tested Operable The conditional CDF is reduced when the component is not down for maintenance or when it has just successfully been tested. The determination of CT and SF risk contributions involves calculating this conditional CDF (R0). For evaluating the CT risk contribution, R0 signifies that the component is not down for test or maintenance, and setting test and maintenance downtime unavailabilities to the false, or F, state represents this condition. In this example, QMA and QTA should be changed to the F state. For SF evaluations, R0 signifies that the component is up, which is known from the test and is represented by setting its unavailability to false. In this example, QLA, QMA, and QTA should be changed to the F state. In many cases, the reduction in CDF from the baseline CDF is negligible.
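The T and F substitutions of Sections A-1.3.2.1 and A-1.3.2.3, together with the cutset sum of Section A-1.3.1.2, can be followed in a small rare-event quantification. This is an added example, not part of RG 1.177: the two-train cutset list, all event values, and the function names are constructed for illustration, QC is treated as a separate PRA input value, and the preventive-maintenance case of Section A-1.3.2.2 is not covered.

```python
from itertools import product
from math import prod

# Constructed inputs for a two-train system (assumed values, not from RG 1.177).
F_DOWN = 2.0      # f: maintenance downtime frequency of train A, per year
D_DOWN = 0.0025   # d: average downtime per occurrence, in years
VALUES = {
    "IE": 0.1,                  # initiating event frequency, per year
    "QLA": 1e-2, "QLB": 1e-2,   # random-failure unavailability
    "QMA": F_DOWN * D_DOWN,     # maintenance unavailability, qm = f * d
    "QMB": 5e-3,
    "QTA": 1e-3, "QTB": 1e-3,   # test-downtime unavailability
    "QC": 1e-3,                 # CCF of the components in trains A and B
}
TRAIN_A = ("QLA", "QMA", "QTA")
TRAIN_B = ("QLB", "QMB", "QTB")

# Minimal cutsets: either both trains unavailable or the common-cause failure.
CUTSETS = [frozenset(("IE", a, b)) for a, b in product(TRAIN_A, TRAIN_B)]
CUTSETS.append(frozenset(("IE", "QC")))


def quantify(cutsets, values, true=(), false=()):
    """Rare-event sum of cutset products after setting events to T or F."""
    true, false = set(true), set(false)
    reduced = set()
    for cs in cutsets:
        if cs & false:            # an F event means the cutset cannot occur
            continue
        reduced.add(cs - true)    # a T event has probability 1 and drops out
    # Setting events to T can leave non-minimal cutsets; absorb them so the
    # rare-event sum does not count the same failure combination twice.
    minimal = [cs for cs in reduced if not any(o < cs for o in reduced)]
    return sum(prod(values[e] for e in cs) for cs in minimal)


def baseline_cdf():
    return quantify(CUTSETS, VALUES)


def r1_component_failed(true_events=TRAIN_A):
    """A-1.3.2.1: train A component failed; QC is divided by QLA."""
    values = dict(VALUES, QC=VALUES["QC"] / VALUES["QLA"])
    return quantify(CUTSETS, values, true=true_events)


def r0_for_ct():
    """A-1.3.2.3, CT case: component not down for test or maintenance."""
    return quantify(CUTSETS, VALUES, false=("QMA", "QTA"))


def r0_for_sf():
    """A-1.3.2.3, SF case: component known to be up from the test."""
    # QC is left unchanged; the passage names only QLA, QMA and QTA.
    return quantify(CUTSETS, VALUES, false=TRAIN_A)


def yearly_ct_risk():
    """A-1.3.1.2: sum of the cutsets that contain qm (here QMA)."""
    return quantify([cs for cs in CUTSETS if "QMA" in cs], VALUES)


if __name__ == "__main__":
    for name, fn in [("baseline CDF", baseline_cdf),
                     ("R1, component failed", r1_component_failed),
                     ("R0, CT evaluation", r0_for_ct),
                     ("R0, SF evaluation", r0_for_sf),
                     ("yearly CT risk Ry", yearly_ct_risk)]:
        print(f"{name}: {fn():.3e} per year")
```

With the full (untruncated) cutset list, setting only QLA to T gives the same R1 as setting all three train A events, because absorption removes the cutsets that become non-minimal.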

A-1.3.2.4 Conditional Core Damage Frequency When Multiple Components Are Involved To calculate conditional CDFs (R1 and R0) when multiple components are involved, the corresponding terms relating to each of the components should be changed to the T or F state. For each component, the corresponding terms relating to random failures, CCFs, test downtimes, and maintenance downtimes should be converted, as discussed above. When all the components modeled by a common-cause term are failed, this term changes to the T state for calculating R1. Otherwise, it is modeled as discussed above, representing the unavailability of the remaining components. In many PRA computer codes, the CCF term does not retain the specific component designator (e.g., a unique notation identifying the specific component involved may not be part of the name of the CCF term), and the relevant term cannot be identified directly by searching the names of the input parameters of the PRA.

The description of the CCF terms modeled in the PRA may need to be examined to identify the relevant term or the input parameter.

A-1.3.3 Treatment of Common-Cause Failure and Recovery Factors The treatment of CCF in estimating the conditional CDF for CT and SF evaluations was discussed above, as were the appropriate considerations in modifying CCF terms modeled in the PRA (to include the effect of a component being unavailable because of failure, maintenance, or testing, and for implementing a staggered test strategy). In addition, since the CCF contributions can be a dominant contributor, sensitivity analyses with respect to these parameters may be appropriate (see Section C.2.3.5 of this RG). Recovery factors used in the PRA model should perhaps be reviewed to learn whether the component assumed to be down because of failure is credited to be recovered. For example, consider that a TS change for an emergency diesel generator (EDG) is being evaluated, and conditional CDF for the EDG being down is being calculated. Then, if the cutsets used to calculate the conditional CDF take credit for the same EDG being recovered, such recovery factors should be modified. In such cases, no credit should be taken.

A-1.3.4 Calculations of Transition Risk Transition risk is calculated to compare the risk of continuing operation in a given LCO to that of a transition to plant shutdown. Such comparisons can be used to decide which option is preferable and which alternatives may be used. Such evaluations particularly apply to systems used to remove decay heat. The following considerations apply in calculating transition risk:

a. Various stages of the shutdown cooling phases and the operators' interactions should be modeled to assess the impact on the CDF of shutting down the plant in an LCO.

b. Any initiating event not modeled in the basic PRA but important during the shutdown phases should be modeled. Specific examples are those events that challenge the residual heat removal (RHR) system and that can render part of it unavailable. Additionally, the frequency of initiating events during the transition to shutdown may have to be reassessed since it may differ from that during power operation (e.g., more frequent loss of offsite power or loss of main feedwater during the transition to shutdown).

c. Different recovery paths applicable at various stages of shutdown should be modeled to realistically quantify the risk of shutting down, considering the diminishing levels of decay heat.

d. Available time margins for uncovering the reactor core and heating up the suppression pool (in a boiling-water reactor) or drying out the steam generator (in a pressurized-water reactor) should be modeled to evaluate specific accident sequences.

A-2. Data Needs for Technical Specification Change Evaluations A request for plant-specific TS changes should use plant-specific data and not rely solely on generic data or data from similar plant designs. Usually, TS changes are requested because plant operation indicates that such changes are needed and, accordingly, plant-specific data are expected to be available. For the components or systems for which TS changes are being considered, plant-specific data should be evaluated, and assurance should be obtained that these data are consistent with the plant experience. The licensee should justify the use of other than plant-specific data.

When a generic analysis uses a representative plant model, the incorporation of generic data from similar plants is acceptable. The generic data should bound the specific plants under consideration, not an average plant.

A-2.1 Care in Using Plant-Specific Data When using plant-specific data to update input parameters of the PRA during a TS change evaluation (in addition to those used during the latest update of the PRA), care should be taken to ensure that such data are consistently used both for the base case, where existing TS requirements apply, and the change case, where TS changes are incorporated. This provides assurance that the increase in the risk measure obtained is associated with the TS change only and not with the use of plant-specific data in aspects of plant operation.

This situation typically arises when recent plant-specific data are evaluated and reduced values of the parameters are obtained. Use of the reduced values may negate the risk increase from the TS change and may give an erroneous impression that the TS change has reduced the risk. When the base case is also updated, such difficulties are avoided. Sensitivity and uncertainty analyses should also be performed using the same set of input data.

A-2.2 Considerations When Generic Data Are Used When using generic data for the TS parameters in evaluating TS changes, the focus should be on justifying small changes that do not strongly depend on the data parameters. The licensee should present the reasons why generic data are being used and why generic data apply to plant-specific evaluations. In many cases, because of limited experience, the use of plant-specific data may result in very optimistic values, justifying the use of generic data.

A-2.3 Specific Data Needs Basic data needed for a TS change evaluation (using PRA information) for risk-informed regulation are those collected as part of the PRA. Comparative risk calculations for LCO changes require no additional data beyond those in the Level 1 PRAs for full-power operations and low power/shutdown.

The following sections discuss additional data needs for evaluating changes in TS requirements, such as SFs and CTs.

A-2.3.1 Maintenance Downtime Data Maintenance downtime data should be partitioned into plant-specific unplanned unavailability for unscheduled maintenance and planned unavailability for PM or testing. For this purpose, data are needed on the frequency of events leading to planned and unplanned maintenance (i.e., the number of occurrences of each type of downtime event during a given time period) and the time interval for each occasion the component was out of service. These data are also needed for judging whether an adequate CT is being provided to complete a repair. The distribution of downtimes also can be used to estimate the expected risk for a given CT.

The distribution of time for unscheduled maintenance may shift with a change in a CT. For this reason, information about such an influence on the distribution is not expected to be available when the CT change is being evaluated. The average downtime can be assumed to proportionally increase with the increase in the proposed CT for downtimes associated with unscheduled maintenance. For scheduled (preventive) maintenance, the downtime assumed can be representative of plant practices (e.g., one-half of the CT).

A-2.3.2 Maintenance Schedules and Frequency Maintenance schedule and frequency data include the maintenance scheduling used by the licensee to define the situations in which multiple equipment or system trains may be taken down for PM.

These schedules are important to ensure that components being down simultaneously, implicitly allowed by the TS change, do not create high risks. The maintenance frequency or frequency of downtime for a component may be from 3 to 10 times higher than the failure frequency. Since CTs can be used for maintenance, the frequency of maintenance should be incorporated in estimating the downtime frequency.

A-2.3.3 Data Relating to Component Testing The following data related to component testing, in addition to those available as part of the PRA study, form part of a TS change evaluation relating to surveillance requirements:

a. The evaluation should list the components being tested, any component realigned from the safety position during a test, the duration of the test, and the test frequency recommended by the manufacturer.

b. The evaluation should include the efficiency of the test (i.e., the failure modes detected by the test with regard to aspects such as components and support system interfaces).

Bounding assumptions can be made if obtaining detailed data or related information is costly.

c. The analyses should account for any potential negative effects of surveillance testing (e.g., that may cause the introduction of plant transients or unnecessary wear of the equipment). Preliminary evaluations can be used to determine the need for a more detailed analysis.

d. The evaluation should state the test strategy used for the redundant components in a system (i.e., whether staggered or sequential testing is performed). The standard PRA quantification assumes that components follow no specific schedule and are randomly placed. Staggering the test times of components in different trains will reduce the test-limited risk contribution for the same SFs as compared to the PRA assumption.

Conversely, if the tests are carried out sequentially, the test-limited risk will increase compared to the PRA assumptions.

A-2.3.4 Parameters for Component Unavailability The component unavailabilities used in a PRA contain several relevant parameters for evaluating TS changes. These parameters should be delineated, as modeled, to facilitate the evaluations and their review by the regulatory authority. The following desirable parameters contribute to the estimated component unavailability:

a. component failure rate,

b. component test interval,

c. maintenance/repair downtime contribution (i.e., maintenance frequency, downtime for scheduled and unscheduled maintenance),

d. test downtime, if applicable,

e. human errors following test or maintenance, if modeled, and

f. separation of cyclic-demand from the standby time contribution, if modeled.

A-2.3.5 Separating Demand and Standby Time Contributions to Unavailability Since the test-limited risk (typically defined as RD) is associated with a failure occurring between tests, the standby time-related failure rate should be used in calculating the test-limited risk. The standby time-related failure rate is associated with what could occur while the component is in standby between tests. Test-limited risk contributes to increases in risk associated with longer test intervals caused by the longer time to detect standby-stress failures. The time-related failure rate is expressed in units per time period, such as per hour. Estimating RD requires the standby stress failure rate of the component and the proposed SF.

The failure probability of a component consists of a time-related contribution (the standby time-related failure rate) and a cyclic, demand-related contribution (the demand stress failure probability).

The latter is the probability contribution associated with failures that are caused by demanding, starting, or cycling the component, which include (but are not necessarily limited to) test-caused transients (discussed in Section A-2.3.6). Since the test-limited risk, RD, is associated with a failure occurring between tests, the failure rate that should be used in calculating the test-limited risk is the time-related standby stress failure rate. From the total number of failures on demand, the number of failures caused by standby stress and the number of failures from demand stresses can be partitioned by either an engineering analysis of failure causes or by a graphical method based on the relationship between the observed number of failures and the SFs from which the failures came.

The test-caused contribution to risk is primarily composed of Rdown, the risk contribution caused by the unavailability of equipment from aligning the equipment away from its preferred position or state to conduct a test, when there is no automatic return to the preferred position. The additional data needed for estimating this parameter are the SF and the out-of-service time needed for each test.

Dividing the failure probability into a time-related and cyclic demand-related contribution results in a lower test-limited risk because only part of the component's failure rate is treated as time related.

However, treating only part of the failure rate as time related when this is not the case underestimates the test-limited risk; therefore, such a breakdown of the failure rate should be justified through data or engineering analyses.

In addition, sometimes only the failure probability (i.e., the component unavailability, q) may be provided without giving a failure rate. In such a case, the effect of a change in the SF cannot be evaluated unless the component test interval previously used for T is used to convert the unavailability, q, in terms of and T. When the breakdown between time-related and cyclic demand-related contribution is unknown, all failures can be assumed to be time related to obtain the maximum test-limited risk contribution.

In summary, the data required for measuring a change in risk with a change in the SF are a breakdown of the failure probability of the component into its time-related and demand-related components, the proposed SF, and the out-of-service time for surveillance testing of the component.

A-2.3.6 Test-Caused Transients To evaluate and identify the test-caused transient risk (typically defined as RC), transient events, as well as those caused by a test, should be identified. In most cases, this requires reading through the description of transients that have occurred and noting those caused by the test. When reduced SFs are allowed, the resulting reduction in test-caused transients per unit of time tends to cause decreases in risk because there are fewer adverse effects of testing over that longer test interval (which, however, will be partially or wholly balanced by increases in RD that are caused by the longer time period before the detection and correction of failures).

The transient events are obtained from the following plant operating data:

a. Performance indicator reports list the number of reactor trips and safety system actuations at each plant, the date of the events, and the numbers of the relevant licensee event reports (LERs).

b. LERs, in the LER system, describe reactor trips.

When test-caused transients for a single plant are evaluated, the plant-specific data may be sparse unless the plant's operating experience covers a substantial period. When plant-specific data are sparse, more data may be used from the operating experience of other plants of similar vintage (e.g., other Type 4 boiling-water reactors), assuming the likelihood of occurrence of test-caused transients is similar for all the plants in the database. (The performance indicator reports categorize plants according to design classes.) Testing, however, tends to be very plant specific; therefore, cross-plant data applicability needs to be evaluated in detail.

A-2.3.7 Data for Evaluating Transition Risk Data available in a PRA for full-power operation provide the basic information for evaluating the transition risks when a plant is being shut down for an LCO. In addition, the PRA for low-power and shutdown operations, if available, will significantly ease the acquisition of the data necessary for evaluating the risk of shutdown. The low-power and shutdown PRAs typically contain relevant data, such as the durations of shutdown phases and the frequencies of initiators that may occur during shutdown operation (e.g., loss of RHR).

The full-power PRA is available for most operating plants, but the low-power and shutdown PRAs are available only for some plants. Hence, the following data are needed to evaluate transition risk if only data from a full-power PRA are available:

a. Plant-specific data on shutdown operations: To analyze shutdown phases in detail, the analyst may need plant-specific information, such as operating and abnormal procedures, shift supervisor logbooks, or monthly operating reports. Data on timing of the plant shutdown and operational preferences of equipment during plant shutdown can be extracted from this information.

b. Plant-specific deterministic data: The evaluation of heatup and recovery scenarios, including estimates of heatup time, requires some design data on the plant, such as the temperature of the ultimate heat sink or the cooling capacity of the RHR system. These data typically are available from the plant's final safety analysis report.

c. Frequency of transients during controlled shutdown: The analyst may need to review the LERs for the plant to evaluate the likelihood of transients during controlled shutdown.

The analyst should consider that the likelihood of a transient during a shutdown may differ from that during power operation.

REFERENCES 2

1. U.S. Nuclear Regulatory Commission, Handbook of Methods for Risk-Based Analyses of Technical Specifications, NUREG/CR-6141, BNL-NUREG-52398, December 1994, ADAMS Accession No. ML093090361.

2 Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public website at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.
