ML20195H647

From kanterella
Jump to navigation Jump to search
Draft NRC Insp Manual,Inspection Procedure 71111, Reactor Safety-Initiating Events,Mitigating Systems,Barrier Integrity
ML20195H647
Person / Time
Issue date: 05/07/1999
From:
NRC
To:
Shared Package
ML20195H628 List:
References
71111, NUDOCS 9906170108
Download: ML20195H647 (154)


Text

r l

71111RVO.WPD 5/7/99 l

l NRC INSPECTION MANUAL PIPB i

INSPECTION PROCEDURE 71111 REACTOR SAFETY-INITIATING EVENTS, MITIGATING SYSTEMS, BARRIER INTEGRITY q

71111-01 INSPECTION OBJECTIVE:

To independently gather baseline inspection i

indicators to determino whether licensee performance meets the following cornerstone objectives:

01.01 Initiating Events: To limit the frequency of those events that upset plant stability and challenge critical safety functions, during shutdown as well as power operations.

01.02 Mitigating Systems:

To ensure the availability, reliability, and capability of systems that mitigate initiating events to prevent reactor accidents.

01.03 Barrier Integrity:

To ensure that abysical barriers protect the public from radionuclide releases caused by accicents.

71111-02 INSPECTION REQUIREMENTS:

02.01 Plan and perform inspections in the following inspectable areas:

Adverse Weather Preparations (I.M Attachmer.t 01)

Changes to License Conditions and Safety Analysis Report (M.B Attachment 02)

Emergent Work (I M Attachment 03)

Equipment Alignment (I.M.B Attachment 04)

Fire Protection (I.M Attachment 05)

Flood Protection Measures (I.M Attachment 06)

Fuel Barrier Performance (B PI verification only)

Heat Sink Performance (I.M Attachment 07)

Identification and Resolution of Problems and Issues (I.M.B see IP 71152)

Inservice Inspection Activities (I.B Attachment 08)

Inservice Testing of Pumps and Valves (M Attachment 09)

Large Containment Isolation Valve Leak Rate and Status Verification (B Attachment 10)

Licensed Operator Requalification (M.B Attachment 11)

Maintenance Rule Implementation (I.M.B Attachment 12)

Maintenance Work Prioritization and Control (I.M.B Attachment 13)

Nonroutine Plant Evolutions (I.M.B Attachment 14)

Operability Evaluations (M Attachment 15)

Operator Workarounds (M Attachment 16)

Permanent Plant Modifications (M.B Attachment 17)

Piping System Erosion and Corrosion (deleted) l Post Maintenance Testing (M Attachment 19)

Issue Date: DRAFT Page 1 of 154 71111 DRAFT NO N00 NO O cy

Refueling and Outage Activities (I.M.B Attachment 20)

Safety System Design and Performance Capability (M Attachment 21)

Surveillance Testing (M.B Attachment 22)

Temporary Plant Modifications (M.B Attachment 23)

The above listing indicates which cornerstone (s) apply to each inspectable area l

(I-Initiating Event. M-Mitigating Systems, and B-Barrier Integrity).

Use the attached ins)ectable area procedures to plan and perform inspections in these areas. Find ngs from these inspections must be earmarked by the inspector as to which cornerstone they a) ply.

Each finding must be aligned with only one cornerstone following app'ication of the SDP, in order to avoid double counting in the assessment of performance by cornerstones. The Fuel Barrier inspectable area is integrated into the PI Verification inspection procedure.

02.02 As part of inspecting in the above inspectable areas the inspector will review related areas in the licensee's corrective action-program using the Identification and Resolution of Problems inspection procedure and as discussed in Inspection Manual Chapter 2515*, Appendix A.

03 INSPECTION GUIDANCE 03.01 Applicable Performance Indictors The inspections conducted under this procedure are intended to provide performance information in areas that are not measured by the following performance indicators (PIs): unplanned scrams, scrams with loss of normal heat removal and transients (Initiating Events Cornerstone); safety system performance indicator unavailability and safety system failures (Mitigating Systems); and reactor coolant system (RCS) specific activity. RCS leak rate and containment leakage (Barrier Integrity).

In fulfilling the inspectable area inspection requirements, the inspector needs to exercise care so as to not spend time ins)ecting activities or characteristics that are already covered'by a PI, altlough the PI Verification Procedure (not an "inspectable area") does gather such information.

03.02 Risk-Informed Inspection Planning This section provides guidance on the risk-informed aspect of planning the performance based inspections in the baseline inspection. program.

In accordance with NRC Commission Policy, a " risk-informed" approach to regulatory decision-making represents a philosophy whereby " risk insights" are considered together with other factors to establish requirements that better focus licensee and regulatory attention on design and operational issues connensurate with their importance to public health and safety.

This Policy defines the term " risk insights" as the results and findings that come from risk assessments.

It is in this context that the terms " risk-informed" and " risk insights" are used in the following discussion of performing risk-informed inspection planning, the determination of what to inspect using a risk-informed approach.

As discussed in the Manual Cha)ter on the baseline program, inspections are to be performance based (i.e. emplasis on results over process and method), Also, the inspector should refer to 2515. App C. "Use of Probabilistic Risk Ranking Information" in conjunction with the guidance provided here in this section on f

inspection planning in a risk-informed manner. As noted in 2515. App C. SSCs are l

assumed to also include operator actions, maintenance activities, and other basic I

DRAFT 71111 Page 2 of 154 Issue Date: DRAFT

elements that are modeled in a typical PRA.

Because human performance contributes significantly to the risk of severe accidents, the inspectable areas do incorporate some reviews of factors that influence human error, such as procedure adherence, work control and training.

Risk-informed inspection planning (i.e. the selection of risk-informed inspection targets) is based on the following:

o extracting risk insights from a risk model, e using these insights to select SSCs and plant activities for inspection e using insights from plant-specific and industry operational experience to add SSCs into the inspection sample Frequently used risk insights that are normally accessible for inspection planning purposes can be obtained from IPEs.

If available it is preferable to use an updated plant-specific PRA to extract risk insights. The following types of information that are normally available from the IPEs:

  • Lists of dominant accident sequences and their contribution to CDF and LERF e Lists of accident initiators, components, systems, and operator. actions ranked

'by importance measures (e.g., RAW. RRW, Birnbaum. F-V).

It should be noted that, in some PRAs. not all imaortance measures may be provided (e.g., system importances are not provided aecause system-level cutsets may not have been determined).

e Lists of accident sequence cutsets and system level cutsets [can be deleted unless the inspector wants to review the PRA model in detail]

e List of potential severe-accident vulnerabilities These PRA insights are useful in selecting SSCs. but are only a first step in a risk-informed approach to inspection. As plant configurations change due to on-line maintenance or plant modifications, the relative importance of an SSC or an accident sequence may change.

Since plant risk changes dynamically due to operational activities (e.g., surveillance testing) in combination with ongoing maintenance activities, inspection planning process should be flexible to consider changes in SSC importance for inspection priority.

In addition to the frequently used risk insights listed above, the following items are considered general guidance for developing and using other risk insights throughout the inspection process.

e The inspectors should consider the inputs to the Significance Determination Process throughout the inspection process, both planning and implementation.

Since, the SDP screens out inspection findings that affect only one train of mitigating system equipment for a single initiating event, inspectors should consider planning inspections that target combinations of SSCs that are related within an accident sequence and affect more than one train.

o In considering the SDP, inspectors should maintain an awareness. via Plant Status of potential SDP candidates (i.e. single train failure during testing).

and plan inspections to determine if the SDP level 1 screening criteria are satisfied. While a single train unavailability does not by itself trigger the SDP. the inspectors should use the inspectable area inspections to verify that no other conditions existed concurrently that would provide input to the SDP.

e inspectors are encouraged to use resources in addition to the plant-specific IPEs.

Although, the IPEs are generally the most valuable resource in extracting risk insights, they have not been reviewed or approved by the NRC, Issue Date: DRAFT Page 3 of 154 71111 DRAFT

7 and are not living documents.

Therefore, inspectors may need to use other resources to evaluate certain PRA assumptions regarding system success criteria, operator actions / human errors.

Insights from industry operational experience can be an excellent resource for planning and focusing inspections.

Since many licensees are maintaining updated plant-specific PRAs as "living PRAs", these PRAs should be used when available.

Risk-informed inspection planning is expected to vary depending on the type of inspection being conducted.

Listed below are some examples of ris'k-informed inspection planning techniques along with some examples in capturing risk insights.

Refuelina Outa'ae Insoection Plannina Examole Refueling and shutdown activities generally are periods of high activity, less defense in depth due to equipment outages, and are potentially high risk periods.

The inspectable area Refueling and Outage Activities, in addition to other inspectable areas will be used to perform inspections during this period.

Inspection planning should be conducted prior to the outage and should review the licensees outage plan and schedule and the licensee's risk assessment.

The inspection planning should identify the following things:

i

. Major maintenance and modification activities during the refueling outage.

e Periods of heightened risk in the outage risk profile, including mid-loop j

configuration, open containment configuration, electrical equipment outages, j

and switchyard activities.

  • Mitigating system availability and operator compensatory measures, including temporary modifications, identified for maintaining key plant safety functions.

Using this information, the risk-informed inspection plan can be developed to evaluate the effectiveness of the licensee's program / practices such as post-maintenance testing for modifications that if improperly installed or implemented j

could affect the function of mitigating system equipment, temporary modifications i

used as backup electrical power supplies, equipment alignment of electrical power supplies during switchyard, activities.

In addition to the licensee's outage risk assessment, inspectors are encouraged to use other resources, including shutdown risk insights from similar plants and insights from shutdown risk studies performed by the NRC (provide resource information).

Reactor Safety Cornerstone Team Insoection Plannina Examole The baseline program provides for three separate team inspections. Fire Protection. Safety System Design and Performance Capability, and Problem Identification and Resolution.

Each of these inspectable area procedures specifically provide for Senior Reactor Analyst involvement prior to the inspection.

The SRA will review the licensee's IPE or IPEEE prior to the inspection and provide risk insights to the inspection team.

Resident and Reaion-Based Insoections Examoles Many of the inspectable areas must be coordinated with the licensee's schedule or other plant conditions that cannot be anticipated during the annual planning meeting. In these cases, inspection planning can be done by the inspectors using the licensee's maintenance and surveillance schedule, risk assessments, and the IPE.

Many licensees use a 12 week scheduling process or a similar tool.

DRAFT.71111 Page 4 of.154 Issue Date: DRAFT J

Inspectors should determine the appropriate period for inspection planning based on the individual plant eork scheduling process but should also factor in changes in plant conditions (i.e., emergent work) into the inspection plan. During Plant Status reviews, inspectors will gather plant information that should be used to alter the inspection plan.

Inspection planning should identify the following things:

  • Periods of heightened risk due to on-line maintenance activities that affect mitigating systems, or could potentially cause an initiating event.

In particular, attention should be given to activities that have increased potential for initiating a plant upset when mitigating capability is decreased (e.g., switchyard maintenance activities when an emergency diesel generator or turbine-driven AFW pump is unavailable).

. Planned testing activities, including surveillance tests. IST tests. and post-maintenance tests.

  • Planned on-line installation of modifications Using this information, the inspection plan can be developed to include such items as the verification that planned on-line emergency diesel generator maintenance unavailability is properly performed in accordance with maintenance rule requirements (i.e., performing required risk assessments), unavailability hours are properly captured under the maintenance rule and performance indicators, and those hours are consistent with assumptions of unavailabilty in the IPE. Consistency between the IPE assumptions and actual plant practices is important so that risk ranking and relative importance of the SSC is accurately represented in the IPE.

These types of verifications would be 3erformed using the maintenance rule implementation, maintenance work prioritizat on and control, post maintenance testing, and PI verification inspectable area procedures. Risk informed inspection planning for this example might also include an equipment alignment inspection or surveillance testing inspection of another EDG train or other mitigating system train that is important for a loss of offsite power event.

Similarly, if during the period of EDG maintenance, emergent work or

]

adverse weather conditions occur, the inspectors should alter the inspection plan to cover these ins)ectable areas since combinations of degraded conditions tend to increase risk t1e most.

In order to track progress in completing the baseline inspection program requirements, the senior resident inspector and the DRP branch chief should review on a quarterly basis the status of the completion matrix. The matrix is provided as a tool for this purpose and can be found on Appendix A to IMC 2515*.

I

\\

1 l

1 l

Issue Date: DRAFT Page 5 of 154 71111 DRAFT

i DRAFT 71111 Page 6 of 154 Issue Date: DRAFT 1

Adverse Weather Preparations INSPECTABLE AREA:

Adverse Weather Preparations April 21,1999 CORNERSTONES:

Initiating Event Mitigating Systems INSPECTION BASES:

Weather conditions leading to LOOP. freezing temperatures, high temperatures, high winds, and flooding dominate external risk.

Adverse weather can lead to common mode loss of multiale trains and loss of redundant equipment.

This inspecta]le area verifies aspects of the associated cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT:

As conditions require, prior to seasonal susceptibilities.

(Estimated hours 18 per year)

-01 INSPECTION OBJECTIVE (S)

This inspection will focus on verifying that the licensee's preparations for adverse weather limit the risk of weather related initiating events and adequately protect mitigating systems from adverse weather effects.

-02 INSPECTION REQUIREMENTS:

Note: This inspection is site-specific and shall be performed for the types of weather related risks identified in the licensee's IPE. IPEEE or plant history.

Baseline Inspection Procedure 71111. Attachment 7. " Heat Sink Performance."

includes inspection for external natural occurrences such as clogging of cooling water sources by natural growth. Baseline Inspection Procedure 71111. Attachment

6. " Flood Protection Measures." includes inspections for flooding preparations.

02.01 Inspection Planning Using plant-specific data, identify which external weather sources have the highest risk ranking (s) and the times of the year when this risk is highest.

Identify safety significant SSCs that are potentially the most affected by the external weather. Using the site specific risk information and Appendix A.

identify one non-failure-tolerant SSC and one site-specific high risk ranking SSC for review.

For purposes of this inspection, a non-failure-tolerant SSC shall be defined as a component or system which is not a major contributor to plant risk (low contributor to core damage frequency) because it is highly reliable but if it were to fail it would increase the conditional core damage probability.

This inspection should be performed prior to the period when adverse weather conditions are expected at specific sites.

02.02 Conduct of Inspection a.

By observation of equipment and review of maintenance records, verify that equipment protection is adequate to ensure that the equipment will-remain functional when chal.lenged by the adverse weather.

b.

If operator actions are assumed / required, verify that these actions will support system operability. Note that operator actions must be Issue Date: DRAFT Page 7 of 154 71111 DRAFT

assumed to be performed under the specified adverse conditions (e.g.,

accessibility of controls, indications, and equipment) using existing procedures and minimum required staffing.

02.03 Severe Weather Check to see if the licensee has instructions for a reactor shutdown (or power reduction) for severe weather, such as a hurricane.

If the components / systems selected for inspection is required for shutdown, consider also verifying that this system would be available for performance of the reactor shutdown under the worst weather conditions assumed prior to the shutdown.

02.04 Problem Identification and Resolution During-plant status reviews, check whether the licensee has identified any significant weather related problems in a corrective action program, and if the problem could affect multiple systems (common cause), check the adequacy of the licensee's resolution. See Baseline Inspection Procedure 71152, " Identification and Resolution of Problems " for additional guidance.

-03 APPENDIX A INSPECTION GUIDANCE Cornerstone Inspection Risk Priority Example Objective Initiating Events Inspect for Site specific Adequacy of heat (20 %)

adequate tracing for equipment For cold weather, outside piping i

protection to high risk exists systems.

preclude a for weather induced components /sensin Adequacy of initiating event g lines located protection of in areas with equipment outside Inspect for the natural air structures from accessability and intake or located high winds usability of the outside (tornadoes and/or selected system structures hurricanes)

Mitigating Inspect for the Site specific Adequacy of cold Systems ability of the weather (80%)-

selected For cold weather, 3rotection of mitigating system high risk exists RWST/ CST level to perform its for sensing lines design function components /sensin under projected g lines located Adequacy of cold worst case in areas with weather external weather natural air protection for intake or located cooling lines for outside service water structures pumps

-04 REFERENCES Baseline Inspection Procedure 71111. Attachment 6.

" Flood Protection Measures" Baseline Inspection Procedure 71111. Attachment 7, " Heat Sink Performance" DRAFT 71111-Page 8 of 154 Issue Date: DRAFT I

Baseline Inspection Procedure 71152, " Identification and Resolution of Problems" Issue Date: DRAFT Page 9 of 154 71111 DRAFT

i l

l l

1 1

l DRAFT 71111 Page 10 of 154 Issue Date: DRAFT

L i 2 Changes to License Conditions and Safety Analysis Reports i

5/6/99 I

INSPECTABLE' AREA: Changes to License Conditions and Safety Analysis Report CORNERSTONES:

Mitigating Systems I

Barrier Integrity l

Emergency Preparedness l

Physical Protection INSPECTION BASES: This inspectable area provides monitoring of the effectiveness of the'11censee's programs for implementing changes to facility

SSCs, risk significant normal and emergency operating procedures, test programs, UFSAR, emergency plans, and physical

)

security plans, and ensures that the changes were in accordance with the requirements of 10 CFR 50.54 and 10 CFR 50.59. This inspectable area provides assurance that the facility changes

'l have not reduced the safety margins of the SSCs or reduced the effectiveness of the facility emergency and physical security plans.

This inspectable area verifies aspects of Mitigating Systems. Barrier Integrity, Emergency Preparedness, and the Physical Security cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Review a minimum of five licensee 10 CFR 50.59 evaluations annually.

Review at least one emergency plan and one physical security plan change annually.

Estimated Hours:

32 hours3.703704e-4 days <br />0.00889 hours <br />5.291005e-5 weeks <br />1.2176e-5 months <br /> / year for Mitigating Systems and Barrier Integrity cornerstones 8

hours / year for Emergency Preparedness cornerstone 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> / year for Physical Protection cornerstone

-01 INSPECTION OBJECTIVE (S):

01.01 Verify that licensees obtain NRC approval prior to implementing changes to licensing bases that result in a more than minimal increase in risk.

l 01.02 Verify that the licensees obtain NRC approval prior to implementing changes-to the site emergency and physical security plans that decrease the effectiveness of.the plans.

-02 INSPECTION REQUIREMENTS:

02.01 Insoection Comoosition This inspection should be performed by inspectors knowledgeable of the affected subject area.

For example, review of 10 CFR 50.59 evaluations l

would typically be performed by an engineering specialist.

Review of emergency plan changes, would typically be reviewed by.an emergency Issue Date: DRAFT Page 11 c' 154 71111 DRAFT

preparedness specialist.

Review of 3hysical security plan changes would l

typically be nerformed by an physical security specialist.

02.02 Screenina:

Screen licensee submittals and/or 10 CFR 50.59 evaluations which describe changes to the licensing documents but are not identified as requiring NRC approval.

(Licensee submittals, such a license amendments, which already identify themselves as requiring NRC approval should be reviewed as a licensing action rather than as an inspection activity under this inspectable area.)

The specific submittals which should be screened include:

l 10 CFR 50.59/10 CFR 50.71(e) change evaluation summary reports 10 CFR 50.54(q) Emergency Plan changes 10 CFR 50.54(p) Physical Security Plan changes l

Additionally, completed 10 CFR 50.59 evaluations not yet described in a summary report submittal may also be screened and reviewed under this l

inspectable area.

02.03 In-Deoth Review:

a.

Based on the screening, perform an in-depth review of licensee submittals l

or 10 CFR 50.59 evaluations which appear to:

affect mitigation capability or barrier integrity OR e

be a change in intent OR potentially reduce the effectiveness of a physical security or e

emergency plan b.

Over the course of a year, the in-depth review effort should include i

submittals or 10 CFR 50.59 evaluations for each cornerstone as outlined below:

Cornerstone Annual Review Effort Mitigating Systems a one 10 CFR 50.59 evaluation l

2 five 10 CFR 50.59 l

Barrier. Integrity a one 10 CFR 50.59 evaluations evaluation Emergency Preparedness 2 one licensee submittal describing changes to emergency plan Physical Protection 2 one licensee submittal describing changes to physical security plan l

NOTE: Although it is intended that submittals (or evaluations) for each cornerstone be reviewed annually, such review may not be possible because licensees may not make submittals for each cornerstone in a l

given year.

For example, a licensee may not submit any changes to DRAFT 71111 Page 12 of 154 Issue Date: DRAFT

the emergency plan during a given year. Consequently, there may not be associated inspection effort for the Emergency Preparedness cornerstone for the year.

c.

Obtain additional information from the licensee as needed to perform in-depth - review.

For example, review of a 10 CFR 50.59 evaluation would l

typically require review of the completed evaluation plus any supporting analyses or calculations.

02.04 Actions:

If-any of the conditions listed below are identified, a license amendment l

may be required. Either refer the issue to the Office of Nuclear Reactor Regulation (NRR) or address the issue with the licensee to restore compliance.

Referral of issues to NRR should be coordinated through the NRR Project Manager for the site.

10 CFR 50.59 criteria for requiring license amendment prior to implementation met Reduction in approved emergency plan effectiveness Emergency plan change does not meet 10 CFR 50.47(b) or 10 CFR 50.

Appendix E Reduction in physical security plan effectiveness or commitments e

02.05 Identification and Resolution of Problems As it relates to 10 CFR 50.59 evaluations, emergency plan changes, and physical security plan changes, select a sample of problems identified by the licensee in the corrective action program and verify effectiveness of corrective actions. Use Inspection Procedure 71152, Identification and Resolution of Problems, forguidance to perform this review.

-03 INSPECTION GUIDANCE:

I"$kct5e t1o" Cornerstone Ob Risk Priority Example Mitigating Verify facility Changes which Decreasing the Systems changes have not affect the flow rate of an reduced the ability to residual heat safety margins mitigate an removal pum) to of SSCs.

accident less than tlat analyzed in the safety analysis report Issue Date: DRAFT Page 13 of 154 71111 DRAFT

1 Barrier Verify facility Changes which Increasing Integrity changes have not affect barrier stroke time of a reduced the integrity containment safety margins isolation valve of SSCs.

to greater than that analyzed in j

the safety analysis report Emergency Verify plan Changes which Reduction in Preparedness changes have not affect risk emergency reduced significant planning effectiveness emergency plan commitment attributes without concomitant reduction in bases for that commitment r

Physical Verify plan Changes which Reduction of Protection changes have not affect the compensatory reduced ability to posting effectiveness prevent requirements for radiological degraded sabotage security barriers

-04 REFERENCES Emergency Preparedness Position (EPPOS) on Emergency Plan and Implementing Procedure Changes EPPOS No. 4. Rev. 1 l

l l

l DRAFT 71111 Page 14 of 154 Issue Date: DRAFT 3

Emergent Work l

INSPECTABLE AREA: Emergent Work April 21, 1999 CORNERSTONES:

Initiating Event l

Mitigating Systems INSPECTION BASES: Industry experience has shown that inadequate control of repair activities.to equipment, including troubleshooting have resulted in initiating events, inoperable mitigating systems, and/or loss of redundancy.

This inspectable area verifies aspects of the associated cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Inspect two activities a month.

(Estimated hours 60 per year)

-01 INSPECTION OBJECTIVE (S)

. This inspection will focus on verifying that the licensee has taken the necessary steps to demonstrate that emergent activities are adequately planned and controlled to avoid initiating events and ensure functional capability of mitigating systems.

NOTE This' procedure is closely related, and in some cases parallels.

referenced Baseline Inspection Procedure 71111. Attachment 13.

" Maintenance Work Prioritization and Control:" Attachment 19. " Post Maintenance Testing:" Attachment 4.

" Equipment Alignment:" and 2. " Maintenance Rule Implementation."

-02 INSPECTION REQUIREMENTS:

02.01 Selection of Activities Based on information gathered during review of plant status, select two emergent activities for further review. This inspection is intended to ascertain that the licensee is maintaining adequate control of emergent work when combined with planned work already in progress or when the emergent work, by itself could initiate an unplanned event.

Ins)ectors should review site specific risk information concerning the unavailabi'ity of multiple systems. however, the risks for initiation of events or degradation of mitigating systems from specific maintenance errors are not included in risk studies. Therefore. the inspectors shall also consider if potential maintenance errors could initiate an event or affect the defense-in-de)th principal when selecting activities to review.

This inspection should be 'imited to emergent activities that could cause an initiating event to occur or affect the functional capability of mitigating systems.

Refer to Appendix A for additional guidance.

02.02. Work Planning and Risk Management a.

Verify that the licensee has appropriately considered the prioritization, timing of repairs, and risks associated with the combination of planned and emergent work.

Verify minimum required mitigating systems and or redundant components remain operable.

Verify that the repair activities are factored in with other Issue Date: DRAFT Page 15 of 154 71111 DRAFT

previously planned maintenance or surveillance activities such that the risk of initiating events is minimized.

b.

Verify thet the combination of planned and emergent work is allowed by TS criteria.

02.03 Work Observation, a.

Observe the work in progress. Verify that troubleshooting evolutions and maintenance activities are adequately controlled at the job site to minimize risk to the system /com)onent being worked and that all activities are within the approvec work control boundary.

Verify that precautions have been taken to preclude affecting adjacent components / systems.

b.

Observe ecuipment line-ups and tagging, when potential errors could affect otler operating systems.

When appropriate verify that redundant components are maintained in an operable status.

02.04 Equipment Restoration and Post Maintenance Testing a.

Verify that equipment reliability / operability is adequately demonstrated by post-maintenance testing.

b.

After the test is complete, verify that equipment is restored to the position / status required to maintain the system operable and confirm that systems adjacent to the work activity were undisturbed by the activities. See Baseline Inspection Procedure 71111. Attachment 19.

" Post Maintenance Testing " for additional guidance.

02.05 Identification Resolution of Problems During plant status reviews, monitor the licensee's identification of emergent work problems for problems which have the potential for common mode failure of 4

other related components or systems.

Verify the adequacy of the licensee's resolution of significant problems with common cause potential.

See Baseline Inspection Procedure 71152

" Identification and Resolution of Problems." for additional guidance.

i 1

j i

DRAFT 71111 Page 16 of 154 Issue Date: DRAFT l

\\

l L

-. -APPENDIX A:.

INSPECTION GUIDANCE:

Cornerstone Inspection Risk Priority Example Objective Initiating Events Identify any Troubleshooting Troubleshooting (40 %)

emergent work activities which of electrical which could cause are not well equipment an initiating defined by the associated with event.

implementing or adjacent to procedure.

safety-injection initiation Repairs near circuits.

equipment, which j

if inadvertently bumped, will cause plant transients with higher risk than a reactor trip Mitigating Identify any Emergent work Emergent repair Systems mitigating when high risk of room cooling (60%)

system, credited configurations equipment when by the licensee already exist, other mitigating as o)erable.-

due to planned systems / component whic1 is on-line s are already out adversely maintenance.

of service 3

impacted by emergent work Emergent work on planning or support systems-performance, which may affect multiple components / system s

-04 REFERENCES Baseline Inspection Procedure 71111 2. " Maintenance Rule Implementation" Baseline Inspection Procedure 71111 3, " Maintenance Work Prioritization and Control" Baseline Inspection Procedure 71111 Attachment 4. " Equipment Alignment" Baseline Inspection Procedure 71111. Attachment 19, " Post Maintenance

-Testing" Baseline Inspection Procedure 71152, " Identification and Resolution of Problems" I

l Issue Datei DRAFT Page 17 of 154 71111 DRAFT

I l

l l

i 1

l l

l l

l l

1 l

l l

i 1

i l

l l

l DRAFT 71111 Page 18 of 154 Issue Date: DRAFT l

i

m 4

. Equipment Alignment

'INSPECTABLE AREA: Equipment Alignment CORNERSTONES:-

Initiating Events Mitigating Systems Barrier Integrity INSPECTION BASES: High risk configurations may occur during normal operations.

on-line maintenance, and outage activities due to multiple out-of service structures, systems, and components (SSCs), and such configurations can lead to high Core Damage Probability.

This inspectable area verifies aspects of the associated cornerstones not measured by performance indicators. In the Mitigating Systems Cornerstone, the Safety System Unavailability (SSU) Indicator measures unavailability of several risk-important systems.

Unplanned unavailability of these systems due to ecuipment alignment problems would be captured by this incicator.

LEVEL OF EFFORT:

Periodic control room equipment alignment checks.

Partial system walkdowns approximately monthly (12 per year) to verify operability of redundant train / system with other train / system inoperable or out-of-service.

One complete risk-important system walkdown approximately every 6 months (2 per year).

Estimated hours:

76 hours8.796296e-4 days <br />0.0211 hours <br />1.256614e-4 weeks <br />2.8918e-5 months <br /> / year inspection 3

-01 INSPECTION OBJECTIVES 01.01 To determine plant status with respect to equipment alignment problems that affect system availability.

01.02 To assist the inspector in planning inspections.

01.03 To verify equipment alignment and identify any discrepancies that impact the function of the system and therefore potentially increase risk.

01.04 To verify that the licensee has properly identified and resolved equipment alignment problems that cause initiating events or impact mitigating system availability.

-02 INSPECTION REQUIREMENTS:

Periodic control room equipment alignment checks are intended to be brief inspections to be performed as part of Plant Status with respect to equipment alignment problems and to assist the inspector in planning the partial and complete system walkdowns. Twelve partial walkdown inspections will be performed to verify the operability of redundant trains / system when the other train / system is out-of-service.

This inspection activity supports IE. MS and BI cornerstones and is )erformed during both shutdown and operating conditions. Two complete wal(downs will be performed which support only the MS cornerstone.

02.01 Periodic Equipment Alignment Checks:

Issue Date: DRAFT Page 19 of 154 71111 DRAFT

a.

During Plant Status reviews, observe control room indications and review operating logs to identify any occurrences of equipment alignment problems.

Perform a control room panel walkdown to verify correct equipment alignment of a sample of I

mitigating systems. Each week sample one or two systems using

}

the plant-specific risk analysis or RIM 2, For further followup see 02.04.

02.02 Partial Walkdown:

L a.

Select a redundant or backup system / train to a currently out-of-service or inoperable train.

b.

Review documents to determine correct system lineup. Consider plant procedures including abnormal and emergency operating l

procedures and drawings.

c.

Verify critical portions of the redundant or backup system / train and identify any discrepancies between the existing equipment lineup and the correct lineup.

02.03 Complete Walkdown:

1 a.

Select a risk-important system.

Consider site specific risk study, RIM 2, plant mode, previous walkdowns.

b.

Review documents to determine correct system lineup. Consider plant procedures including abnormal and emergency operating procedures, drawings, the updated final safety analysis report, system engineer notebooks, and vendor manuals.

c.

Review outstanding maintenance work requests on the system and note any deficiencies that affect the ability of the system to perform its' function.

d.

Perform walkdown. Identify any discrepancies between existing system equipment lineup and correct 11neup. Listed below are examples of items to review during the walkdown.

Valves are positioned correctly and do not exhibit leakage that would impact the valve's function Electrical power is available as required Major system components are correctly

labeled, l

lubricated, cooled, ventilated, etc.

Instrumentation is correctly installed and functional Hangers and supports are-correctly installed and functional Essential support systems are operational e

Ancillary equipment or debris does not interfere with e

system performance 1

02.04 Problem Identification and Resolution a.

If an equipment alignment problem occurs and affects the ability of a mitigating system or barrier to perform its' function, perform j

DRAFT 71111 Page 20 of 154 Issue Date: DRAFT l

L

1 l

additional review to determine if the problem is accurately described J

l and classified in the licensee's corrective action program.

1 b.

During each complete system walkdown inspection, sample the licensee's corrective action program records (approximately 2 to 4 i

issues) to evaluate equipment alignment problem identification and i

resolution.

This review includes equipment alignment problems for

)

all risk-important mitigating systems and is not restricted to the system being inspected.

i

-03 INSPECTION GUIDANCE General Guidance Ins Section findings which may affect risk would involve equipment alignment pro)lems which affect the system function (e.g. valves misaligned in the suction, discharge, or recirculation flowpaths or an alternate electrical lineup which could affect the system function under certain accident sequences) rather than minor alignment problems (e.g., valves misaligned in drain or vent paths that do not affect the system function).

See attachment A for insSection guidance to assist the inspector in selecting inspection activ' ties to achieve each cornerstone objective and to those activities that have a risk priority.

Issue Date: DRAFT Page 21 of 154 71111 DRAFT

inspection Guidance Table Corner-Required Inspection Risk Priority Example stone Inspection Objective i

5 l

Initiatin 2 partial Identify any shutdown - Equipment System lineups during I

g Events walkdown equipment lineups during PWR mid-loop operation (30%)

inspections alignment special tests or or BWR vessel draindown.

during plant discrepancies evolutions i

shutdown that could Misalignment of result in a electrical equipment risk during shutdown could significant cause LOSP and affect initiating decay heat removal.

event Ang impact the-availability and functional capability of plant equipment.

l Mitigatin' 8 partial Identify any operating -

Safety trains on the g Systems walkdown equipment Equipment lineups remaining emergency bus (60%)

inspections alignment following system when one EDG is 005 or during plant discrepancies restoration or

failed, operating or that could equipment lineups shutdown impact risk that support other conditions significant train / alternate mitigating system when 2 complete system maintenance rule walkdowns availability system is 005.

during plant and functional operating capability, shutdown - Equipment Safety trains on the I

conditions lineups that affect remaining emergency bus shutdown risk or when one EDG is 00S or equipment lineups failed.

that support other j

train / alternate system when maintenance rule I system is 00S.

l 1

DRAFT 71111 Page 22 of 154 Issue Date: DRAFT

Ccrner-Required Inspection Risk Priority Example stone.

Inspection Objective s

Barrier 2 partial Identify any Operating - Fuel Verifications of Integrity walkdowns.

equipment cladding degradation reactivity control (10%)

One each alignment can result from both systems (e.g., control during-discrepancies inadequate human and rod drives, rod block operating that could equipment monitors, rod worth and shutdown.

degrade fuel performance..

minimizers,etc.)

conditions.

barrier Reactivity control integrity..

systems must be RCS Inspection not reactor properly configured required during coolant system to prevent and/or operating conditions.

integrity, or mitigate adverse containment reactivity.

Containment - Inspection integrity, transients and not required because neutron flux significant deviations distributions, from design limits are not expected since the plant is equipped with various design features (alarms and interlocks) and because compliance with technical specification requirements for containment parameters is adequate.

shutdown - Equipment Containment I

lineups that affect configuration during RCS inventory and risk-significant containment evolutions (e.g., PWR mid-loop operation, BWR cavity drain down.

Provisions for achieving 4

containment closure in a timely manner during periods when the contairvnent is permitted to be open.

\\

l Issue Date: DRAFT Page 23 of 154 71111 DRAFT

1 l

l 1

1 l

l l

i l

l i

l i

1 1

1 1

1 1

1 1

I l

l l

l l

l l

\\

l 1

DRAFT 71111 Page 24 of 154 Issue Date: DRAFT

l 5 Fire Protection INSPECTABLE AREA: Fire Protection CORNERSTONES:

Initiating Events (10). Mitigating Systems (90)

INSPECTION BASES: For most reactor plants fire is the dominant risk contributor to external events (earthquakes, floods, high winds, etc.).

Fire protection defense-in-depth is accomplished through control of combustibles and ignition sources, mitigation of fires that do occur through fire detection and automatic and manual suppression capability, and a well analyzed and implemented post-fire safe shutdown capability.

Safe shutdown capability includes the existence of adequate fire barriers to establish the fire area or fire zone configuration and to ensure the shutdown equipment functionality assumed in the aost-fire safe l

shutdown analysis.

If defense-in-depth is not maintained t1 rough a well functioning licensee fire plant may be challenged. protection program, post-fire safe shutdown. of the This inspectable area verifies aspects of the Mitigating Systems cornerstone for which there are no indicators to measure performance.

LEVEL 0F EFFORT: On a monthly basis, the resident inspector will tour high fire risk plant areas to assess: control of transient combustibles and ignition sources, fire detection, manual and automatic suppression capabilities, and barriers to fire propagation.

In addition, every 3 years, an inspection team consisting of a fire protection engineer, a mechanical engineer, and an electrial engineer will conduct a one week, risk-focused, onsite inspection of all three components of defense-in-

depth, with major emphasis on post-fire safe shutdown capability and configuration management.

01 INSPECTION OBJECTIVE The inspection objective is to assess whether the licensee has implemented a fire protection program which adequately controls combustibles and ignition sources, provides adequate fire detection and suppression capability, and ensures that procedures, equipment, fire barriers, anc systems exist so that the capability to safely shutdown the plant is ensured.

02 INSPECTION REQUIREMENTS 02.01 Routine Insoection.

Conduct routine reviews of fire protection program observables.

The resident inspector's assessment of the licensee's control of i

transient combustibles and ignition sources is addressed on a more frequent basis in the Plant Status inspection procedure.

Select high fire risk areas based on the plant specific risk study or on RIM 2.

h.

Monthly the resident inspector will tour high fire risk plant areas to assess fire detection and manual and automatic suppression capabilities, barriers to fire propagation, and fire protection related compensatory measures.

1 Issue Date: DRAFT Page 25 of 154 71111 DRAFT I

E 1

1.

Annually the resident inspector will observe a fire brigade drill in a high risk-fire area, or actual response of a plant fire brigade in any plant area.

02.02 Triennial Insoection. Conduct a one-week triennial team inspection of the l

licensee's fire protection program emphasizing post-fire safe shutdown capability l

and configuration management.

a.

The inspection team leader will manage and coordinate a 2-3 day information gathering site visit accompanied by the team members and the senior reactor analyst (SRA) designated to support the team. The l

SRA will provide a report to the team leader containing fire risk results. The team leader will use the fire risk results report and input from the other team members to develop an inspection plan.

b.

The team leader will manage and coordinate the conduct of a one week triennial fire protection inspection emphasizing post-fire safe shutdown capability and configuration management.

The inspection should be either plant area-based or system-based.

The triennial inspection will also include observation of a simulated post-fire safe shutdown from outside the control room -(e.g. from a remote shutdown panel and/or remote control stations), and observation of a fire brigade (and possibly offsite fire-department) drill for a simulated fire in a high risk area.

INSPECTION GUIDANCE:

General Guidance Triennial Insoection.

The triennial inspection is intended to apply, in an integrated, risk-focused and synergistic manner. sufficient resources for the potential development of risk significant findings.

The inspection will focus

)

on selected plant area post-fire safe shutdown scenarios and/or systems.

General topical areas requiring team member review are: the power plant's design, layout, and equipment configuration: the current licensing basis (i.e., fire protection regulatory framework): and the licensee's strategy / methodology for accomplishing post-fire safe shutdown.

Additionally, prior to the site visit (and using any modification packages obtained during the information gathering visit), the team members should become knowledgeable regarding plant design changes or modifications implemented since the plant's post-fire safe shutdown i

i capability was last reviewed by the NRC staff.

The team members should determine the plant's current post-fire safe shutdown licensing basis through review of NRC safety evaluation reports (SER) on fire i

protection, the plant's operating license. Updated Final Safety Analysis Report (USAR), and approved exemptions or deviations.

The team members should, before the inspection, examine the licensee's methodology for accomplishing post-fire safe shutdown conditions. This will be accomplished through a review of plant specific documents, calculations, and analyses including the Updated Final Safety Analysis Report (USAR). the latest version of the Fire Hazard Analysis (FHA), the latest version of the Post-fire Safe Shutdown Analysis (SSA), fire protection / post fire safe shutdown related 10 CFR 50.59 documentation, plant P& ids, and emergency / abnormal operating procedures. This effort will determine:

DRAFT 71111 Page 26 of 154 Issue Date: DRAFT l

l

o The licensee's methodology for achieving safe shutdown conditions in the event of fire in any area of the plant, e

The systems credited by the licensee as surviving the fire for accomplishing required shutdown functions (e.g.,

reactivity control, reactor coolant make-up, decay heat removal),

o The support system requirements of each shutdown system, and The licensee's approach for identifying and resolving associated circuits e

of concern.

This electrical review should consider the validity of assumptions and boundary conditions used in the performance of the analyses.

The procedures in place for accomplishing post-fire safe shutdown.

e The team members should assess the historical record of plant-saecific fire protection issues through review of plant specific documents includ ng: previous NRC Inspection results. internal audits performed by the reactor licensee (e.g.,

self assessments and Quality Assurance audits). Licensee Event Reports (LERs) submitted in accordance with 10 CFR 50.73, and Event Notifications submitted in accordance with 10 CFR 50.72.

Specific Guidance 03.01 Routine Insoection.

a.

The Specific Guidance Section and Appendices A and B of the referenced draft FPFI inspection procedure provide guidance for the review of fire detection and manual and automatic suppression capabilities, and barriers to fire propagation.

Guidance for the review of compensatory measures is in IN 97-48. " Inadequate or Inappropriate Interim Fire Protection Compensatory _ Measures."

2.

The Specific Guidance section and Appendix A of the referenced draft FPFI inspection procedure provide guidance for annual observations of fire brigades.

03.02 Triennial Insoection.

The triennial inspection is intended to 3rovide a risk focused look at all three components of defense-in-depth wit1 major emphasis on post-fire safe shutdown capability and configuration management.

The inspection will adopt, as appropriate, techniques developed in the referenced draft FPFI inspection procedure, which was written for the more extensive (two weeks onsite) " full-scope" pilot FPFI inspections.

The insaection team should consist of a fire protection engineer, a mechanica' engineer, and an electrical engineer. The risk focus will be provided by a senior reactor analyst who will provide extensive input into the planning process.

3.

Information gathering site visit and inspection plan development The senior reactor analyst will develop and present to the ins)ection team leader a fire risk results report using the methodo'ogy of Appendix I of the referenced draft FPFI inspection procedure.

The report will identify plant-specific, fire risk significant plant areas, structures, systems, components (SSCs), and operator actions Issue Date: DRAFT Page 27 of 154 71111 DRAFT

developed from risk information such as Independent Plant Examinations of External Events (IPEEEs).

The fire risk results report may also consider:

resident and regional inspector developed inspection results.

e plant-specific and non-plant s)ecific fire event information, 1

e e

licensee developed fire hazarcs analyses and plant-specific post-fire safe shutdown operating procedures, e

licensee developed fire protection program self-assessment documentation.

The development, presentation and finalization of the plant specific fire risk report may initially require approximately two weeks of work. However, it is expected that in most cases the report for the previous triennial inspection may only need validation and minor updates based on plant modifications or changes to fire protection methodology implemented since the previous inspection.

]

1 The inspection plan for the triennial inspection should take into account:

the results of previous fire protection inspections inc,luding j

e resident, regional, and team inspections; i

e the results of licensee self-assessments; e

the fire risk report, i

e previous industry problems, i

The plan should also consider the scope of previous triennial fire inspections, so that the inspections are not repetitively focused on the same area, fire zones and/or shutdown systems.

The ins plan should also be either plant area-based or system-based.pection b.

The inspection is planned for a one week onsite inspection period.

The areas or systems selected for review will be determined by the inspection' plan.

For those features selected in the plan specific inspection guidance pertaining to the features is contained in the referenced draft FPFI inspection procedure.

The SRA will provide input to the inspection report if significant problems are found regarding the validity and/or completeness of the IPEEE information and the degree to which it is reflected in the licensee's fire protection program and implemented in the licensee's post-fire safe shutdown capability.

The inspection team leader should ensure that, when risk significant inspection findings are developed in one or two of the three areas of defense-in-depth, adequate inspection effort is a lied in the inspection of the other area or areas of defense-in-d th.

RESOURCE ESTIMATE:

This procedure is estimated at 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> per year for routine inspection and 108 l

hours every 3 years for the triennial inspection.

REFERENCES:

)

DRAFT 71111 Page 28 of 154 Issue Date: DRAFT 1

J

IN 97-48, " Inadequate.or Inappropriate Interim Fire Protection Compensatory Measures," July 9, 1997;.

NRC ~Firef Protection Functional Inspection (FPFI) Draft for Prairie Island Inspection, April 6, 1998.

ROUTINE INSPECTION GUIDANCE TABLE CORNERSTONE RISK PRIORITY EXAMPLES INITIATING EVENTS (10)

Equipment or actions that could Transient combustibles (rags, wood, cause or contribute to initiation ion exchange resin. lubricating of fires in high fire risk areas or oil, or Anti Cs) are not in areas near equipment required for safe where transient combustibles are

shutdown, prohibited. Transient combustible amounts in other areas do not exceed administrative controls.

Ignition sources (welding.

grinding, brazing, flame cutting) have a fire watch. Planning includes precautions and additional fire prevention measures where these activities are near combustibles.

Issue Date: DRAFT Page 29 of 154 71111 DRAFT

MITIGATING SYSTEMS 190)

Fire Barriers in high fire risk Doors and dampers that prevent the

areas, spread of fires to/or between high fire risk areas remain in place and Detection Systems for high fire are functional, risk areas Electrical cable fire wraps and Automatic suppression systems for

. penetration seals that protect the high fire rask areas post fire safe shutdown train are not damaged.

Manual suppression from fire brigade Fire detection and alarm system is functional for high fire risk Compensatory measures for degraded

areas, fire detection equipment, suppression features and fire Automatic suppression system propagation barriers.

Sprinklers are not blocked.

Fire brigade performance indicates a prompt response with proper fire fighting techniques for the type of fire encountered.

Manual fire suppression equipment is of the proper type and has been tested.

Degraded fire detection equipment.

suppression features and fire propagation barriers are adequately compensated for on reasonably short-term bases.

i l

i DRAFT 71111 Page 30 of 154 Issue Date: DRAFT i

6 Flood Protection Measures INSPECTABLE AREA:

Flood Protection Measures April 21. 1999 CORNERSTONES:

Initiating Events Mitigating Systems INSPECTION BASES: Flooding has been shown to be a significant contributor to risk at some facilities.

In addition, flooding has the potential to make multiple trains of equipment and support equipment inoperable which would result in a significant increase in risk to the plant.

Flooding also has a significant consequence of preventing or liiniting operator mitigation and recovery actions.

LEVEL OF EFFORT:

Periodically inspect internal and external flood protection barriers (EstiL ad hours 20 per year)

-01 INSPECTION OBJECTIVE (S)

This inspection will focus on verifying that the licensee's flooding mitigation plans and equipment are adequate.

-02 INSPECTION REQUIREMENTS:

02.01 Inspection Preparation j.

Review the FSAR and related flood analysis documents to determine those areas that can be affected by flooding, including water intake facilities. Review plant specific risk studies for both external and internal flooding and the guidance of Appendix A.

For external

flooding, review seasonal susceptibilities.

Review licensee documentation that shows the design flood levels for areas containing safety equipment.

b.

Based on the risk studies, select an inspection sample from the activities listed below. Determine'the flood level for internal or external flooding. For sites where external flooding is a risk, use weather related information gathered during plant status reviews or from external news sources to assist in performing this inspection prior to the season of highest risk. Review of licensee preparations for other weather related plant che'lenges are contained in Baseline Inspection Procedure 71111. Attach.4nt 1. " Adverse Weather."

02.02 Inspection Activities a.

Inspect a sample of areas. rooms, and/or bunkers containing risk important equipment which are below design flood levels.

b.

Walkdown the selected area or room.

The following is a list of walkdown attributes to be considered for the inspection.

Only inspect those attributes which are significant for the site specific installation.

Sealing of equipment below the floodline. such as electrical I

conduits Issue Date: DRAFT Page 31 of 154 71111 DRAFT

l Holes or unsealed penetratioris in floors and walls between i

flood areas Adequacy of watertight doors between flood' areas.

Common drain system and sumps, including floor drains, between flood areas including operable check valves, when credited for isolation of flood areas.

Operable sump pumps i

Sources of potential internal flooding that are not analyzed j

or not adequately maintained, for example failure of flexible piping expansion joints, failure of fire protection system sprinklers, roof leaks, rest room backups, and failure of J

service water lines c.

Ins)ect underground bunkers / manholes subject to flooding, if these buncers contain multiple train or multiple function cables and are determined to subject to flooding.

By observation / design review

- consider the following attributes.

Only inspect those attributes which are significant for the site specific installation.

Operable sump pumps with adequate capacity to limit design flooding

)

Operable level alarm circuits j

Cables / splices qualified for submergence.

j Adequate drainage away from the bunker / manhole j

02.03 Operator actions For those areas where operator actions are credited, observe that the procedures can reasonably be usec to achieve the desired actions, including whether the flooding event could limit or preclude the required operator actions. Determine whether transient activities could encumber these actions and if so, whether the licensee has recognized and addressed the situation.

02.04 Severe Flooding If the potential for severe flooding from rising river levels / hurricanes exists, check to see if the licensee has instructions for shutdown.

If applicable, select a system and verify that this system would be available to perform a reactor shutdown under the worst case water levels assumed, prior to requiring the shutdown. Verify that the licensee has adequate equipment on hand to install flood barriers (stoplogs, sandbags, floodwalls) where required by design.

02.05 Problem Identification and Resolution I

Flooding has the potential to cause common mode failure of equipment in multiple areas.

During plant status reviews verify that the licensee has entered identified problems in their corrective action system. For significant problems, which have the potential to impact multiple plant areas and systems, verify licensee resolution.

See Baseline Inspection Procedure 71152, " Identification and Resolution of Problems," for additional guidance.

DRAFT 71111 Page 32 of 154 Issue Date: DRAFT l

m 03 APPENDIX A:

INSPECTION GUIDANCE:

Cornerstone Inspection Risk Priority Example Objective Initiating Events Identify internal Potentials for Adequate (40%)

or external common-cause maintenance of.

flooding which failures expansion joints could cause on high initiating events Barriers between volume / low l

flood areas pressure systems Unanalyzed Firewater sources of sprinkler l

internal flooding maintenance Areas below the Unusual testing flood plane configurations for large volume Locations water systems containing high volume / low Mitigating Identify internal pressure systems.

Water-tight doors Systems or external such as (60%)

flooding events firewater, sump pumps and which could cause service water and alarms loss of safe-component cooling shutdown water. especially Adequate sealing equipment in areas contain of safe-shutdown flexible piping electrical expansionjoints equipment below the flood line Site specific:

hurricane Check valves in river / level open drain caused flooding systems comon to different flood areas 04 REFERENCES Baseline Inspection Procedure 71111. Attachment 1. " Adverse Weather" l

Baseline Inspection Procedure 7115?.. " Identification and Resolution of Problems"

\\

l Issue Date: DRAFT Page 33 of 154 71111 DRAFT l

i

DRAFT 71111 Page 34 of 154 Issue Date: ORAFT i

J

, 7 Heat Sink Performance 5/6/99 INSPECTABLE AREA: Heat Sink Performance CORNERSTONES:

Initiating Events (20%)

Mitigating Systems (80%)

INSPECTION BASES: Heat.exchangers and heat sinks are required to remove decay heat.

and provide cooling water support for operating equipment.

Degradation in performance can result in' failure to meet system success criteria, and lead to increased risk primarily due to common cause failures.

This inspectable area verifies aspects of the associated cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT:

One observation per year of heat exchanger performance testing. One heat sink performance inspection by a specialist every two years.

Estimated hours: Annual review 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Biennial review 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

-01 INSPECTION OBJECTIVES 01.01 To identify any potential heat exchanger performance testing deficiencies which could mask degraded performance.

01.02 To identify any potential common cause heat sink performance problems that have the potential to increase risk.

01.03 To verify that the licensee has adequately identified and resolved heat sink erformance problems that could result in initiating events or affect multi le heat exchangers in mitigating systems and thereby increase risk.

-02 INSPECTION REQUIREMENTS 02.01 Annual Review a.

Once per year. observe a heat exchanger performance test or inspection.

Select a heat exchanger in a system that is ranked high in the 11 ant specific risk assessment, or is in a system listed in MC 2515*. Attac1 ment l

S. " Risk Information Matrix No. 2.~

Verify the following items:

Test acceptance criteria (differential temperatures, differential l

3ressures, and flows) or inspection are consistent with the design Jasis.

Test or inspection acceptance criteria and results have appropriately considered differences between testing conditions and design conditions (functional testing at design heat removal rate may not be practical).

Issue Date: DRAFT Page 35 of 154 71111 DRAFT

Frequency of testing or inspection is sufficient (given the potential o

for fouling) to detect degradation prior to loss of heat removal capabilities.

]

Test results have considered test instrument inaccuracies and differences.

Additional background information and guidance is provided in Generic j

Letter 89-13, " Service Water System Problems Affecting Safety-Related l

Equipment" and other references listed at the end of this inspectable area.

b.

During the Plant Status review, identify issues related to heat sink performance and determine if the issue is aroperly described in the licensee's corrective action program and if t1e issue / condition has the

)

potential to increase the frequency of an initiating event or if the issue / condition degrades mitigating system performance.

The inspector j

should focus on events or conditions that could cause the loss of a heat sink due to events such as ice buildup, grass intrusion, or blockage of f

pipes and components by other foreign materials.

The inspector should determine if the licensee has appropriately considered common-cause failures. Refer to IP 71152 " Identification and Resolution of Problems."

for further guidance in this area.

02.02 Biennial Review q

a.

Select 2-3 heat exchangers/ sinks for systems that are ranked high in the l

plant specific risk assessment or are listed in MC 2515*. Attachment 5.

" Risk Information Matrix No. 2.~ for in-depth review. Consider both normal l

and ultimate heat sinks for review.

b.

For the selected heat exchangers/ sinks.

verify that testing or l

inspection / maintenance is adequate to ensure proper heat transfer.

l (1)

For testing, review the method and results of heat exchanger / sink i

performance testing.

Verify the following items:

Test acceptance criteria (differential temperatures, l

differential pressures, and flows) are consistent with the design basis.

Test acceptance criteria and results have appropriately considered differences between testing conditions and design conditions (functional testing at design heat removal rate may not be practical).

Frequency of testing is sufficient (given the potential for fouling) to detect degradation prior to loss of heat removal capabilities.

Test results have considered test instrument inaccuracies and differences.

(2)

For maintenance / inspection verify that maintenance and inspection activities are sufficient to assure adequate heat transfer.

Applicable maintenance and inspection activities may include heat treatments of cooling systems. Dackflushing, assessment and control DRAFT 71111 Page 36 of 154 Issue Date: DRAFT

of biotic fouling and corrosion (such as shells, seaweed, corbicula, and microbiological induced corrosion), and tube leak monitoring.

c.

For the selected heat exchangers, verify condition and operation is consistent with design assumptions in heat transfer calculations.

For example, verify tube plugging is consistent with design assumptions.

d, During the two year inspection, select for review 2 -3 issues in the licensee's corrective action 3rogram related to degraded heat sink 3erformance including issues re'ated to silting, corrosion. fouling, and leat exchanger testing.

If any loss of heat sink events have occurred, these should-receive the priority for review.

Review the corrective actions to determine if actions were sufficient to prevent recurrence of i

the problem.

Refer to IP 71152, " Identification and Resolution of I

Problems," for further guidance in this area.

f

-03 INSPECTION GUIDANCE Refer to the guidance below for selecting inspection activities to achieve l

each cornerstone objective and to those activities that have a risk priority.

Cornerstone Inspection Risk Priority Example Objective Initiating Evaluate licensee Common-cause Icing of a

)

Events problem issues affecting circulating (20%)

identification and heat removal water and resolution for capabilities.

service water events, issues, or intake conditions structure.

involving the degradation or loss of both the normal and ultimate heat sinks.

Mitigating Identify any Heat exchanger Degraded Systems potential degraded selection should containment (80%)

performance of heat focus on the cooling or exchangers potential for component common-cause cooling water failures or on heat exchanger potentially high performance due risk heat corrosion, exchangers with

fouling, a low margin to silting, etc.

their design

)oint or the ligh potential for fouling.

-04 REFERENCES NUREG 1275 Vol. 3 Operating ' Experience Feedback Report-Service Water System Failures and Degradatjons i

NUREG/CR-5865 Generic Service Water System Risk-Based Inspection Guide Issue Date: DRAFT Page 37 of 154 71111 DRAFT

NUREG/CR-0548 Ice Blockage of Water intakes Generic Letter 89-13 Service Water System Problems Affecting Safety-Related Equipment IE Bulletin 81-03 Flow blockage of Cooling Water to Safety System components by Corbicula (Asiatic Clams) and Mytilus (mussel)

Information Notice 81-21 Potential Loss of Direct Access to Ultimate Heat Sink Information Notice 85-30 Microbiologically Induced Corrosion of Containment Service Water System Information Notice 86-96 heat Exchanger Fouling Can Cause Inadequate Operability of Service Water System Information Notice 88-37 Flow Blockage of Cooling Water to Satisfy System Components Information Notice 90-39 Recent Problems With Service Water Systems Information Notice 94-03 Deficiencies Identified During Service Water system Operational Performance Inspections Information Notice 94-79 Microbiologically Influenced Corrosion of Emergency Diesel Generator Service Water Piping Information Notice 96-36 Degradation of Cooling Water Systems Due to icing Information Notice 96-45 Potential Common-Mode Post-Accident Failure of Containment Coolers Information Notice 98-02 Nuclear Power Plant Cold Weather Problems and Protective Measures DRAFT 71111 Page 38 of 154 Issue Date: DRAFT

I

' 8

^

Inservice Inspection Activitios 5/6/99

-INSPECTABLE AREA: Inservice Inspection Activities CORNERSTONES:

Initiating Events (50%)

Barrier Integrity (50%)

INSPECTION BASES: ISI activities can detect precursors to RCS pressure boundary failures.

Degradation of the reactor coolant -system, steam generator tubes, or safety related support systems would result in a significant increase in risk. This inspection is intended to verify that the licensee has an effective program for monitoring degradation of reactor coolant system boundary.

This inspectable area verifies aspects of the Initiating Events and Barrier Integrity cornerstones for which there are 'no indicators to measure performance.

LEVEL OF EFFORT:

Sample of inservice inspection activities to be reviewed once per refueling cycle.

Estimated Hours:

24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> / refueling outage

.-01 INSPECTION OBJECTIVE (S):

01.01 Verify that the program for monitoring degradation of reactor coolant system boundary is effective.

-02 INSPECTION REQUIREMENTS:

02.01 Insoection Comoosition This review should be performed by an inservice inspection specialist.

02.02 Scope:

The scope of this inspectable area is limited to the reactor coolant system

)

pressure boundary components.

02.03 Refuelina Cycle Review:

a.

Once per refueling cycle, review a sample of non-destructive examination (NDE) activities.

The review sample should consist of:

2 2 types of non-destructive activities Order of Preference for Reviewed NDE activities:

1.

Volumetric Examinations 2.

Surface Examinations 3.

Visual Examinations For each NDE activity reviewed, perform the following through either direct observation (preferred method) or record review:

Issue Date: DRAFT Page 39 of 154 71111 DRAFT

Verify that the activities are ' performed in accordance with Code o

requirements.

Verify that indications and defects, if present, are appropriately dispositioned, b.

Review a sample of rejectable indications / defects which have been accepted by the licensee for continued service.

Verify that the licensee's acceptance for continued service was appropriate, c.

Review radiographs for at least three welding activities. Verify that the welding and acceptance were performed in accordance with Code requirements.

d.

Review a sample of Section XI Code repairs and replacements.

Verify repairs and replacements meet Code requirements.

e.

Verify that a sample of identified problems associated with or by the inservice inspection program have been entered into the licensees corrective action program. Verifythat theinservice inspection program has been reviewed as part of the licensee's audit process. Use Inspection Procedure 71152,

" Identification and Resolution of Problems," for guidance to perform this review.

02.04 Periodic Review As required, review non-Code re) airs. Verify that the non-Code repairs are performance in accordance with 'icensee commitments concerning the repairs.

-03 INSPECTION GUIDANCE:

Cornerstones Inspection Risk Priority Examples Objective Initiating

. Verify that the RCS Penetration Reactor Vessel Events program for Piping Ultrasonic (50%)

monitoring Examination degradation of Reactor Vessel Barrier reactor coolant Steam Generator Integrity system boundary Steam Generator Tube Eddy Current (50%)

is effective Tubes Testing Recirculation Piping Significant Non-Code Repairs

-04

REFERENCES:

ASME Boiler and Pressure Vessel code Sections III. V. IX, and XI DRAFT 71111 Page 40 of 154 Issue Date: DRAFT

, 9 Inservice Testing of Pumps and Valves

]

f 5/5/99 i

INSPECTABLE AREA: Inservice Testing of Pumps and Valves - ASME Section XI I

{

CORNERSTONES: Mitigating Systems INSPECTION BASES: Inservice testing provides indication of equipment availability and reliability. Improper testing could result in undisclosed i

problems that last until the next required testing, unless i

discovered through failure while in service earlier, creating long periods of unknown equipment availability.

This inspectable area verifies aspects of the Mitigating Systems j

cornerstone for which there are no indicators to measure i

performance, j

LEVEL 0F EFFORT:

Select 2 tests per month.

For component selection, use plant specific information if available. Selection will also be based on the history of previous licensee implementation problems in this area, any adverse trends identified within the Section XI pump or valve trending program, and/or following significant maintenance or modification activities on specific components.

For valve testing, select samples from different valve groups to increase the inspection's sensitivity to common cause failures. (Estimated hours - 64)

Hours assumes observation of 24 tests on high risk components with associated identification and Resolution of problems / Issues time.

01 INSPECTION OBJECTIVE Perform evaluations of mitigating system equipment to determine the effectiveness of the program to determine equipment availability and reliability.

02 INSPECTION REQUIREMENTS:

02.01 Select Components to Review. Select 2 components each month based from plant specific risk information (if plant specific risk information is not available, generic guidance from MC 2515 Appendix C may be used).

02.02 Valve Testing.

Evaluate test procedures in the following areas to ensure testing is being conducted in accordance~ with the code requirements for valve testing as applicable to the selected valve:

a.

For power-operated valves, evaluate the test method, acceptance criteria (including the limiting value for stroke time), and required corrective action for stroke timing power-operated valves. Verif3 ' hey are in agreement with the IST program and applicable version of ASME action Issue Date: DRAFT Page 41 of 154 71111 DRAFT

Xl.

Verify during testing that the valve is declared inoperable if the limiting stroke time is exceeded. Verify during testing that the licensee follows the Code requirements for corrective action if the stroke-time acceptance criteria is exceeded.

b.

For power-operated, manual, and passive valves with remote position indication, verify these valves are subject to position indication verification once every two years.

For all valves that have leak rate test requirements (Category A),

c.

evaluate the leak rate testing if this testing is being performed.

d.

For check valves, evaluate the adequacy of check valve flow testing, mechanical exercising, and disassembly and inspection where applicable.

e.

For manual valves, ensure that exercising is performed in accordance with the Code.

f.

For safety and relief valves, verify the set pressure test frequency and method 02.03 Pump Testing. Evaluate pump testing in the following areas for each test selected:

a.

Review pump testing methods, acceptance criteria, and required corrective action, specified in the pump test procedure. Verify that they are in accordance with the IST program and applicable version of ASME Section X1.

b. Ensure that testing is performed at established reference values.

c.

For pump test instrumentation, verify the range and accuracy requirements of the code are met or that appropriate relief for Code deviations has been obtained.

d.

For pump testing where minimum-flow recirculation flow paths are used during testing in accordance with the guidance in NRC Generic Letter 89-04 Position 9, verify that the staff has issued an approved relief request and that the test meets the guidance of Position 9.

e.

For pumps which have a parameter in the " Alert Range " verify that the J

test frequency has been doubled from the previous test and that the pump parameter is maintained in the " Alert Range" until the cause of the deviation is determined and the condition corrected.

f. For aump test results in the " Required Action Range". verify that pumps l

are dec'ared inoperable in completed test procedures.

Verify compliance with applicable technical specification ACTION statements and applicable reporting requirements when components are declared inoperable as a result of the inservice test. Ensure that the Code-specified corrective actions were taken.

j 02.04 Test Results (Problem Identification and Resolution) l DRAFT 71111 Page 42 of 154 Issue Date: DRAFT l

a.

For those tests that do not meet acceptance criteria, review method of test data comparison to previous tests and actions taken on components to determine whether problem is repetitive.

b.

Review the documented results of engineering evaluations performed for inoperable components, particularly root cause analysis of the problem and the bases for returning the components to opcrable status.

03 INSPECTION GUIDANCE:

Certain pumps and valves are subject to inservice testing requirements of 10CFR

)

50.55a. Those pumps and valves that are designated American Society of Mechanical Engineers (ASME) Code Class 1. 2. or 3. and per the ASME Boiler and Pressure j

Vessel Code (BPV Code) or the ASME Operations and Maintenance Standards or Code

{

(OM Code) are required to perform a specific function in shutting down a reactor to the safe shutdown condition, in maintaining the safe shutdown condition, in mitigating the consequences of an accident. or in providing over pressure

. protection. Only pumps performing these functions which are provided with an emergency power source, other than solely for operating convenience, are included in the scope. In addition to the ASME BPV Code and OM Code, guidance has been

)

issued by the NRC in Generic Letter (GL) 89-04 and NUREG-1482.

The following documents will provide the history of the IST program: (1) all current NRC IST safety evaluations: (2) the IST program document (s) which may include administration procedures and the current revision of the IST program; and (3) any submittal to the NRC that includes revisions to the current documents.

Procedures for implementing the testing will generally be operating procedures i

or surveillance 3rocedures specific to a component or a group of components (e.g.

one procecure may test only a pump, while another may test a pump and a group of valves, or may be limited to a group of valves). The calibration of the instruments will generally be performed onsite. though some instruments (e.g.,

vibration monitoring) may be calibrated at an offsite facility. Training for the individuals conducting the testing will generally be included in special classes or as part of a broader course on various surveillance requirements.

The inspector should review the test procedure and the piping and instrument diagrams for the components selected prior to the test.

Detailed inspection guidance on programmatic areas of IST is contained in Inspection Procedure 73756.

03.01 Select Sample Components to Review. Select 2 components each month based on plant specific risk information. If plant saecific risk information is not available, generic guidance from MC 2515 Appencix C may be used. RIM 2 does not reach the component specific level but may be used as a last choice to obtain systems based on risk. The selection of components within the system would then have to be made based on history and inspector experience.

Selection will also be based on the history of previous licensee implementation problems in this area, any adverse' trends identified within the Section X1 pump or valve trending program, and/or following significant maintenance or modification activities on specific components. For valve testing, select samples from different valve groups to increase the inspection sensitivity to common cause failures. At least one pump test should be observed every 3 months.

03.02 Valve Testing Issue Date: DRAFT Page 43 of 154 71111 DRAFT

a. The licensee should determine changes in stroke times of power-operated valves by comparing measurements to either a reference stroke time value or the previous test measurement. If stroke time measurements are compared to reference values this method of comparison should be documented in the program.

Ensure that the limiting values are based on stroke times measured when the l

valve is in good condition and operating properly. The limiting value should represent a reasonable deviation from the reference stroke time.

Verify that limiting stroke times do not exceed any design values. Ensure stroke time limits are readily accessible during testing and that l

instructions are provided for actions to take if criteria is exceeded.

However, ra)id-acting valves can have a limiting stroke time of 2 seconds (reference position 6 of GL 89-04).

b.

The Code requires that valves with remote position indications shall be observed locally at least once every 2 years to verify that valve operation is accurately indicated.

Guidance on position indication verification is given in Sections 4.2.5 and 4.2.6 of NUREG-1482.

l c.

Valves that have a specific leakage limit are designated as " Category A" valves. The leakage test may be of an individual valve or a group of valves. For pressure isolation valves, generally an individual leakage test l

is required. See Sections 4.4.5, 4.4.7. and 4.4.8 of NUREG-1482.

d.

Check valves are tested by ensuring the capability to full-stroke to the position (s) required to fulfill the safety function (s) of the valve.

The acceptance criteria established in the test procedure should ensure that this requirement is met.

Guidance on testing check valves is given in GL 89-04. Positions 1 and 2. and in Section 4.1 of NUREG-1482.

e.

Active manual valves are required to be exercised by the Code.

Guidance on manual valves is given in Section 4.4.6 of NUREG-1482.

f.

A valve which has a stamped set pressure and can be adjusted is considered a relief valve. Check valves may serve a relief valve function, l

but if they do not have a stamped set pressure and cannot be adjusted, they should be tested in accordance with the requirements for check valves.

Guidance on testing safety and relief valves is given in Sectwn 4.3 of I

NUREG-1482. Valves which provide an overpressure protection,uaction but do not have their own safety function are the subject of recent Code action which may eliminate the requirements for additional valve testing for certain types of pressure relief devices. See Section 4.3.9 of NUREG-1482.

1 03.03 Pump Testing a.

Test procedures should include all steps necessary to comply with code requirements and to ensure repeatable test conditions. Acceptance criteria should be included in the test procedure with instructions for actions to take if the criteria is exceeded.

b.

The Code requires that reference values from the results of either l

preservice tests or the first inservice test, shall be taken at points of operation readily duplicated, and only be established when the pump is known to be operating acceptably.

For systems with constantly changing l

demand, the licensee might establish multiple sets of reference values per DRAFT 71111 Page 44 of 154 Issue Date: DRAFT j

the code. The use of a reference curve does not meet the code recuirements.

I Guidance on the use of pump curves is given in Section 5.2 of hUREG-1482.

c.

Pump test instrument ranges and calibration accuracies must meet the code requirements. Guidance is given in Section 5.5 of NUREG-1482.

d.

Evaluate cases where the minimum-flow line is the only pump test flow path and verify the installation of flow rate instruments. Ensure the code i

requirements are met. Evaluate the basis for determining that the flow rate through pumps tested in a low flow condition is sufficient to prevent pump j

damage.

(

Determine if there are cases where flow can be established only through a

(

non-instrumented minimum-flow path during quarterly pump testing, but a path exists that could be used for testing during cold shutdown or refueling outage conditions. In these cases, an increased interval between tests is acceptable.

Ensure that oump differential pressure, flow rate, and bearing vibration are measured curing cold shutdown or refueling outage testing. Verify at least pump differential pressure and pump bearing j

vibration are measured quarterly.

Ensure data is recorded. Trending of test data is desirable. Ensure that pumps tested in this manner are

)

identified in the IST program.

NRC Bulletin 88-04 requested that licensees investigate and correct two potential design concerns in safety-related pump minimum flow systems: (1) strong - weak pump interaction, and (2) installed minimum flow capacity.

The inspector may review the response (s) and determine whether the pumps selected were addressed in the licensee's response and that their proposed resolutions were implemented.

e.

Although a pump in the alert range is still considered operable, the justification for maintaining components in the alert range and the reasons why timely corrective action has not been implemented should be evaluated.

(Refer to IN 97-90 in relation to the effect of pump degradation on the design basis of the system) f.

The code requires that a pump be declared inoperable when the required action limits are exceeded. If a problem with instrumentation is suspected, instruments may be re-calibrated and the test rerun. If a pump exceeds the alert limits, the test frequency is to be doubled (i.e., for a quarterly pump test, the test would be performed once every six weeks).

03.04 Test Results (Problem Identification and Resolution) a.

Evaluate the test data trending. if the licensee trends the data, and i

actions taken for components found to be degraded or that require frequent corrective maintenance. For these components. determine if an engineering evaluation was performed that adequately addressed the root cause. Assess the -licensee's actions if the components represent a generic class of components at the plant or if the mode of degradation is likely to affect other components in the system. Review any engineering evaluations which were performed to return a component to operable status in lieu of other corrective actions.

b.

The component should have been declared inoperable in a timely manner and ap Range.propriate actions taken for test results in the " Required Action For components addressed by plant technical specifications that.

Issue Date: DRAFT Page 45 of 154 71111 DRAFT

if declared inoperable, would result in entering an ACTION statement.

verify appropriate information is in the test plans or test records such that those responsible for the test can make a timely determination whether the data meets the acceptance criteria and the component is operable.

Determine if the licensee is complying with applicable reporting requirements of the code and of 10 CFR 50.72 and 50.73.

04 RESOURCE ESTIMATE This inspection procedure is estimated to take 64 hours7.407407e-4 days <br />0.0178 hours <br />1.058201e-4 weeks <br />2.4352e-5 months <br />.

05 REFERENCES 05.01 American Society of Mechanical Engineers:

Boiler and Pressure Vessel Code Section XI, Subsections IWP and IWV, various editions.

Doerations and Maintenance Standards, Parts 6 and 10, OMa-1988 Addenda.

Operations and Maintenance Code, 1990 Edition.

05.02 U. S. Nuclear Regulatory Commission:

Bulletin 88-04, " Potential Safety-Related Pump Loss." May 5, 1988.

Code of Federal Reaulations. Title 10 Part 50 Section 50.55a, " Codes and Standards."

Generic Letter 89-04, " Guidance on Developing Acceptable Inservice Testing Programs," April 3, 1989.

Information Notice 97-90, "Use of Nonconservative Acceptance Criteria in Safety-Related Pump Surveillance Tests," December 30, 1997 4

NUREG-1482,

" Guidelines for Inservice Testing at Nuclear Power Plants,"

April 1995.

DRAFT 71111 Page 46 of 154 Issue Date: DRAFT

IST INSPECTION GUIDANCE TABLE CORNERSTONE RISK PRIORITY EXAMPLES MITIGATING SYSTEMS Valves that provide an Valves that change i

important function to position to provide a l

mitigating systems as safety injection flow L

designated from plant path to the Reactor specific risk studies.

Coolant System.

)

Pumps for systems Valves that have a designated from plant containment isolation specific risk studies or function.

from RIM 2 that provide an important safety Pumps that provide function.

injection water on a safety injection signal.

l Pump and valve types l

that could be Pumps that provide contributors to common cooling water for cause risk concerns equipment needed for l

safe shutdown.

j e

i i

)

l l

Issue Date: DRAFT Page 47 of 154 71111 DRAFT

1 l

i i

i l

s I

l l

l DRAFT 71111 Page 48 of 154 Issue Date: ORAFT 0

Large Containment Isolation Valve Leak Rate and Status Verification (5/12/99)

INSPECTABLE AREA Large Containment Isolation Valve Leak Rate and Status Verification CORNERSTONES:

Barrier Integrity (100%)

INSPECTION BASES: Inspection of the large containment isolation valve leak rate and status verification area supports the Barrier Integrity cornerstone because the valvesi of most concern from a PRA viewpoint tend to be large valves (i.e..

>81nches) with rubber seats (i.e., containment ventilation isolation valves).

Industry experience has shown that the valve seats tend to dry out over long periods and fail to maintain their leakage integrity. Pressurized water reactor containment purge valves are routinely opened during plant operation to reduce containment pressure.

Frequent cycling of these valves results in degradation of the valve seats, along with other critical containment penetrations (as described in this baseline inspection procedure) continue to meet the design j

leakage requirements and that the maintenance and testing efforts are

{

appropriate.

The limited inspection activities detailed in this inspectable area help verify j

the accuracy of the containment penetration leakage performance indicator (PI) 1 of the Barrier Integrity cornerstone.

LEVEL OF EFFORT:

Resident Staff (Estimated hours - 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> per year)

INSPECTION OBJECTIVE (S):

At pressurized water reactors (PWRs), monthly verify the number of hours the containment on-line purge valves were open, looking for increasing trends.

At refueling intervals (PWRs & BWRs). observe one local leak rate test (LLRT) for a large valve, preferably with large flexible seat areas (e.g.,

on-line containment exhaust valves, containment supply and purge valves and suppression pool vacuum breakers and hardened vents).

Verify that the licensee has established containment integrity prior to commencing heat up of the reactor coolant system (RCS) above 200*F.

Evaluate the adequacy and implementation of the licensee's process designed to ensure and maintain containment integrity.

Evaluate the adequacy and implementation of the licensee's process designed to mitigate a radioactive release in the event of a loss of containment integrity following a loss-of-coolant accident (LOCA).

INSPECTION REQUIREMENTS:

02.01 Insoection Comoosition: The resident staff will select applicable portions of the baseline inspection procedure when completing the monthly and refueling interval review using both performance and risk in selecting the areas inspected.

It is not the intent of this baseline inspection procedure, for the resident staff to complete all of the activities included in this procedure.

Issue Date: DRAFT Page 49 of 154 71111 DRAFT

02.02 Containment intearity checks: This inspection should be performed during each unit cold shutdown outage before a final containment closeout in preparation for RCS heat up above 200 F.

Observe a selected portion of the containment isolation lineup and independently verify whether large valves, dampers and airlock doors are in their required positions, shut, capped and locked if required.

Where possible confirm control room large valve position indication by direct observation of valve mechanisms.

For large valves that isolate on a containment isolation signal, verify proper breaker position and availability of power supply. Also, for large motor and air-operated valves, verify they are not mechanically blocked and power is available, unless.it is required to be otherwise.

Inspect large piping and the associated test for possible leakage paths. Alternate which items are inspected so that accessible large containment penetrations are periodically inspected. Prioritize the selected items based on safety significance and performance history.

Considering both past valve performance (as reflected in the licensee's 10 CFR 50 Appendix B. program) and plant risk, review the following items.to determine the effectiveness of the facility's ability to maintain containment integrity.

j.

Verity through local observation the proper positioning of electrical and mechanical barriers and isolation valves associated with several separate containment penetrations (emphasis should be place on large penetrations and air locks, and Appendix J. Option B components, with poor LLRT history which have a pathway to the environment).

k.

Witness the ecuipment and/or personnel air lock local leak rate test performec after final containment closure.

12.

Walk down an assessable portion of a system designed to maintain containment integrity or to mitigate a radioactive contamination release in the event of a LOCA. The walkdowns conducted should cover containment penetration isolation actuation systems (not including the actual isolation valves) with emphasis on large penetrations and air locks and Appendix J. Option B components, with poor LLRT history which have a pathway to the environment.

13.

The inspector should verify the proper alignment of each component in the containment support system inspected.

If warranted by previous facility performance and any observation noted during this portion of the inspection, review the applicable portions of the licensee's corrective action program to assess the effectiveness of i

its containment integrity program and to implement appropriate corrective actions.

j 02.03 Surveillances of orimary containment intearity:

Observe the licensee's periodic surveillances of primary containment integrity as required by Technical Specifications (TS).

This review should cover surveillances performed during unit operation with RCS temperature above 200 F.

Considering both past valve performance and plant risk review the following items to determine the effectiveness of the facility's ability to test primary containment integrity.

DRAFT 71111 Page 50 of 154 Issue Date: DRAFT l

lhe following periodic surveillances should be included in the reviewed:

j.

Verification of the time, as applicable, proper alignment, operability, and isolation for primary containment )enetrations.

A monthly alignment check of each penetration tlat is required to be closed for'an LOCA and is not capable of being closed by o)erable automatic isolation valves should be performed.

This cleck is not required for any closed penetration located inside containment if that penetration is locked, sealed, or otherwise secured in the closed position.

However, these penetrations should be verified closed during each cold shutdown.

Most plants today run 100-200 days at a time and are only in a cold shutdown condition during refueling outages, which are normally less than 45 days.

(Emphasis should be place on large penetrations and air locks and A)pendix J. 0) tion B components, with poor LLRT history whic1 have a pat 1way to the environment.).

Demonstration of air lock operability Demonstration of the operability of TS specified containment isolation valves (a) by verifying actuation upon initiation of a containment isolation test signal during a cold shutdown or refueling at least once per 18 months (emphasis should be place on large penetrations and air locks and Apaendix J. Option B components, with poor LLRT history whic1 have a pathway to the environment).

(b) by verifying that the valve isolation time is within TS limits at the frequency prescribed by the ASME Boiler and Pressure Vessel Code and applicable Addenda (emphasis should be place on large penetrations and air locks and A3pendix J. Option B components, with poor LLRT history w11ch have a pathway to the environment).

Verification of the operability and alignment of the containment purge supply and cinaust isolation valves (PWRs) or the drywell and suppression chamber purge supply and exhaust isolation valves on boiling water reactors (BWRs)

Verification of the operability and alignment of the containment

+

vacuum relief valves or the suppression chamber - drywell vacuum breakers and the reactor building - suppression chamber vacuum breakers (Mark I BWRS).

Determination that required containment and drywell penetrations are isolated before conducting containment purge system operability checks.

Verification of the BWR main steam isolation valve (MSIV) reliability and leak tightness.

If warranted by previous facility performance and any observation noted during this portion of the inspection, review the applicable portions of the licensee's corrective action program to assess the effectiveness of its containment integrity program and to implement appropriate corrective actions.

02.04 Containment air locks and orimary containment isolation valve checks:

Considering both past air lock and valve performance and plant risk, review the following items to determine the effectiveness of the facility's process to maintain containment air locks and primary containment isolation valves integrity.

Issue Date: DRAFT Page 51 of 154 71111 DRAFT i

E 11.

Determine it post-maintenance operability taas verified during the past 6 months for containment air locks and several large primary containment isolation valves prior to RCS heat up above 200*F.

02.05 TS reauired surveillances checks:

Considering both past surveillance l

performance and plant risk, review the following items to determine the effectiveness of the facility's ability to maintain containment air locks and i

L primary containment isolation valves integrity.

le control of containment building venting and purging operations l

02.06 Findinas:

The inspector should document inspection results including inspection findings.

These inspection findings should be previously reviewed and documented to' include the following:

issues which prevented successful verification of inspection attributes l..

used the Significance Determination Process (SDP) use the Enforcement Strategy e

l REFERENCES 10 CFR 50 Appendix J including Option B Standard Technical Specifications l

ACRONYMS:

BWRs boiling water reactors LLRT local leak rate test i

.LOCA loss-of-coolant accident MSIV main steam isolation valve

,/

PI performance indicator PWRs pressurized water reactors RCS reactor coolant system i

SDP Significance Determination Process TS Technical Specifications END l

l i

DRAFT 71111 Page 52 of 154 Issue Date: DRAFT 1

Licensed Operator Requalifications (4/30/99)

CORNERSTONES:

Mitigt. ting Systems (E%)

Barrier Integrity (25%)

+-

Emergency Preparedriess' INSPECTION BASES: Inspection of licensed operator requalification area supports the Mitigation Systems. Barrier Integrity and Emergency Preparedness cornerstones because it can assess operator performance adequacy in responding to events.

This inspection evaluates operator performance in mitigating the consequences of events.

Poor operator performance results in increase risk due to its impact on the human factors terms, and assumed operator recovery rates and personnel induced common cause error rates assumed in the facilities individual plant examinations (IPEs). Human performance errors and failures to recover from accident. events are the most risk important events at a facility.

This inspectable area verifies: (1) procedure quality (operation procedure-post events) and human performance (human error-post events) key attribute of the Mitigating Systems cornerstone for which there are no indicators to measure performance: (2) human performance (human error-post accidents / events) key attribute of the Barrier Integrity cornerstone for which there are no indicators to measure performance; and (3) emergency response organization (ERO) performance

[self assessment, severe accident management guides (SAMG) implementation & actual event response] key attributes of the Emergency Preparedness cornerstone for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Biennial review by Regional Specialist (Estimated hours

.96 biennially)

Note: (1) Includes in office review of tests performeo by the regional specialist.

(2) It is expected that the actual hours required to complete the -inspection may vary from the estimate. The inspection hours allocated for the inspection procedure are an estimate for the typical plant for budgeting purposes. Inspections at superior performers would normally be completed in less than the estimated hours.

The hours expended during an inspection should be tailored for the facility licensee and accurately recorded.

(3) Depending on availability. resident staff members can assist the regional specialist during the biennial review.

Simulator review by Resident Staff (Estimated hours - 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per quarter)

INSPECTION OBJECTIVE (S):

Issue Date: DRAFT Page 53 of 154 71111 DRAFT

Verify that the licensee's requalification program for licensed reactor operators (R0s) and senior reactor operators (SR0s) ensure safe power plant operation and include training on high risk operator action based on senior reactor analysis (SRA's) input.

Verifying the facility licensee's effectiveness in evaluating and revising the requalification program for licensed operators based on their operational performance, including requalification examinations; verifying the facility licensee's effectiveness in ensuring that the individuals who are licensed to operate the facility satisfy the conditions of their licenses as specified in 10 CFR 55.53 and verifying the performance of the facility licensee's licensed operators' requalification program and determining the need for additional inspections or NRC-conducted examinations.

INSPECTION REQUIREMENTS:

02.01 Team Comoosition (Biennial Review):

l The inspection team should include qualified oaerator examiners with expertise relevant to the plant (s) being eva'uated.

Normally, an inspection team would include individuals with operations backgrounds and individuals with plant-specific knowledge.

(0uarterly Review):

The resident staff will use applicable portions of the procedure when completing the simulator review each quarter.

02.02 Samole Selections:

The following guidance should be used when selecting areas to inspect within the licensed operator requalification process. This guidance was issued by the NRC commissioners in the white paper referenced in yellow announcement 19.

" Risk-Informed. Performance-Based Approach": risk-informed, performance-based approach to regulatory decision-making combines the

" risk-informed" and

" performance-based" elements, and applies these concepts to NRC rulemaking, licensing, inspection, enforcement, and other decision-making.

Stated succinctly, a risk-informed, performance-based regulation is an approach in which risk insights, engineering analysis and judgment including the principle of defense-in-depth and the incorporation of safety margins, and performance history are used, to (1) focus attention on the most important activities. (2) establish objective criteria for evaluating. performance.

(3) develop measurable or calculable parameters for monitoring system and licensee performance. (4) provide flexibility to determine how to meet the established performance criteria in a way that will encourage and reward improved outcomes, and (5) focus on the results as the primary basis for regulatory decision-making.

02.03 Facility's operatino history:

l Verify operator. performance since the last requalification program evaluation (inspection or examination) to determine if performance deficiencies have been addressed through the requalification training program. Consult the table below for guidance in completing this assessment.

DRAFT 71111 Page 54 of 154 Issue Date: DRAFT 1

o Plant Issue Matrix (PIM), and Plant Performance Review (PPR).

Recent examination and inspection reports (e.g., emergency e-preparedness or emergency operating procedure (EOP) inspections) related to operator training or performance.

Resident ins aerformance.pector observations and reports regarding operator e

_icensee event reports (LERs).

e Other indications of operator performance, such as technical specific 6cion (TS) violations, internal event reports. Human Factors Information System (HFIS), licensee's self-evaluations.

l and NRC assessment performance indicators (e.g., safety system failures,' transients, scrams, risk important scrams, and ERO indicators).

)

02.04 Facility's licensee's recualification examinations:

Verify the adequacy of the facility licensee's written examinations and operating l

I tests for requalification.

Areas to verify include the facility licensee's examination materials (questions, scenarios, and job performance measures (JPM) banks), sample described below. plans, and proposed and completed examinations and tests as The inspector should not interfere with the facility licensee's requalification examination process by suggesting modifications to test items or examination schedules.

If there are significant concerns regarding the quality of the examinations, inform the facility licensee and refer the concerns to regional management as soon as possible.

Consult the table below for guidance in completing this assessment.

Review a representative sample of the facility licensee's examination materials:

e The checklists for open reference written test items. JPMs. and dynamic simulator scenarios in Appendix A'provided guidance.

Compare plant changes to examination materials to determine whether system and procedure changes are being incorporated into the appropriate written questions, JPMs. and dynamic i

simulator scenarios. The resident inspectors, other,

knowledgeable personnel from the Division of Reactor Projects, and the NRR 3roject manager may be able to provide information regarding su)stantial procedure or system modifications that should have been incorporated into the continuing training and testing programs.

The 10 CFR 50.59 periodic reports also contain information on plant changes.

e For plants at which operators hold multi-unit licenses, review the methodology for incorporating unit differences in the facility licensee's requalification examinations.

Include both written examinations and operating tests using the simulator in this review.

Review the extent to which unit differences are identified in training materials and the simulator as they are used in requalification training and examinations.

Evaluate exceptions to training guidelines and simulator fidelity i

standards taken in the requalification program for negative training potential.

Verify that operators receive specific training on unit differences.

Issue Date: DRAFT.

Page 55 of 154 71111 DRAFT

Review the methodology (i.e.. sample plan) that the facility licensee uses to construct its requalification examinations.

Verify whether the facility licensee's comprehensive written e

examinations and licensee's annual op(erating tests point to areas in which retraining is needed 10 CFR 55.59(c)(4)(I)).

(a)

Determine if the facility licensee addressed the operator performance deficiencies.

(b)

Determine if the facility licensee has incorporated current industry events applicable to the facility into training and testing, as appropriate.

l e

Verify whether the facility licensee's written examinations measure the operators' knowledge of subjects covered in the requalification program and provide a basis for evaluating l

their knowledge of abnormal-and emergency procedures (10 CFR 55.59(c)(4)(ii)).

o Determine if the operating tests are consistent with activities described in the Updated Final Safety Analysis Report (UFSAR).

Determine if operator response times specified in the accident l

analysis are evaluated during the operating test. Be careful about determining if the simulator scenario accurately matches the assumptions in the accident analysis.

Operating test scenarios may include equipment malfunctions beyond those assumed in the accident analysis.

In such a case, the operating test scenario may not be a valid measure of (UFSAR) operator response times.

Determine if the licensee has incorporated PRA insights into l

the comprehensive written examinations and licensee's annual operating tests.

Coordinate with regional Senior Risk Analysts (SRA) to provide risk insights.

Evaluate the quality and content of a sample of the facility l

licensee's comprehensive written examinations and licensee's annual operating tests for the current requalification program cycle.

e Verify the ability of the examinations to discriminate operators who possess a satisfactory level of safety significant knowledge, skills, and abilities.

e Ensure the examination items are operationally valid.

If the facility is not administering a written examination during the l

current inspection and if examinations were not reviewed during the previous inspection, review a sample of the examinations that were last given.

e The following activities facilitate this evaluation:

review the following items to determine the effectiveness of the facility's licensed operator requalification examination.

Determine. Analyze and Verify the following:

e Determine if the examinations are consistent with the sample plan, and verify that the same test items are not being repeated from one test week to the. next and from one year to the next.

e Analyze and compare the comprehension level tested on selected written examinations and operating tests administered during the period under review with the comprehension level tested on other examinations administered or planned during that requalification cycle, e

Determine whether the expected performance standards are clear, objective. and relevant.

e Verify that the R0 and SR0 written examinations adequately DRAFT 71111 Page 56 of 154 Issue Date: DRAFT

l 02.05 racility's Licensee's Practices in Administerina Reaualification Examinations Observe examinations and tests in progress and interview personnel to verify the facility, licensee's effectiveness in conducting written examinations and operating tests to ensure -operator mastery of the requalification training i

program content.

l J

1 l

l l

l-l 1

Issue Date: DRAFT Page 57 of 154 71111 DRAFT

I Observe as many examination activities'as possible to verify the facility licensee's effectiveness in conducting written examinations and operating tests.

Focus on those activities that give the greatest insight into the facility licensee's ability to evaluate its operators' mastery of the training program content. The resident inspectors periodically observe simulator training for licensed-operators noting deficiencies and discrepancies in the training and assessing operator performance.

Coordinate with the resident inspector (s) to ensure that all pertinent issues are understood and that actions and staffing levels in the simulator are consistent with normal control room practices. The following activities facilitate this assessment:

e

'1.

Determine whether the examinations are conducted as planned and whether any errors in administration are detected and corrected for subsequent examinations.

e 2.

Determine whether the facility licensee's examination i

practices gave proper consideration to minimizing undue operator stress (e.g., scheduling, timing of segments, security measures) and the potential for negative training (e.g., testing crew configuration different from operations).

e 3.

Verify the facility evaluators' use of performance standards by grading selected written examination l

cuestions and operating tests in parallel and assessing ciscussions regarding crew and operator performance following the administration of the operating tests.

If there are concerns regarding the facility licensee's I

grading practices inform the facility licensee of the concerns and refer the concerns to regional management as soon as possible.

The following activities facilitate this assessment:

(a)

Determine whether the performance standards are applied consistently and objectively.

(b)

Determine whether crew and operator performance errors made during simulator evaluations are detected and adequately addressed by the facility's evaluators.

(c)

Determine whether any errors made by individual operators during the walk-through examinations are detected and adequately addressed by the facility's evaluators.

i (d)

Determine whether the facility evaluators

)

effectively identify individuals and crews requiring remediation, arn appropriately indicate i

when removal from shift a.. ivities is warranted.

1 (e)

Determine whether post-examination critiques of operators and crews are effective in pointing out strengths and weaknesses and if they accurately appraise the observed performance.

e 4

Determine whether plant events are factored into the requalification training program based on the review of LERS and plant performance indicators.

e 5.

Determine the licensee's use of industry experience in the requalification training program.

e 6.

Verify the facility licensee's Operations Department

-level of involvement in the requalification testing.

DRAFT 71111 Page 58 of 154 Issue Date: DRAFT

I Verify the simulator's performance and its fidelity to the reference plant to determine if it is adequate to support the requalification program. Also verify the safety im)act of any negative training caused by simulator deficiencies.

Refer to 10 CFR Part 55.59 (c)(3).

e 1.

Record any simulator performance deficiencies noted during the inspection, particularly while observing the dynamic simulator operating tests.

e 2.

If any deficiencies are noted, complete a simulator fidelity report as outlined in ES-501 of NUREG-1021, and include it in the inspection report.

Interview an operator, an instructor, a training supervisor, and an evaluator regarding the facility's policies and practices for administering examinations.

If the interviews result in conflicting information, additional interviews may be needed to clarify the differences. Refer to the suggested interview topics in Appendix B when conducting these and other interviews.

These interviews assist the inspector in determining whether:

e 1.

The training staff understands the operating test performance standards and how they are to be im)lemented.

e 2.

Management guidance and expectations parallel tie actual conduct of testing as it was observed.

e 3.

The operators understand the facility licensee's policies and practices and what is expected of them during the examinations.

e 4.

The operators are aware of simulator performance deficiencies and the potential for negative training.

e 5.

The interviewees' perception and knowledge of examination security are consistent with administrative procedures.

Review examination security measures to ensure comn11ance with 10 CFR 55.49, which prohibits applicants, licensees, and scility licensees from engaging in any activity that compromises th integrity of any application, test, or examination required by 10 cFR Part 55.

The following activities facilitate this review:

e 1.

Review the facility licensee's process for maintaining examination security. Review facility guidelines on allowed overlap between examinations in current exam cycle tests and prior year examination.

2.

Monitor the examination while it is being administered and review the results to determine if there is any indication of examination compromise.

e 3.

If examination security problems were noted in the past, determine what corrective action (s) have been taken to preclude recurrence.

Observe the activities of one or more operating crews in the control room and compare this performance with performance observed in the simulator on requalification examinations.

Examples of activities to compare are: performance of surveillances, supervisory oversight, command and control, communication practices, logkee)ing, crew assignments and responsibilities, staffing levels, s11ft turnover, and management presence.

Coordinate this observation with the Resident Inspectors observations of control room activities.

02.06 Facility's Licensee's Trainino Feedback System Verify the effectiveness of the facility licensee's process for revising and maintaining its licensed operator continuing training program up to date, Issue Date: DRAFT Page 59 of 154 71111 DRAFT

including the use of feedback from plant events and industry experience information.

Evaluate whether the facility licensee's use of employee feedback from operators, instructors, and supervisors is effective.

The following activities facilitate this evaluation:

e Determine who is responsible for obtaining employee feedback and compare that individual's understanding of the program goals to the management expectations for the program.

Review and evaluate a representative sample of the employee comments to determine if the program's consideration of the comments, recommendations, and their implementation are appropriate. Determine if requalification 3rogram changes are backlogged and the cause for the backlog.

Jetermine whether program changes are prioritized on the basis of safety.

Compare these findings with management expectations.

e Interview facility personnel to determine whether they know of, i

use, and are satisfied with the system used to gather and implement feedback.

Refer to item 03.03.c for related guidance and to Appendix B for suggested interview topics.

e If warranted by previous facility performance, review the facility quality assurance / quality control (0A/0C) oversight activities in accordance with 10 CFR Part 50 (Appendix B) and evaluate the licensee's ability to verify the effectiveness of its requalification program and to implement appropriate corrective actions.

02.07 Facility's Licensee's Remedial Trainino Proaram:

Verify the adequacy and verify the effectiveness of the remedial training conducted since the last requalification examinations and the training planned for the current examination cycle to ensure that it addresses weaknesses in licensed operator or crew performance identified during training and plant operations.

Remedial training includes the additional training provided to operators to correct deficiencies that prevent them from successfully passing the requalification examination 'and the training provided to owrators to correct generic or individual weaknesses observed during t1e previous requalification cycle examination.

The following activities facilitate this review:

Review examples of operator and crew performance weaknesses since the last inspection and determine whether the facility licensee identified their root causes and implemented appropriate corrective actions.

e Determine if the facility licensee confirms the effectiveness of its corrective actions at the completion of retraining with a suitable evaluation method.

Review the remediation plans (e.g., lesson plans, reference materials, and attendance documentation) to verify the effectiveness of the remedial training.

When possible, observe applicable simulator and JPM instruction e

to verify the effectiveness of the remedial training.

e Interview selected facility personnel.to verify the effectiveness of remedial training.

Refer to Appendix B for suggested interview topics.

DRAFT 71111 Page 60 of 154 Issue Date: DRAFT

f 02.nB Conformance With 00erator License Condition:

l Review the facility licensee's program for maintaining active operator licenses l

and ensuring the medical fitness of its licensed operators. Verify the facility and operator licensees' compliance with the requirements for maintaining license conditions in accordance with 10 CFR 55.53.

At a minimum, sample the following activities during alternate l

inspections to verify the facility and individual licensees' conformance with the requirements of 10 CFR Part 55.

In an effort to focus the review, the inspector is encouraged to solicit observations and insights in this area from resident inspectors.

Review the facility licensee's program for maintaining active 03erator licenses and verify compliance with 10 CFR 55.53(e) and (f).

T1e following activities facilitate this review: following activities facilitate this review:

Sample records for at least one operating crew to determine if e

crew members are maintaining active licenses.

Review staff o)erators (i.e., those not assigned to shift crews) to ensure tlat their licenses have been activated prior to standing watch.

Determine if any operator licenses were reactivated since the e

last inspection and verify that the operator's qualifications i

were current and the required operator functions were performed i

"under direction."

l Determine if all requalification training is completed on e

schedule or made up in accordance with the facility's program.

Sample. training attendance records to include the end of the i

last two-year requalification cycle.

I Review the facility licensee's program for ensuring the medical fitness of its licensed operators and verify compliance with 10 CFR Part 55, Subpart C. " Medical Requirements," and Subpart F.

" Licenses," item 55.53(I).

The following activities facilitate this review:

Review a representative sample (i.e., approximately 10 percent) e of the licensed operators' medical records to verify that the required physical examinations are being performed and documented.

e Verify that operator licensees are complying with special license conditions, as applicable, and that those operators who do not meet medical standards are precluded from performing licensed duties.

02.08 Residents' Ouarterly Review of Licensed Ooerators' Recualification Simulator anc "rainino Activities:

Once per quarter, observe simulator training for SR0s and R0s, note deficiencies and discrepancies in the training, and assess licensed operator performance.

Determine if the program includes training on high risk licensed ope'rator actions, operators' activities associated with the Emergency Plan and previous lessons learned items or plant l

experiences are incorporated in simulator training.

l i

Issue Date: DRAFT Page 61 of 154 71111 DRAFT

e l

Review simulator evaluations for previously identified weaknesses.

and observe those areas during control room activities.

Suggested observation areas are:

crew 3erformance in terms of clarity and formality of communication; a)ility to take timely action in the safe direction: prioritizing, interpreting and verifying alarms: correct l

use and implementation of procedures including the alarm response I

procedures: timely control board operation and manipulation.

l including high risk operator actions; oversight and direction provided by the Shift Supervisor including ability to identify and implement appropriate TS action and EP actions; and the group dynamics involved in crew performance.

The inspector may observe different crews to understand differences in personality, performance, and group dynamics involved. The inspector may factor this experience in daily observation of control room operation to draw conclusion on the effectiveness of simulator training. The inspector should discuss any concerns, findings or insights with the applicable regional specialist.

Compare simulator board configurations with actual control room board j

' configuration for consistency. especially with recent modifications implemented in the control room.

02.08 Findinas:

l The types of inspection findings which should be reviewed and documented to include the following:

e violation issues issues which prevented successful verification of inspection attributes e

e used the Significance Determination Process (SDP) e use the Enforcement Stategy 1

1 i

l l

l DRAFT 71111 Page 62 of 154 Issue Date: DRAFT

, REFERENCES 10 CFR 50.54. Conditions of Licenses 10 CFR Part 55.

OPERATORS' LICENSES Site-specific Technical Specifications L

ANSI /ANS-3.1-1981. " Selection. Qualification, and Training of Personnel for Nuclear Power Plants" (or other standards committed to by the licensee)

ANSI /ANS 3.4-1983. " Medical Certification and Monitoring of Personnel requiring

~ Operator. License for Nuclear Power Plants" ANSI /ANS 3.4-1996. " Medical Certification'and Monitoring of Personnel requiring Operator License for Nuclear Power Plants" ANSI /ANS 3.5-1985. " Nuclear Power Plant Simulators for Use in Operator Training" l

Regulatory Guide 1:134. Revision 3. " Medical Evaluation of Licensed Personnel at Nuclear Power Plants" (or Revision 2 of the Regulatory Guide)

Regulatory Guide 1.149. Revision 2. " Nuclear Power Plant Simulation Facilities for Use in Operator License Examinations" (or earlier version of the Regulatory Guide committed to by the licensee)

Regulatory Guide 1.8. Revision 2. " Qualification and Training of Personnel for Nuclear Power Plants" NUGEG-1021. " Operator Licensing Examination Standards for Power Reactors" NUREG-1220. Revision 1. " Training Review Criteria and Procedures" SECY-98-043,

" Annual Status Re) ort on the Administration of NRC's Requalification Program and the ::nitial Operator Licensing Examinations -

Response to Staff Requirements Memorandum (M8800098)"

NRC Information Notice No. 91-08. " Medical Examinations for Licensed Operators" NRC Information Notice No. 95-24. " Summary of Licensed Operator Requalification l

Inspection Program Findings" NRC Information Notice No.

94-14. Supplement 1. dated April 14. 1987 " Failure to Imalement Requirement for biennial medical examinations and notification to the NRC of changes in licensed operator medical conditions" l

NRC Inspection Procedure (IP) 71001. " Licensed Operator Requalification Program

' Evaluation" NRC Inspection Manual Chapter 0304. " Plant Performance Review" l

NRC I.nspection Manual Chapter 2515. " Light-Water Reactor Inspection Program.

Operations Phase" NRC Inspection Manual Chapter 2515. Appendix C. "Use of Insights Derived from Probabilistic Risk Assessment (PRA)"

Inspection Procedure 41500. " Training and Qualification Effectiveness" L

Issue Date: DRAFT Page 63 of 154 71111 DRAFT

l Inspection Procedure IP-71707. " Plant Operations" Inspection Procedure IP-71715. " Sustained Control Room and Plant Observation" l

l-Appendices:

Appendix A. " General Guidance" i

Appendix B. " Checklists for Evaluating Facility Testing Material" Appendix C. " Suggested Interview Topics" l

l 1

l

)

l DRAFT 71111-Page 64 of 154 Issue Date: DRAFT

APPENDIX A GENERAL GUIDANCE Facility licensees are required by 10 CFR 50.54(I-1) to have in effect a Commission-aparoved operator requalification program which must, as a minimum, meet the requ rements of 10 CFR 55.59(c). In lieu of paragraphs (c)(2), (3), and (4) of that section, the Commission may approve a program developed by using a systems approach to training (SAT), as defined in 10 CFR 55.4.

In accordance with 10 CFR 55.59(a), each licensed individual must successfully complete the requalification program developed by the facility licensee and pass a licensee's annual operating test and a comprehensive written examination administered at the end of each requalification cycle, not to exceed 24 months in duration.

This core inspection procedure is intended to determine if a facility licensee's requalification program meets elements (4) and (5) of a SAT-based program as defined in 10 CFR 55.4. Inspectors should prioritize their activities to ensure that inspection requirements 02.02 and 02.03 are completed first. Inspection requirements 02.04, 02.05, 02.06 are to be considered and performed to the extent necessary to conclude that the objectives of the inspection procedure have been met.

In some cases a specific inspection requirement need not be addressed i

because the inspector is satisfied from inspections already conducted or from

{

other information that the licensee's activities are acceptable.

If regional management determines that the facility licensee's licensed operator I

requalification program is not based on a systems approach to training as defined in 10 CFR 55.4, consult with the headquarters program office regarding the appropriate response. Regional management should submit all proposed enforcement actions related to 10 CFR Part 55 to the NRR staff for review before issuing them.

The region should announce its intent to conduct requalification inspection activities at a facility.

Although most of the inspection activities will be conducted while the facility licensee administers its licensee's annual operating l

tests, the region may exercise discretion regarding where and when it completes some of the inspection requirements.

For example, if the region asks the facility licensee to submit specific examinations to the NRC before the site visit, the ins)ectors can comf ete portions of inspection requirements 02.01 and 02.02 before t1ey travel to t1e facility.

It is anticipated that two inspectors will then be able to complete the remaining inspection requirements during a one-week visit to the site.

If the region does not ask the facility licensee to submit its examinations in advance, the region may send an inspector to the site to review the examination materials in preparation for the primary inspection.

As a third option, the region may dispatch three inspectors to complete all the inspection requirements during a one-week site visit. When planning inspection efforts, keep in mind that the regulations only require the facility licensee to administer a comprehensive written examination every two years unless its approved requalification program requires more frequent examinations.

In accordance with 10 CFR 55.59(c), facility licensees are required to submit to the Commission, upon request, the licensee's annual operating tests or l

comprehensive written examinations used for operator requalification. The region may request those tests and examinations in writing by sending the licensee a corporate notification letter similar to the one that is used for NRC-conducted examinations. Usually, the region will ask the facility licensee to submit only those examinations and tests that will be administered during the week of the inspection.

Other examination materials, such as previously administered Issue Date: DRAFT Page 65 of 154 71111 DRAFT

examinations and tests, question banks. and sample plans, are normally reviewed on site.

Regional managers will consider overall facility performance in the results of the NRC's inspection programs and initial examinations. Generally, only the inspection requirements of this procedure will need to be conducted; however, augmented activities can be initiated in accordance with program office guidance 1

when necessary to ensure safe plant operation.

Tnose activities could include a full " Training and Qualification Effectiveness" inspection in accordance with 1

Ins]ection Procedure (IP) 41500, "for cause" examinations in accordance with NUREG-1021. " Operator Licensing Examination Standards for Power Reactors," or operational evaluations of on-shift crews.

Since the inspection process relies on sampling a basically sound facility program, the NRC would conduct examinations at the facility only when it has lost confidence in the facility licensee's ability to conduct its own examinations or when the staff believes that the inspection process will not provide the needed insight.

Regional management should consider conducting "for cause" requalification examinations.or operational evaluations when any of the following conditions exist:

Requalification inspection findings that indicate an ineffective licensee requalification program.

Operational problems to which operator error is a major contributor.

Allegations regarding significant training program deficiencies.

Implement "for cause" examinations tnrough the normal resource planning process, since an inspection activity would be replaced with more resource-intensive examinations.

Using the existing inspection planning process will ensure that the regional office and NRR consider the need for conducting examinations with the alternative expanded inspection tools available, and will allocate the required resources. Operational evaluations should be considered as a reactive effort based on immediate safety concerns.

4 i

DRAFT 71111 Page 66 of 154 Issue Date: DRAFT

i APPENDIX B CHECKLIST FOR EVALUATING FACILITY TESTING MATERIAL

.(Circle yes or no)

Written Examination Ouestions Checklist Y/N 1.

Does each cuestion have a documented link to important licensee tasks, knowledge and abilities (K/As), and/or facility learning objectives?

Y / N 2.

.Is each question operationally oriented (i.e., is there a correlation between job demands and test demands)?

Y/N 3.

Is each question written at the appropriate level of knowledge (fundamental knowledge, comprehension, or application / analysis)?

Refer to Appendix B. " Written Examination Guldelines," of NUREG-1021, " Operator Licensing Examinations for Power Reactors," for guidance.

Y/N 4.

Is the context of each questions realistic and free of window dressing and backwards logic?

Y/N 5.

Does each question possess a high K/A importance factor (3 or greater) for the job position?

.Y / N 6.

Does each question appear to have the ability to discriminate between an operator who possesses a satisfactory level of safety significant knowledge?

Y/N 7.

Is each question appropriate for the written examination and the selected written examination format (e.g., short answer: multiple choice)?

Y/N 8.

Does any question have the potential of being a " double jeopardy" question?

Y/N 9.

Is each question clear, precise, and easy to read and understand?

Y / N 10.

Is there only one correct answer to each question?

Y / N 11.

Does each question pose situations and problems other than those presented during training?

ADDITIONALLY, FOR OPEN-REFERENCE QUESTIONS:

Y / N 13.

Does each question require an appropriate use of references (i.e.,

use of analysis skills or synthesis of information either to discern what procedures were applicable or to consult the procedures to obtain the answer)?

Y / N 14.

Is any question a " direct look-up" question (i.e., one that immediately directs an operator to a particular reference where the answer is readily availa:>1e)?

Y/N 15, Are there any questions given in a static scenario setup that takes advantage of the simulator control room setting?

Job Performance Measure (JPM) Quality Checklist Y/N1.

Is each task supported by the facility's job task analysis?

Y/N2.

Is each task operationally important (i.e., meets threshold criterion of K/A at 3 or above or as determined by the facility)?

l Y/N3.

Is each task designed as either SRO only, R0/SR0, or A0/R0/SRO?

Y/N4.

Does each JPM include the items listed below? (Refer to Appendix C,

" Job Performance Measures Guidelines," of NUREG-1021, Operator Licensing Examinations for Power Reactors ~ for guidance.)

Y/N Initial conditions Y/N Initiating cues Y/N References, including associated procedures Issue Date: DRAFT Page 67 of 154 71111 DRAFT

1 Y/N Performance standards that are specific in that exact control and indication nomenclature and criteria (switch position, meter reading) are s)ecified, even if these criteria are not specified in the procecural step Y/N System response cues in the performance standards that are complete and correct so that the examiner can properly cue the operator. if asked Y/N Statements describing important actions or observations that should be made by the operator Y/N Criteria for successful completion Y/N Identification of the critical steps and their associated performance standards Y/N Validated time limits (average time allowed for completion)

Y/N JPMs identified as time critical or not time critical Y/N

. Restrictions on the sequence of steps Simulator Scenario Review Checklist Qualitative Attributes Y/N1.

Is each scenario of the appropriate scope, depth, and complexity with clearly stated objectives? (refer to Appendix D. " Simulator Testing Guidelines", of NUREG-1021. " Operator Licensing Examinations for Power Reactors", for guidance.)

Y/N2.

Are the initial conditions realistic, in that some equipment and/or instrumentation may be out of service, but it does not cue crew into expected events?

Y/N3.

Does each scenario consist mostly of related events?

Y/N4.

Does each scenario event description include:

Y /.N the point in the scenario when it is to be initiated?

Y/N the malfunction (s) that are entered to initiate the event?

Y/N the symptoms / cues that will be visible to the crew?

Y/N the expected operator actions (by shift position)?

Y/N the event termination point?

Y/N5.

Is no more than one non-mechanistic failure (e.g.

pipe break) incorporated into each scenario without a credible prece' ding incident such as a seismic event?

i Y/N6.

Is each event valid with regard to physics and thermodynamics?

Y/N7.

Is the sequencing / timing of each event reasonable, and does it allow for the examination team to obtain complete evaluation results

)

commensuratewiththescenarioobjectives?

Y/N8.

Has the simulator modeling been altered?

Y/N9.

Can each rating factor in each crew. competency be evaluated?

Y / N 10.

Has each scenario been validated?

Y / N 11.

If the sampling plan indicates that the scenario was used for training during the requalification cycle, has the facility determined whether it should be modified or not used?

Note:

The following criteria list scenario traits that are numerical in nature. A second set of numbers indicates a range to be met for a set of two scenarios.

Therefore, to com31ete this part of the review. the set of scenarios must be available.

1 Quantitative Attributes-Y / N 12.

Total malfunctions inserted: 4 to 8 / 10 to 14 Y / N 13.

Malfunctions that occur after E0P entry: 1 to 4 / 3 to 6 DRAFT 71111 Page 68 of 154 Issue Date: DRAFT

F2 i

Y / N:-14 Abnormal Events: 1 to 2./ 2 to 3 l

Y / N 15.-

MajorTransients: 1 to-2 / 2 to 3 i

r

-Y / N-16.

~ E0Ps used beyond primary scram response E0P: 1 to 3 / 3 to 5

)

I Y /'N 17.

.EOP Contingency Procedures used: 0 to 3 /.1 to 3 Y / N'18.

Approximate. scenario run time: 45 to 60 minutes (one scenario'may approach 90-minutes)

Y / N 19.

Crew Critical Tasks: 2 to 5 / 5 to 8 Y / N 20.

Are Technical: Specifications exercised during the test?

)

l

. COMMENTS:

1

)

l i

[-

i 1

. Issue Date: DRAFT Page 69 of 154 71111 DRAFT L

1 r

APPENDIX C SUGGESTED INTERVIEW TOPICS Activity Suggested Interview Topics /0uestions General Former positions at the facility:

How long? Licensed?

Current position and duties:

How long? Licensed?

Requalification program responsibilities?

Exams.

Examinations:

How developed? Sampling plan? Appropriate performance coverage? License level? Practiced / covered in training?

standards.

Duplicate quizzes? Too easy /hard? Too long/short? Were simulator, references necessary? How compare with NRC exams?

.rity Performance standards:

How are they formulated? Operations versus training? Are they endorsed by management? Are they objective? How are they communicated to evaluators? Do the operators know what is expected of them? Are they applied consistently?

Performance feedback:

Is it timely? Is it objective? What happens if you fail? How could feedback be improved?

Administration: Operating / training crew - test crew? What happens if you miss an exam? Measures to mitigate undue stress?

Simulator:

Does it res Is hardware current?

Any negative training? pond correctly?

Security:

Are exams common? How is security ensured? Are 3

there formal procedures? Who is responsible ~ Do you feel comfortable with process? Do security measures cause undue stress? Are you aware of any incidents? What would you l

change if you could?

Feedback Feedback collection:

How is it done? Who collects comments?

system Who is solicited? Does the 0A/0C Department oversee the program?

Comment resolution: Who does it? Are they timely? Safety basis for changes? How is management involved? How are changes promulgated? Were they resolved to your satisfaction? Feedback to originator? Recent examples?

Overall, how effective is your training program? The examination program? The feedback system? How would you improve it?

Remedial Program development: How are remedial training needs training identified?

Individual / crew exam results? On-the-job program performance, events? Generic weaknesses? Who develops remedial treining programs? How is Operations involved?

Implementatun:

Is it appropriate? Is it effective? How is remediation verified? How would you improve it?

END DRAFT 71111 Page 70 of 154 Issue Date: DRAFT 2

Maintenance Rule Implementation (5/12/99)

INSPECTABLE AREA: MAINTENANCE RULE IMPLEMENTATION CORNERSTONES:

INITIATING EVENTS (10%)

. MITIGATING SYSTEMS (80%)

BARRIER INTEGRITY (10%)

INSPECTION BASES: Tracking and documenting structures, systems and components (SSCs) availability and reliability for the plant's risk im)ortant systems are performed under the Maintenance' Rule (MR). These estimates impact the plant risk model, in addition to actual plant risk.

LEVEL OF EFFORT:

Inspections should focus on categorization of failures and events used in tracking conditions of important 3

systems, and goal setting and get well programs j

(corrective actions) for risk significant (a)(1) and (a)(2) systems.

Residents sample portions of two (2) l l

SSCs per month. (216 hours0.0025 days <br />0.06 hours <br />3.571429e-4 weeks <br />8.2188e-5 months <br /> / year for the resident staff)

Inspection should also' focus on the effectiveness on the MR when assessing the licensee's performance of the periodic evaluation. Sample selections for the once per refueling cycle, not to exceed 2 years inspection should be made with input from the Senior Reactor Analysts (SRA). (40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> / year for the regional specialist)

The overall level of effort includes a 40-hour review each refueling cycle by regional-based specialist: 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> per month of resident inspection activity: and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per month of identification and resolution of problems / issues.

INSPECTION OBJECTIVES Inspection activity includes a review of goal setting.

l performance monitoring, repetitive failure determinations, evaluation of functional failures and i

maintenance preventable functional failures, and an assessment of the licensee's. periodic evaluation. This inspection would include those systems covered under the maintenance rule, other risk significant SSCs and a review of licensees' implementation of the maintenance rule requirements for those systems. On occasion, it should be noted that several medium and/or low risk SSCs activities might result in a high risk configuration.

INSPECTION GUIDANCE:

l (Every Month - Resident Staff)

It is not the intent of this inspection procedure to perform a programmatic review of the maintenance rule.

Emphasis should be placed on selecting samples using a risk-informed, performance-based process and approach.

This procedure may be used by resident inspectors to review performance related maintenance activities and follow up to maintenance problems that l

Issue Date: DRAFT Page 71 of 154 71111 DRAFT

resulted in reactor trips, safety system actuations, accidents, equipment l

damage, etc.

Both preplanned (scheduled),

on-line (unscheduled) maintenance activities, actual-maintenance related events and failures should be considered for the samples to be reviewed.

Because of more on-line maintenance work and changes in the schedules for preplanned work occur, expect to review ongoing performance related maintenance activities and/or failures as they occur or those identified during plant walk down.

Maintenance is the primary means of mitigating and, managing the effects of l

component degradation and failures. Operating expenence shows that lack of maintenance (component deficiencies not corrected) or improperly, performed i

maintenance (maintenance activities not well controlled) can greatly contnbute to the y

risk for event initiation, and may cause SSCs to not function properly if called upon j

to mitigate the consequence of an event.

l Flow charts are included as part of this inspection procedure to assist the

)

inspector in completing this activity.

The attached flow charts provide l

general guidance and a structured approach for evaluating the licensee's l

implementation of the maintenance rule.

Flow chart 1 is to be used on a monthly bases by the resident staff on assessing actual SSC performance.

l Flow chart 2 is to be used on a refueling cycle bases by Division of Reactor Safety (DRS) to assess the licensee's maintenance rule periodic i

evaluation.

1 Beain the auestionina crocess when SSC exhibit oerformance oroblems The inspector should be aware of performance problems occurring in the plant, through observations, attendance at meetings, discussions with licensees or other inspection activities.

The following instructions pertain to Flow Chart 1 (Attached).

It is not the intent of this inspection procedure for the inspector to observe periodic maintenance activities. Sample considerations should be i

based on future risk information (risk informed) and past SSC performance l

(performance-based).

If problems or failures occur and are traced to a cause related to a specific maintenance activity, then it would be l

acceptable for the inspector to inspect the performance related maintenance j

activity.

i l

DRAFT 71111 Page 72 of 154 Issue Date: DRAFT

Flow Chart 1 - Start Select two activities or SSCs which have performance problems, preferably high safety significant MR SSCs.

Select events, systems with problems, and/or failures:

Follow up on Maintenance-Related Plant Events, Trips and Safety System Actuations. Select a sample of performance related maintenance l

activities for review.

e Attend the licensee's maintenance planning meetings or review maintenance schedules to determine what )erformance related l

maintenance activities are ongoing or scleduled.

e When there are many ongoing maintenance activities to choose from, as during a refueling outage, both Jerformance issues and risk should be predominant for deciding w11ch activities to inspect.

Other areas to consider as part of the sample include e

maintenance failures, and SSCs whose failure caused or were associated with RX SCRAMS, Turbine trips ESFAS actuations.

e When there are few maintenance activities to choose from, as is sometimes the case during power operation, the item listed below may be used to Qtermine if it is worthwhile to inspect any of these maintenanu activities.

Problematic SSCs Focus on maintenance of equipment that has 3 roved to be unreliable or failed repeatedly. either at tlat plant or at a similarly configured plant.

The inspector should be aware of the SSC risk classification and concentrate inspection effort on those SSCs that are designated as high safety significant.

The inspector should evaluate if changes in safety significant (risk) have been made to the licensee's program since the maintenance rule baseline inspection (MRBI). The inspector should consult with regional and NRR knowable (trained) resources when evaluating this l

area. Any changes should be reviewed with the regional SRA.

Issue Date: DRAFT Page 73 of 154 71111 DRAFT

Item (1). Flow Chart 1 - High safsty signific:nt (HSS) orlow s:fsty significant (LSS) standby Continue evaluating this SSC by determining its safety e

significance as it relates to the failure or event.

Consider the risk significance of the SSCs as one input in the e

selection of a sample of inspection items. The maintenance rule (10 CFR 50.65), as implemented using NUMARC 93-01, recommends that the results of a probabilistic risk assessment (PRA) be considered when categorizing SSCs within the scope of i

the maintenance rule as either "high safety significant" or

" low safety significant."

t e

If safety significance has changed since the MRBI obtain the related information using PRA (summary) information expert panel minutes; if the SSC/ function one of the "to)" PRA cutsets: get risk achievement worth (RAW) and risc reduction worth ( RRW) values; and consult the SRA.

(Note: do not independently verify the new classification. This should be done through the SRA).

Verify that the high safety significance (HSS) SSC was being e

monitored at the train level with reliability AND availability performance criteria (PC). The low safety significance (LSS)

)

SSC was being monitored at the train level with reliability OR availability performance criteria (PC).

e Obtain initial PRA information from licensee PRA specialists, t

if possible.

If necessary, contact NRC PRA specialists (e.g..

Senior Reactor Analysts or NRR Probabilistic Safety Assessment Branch) for assistance.

)

All high safety significant SSCs and low safety significant SSCs that are in standby should be in the scope of the maintenance rule.

Low safety significant SSCs may or may not be scoped in the rule.

If the SSC is not in the scope of the rule the inspector should select other SSCs that are in the scope of the rule.

I

)

{

DRAFT 71111 Page 74 of 154 Issue Date: DRAFT

D Item (2), Flow Chart 1 - Is the SSC in Scope.

Verify that the selected LSS SSC was included within the scope e

of the maintenance rule and that the plant level monitoring requirements of the rule were satisfied.

Contact the licensees

  • maintenance rule cognizant person (i.e.,

e MR coordinator. System Engineer, etc.) if needed, for additional information and explanation in this area, such as scoping information.

e maintenance rule included the following types of SSCs:

Safety-Related SSCs or non-safety-related (balance-of-plant) SSCs that are relied upon to mitigate accidents or transients; or are used in plant emergency operating procedures: or whose failure could prevent Safety-Related SSCs from fulfilling their Safety-Related functions; or whose failure could cause a reactor scram or actuation of a Safety-Related system, e

To implement the maintenance rule, each licensee should have developed a list of SSCs that are within the scope of the i

maintenance rule.

Refer to this list to determine which SSCs are within the scope of the rule.

If there is a concern that the licensee's scoping list may be incorrect, independently evaluate the licensee's scoping activities.

(Note: this action should only be accomplished if there are performance issues associated with the SSC).

The inspector should be aware of and understand the performance criteria (PC) developed for in-scope SSCs based on the safety significance.

)

Item (3), Flow Chart 1 - Did the Inspector review the performance criteria (PC).

The inspector should verify that a low safety significant standby SSC should have at least train level performance criteria and the licensee is tracking availability OR reliability.

e High safety significant SSCs should have at least train level performance criteria and the licensee is tracking availability AND reliability.

If warranted by previous facility performance and any observation noted during this portion of the inspection, review the applicable portions of the licensee's corrective action program to assess the effectiveness of its maintenance rule program and to implement appropriate corrective actions.

All failures of SSCs are not treated equally. SSCs may have failures that do not prevent the SSC from performing its scoped function, Issue Date: DRAFT Page 75 of 154 71111 DRAFT

I Item (4), Flow Chart 1 - Was it a functional failure (FF).

e Continue evaluating the SSC performance problem by determining if this event and related failure resulted in an actual functional failure, e

To be considered a FF, the SSC must have experienced a failure of the fun ~ction that caused it to be scoped into the maintenance rule.

e The functions of each SSC should have been identified in the l

scoping section of the licensee maintenance rule program.

Remember to consider both the scoped function and applicable

]

l mode of operation. The licensee's Maintenance Rule cognizant i

person should be able to assist the inspector in locating l

scoped functions.

l If warranted by previous facility performance and any observation l

noted during this portion of the inspection, review the appliccble portions of the licensee *s corrective action program to assess the effectiveness of its maintenance rule program and to implement appropriate corrective actions.

I 1

The evaluation of failures must consider the cause of the failure.

The maintenance rule focuses on those failures that could or should have been l

prevented by appropriate maintenance activities. Maintenance in this case, is very broad and includes all activities associated with the planning.

l scheduling, accomplishment, post-maintenance testing, and return-to-service activities for surveillances and preventive and corrective maintenance.

These activities are considered maintenance regardless of which organization performs the activities (e.g.,

maintenance, operations, contractors).

l Item (5), Flow Chart 1 - Was it a maintenance preventable functional l

failure (MPFF).

If the inspector determines this to be a functional failure.

e continue evaluating this functional failure by determining if this event and related failure resulted in an actual maintenance preventable functional failure (MPFF).

)

e-The inspector can determine if there was an MPFF using the l

following: pertinent trouble reports / condition reports; i

interview experienced operators. mechanics, etc.: and equipment I

history.

l (Note: Some licensees do not evaluate if functional failures (FFs) are maintenance preventable unless the failure is a repetitive failure.

This is an acceptable practice.

1 Repeat failures caused by maintenance have a negative effect not only on SSC i

performance but plant performance as well.

l 1

DRAFT 71111 Page 76 of 154 Issue Date: DRAFT

Consider common cause failures when comple, ting this task item (6) Flow Chart 1 -Was it a repetitive maintenance preventable l

functional failure (RMPFF).

If the inspector determines this to be an MPFF, continue e

evaluating this MPFF by determining if this event and related failure were repetitive and resulted in a re)etitive l

maintenance preventable functional failure (RMPFF).

l-e Generally, to be considered a repeat, the failure must have the same ty)e failure with the same cause.

l Verify RMPFF using the same general guidance as discussed under e

the MPFF decision.

If warranted byy previous facility performance and any observation I

I noted during this portion of the inspection, review the applicable portions of the licensee's corrective action program to assess the effectiveness of its maintenance rule program and to implement 1.

appropriate corrective actions.

Based on - the results of this evaluation process. the inspector will i

l determine if the SSS and related function should be monitored under (a)(3) l I

.or (a)(2) of the maintenance rule.

i 1

i i

l l

l l

1 Issue Date: DRAFT Page 77 of 154 71111 DRAFT

Flow Chart 1 - Evaluated the reasonableness of the (a)(1) goals Has the licensee considered the SSC as (a)(1) e Areas to consider during this evaluation process include the e

following:

(1)

Are the goals addressing the problem with the SSC and including related corrective action [i.e.. not just i

repeating the initial PC when under (a)(2)]:

(2)

Are there additional goals established; (3)

Are the goals being monitored:

(4)

Will the corrective action plan improve performance:

(5)

Is the corrective action ap For those SSCs considered under (propriate.

1 a)(1) of the rule, verify that e

the licensee:

(

(1)

Is monitoring the performance or condition of structures, systems, and components (SSCs) against licensee established goals in a manner sufficient to 3rovide reasonable assurance that such SSCs are capa)le of fulfilling their intended functions. (Note: Some i

licensee's use condition monitoring of SSC performance.

such as vibration, temperature monitoring and the corrosion / erosion programs)

(2)

Has established goals commensurate with safety and, where practical, has taken into account industry-wide operating experience.

(3)

Has taken appropriate corrective action when the performance or condition of an SSC does not meet established goals.

Also, Goals have been established and monitoring been performed e

under (a)(1) for any SSC that has experienced a repetitive maintenance preventable functional failure or has exceeded (not I

achieved) its performance criteria.

If SSC is not considered (a)(1), has the licensee demonstrated adequately that it should remain in an (a)(2) category.

Compare SSC performance to performance criteria.

(Note: The number of SSCs monitored under (a)(1) must not be used as an indicator of poor licensee maintenance performance. The number of SSCs monitored under (a)(1) can vary greatly because of factors that has nothing to do with the quality or effectiveness of licensees

  • maintenance activities).

The inspector should be able to determine if the SSC and related function l

are being monitored under (a)(2).

In addition, it is important for the inspector to understand changes that have been made to performance criteria and the reasons for those changes.

Consult the regional SRA when the licensee changes performance criteria without an appropriate bases.

i i

DRAFT 71111 Page 78 of 154 Issue Date: DRAFT 4

i

Floe Chart 1 - Evaluate the Reasonableness of the (a)(2) PC.

Determine if SSC performance remains bounded by the PC.

If the PC has been exceeded, then the licensee should consider the SSC and related function for (a)(1).

As this evaluation process continues, the inspector determines i

e if the SSC and related function are adequately monitored under (a)(2) of the MR.

For those SSCs under paragraph (a)(2) of the rule, verify that the licensee:

(1)

Has established performance criteria and is monitoring the SSCs against those criteria to demonstrate that the condition of an SSC is being effectively controlled through the performance of appropriate preventive maintenance, (Note: Some licensee's use condition monitoring of SSC performance, such as vibration.

temperature monitoring and the corrosion / erosion programs),

(2)

Has made the determination that the SSC is inherently reliable and has low safety significance and that therefore, preventive maintenance was not re I

the SSC could be allowed to run to failure. quired and The licensee would have made and documents this decision prior to establishing this position.

Areas to consider during this evaluation process include the e

4 following: review the availability and/or reliability data: has the PC changed since the MRBI.

If the PC was changed, can the j

licensee show how the changes to the PC are still linked to the PRA? Consult with the regional SRA for assistance in making this decision.

The inspector should note the regulatory review block spaced throughout the flowchart.

These are provided at critical points throughout the process to provide the inspector with assistance for clarification for their fincing.

Flow Chart 1 - Regulatory Review e

As this evaluation process continues, the inspector should make rogulatory reviews and related decisions.

If any potential enforcement is considered, coordinated this effort with the NRR MR enforcement panel, regional enforcement, then develop a regulatory position and document it in the inspection report.

Parts of this regulatory review process include the following:

(1)

Inspectors' own judgement and peer review.

(2) contact with supervision.

4 (3) contact with knowable (trained) and ex)erts in certain l

field (i.e., immediate supervision wit 1 coordination and direction, DRS and 10MB on the MR. SRA and PSA on risk determination and the risk characterization of inspection findings:

MR enforcement panel and OE on enforcement).

l The inspection findings should be previously reviewed and e

documented to include the following:

(1) use of the Significance Determination Process (SDP)

(2) use of the Enforcement Strategy.

1 Issue Date: DRAFT Page 79 of 154 71111 DRAFT

L If warranted bv previous facility performance and any observation-noted during tf11s portion of the inspection, review the applicable portions of the licensee's corrective action program to assess the effectiveness of its. maintenance rule program and to implement appropriate corrective actions.

To complete the process, the inspector must have determined that the licensee effectively monitored the performance of the selected SSC and related functions or develop a regulatory position on their evaluation of the licensee's monitoring activities.

Flow Chart 1 - End e

The inspector will exit the process through a final evaluation and develop a regulatory position and document the results of the inspection.

e The inspector should document inspection results including inspection findings.

These inspection findings should be documented to include the following:

(1) violation issued (2)

. issues which prevented successful verification of the inspection objectives / attributes.

Periodic Evaluation (PE) of the Licensee's Maintenance Rule Procram l (Once oer refuelino cycle. not to exceed 2 years - DRS. SRA. Resident Staff)

INSPECTION GUIDANCE:

This procedure may be used by regic M DRS staff, SRAs and resident inspectors to perform a refueling cycle review c' the licensee periodic evaluation of their maintenance rule program.

This mpection will be used to verify that maintenance activities for structures, systems, and components (SSCs) within the scope of the maintenance rule are being conducted in a manner sufficient to ensure reliable, safe operation of the plant and plant equipment and to meet the requirements of the maintenance rule, and other regulatory requirements.

As part of this inspectable area, this portion of the inspection is to ensure that the licensee is conducting appropriate periodic evaluations of their MR program and making appropriate changes to the program to improve overall performance and reduce risk and improve performance from the previous cycle of plant operations.

l The following ' instructions pertain to Flow Chart 2 (Attached).

i l

l DRAFT 71111 Page 80 of 154 Issue Date: DRAFT

l Considering both past performance and plant risk, selc;ct a sample to i

be assessed by this PE review process to determine the effectiveness of the licensee's MR program.

l (1) Flow Chart 2 - Periodic Evaluation.

i e

Verify that the PE has been completed within the time l

l restraints defined in the MR and captures applicable areas to include the following:

(1) balancing reliability and unavailability; (2) reviewing (a)(1) SSC activities to include making I

adjustments to the program:

(3) reviewing (a)(2) SSC activities to include making changes to the program: and (4)- considering the use of industry operating experience.

Verification includes ensuring that the licensee review its i

e goals, monitoring, and areventive maintenance activities, and makes any adjustments tlat resulted from that review.

(In the unlikely event that there was no SSCs in the (a)(1) category, this would be briefly stated in the inspector's write up However, the inspector should ascertain the validity of this finding before accepting it at face value).

The inspector should perform all three parts on the flow chart. [i.e.,

balancing. (a)(1) and (a)(2)]

(2) Flow Chart 2 - Balancing Licensees' efforts at balancing reliability and unavailability.

e This verification includes a review to ensure that the licensee balanced reliability and unavailability during the last refueling cycle,

.This verification should include a sample selected by the e

l inspector including a high safety significant SSC.

The licensee should have reviewed the (a)(1) activities for goals and made adjustments as appropriate.

(3) Flow Chart 2 - (a)(1) Activities e

Licensees' efforts at establishing goals, monitoring (a)(1) performance and the use of industry operating experience.

e Verification should also include ensuring (a)(1) goals were met, corrective action was appropriate to correct the defective condition and (a)(1) activities and related goals were adjusted as needed.

This verification should include a sample selected by the e

inspector including a high safety significant SSC.

Note: Some l

licensee's use condition monitoring of SSC performance, such as i

vibration, temperature monitoring and the corrosion / erosion

programs, i

The licensee should have reviewed the (a)(2) activities for PC and made adjustmentasa The licensee should be able to justify changes to the program.ppropriate.

l l

Issue Date: DRAFT Page 81 of 154 71111 DRAFT l

l

l (4) Flow Chart 2 - (a)(2) Activities e

Licensees' efforts at establishing (a)(2) performance criteria.

monitoring (a)(2) performance, proper identification of MPFF, RMPFF and (a)(2) SSCs that exceed their PC.

e Verification should also include ensuring the licensee examines any SSCs that failed to meet their performance criteria (PC) or any SSCs that have suffered repeat maintenance preventable j

functional failures (RMPFF).

e This verification should include a sample selected by the inspector including a high safety significant SSC. Note: Some I

licensee's use condition monitoring of SSC performance, such as vibration, temperature monitoring and the corrosion / erosion programs.

The inspector should note the regulatory review block spaced throughout the flowchart.

These are provided at critical points throughout the process to orovide the inspector with assistance for clarification for their finc ing.

(5) Flow Chart 2 - Regulatory Review e

As this evaluation process continues, the inspector should make regulatory reviews and related decisions.

If any potential enforcement is considered, coordinated this effort with the NRR MR enforcement panel, regional enforcement, develop a regulatory position and document it in the inspection report.

4 e

Parts of this regulatory review process include the following:

1 (1)

Inspector's own judgement and peer review.

(2) contact with supervision.

(3) contact with knowable (trained) and ex)erts in certain field (i.e.. immediate suaervision wit 1 coordination and direction, DRS and 10MB/NRR on the MR, SRA and PSA on risk determination and the risk characterization of inspection findings: MR enforcement panel and OE on enforcement).

e The inspection findings should be previously reviewed and documented to include the following:

(1) use of the significant Determination Process (SDP)

(2) use of the Enforcement Strategy.

If warranted by previous facility performance and any observat' ion noted during this portion of the inspection review the applicable portions of the licensee's corrective action program to assess the effectiveness of its maintenance rule program and to implement appropriate corrective actions.

To complete the process, the inspector must have determined that the licensee effectively monitored the performance of the selected SSC and related functions or develop a regulatory position on their evaluation of the licensee's monitoring activities.

j i

DRAFT 71111 Page 82 of 154 Issue Date: DRAFT 4

(6) Flow Chart 1 - End e

As this evaluation process continues, the inspector could exit i

the process through a final evaluation and develop a regulatory position and document the results of the inspection, The inspector should document inspection results including e

inspection findings. These inspection findings should be documented to include the following:

(1) violation issued (2) issues which prevented successful verification of the

)

inspection objectives / attributes.

j

REFERENCES:

1.

U.S. Code of Federal Regulations, " Requirements for monitoring the effectiveness of maintenance at nuclear power plants," 10 CFR 50.65.

2.

U.S. NRC, " Maintenance Rule," Inspection Procedure 62706, August 31, 1995.

3.

U.S. NRC, " Monitoring the Effectiveness at Nuclear Power Plants,"

Regulatory Guide 1.160. Revision 2.

4.

Nuclear Management and Resources Council, " Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"

NUMARC 93-01, Revision 2.

5.

U.S. NRC, " Relaxation of Staff Position in Generic Letter 83-28. Item 2.2 Part 2. ' Vendor Interface for Safety-Related Components, '" Generic Letter 90-03, March 14, 1990.

6.

Z.T. Pate Institute of Nuclear Power Operations, letter to James M.

Taylor, U.S. NRC, transmitting the guideline " Managing Maintenance During Power Operations," March 1, 1995.

ACRONYMS:

ASP Accident Secuence Precursor CM Corrective Faintenance DRS Division of Reactor Safety FF functional failure HSS High safety significant 10MB Ouality Assurance Vendor Inspection Maintenance and Allegation Branch LSS low safety significant MPFF maintenance 3reventable functional failure MR Maintenance tule MRBI maintenance rule baseline inspection NRR Office of Nuclear Reactor Regulation OE Office of Enforcement 005 out-of-service PC performance criteria PM preventive maintenance PRA probabilistic risk assessment RAW risk achievement worth RMPFF repetitive maintenance preventable functional failure RRW risk reduction worth SA safety assessment SDP Significant Determination Process l

SSCs structures, systems, and components SRA Senior Reactor Analysts 1

Issue Date: DRAFT Page 83 of 154 71111 DRAFT

Sht. 2 Maint5 nance Rula Field Flow Chart As

-SM-

^ " " ' ' '

  • eriodic Evaluation person No PE done?

Yes No Reg verify PE Review Verified?

done in RFC Yes I

l BALANCING at ACTIVITIES a2 ACTIVITIES

's*orN*u at review a2 review Re9 balance performed?

perfortned?

Revsew

  • *"*0 M C' Yes l

ru m.-

._1 Verify:

y,,

-90als, monitoring, y,,

PM octivit6es reyeewed.'

lOE used No d or 5

.~

fy"*

9 Vertfy RFC Dalance:

-sampio HSS SSCs No Verified?

Reg Reve,w Yes Yes No was SSC I88 In 81 i R ev w o

at goals at activites verdied?

Reg met?

adjusted?

Reveew No Yes y,,

Yes Reg Yes CAs Rev6ew appropriate?

-E ND-Evaluate Re0ulatory Review (s), gevelop regulatory positton and i

document mrsht2r2. cts rev 3/23/99 i

DM 71111 Page 84 of 154 Issue Date: DRAFT i

l i

[Begin the Quesnoning Procesa

= Start.

Mainten$nce Rule Field Work Chart Ask Licensee's if SSC Performance Problems MR person:

applies to at, a2, b UI Should no (2) no

. genoeng.

no no HISS-g g, is the 8t M '

orLSS gg gg SSCin g, g Stby?

9 Scope?

9, E'*

yes yes yes l Regulatory l g

g Low (or Non) Safety Slgnificant j

Review l" Regulatory l I

SBCs should have Plant Level PC.

Rowl.w no Low SS Standby and Hi SS should be in no Stepe of the MR la PC.,

Did leap.

PC Low SS Standby SSCs s5ould have et Wi least Train Level PC and tracklag rehabHity OR evailability j

yes Hi SS should have et least Traan Level Regulatory l PC and tracking rehabitaty AND movi,w g yes avaHability System Sagineer should be tracking no funstlens.

' Wee no (4)

Was it a FFT The FF is a failure of the Function that gol

it a PP _

?

the SSC en the Scope of the Rule.

Check if failure was a steped funstlen muni e Checa E Regulatory I 08"*8" yes Causar I

Review E aene,i, Failure mm no Remember

  • Look at:

'. Wee it ggy i

was it en

1) Portment Trouble Reports / Condition Reports en MPPP =

ggppp9

2) Interviews: esp. operators, mechanics, etc.

9..

j

3) Equipment histories RO yes l" Flegulatory l yes Review g

no wee it

,e

,,3 RMPPP e Some Fellure Same Cause san p"p, 9 (see MPPP above)

FF.

)

p l Regulatory 3 yes Review l g

Fe*

Evoluete the reesenablenese no no n

f e esta Regulatoy is it Should att

/,

Cheek that PC(availabitity endler rollability)

F Reasonable Review g

has not been esseeded.

-?

,pE Has PC changed since MRSl?

(8) yes yes Y*8 I

I Re0ulatory g

g Review Evarunte sne reasonsoreness of af goats:

-S N D-Process Stope, evaluate Regulatory Review, The goal.s shotesiive-se riate and. e.uon. m develop regulatory positoon and document.

uld be approp menno, he.

sorreciiv mrst rev4.cli rev. date 03/24/99 Issue Date: DRAFT Page 85 of 154 71111 DRAFT

r.

f f

e l

j DRAFT 71111 Page 86 of 154 Issue Date: DRAFT 3

4 Maintenance Work Prioritization and Control (5/12/99)

INSPECTABLE AREA: MAINTENANCE WORK PRIORITIZATION AND CONTROL CORNERSTONES:

INITIATING EVENTS (10%)

MITIGATING SYSTEMS (80%)

BARRIER INTEGRITY (10%)

INSPECTION BASES: Control of alant risk and configuration through appropriate planning anc control of maintenance activities minimizing the plant's aggregate risk.

Work prioritization and risk evaluation prior to outages and while on-line minimizing risk significance configurations and ' maximizing barriers to radiological releases.

LEVEL OF EFFORT:

Sample portions of one (1) system, structure or component (SSC) per month for times when on-line maintenance involving multiple component outages are planned simultaneously, or for those times when planning decisions were made for expediting equipment returns to j

service because of component failures, especially during back shift when normal planning was unavailable.

Use risk specific tool, if available.

Prior to planned refueling and maintenance outages, review the outage plan, and its risk evaluation.

34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> / year for the resident

staff, which includes 4

hrs / year of identification and resolution of related problems / issues.

INSPECTION OBJECTIVE:

Inspection activities in this area would focus on the effectiveness of the licensee's program for work prioritization and control during shutdown and power operations.

This activity includes licensee work l

prioritization methodologies.

level of maintenance sup) ort, and assessment of integrated risk of the work bacciog would be reviewed by the inspector.

INSPECTION GUIDANCE:

(Every Month - Resident Staff)

This inspection will be used to verify that maintenance activities for structures, systems, and components (SSCs) within the scope of the maintenance rule and other risk significant SSCs, such as fire protection, are being I

conducted in a manner sufficient to ensure reliable, safe operation of the plant and plant equipment and to meet the requirements of the maintenance rule, and i

other regulatory requirements.

As part of this inspectable area, this portion of the inspection provides for the inspector's review of licensee safety assessment and management activities that are performed whenever a safety-significant SSC, or other SSCs are taken out of service (00S), regardless of operating mode.

This inspection is performed both on an, ongoing basis as applicable SSCs (that meet the criteria) are taken out of service for on-line maintenance and during refueling and maintenance outages.

Also, inspect the licensee *s work prioritization methodologies and level of maintenance support.

Irsue Date: DRAFT Page 87 of 154 71111 DRAFT

Emphasis on work orders associated with potential high risk configurations and high priority work items.

It is not the intent of this inspection procedure to perform a programmatic review of the maintenance rule program.

Emphasis should be on samples selected using a risk-informed, performance-based process and approach.

It should be noted that,-on occasion, several lower risk SSCs being out of service at the same time might result in a high risk configuration. This procedure is to be used by resident inspectors to perform a review of the licensee on-line and shutdown safety assessment (SA).

Operating experience also shows that for risk significant events identified through the Accident Sequence Precursor (ASP) program, work control and failure to maintain equipment represents the majority of causes. Appropriate identification, prioritization, i

planning, scheduling, and completion of risk significant work is essential to safe plant operation.

One specific area that should be included in inspection of this area is the control of risk significant work in the switchyard. A large percentage of loss-of-offsite power events occurred when either some major electrical power source was out of service prior to the event and/or some major electrical power source failed during the event. It is important that work occurring in the switchyard be well controlled to prevent an unplanned loss of a power source due to maintenance errors. Also, the simultaneous removal of multiple electrical power sources from service should be avoided, particularly during shutdown conditions.

1 SA related information provided amplifies information and draws heavily from the discussion of this topic found in the NUMARC 93-01 document.

The inspector should determine if a safety assessment should have been performed by the licensee as a result of them having taken a safety-significant SSC out-of-service.

After a period of time at the site the inspector's plant-specific knowledge should be sufficient to make this determination.

Initially, however, there will be reliance an the interview process [ maintenance rule (MR) l coordinator, system engineer, control room staff, work planning staff, etc.) and control room logs or MR documentation MR expert panel minutes and/or the MR program listing of safety significant SSCs].

The licensee's process for i

aerforming these safety assessments should be scrutible and repeatable. Known imitations in the assessment process should be described in the licensee's MR program documentation. The licensee s maintenance rule expert panel should review this process to ensure that the process is sufficiently robust and comprehensive. The sophistication of the SA should be commensurate with the complexity of the configuration. The inspector should develop a complete understanding of the licensee's program for conducting SAs.

A sample of critical elements of a risk-informed maintenance work prioritization and control process to determine effectiveness would include: (1) use of PRA and reliability maintenance data.

(2) designation of critical SSCs.

(3) prioritization schemes for maintenance of critical SSCs, (4) acceptability of PM and CM frequencies, (5) appropriate adjustments to risk considerations for maintenance performed during online and shutdown conditions (6) an integrated l

risk assessment of taking a risk important SSC out of service for monitoring or maintenance while other supporting or accident mitigation SSCs are not available, and (7) on-line work activities.

On-line work activities may not be well planned or appropriately risk-categorized because of their work complexity, the desire to continue plant operations, minimal pre-job briefing, and the lack of ideal plant conditions for rigorous post-maintenance testing.

l l-DRAFT 71111 Page 19 af 154 Issue Date: DRAFT

(1) Flow Chart 3 - Safety Assessment (SA) - Start e

Verify SA has been completed within the time restraints defined in the licensee's MR program and captures applicable areas to include the following:

a.

was the assessment completed; b.

usability of the SA to plant

)ersonnel, i.e., " risk-monitor" or other tools used )y operators; c.

limitations of SA tools are clearly' identified and described in the MR program:

d.

users of SA tools have sufficient knowledge and familiarity with the tool's limitation and training on the limitations are provided; e.

was the database or other tools current:

f.

what was the impact of the out-of-service (005) item as it relates to total plant safety and C.

did the licensee consider other 005 SSCs and use site PRA input and develop contingencies.

Verify that the SA is initiated following discovery of emergent failures (2) Flow Chart 3 - Was Impact Assessed?

The following is a representative licensee approach to assess-e the impact on overall plant safety functions upon removal of SSCs from service:

a.

Identify key plant safety functions to be maintained; b.

Identify SSCs that support key plant safety functions; c.

Consider the overall effect of removing SSCs identified above from service on key plant safety functions.

The key safety functions are Containment Integrity (comprised of Containment Isolation. and Containment Pressure and Temperature Control). Reactivity Control. Reactor Coolant Heat Removal, and Reactor Coolant Inventory Control.

The inspector should sample the validity of the information received. The NUMARC 93-01 document refers to IPE vulnerability assessments being used to establish risk significant criteria to determine the overall effect of taking SSCs out of service.

Issue Date: DRAFT Page 89 of 154 71111 DRAFT

l (3) Flow Chart 3 - Power Ops / Shutdown Ops Verification During the planning and scheduling phase and prior to e

authorizing the removal of SSCs from service, each planned maintenance activity that results in the removal of a safety significant SSC from service should be assessed for its impact on key plant safety functions.

This assessment applies during all modes of plant operation and should take into account current plant configuration as well as expected changes to plant configuration.

e The following is an example of things that could be taken into account for scheduling maintenance that requires auxiliary feedwater pumps being out of service:

a.

plant mode or condition, b.

an assessment of when auxiliary feedwater would be least

needed, c.

scheduled availability of other sources of feedwater, d.

and the time auxiliary feedwater would be unavailable Additionally, prior to actually removing the system from e

service for maintenance, the condition of the

]lant should be reviewed to verify that conditions are accepta)le to take the system out of service. On-line maintenance should be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability or availability. The decision to take equipment out of service for maintenance durirg )ower operation should also take into consideration the likelilood and possible consequences of an event occurring while the equipment is out of service.

e Insights gained from available operating experience and analytical tools (such as probabilistic safety assessments) can be incorporated into the on-line maintenance process by the licensee.

Such insights can be used to identify the systems or equipment that can be removed from service, considering assessments of when the system would be least needed. These insights can also be used, where appropriate, to establish specific criteria for use in making decisions about planned equipment removal, frequency, and duration. Actions to manage risk should generally be directed at properly controlling out-of-service time and maintaining configuration control by the licensee to ensure defense-in-depth when certain systems or equipment are made unavailable, o

The licensee normally has a number of systems that are identified as risk significant and have performance criteria established for allowable unavailability and reliability.

The total time that a risk significant system (or train) is out of service due to all causes (total unavailability) is monitored against the performance criteria and controlled to avoid inadvertently increasing the risk of a significant event.

Follow the guidance provided in Reg Guide 1.160 to address the following areas:

o Removal of a Single SSC from Service (Power Operation) o Removal of Two SSCs from Service (Power Operation) o Removal of More Than Two SSCs from Service (Power Operation) o Maintenance Activities during Shutdown Conditions o

Other Risk-Significant Configurations DRAFT 71111 Page 90 of 154 Issue Date: DRAFT

The inspector should note the regulatory review block located throughout the flowchart.

These are arovided at critical points throughout the process to provide the inspec;or with assistance for clarification of their findings and observations.

(4) Flow Chart 3 - Regulatory Review l

As this evaluation process continues, the inspector should make e

regulatory reviews and related decisions.

If any potential enforcement is considered, coordinate this effort with the NRR MR enforcement panel, regional enforcement, then develop a regulatory position and document it in the inspection report.

Conclusions formulated from the regulatory review process e

include the following:

(1)

Inspector's own judgement and peer review.

(2) contact with supervision.

(3) contact with ex>erts in certain fields (i.e.. immediate supervision wit 1 coordination and direction. DRS and 10MB on the MR. SRA and PSA on risk determination and the risk characterization of inspection findings: MR enforcement panel and OE on enforcement),

The inspection findings should be previously reviewed and e

documented to include the following:

(1) use of the Significant Determination Process (SDP)

(2) use of the Enforcement Strategy.

If warranted by previous facility performance and any observation noted during this portion of the inspection, review the applicable q

portions of the licensee's corrective action program to assess the effectiveness of its maintenance rule program and to implement appropriate corrective actions.

4 To complete the inspection process, the inspector must either determine that the licensee effectively monitored the performance of the selected SSC and related functions or develop an assessment or regulatory position of the licensee's monitoring activities.

(11) Flow Chart 1 - End The inspector will exit the inspection process through a final e

evaluation and develop an assessment or regulatory position and document the results of the inspection.

The inspector should document inspection results including e

inspection findings. These-inspection findings should bedocumented to include the following:

(1) issues which prevented successful verification of inspection objectives (2) concluding statements of the assessment or regulatory position of the licensee's monitoring activities.

REFERENCES:

1.

U.S. Code of Federal Regulations. " Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." 10 CFR 50.65.

2.

U.S. NRC. " Maintenance Rule." Inspection Procedure 62706. August 31, 1995.

Issue Date: DRAFT Page 91 of 154 71111 DRAFT

3.

U.S. NRC, " Monitoring the Effectiveness at Nuclear Power Plants "

Regulatory Guide 1.160. Revision 2.

4.

Nuclear Management and Resources Council, " Industry Guideline for Monitoring' the Effectiveness of-Maintenance at Nuclear Power Plants,"

NUMARC 93-01, Revision 2.

5.

U.S. NRC, " Relaxation of Staff Position in Generic Letter 83-28. Item

-2.2. Part 2. ' Vendor Interface for Safety-Related Components. '" Generic

. Letter 90-03. March 14, 1990.

6.

Z.T. Pate. Institute of Nuclear Power Operations, letter to James M.

Taylor. U.S. NRC, transmitting the guideline " Managing Maintenance During Power Operations," March 1, 1995.

ACRONYMS:

ASP Accident Secuence Precursor CM Corrective Faintenarice

DRS Division of Reactor Safety 10MB Quality Assurance Vendor Inspection Maintenance and Allegation Branch MR Maintenance Rule OE Office of Enforcement 00S out-of-service PM preventive maintenance PRA probabilistic risk assessment SA safety assessment SDP Significant. Determination Process SSCs structures, systems, and components DRAFT 71111 Page 92 of 154 Issue Date: DRAFT L

START-Safety Assessment Sht. 3 j

Maintenance Rule Field Flow Chart AppHes to a3

-Daily Ops, all modes-Inspector knowledge i

safety significant SSC is OOS

{

i 1

1 Power Ops Shutdown Ops Yes


~~--e Only 1 ssC Qualitative Eval Dy Ops.

j Out of servicet N not modeled

~ ~ - -.

_ ' ~ '

in PRA. use Qualitative Analysie

. ~

.m_..,_

No Yes r.- ~. ~ o_.-

m Only a ssC's Ouelitat6ve AND/OR Cut of service?

Quantative Eval Dy Ops.

~.. - -,

...-~n..-

No

~~p2sSCs. -.. -.

Focus on PRA Analysas

... ~ _.,, _. _,.

\\

Was impact I

adequately Reg I

assessed?

l Rev6ew g Yes u.+-

. n.

+s Verity:

-Usability of tools No

-users knowledge of Verified?

Reg tool hmitations l Review

-tool was used appropriately i

i s

-End-Evaluate Regulatory i

Review, develop i

regulatory position and

document, rev 3/30/99 mrshtsr3. cts Issue Date: DRAFT Page 93 of 154 71111 DRAFT 4

i l

l I

l i

l DRAFT 71111 Page 94 of 154 Issue Date: DRAFT

4 Nonroutine Plant Evolutions 5/5/99 INSPECTABLE AREA: Nonroutine Plant Evolutions CORNERSTONES:

Initiating Events Mitigating Systems Barrier Integrity INSPECTION BASES: Human errors, particularly recovery actions from event initiators, are the major contributors to plant risk.

Performance during nonroutine operations can be used as an l

indicator of plant personnel performance during emergencies.

4 LEVEL OF EFFORT:

The level of effort for this inspection is based on

)

reviews of six occurrences per year of operator l

performance during off-normal or transient operations.

l one post-reactor trip review, and ten LER reviews focusing on operator performance.

Actual level of i

effort will depend on the numbers of occurrences of off-normal or transient operations.

Estimated hours:

102 hours0.00118 days <br />0.0283 hours <br />1.686508e-4 weeks <br />3.8811e-5 months <br /> / year inspection i

1

-01 INSPECTION OBJECTIVE l

01.01 Review operator performance during off-normal or transient l

operations.

01.02 Review selected licensee event reports focusing on those involving operator response to off-normal conditions or that contain operator errors.

01.03 Review operator response after reactor trips which require more than routine expected operator response to a trip or which involve operator errors.

-02 INSPECTION REQUIREMENTS 02.01 Review Operator Performance 1.

This review will generally be performed after an off-normal event or transient has occurred; however, inspectors should attempt to observe operator performance in coping with transients. if possible.

2.

Review operator logs, plant computer data, or strip charts to determine what occurred and how the operators responded.

3.

Compare actual operator response to actions required by abnormal or emergency operating procedures and training.

Issue Date: DRAFT Page 95 of 154 71111 DRAFT

4.

Determine if actual operator response was in accordance with the response required by procedures and training, 5.

Evaluate the occurrence and subsequent operator response using the Significance Determination Process.

02.02 Problem Identification and Resolution a.

Review LERs that involve an operator error. Compare personnel performance, if possible, to human errors modeled in the probabilistic risk assessment.

Determine if operator actions were in accordance with procedures and training. Determine if the licensee identified and initiated corrective action for any 1

operator performance deficiencies.

Review and evaluate the effectiveness of the corrective actions in preventing recurrence of the event.

b.

Independently evaluate operator response to any unplanned reactor trip which involved more than routine expected operator actions in response to the trip or which involved operator errors to determine if operator response was appropriate to the event and in accordance with procedures and training. Review plant data and procedures as necessary.

c.

Evaluate LERs involving operator errors using the Significance Determination Process.

-03 INSPECTION GUIDANCE General Guidance This inspectable area is intended to review operator response to off-normal and transient conditions.

In most cases, since these occurrences are unplanned, the inspector will not directly observe operator performance and will be required to review the occurrence and operator response after stable plant operations have been resumed.

This inspectable area is related to Event Followup. Licensee event reports will be screened as part of Event Followup and those that involve operator. errors will be reviewed under Nonroutine Plant Evolutions.

See attachment A for inspection guidance to assist the inspector in selecting inspection activities to achieve each cornerstone objective and to those activities that have a risk priority.

1 DRAFT 71111 Page 96 of 154 Issue Date: DRAFT

-)

INSPECTION GUIDANCE Cornerstone Inspection Objective Risk Priority Example Initiating Events Review operator Operator or equipment Operator errors which (33%)

performance during performance under affect the function Mitigating nonroutine plant actual off normal or of mitigating system Systems (33%)

evolutions transient conditions equipment during a Barrier Integrity that differs from transient.or off (33%)

the expected or normal event (e.g.,

intended response.

operator turns off safety injection)

Transients during which operators use abnormal operating procedures.

References:

Human Factors Information System (HFIS)

Issue Date: DRAFT Page 97 of 154 71111 DRAFT t

t l

I l

l l

l 1

4

)

I l

i DRAFT 71111 Page 98 of 154 Issue Date: DRAFT 5

Operability Evaluations INSPECTABLE AREA: Operability Evaluations CORNERSTONES:

Mitigating Systems INSPECTION BASES: Improperly evaluated degraded and/or non-conforming conditions may result in continued operation with a structure, system, or

-component that is not capable of performing its design function.

This inspectable area verifies aspects of the Mitigating System Cornerstone for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Review a sample of operability evaluations of degraded and non-conforming conditions which impact mitigating systems.

Estimated hours:

60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> / year inspection

-01 INSPECTION OBJECTIVES Review operability evaluations affecting mitigating systems to ensure that operability is properly justified and the component or system remains available, such that no unrecognized increase in risk has occurred.

-02 INSPECTION REQUIREMENTS 02.01 Review approximately two operability evaluations per month.

J.

Select two operability evaluations involving mitigating systems. Use RIM 2 and plant-specific information to identify the mitigating systems.

k.

Evaluate the technical adequacy of the evaluation, and determine if operability is justified.

Refer to the FSAR and other design basis documents during the review. If operability is justified, no further review is required.

1.

If the operability evaluation involves compensatory measures, determine if the measures are in place, will work as intended, and are appropriately controlled.

Determine if the compensatory measures affect the o)eration of the system as modeled in the licensee's probabilistic risk assessment or require a 50.59 evaluation.

m.

If operability is not justified:

Determine impact on any Technical Specification LCOs.

Determine the effect of the inoperability on the availability of the mitigating system. Identify the plant conditions under Issue Date: DRAFT Page 99 of 154 71111 DRAFT

which the system or component would be unable to fulfill its' function.

Relate those conditions to probabilistic risk assessment accident sequences to determine the effect on availability of the component or system.

Determine if other plant conditions or mitigating system configurations existed concurrently that could have impacted plant risk.

Use the Significance Determination Process to evaluate the risk significance of the equipment inoperability.

02.02 Problem Identification'and Resolution a.

Ensure any identified operability evaluation problems are J

captured in the licensee's corrective action program.

j b.

Review any identified operability evaluation problems that are potential Significance Determination Process candidates.

-03 INSPECTION GUIDANCE 03.01 The inspection frequency is two operability evaluations per month.

The intention is to sample operability evaluations for mitigating systems to determine that operability is justified, such that availability is assured, and no unrecognized increase in risk has occurred.

If no operability evaluatio.1s were performed that month or no evaluations involving mitigating systems were performed, then defer this inspection until the intended sample is available.

03.02 Generic Letter 9118. " Resolution of Degraded and Non-Conforming Conditions" and NRC Inspection Manual Part 9900 " Operable / Operability

- Er.suring the Functional Capability of a System or Component" provide's additional guidance in this area. In particular. as stated in section 4.5.4 of Generic Letter 91-18, some licensees may refer to documents or processes that establish operability of SSCs as JCOs or Justification for Continued Operation. The NRC has defined a JC0 as the licensee's technical basis for requesting authorization to

)

o>erate in a manner that is prohibited absent such authorization.

T11s procedure is not intended to review formal JCOs as defined by the N3C but does cover evaluations referred to by licensees as JCOs which establish operability of structures, systems or components.

j 03.03 See Attachment A for inspection guidance to assist the inspector in selecting inspection activities to achieve each cornerstone objective i

and to those activities that have a risk priority.

i i

DRAFT 71111 Page'100 of 154 Issue Date: DRAFT

l Inspection Guidance Cornerston Inspection Risk Priority Example e

Objective Mitigating Identify any Operating - mitigating system Improper conclusion on-Systems improperly as determined by plant-operability of the HPCI evaluated degraded specific information or RIM 2.

system such that the and/or system could not nonconforming Shutdown - Mitigating systems perform its' function conditions which that perform key safety during a station could potentially functions during shutdown blackout event impact mitigating (decay heat removal inventory concurrent with planned system availability control, electrical power unavailability of the and result in an availability, reactivity RCIC system (another unrecognized control, and containment) mitigating system for increase in risk.

the SB0 event).

REFERENCES:

Generic Letter 91-18. " Resolution of Degraded and Nonconforming Conditions" Inspection Manual Part 9900. " Operable / Operability - Ensuring the Function Capability of a System or Component" Information Notice 97-78

" Crediting of Operator Actions in Place of Automatic Actions and Modification of Operator Actions, including Response Times" i

Issue Date: DRAFT Page 101 of 154 71111 DRAFT

l l

l l

l l

1 i

4 i

4 I

i 1

DRAFT 71111 Page 102 of 154 Issue Date: DRAFT

p l'

l l

l 6 Operator Workarounds INSPECTABLE AREA: Operator Workarounds l

. CORNERSTONES:

Mitigating Systems INSPECTION BASES: Operator workarounds can impact human performance during event l

response, due to increasing complexity of tasks and more limiting time to perform required actions.

l This inspectable area verifies aspects of the Mitigating System Cornerstone for which there are no indicators to measure performance.

LEVEL 0F EFFORT:

Monthly review of two operator workarounds.

Semiannual-l review of cumulative effect of operator workarounds.

Estimated hours:

30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> / year

-01 INSPECTION OBJECTIVE l

Review a sample of operator workarounds to identify any potential to affect the function of mitigating systems.

-02 INSPECTION REQUIREMENTS 02.01 Once per month review two selected operator workarounds.

d f.

Inspectors should identify operator workarounds for review during Plant Status reviews and sample workarounds involving mitigating systems for further evaluation. Use RIM 2 and plant specific risk information to identify mitigating systems.

g.

Review the selected operator workarounds to determine if the functional capability of the system or human reliability in responding to an initiating event is affected.

Specifically evaluate-the effect of the operator workaround on the operator's ability to implement abnormal or emergency operating procedures.

h.

Use this procedure for any operator workarounds that are i

identified through other inspection activities.

02.02 Twice per year review the cumulative effects of operator workarounds.

a.

Review the cumulative effects of operator workarounds on the reliability, availability, and, potential for misoperation of a system.

b.

Review the cumulative effects of operator workarounds that could increase an initiating event frequency or that could affect multiple mitigating systems.

Issue Date: DRAFT Page 103 of 154 71111 DRAFT 1

l

i c.

Review the cumulative effects of operator workarounds on the ability of operators to respond in a correct and timely manner to plant transients and accidents.

02.03 Problem Identification and Resolution-a.

Ensure any identified operator workaround problems are captured in the licensee's corrective action program.

l

-03 INSPECTION GUIDANCE General Guidance An operator workaround is defined as a degraded or non-conforming condition that complicates the normal operation of plant equipment and is compensated for by operator action.

Soecific Guidance 03.01 The inspection frequency is two operator workarounds per month. The intention is to sample operator workarounds for mitigating systems to determine if the mitigating system function is affected or the operator's ability to implement abnormal and emergency operating procedures is affected.

If no operator workarounds existed in a particular month or no operator workarounds involving mitigating systems existed, then defer this inspection until the intended sample is available.

03.02 See attachment A for inspection guidance to assist the inspector in selecting inspection activities to achieve each cornerstone objective i

and to those activities that have a risk priority.

DRAFT 71111 Page 104 of 154 Issue Date: DRAFT

INSPECTION GUIDANCE Cornerstone Inspection Objective Risk Priority Example Mitigating Identify operator Plant and Operator Systems workarounds that can have control room workarounds that an adverse effect on the deficiencies increase operator functional capability of a that affect response time to mitigating system or that mitigating manually initiate can impact human system mitigating reliability in responding performance.

systems beyond to initiating events.

the time available or assumed in the design basis and PRA.

References:

Temporary Instruction 2515/138

~ Evaluation of the Cumulative Effect of 0)erator Workarounds" NRC Inspection Manual Part 9900

" Resolution of Degraded and Non-Conforming Conditions" l

Issue Date: DRAFT' Page 105 of 154 71111 DRAFT

r-l i

l i

DPAFT 71111 Page 106 of 154 Issue Date: DRAFT 7

Permanent Plant Modifications 5/3/99' INSPECTABLE AREA: Permanent Plant Modifications l

CORNERSTONES:

Mitigating Systems (80%)

Barrier Integrity (20%)

INSPECTION BASES: Modifications to risk-significant SSCs can adversely affect their availability. reliability. or functional capability.

Modifications to one system may affect the design bases and functioning of other interfacing systems.

Similar modifications to several systems could introduce potential for common cause failures that affect plant risk.

Modifications performed on-line or during high risk plant configurations could place the plant in an unsafe condition. This inspectable area verifies aspects of the Barrier Integrity and Mitigating Systems cornerstone for which there are no indicators to measure performance.

LEVEL OF EFFORT Biennial review of 3 to 5 modifications.

Periodic review of risk significant modifications performed on-line as they occur.

Estimated Hours: Biennial Review - 80 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br /> Periodic Review - 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> / year

-01 INSPECTION OBJECTIVE (S):

01.01 Verify design bases and performance capability of risk significant SSCs have not been degraded through modifications.

01.02 Verify modifications performed on-line or during. risk ' significant configurations do not place the plant in an unsafe condition.

-02 INSPECTION REQUIREMENTS:

i 02.01 Insoection Comoosition The biennial reviews should be performed by an engineering specialist.

Periodic reviews could be performed by either an engineering specialist or l

a generalist inspector.

l l

02.02 Select Modifications and Determine ADolicable Insoection Activities i

i l

This procedure is performed both as an biennial and a periodic (as needed) review.

Select modifications to be reviewed, depending on the type of review to be performed. as outlined in the following table.

Issue Date: DRAFT Page 107 of 154 71111 DRAFT

Review Frequency Scope and Focus Applicable Type Inspection Activities Biennia 1 per two 3 to 5 modifications to Section 02.03 1

years Maintenance Rule SSCs Design Review Review emphasis on modifications which Section 02.05 affect high safety significant Testing Maintenance Rule SSCs/ functions Review (modifications which affect SSCs/ functions with high Section 02.06 probabilistic risk analysis (PRA)

Updating rankings may be chosen as an Review alternative)

Section 02.07 primarily modifications which Problem affect mitigating systems Identificatio n and at least one modification which Resolution affects barrier integrity Periodi 2 1 per as needed as identified by Plant Section 02.03 c

year Status review Design Review Review as needed modifications planned to be Section 02.04 performed when the plant is either Implementatio on-line or during a risk n Review significant plant configuration Section 02.95 modifications for which Testing performance and testing of could Review affect high safety significant Maintenance Rule SSCs/ functions (modifications which could affect SSCs/ functions with high PRA rankings may be chosen as an alternative) 02.03 Desian Review:

Review the adequacy of the modification design. Determine which parameters could be affected by the modification and outlined in the following table accordingly. perform inspection activitiesEmphas those parameters not verified by testing.

DRAFT 71111 Page 108 of 154 Issue Date: DRAFT

l Affected Parameter Inspection Activity Energy Needs Verify energy requirements can be supplied by

. electricity supporting systems when required under

. steam accident / event condition,s.

l

. fuel + air

. air Verify energy requirements of modified SSCs will not deprive other SSCs of required energy under accident / event conditions.

Materials / Replacement Verify materials / replacement components are Components compatible with physical interfaces.

. material compatibility

. functional properties Verify material / replacement component

. environmental properties serve functional requirements under qualification accident / event conditions.

. seismic qualification

. classification Verify materials / replacement components are environmentally qualified for application.

Verify replacement components are seismically qualified for application.

Verify Code and safety classification of replacement SSCs is consistent with design bases.

Verify rep / equipment qualification life.

lacement schedule consistent with inservice Timing Verify that any sequence changes are bounded

. sequence by accident analyses and loading on support

. Response Time systems are acceptable.

. Duration Verify SSC response time is sufficient to serve accident / event functional requirements assumed by design analyses.

Verify modified SSC response time does not cause an unintended interaction with other SSCs.

Verify equipment will be able to function for duration required under accident / event conditions.

Heat Generated Verify that heat removal requirements can be i

addressed by heat removal support systems under accident / event conditions.

Control. Signals Verify that control signals will be

. initiation appropriate under accident / event conditions.

. shutdown

. Control Issue Date: DRAFT Page 109 of 154 71111 DRAFT

r Affected Parameter Inspection Activity Equipment Protection Verify that equipment protection barriers and

. Fire systems have not been compromised.

. Flood

. Missile e Steam

. Freeze Operations Verify that affected operation procedures and training have been identified and necessary changes are in process.

Flowpaths Verify that revised flowpaths serve functional requirements under accident / event conditions.

Pressure Boundary Verify pressure boundary integrity not compromised.

Ventilation Boundary Verify that changes to ventilation boundaries do not increase risk of spreading contamination.

Verify that changes to ventilation boundaries do not adversely affect functionality of ventilation system under accident / event conditions.

Structural Verify modified SSCs structural integrity acceptable for accident / event conditions.

Verify modified SSCs structural effects upon attachment points acceptable.

Verify modified SSCs effect on seismic evaluations acceptable.

Process Medium Verify that affected process medium properties

. Fluid Pressures Will be acceptable for both modified SSCs and

. Fluid Flowrates unmodified SSCs under accident / event voltages conditions.

. Currents Licensing Basis Verify that necessary Technical Specification 10 CFR 50.s9 changes have been identified and NRC approval, if re uired. obtained prior to modification im lementation.

Failure Modes Verify that failure modes introduced by the modification are bounded by existing analyses.

02.04 Imolementation Review:

NOTE: For biennial reviews, this inspection activity is optional.

DRAFT 71111 Page 110 of 154 Issue Date: DRAFT

Verify that modification preparation, staging, and implementation does not

[

impair the following:

in-plant emergency / abnormal operating procedure actions key safety functions e

1 operator response to loss of key safety functions e

1 02.05 Testina Review:

NOTE: Licensees often use existing procedures, such as surveillance procedures, for post-modification testing. Although performance of existing procedures may have been reviewed by inspectors for other inspectable

areas, inspectors still need to verify the appropriateness of using the existing procedures for validating the modification (as opposed to simply confirming continued operability).

However, if the procedures used have been previously reviewed, the depth of review may be reduced accordingly Verify that post-modification testing will maintain the plant in a safe configuration during testing.

Verify that post-modification testing will establish operability by:

verifying that unintended system interactions will not occur verifying acceptable SSC performance characteristics which could have e

been affected by modification validating the appropriateness of modification design assumptions demonstrating that the objectives of modification have been met e

02.06 Vodatina Review:

NOTE: For periodic reviews, this inspection activity is optional.

a.

Verify that design basis information documents have either been updated or i

are in the process of being updated to reflect the modifications. Examples of design basis documents which could be affected by modifications are:

Updated FSAR Drawings e

Supporting Calculations and Analyses Plant Equipment Lists Vendor Manuals PRA models Issue Date: DRAFT Page 111 of 154 71111 DRAFT

b.

Verify that significant plant

. emergency operating procedures: procedures.(e.g., normal, abnormal and and testing / surveillance procedures) are updated prior to use to reflect the effects of the modification.

02.07. Problem Identification and Resolution NOTE: For periodic reviews, this inspection activity is optional.

As,it relates to modifications and the modification ^ process, select a sample of problems-identified by the licensee in the corrective action 3rogram and verify effectiveness of corrective actions.

Use Inspection

'l 3rocedure 71152, " Identification and Resolution of Problems," for guidance to perform this review.

-03 INSPECTION GUIDANCE:

Cornerstone Inspection Risk Priority Examples Objective Mitigating Modifications which Modification of Systems affect reactor building 80%

e protection drain system against external events such as Replacement of a fire, weather, and low pressure Verify flooding safety injection modifications

  • risk-significant system injection i

have maintained design features and valve with a system assumptions valve of a availability.

. functionality of different design reliability, and mitigating systems functional used,during risk-capability.

significant

~

accident sequences Barrier Modifications which Modification of Inte affect fuel 3ersonnel access 20% grity cladding, reactor latch seal i

coolant system, or containment 9

DRAFT 71111 Page 112 of 154 Issue Date: DRAFT 8

5/7/99 Piping System Erosion a.u Corrosion t

DELETED l

Issue Date: DRAFT Page 113 of 154 71111 DRAFT

i l

DRAFT 71111 Page 114.of 154 Issue Date: DRAFT i

l 9 Post Maintenance Testing INSPECTABLE AREA: Post Maintenance Testing April 21, 1999 f

CORNERSTONES:

Mitigating Systems i

INSPECTION BASES: Inadequate maintenance activities that are not detected prior to returning the equipment to service can result in a 3

significant increase in unidentified risk for the subject system and in common mode /cause failures and potential for loss j

of function or redundant trains and identical components in i

other systems. This inspectable area verifies aspects of the mitigating system cornerstone not measured by performance indicators. In this cornerstone. the safety system performance indicator (availability) indirectly measures the quality of maintenance and testing procedures.

LEVEL OF EFFORT:

Review an average of two testing activities a month.

f (Estimated hours 72 per year)

-01 INSPECTION GUIDANCE This inspection will focus on verification that post maintenance test procedures and test activities are adequate to verify mitigating systems remain available 4

and functionally capable.

NOTE: This procedure is closely related to, and in some cases parallels Baseline Inspection Procedure 71111. Attachment 3. " Emergent Work." The adequacy l

of post maintenance testing should also be considered when accomplishing other maintenance related baseline inspections.

-02 INSPECTION REQUIREMENTS:

02.01 Work Planning Based on plant information gathered during plant status reviews, select post-maintenance testing activities associated with mitigating systems using Appendix A and the following criteria.1) systems or components which have a high risk ranking in the licensee's IPE, or RIM 2. and 2) systems or components for which I

there are recent records of maintenance performance errors which indicate a potential for common mode or progrnnatic failure.

j j

02.02 Work Observation a.

By both witnessing tests and reviewing data determine if the scope of testing adequately verifies that the work performed was correctly completed and demonstrates that the equipment is functional and operable.

b.

The following is a list of post-maintenance test attributes to be considered for the inspection.

Only those attributes which are significant for the particular test should be inspected.

1 I

Issue Date: DRAFT Page 115 of 154 71111 DRAFT l

l l

1 Effect of testing on the plant has been adequately addressed by control room personnel and/or engineering personnel Extent of work assumed in test is correct Acceptance criteria is clear and demonstrates operability Test equipment has current calibration Test is performed as written Jumpers installed or leads lifted during testing are controlled and restored Test data is complete and meets procedure requirements Test equipment is removed after testing After completion of testing, equipment is returned to the positions / status required to maintain the system operable.

]

2.03 Problem Identification and Resolution During plant status reviews verify that the licensee has entered significant post maintenance testing problems in their corrective action program and as appropriate select the saecific testing for future baseline inspection.

For significant problems wit 1 common cause potential, check the adequacy of the licensee's resolution. See Baseline Inspection Procedure 71152, " Identification and Resolution of Problems," for additional guidance.

-03 APPENDIX A:

INSPECTION GUIDANCE:

Cornerstone Inspection Risk Priority Example Objective Mitigating Identify any Select activities Post maintenance Systems mitigating with potential testing of (100%)

system, credited for common mode by the licensee failures and on-line emergency as activities where diesel generator operable /availabl there is a recent engine repairs e,

which is record of-adversely maintenance /testi newly installed impacted by ng errors.

electrical failure to components which adequately test, Select activ1 ties control realign, or across technical integrated /multip remove test disciplines le mitigating equipment after

[ electrical, systems, for maintenance mechanical. I&C) example LOOP /LOCA circuits Select activities that are more difficult to test at power.

-04 REFERENCES Baseline Inspection Procedure 71111.

Attachment 12.

" Maintenance Rule Implementation"

' DRAFT 71111 Page 116'of 154 Issue Date: DRAFT

. Baseline Inspection Procedure 71111.

Attachment 13.-

" Maintenance Work Prioritization and Control" Baseline Inspection: Procedure.71111. Attachment 4. " Equipment Alignment" Baseline Inspection Procedure 71111, Attachment 3. " Emergent Work"

. Baseline Inspection Procedure 71111. Attachment 22 " Surveillance Testing" k

k i

i 1

i

- Issue Date: DRAFT Page 117 of-154 71111 DRAFT

i l

l I

l l

1

?

l 1

DRAFT 71111 Page 118 Of 154 Issue Date: DRAFT l

0

~

Refueling and Outage Activities 4/21/99 INSPECTABLE AREA: Refueling and Outage Activities CORNERSTONES:

Initiating Events (20). Mitigating Systems (70), and Barriers (10)

INSPECTION BASES: Shutdown risk will be high if vital SSCs are not available.

Due to potentially high number of out-of-service SSCs during the refueling period. configuration risk can be high.

Times of reduced inventory are the most critical. This inspectable area verifies aspects of the associated cornerstones for which there arr no indicators to measure performance.

I LEVEL OF EFFORT:

Licensee's outage risk assessment to guide inspectors to risk significant activities. Performed on Outage basis, not annual.

Inspection should focus on:

RHR.

Containment Isolation during reduced water inventory.

{

mid-loop operations (PWR). cool down/heatu)/startup, availability of alternate power sources /switc1 yard, and Refueling operations. Includes 30/ hrs of Identification and Resolution of Problems / Issues per refueling.

(Estimated Hours - 80/ outage)

-01 INSPECTION OBJECTIVE Evaluate licensee outage activities to ensure that licensees consider risk in developing outage schedules; adhere to administrative risk reduction methodologies they develop to control plant configuration: have developed mitigation strategies to losses of key dafety functions and adhere to operating license and Technical Specification requirements that ensure defense-in-depth.

-02 INSPECTION REQUIREMENTS 02.01 Review of Outaae Plan.

Prior to the outage, review the licensee's outage risk control plan and verify that the licensee has appropriately considered risk, industry experience and previous site specific problems. Confirm the licensee has mitigation / response strategies for losses of key safety functions, j

02.02 Monitorina of Shutdown Activities.

Observe portions of the cooldown process to _ verify that technical specification cooldown restrictions are followed.

i 02.03 Licensee Control of Outaae Activities.

Issue Date: DRAFT Page 119 of 154 71111 DRAFT

a.

Outaae Confiouration Manaaement. Verify that the licensee maintains defense-in-depth commensurate with the outage risk control plan for key safety functions and applicable TS when taking equipment out of service. Verify that configuration changes due to emergent work and unexpected conditions are controlled in accordance with the outage risk control )lan. For plants that use remote work centers, verify that contro~

room operators are kept cognizant of plant configuration.

j b.

Review of Outaae Activities.

Pick several items per week in the following areas based on risk.

Reviewing risk significant items or activities should take precedence over completion of the list..

Clearance Activities. Verify that tags are properly hung and that associated equipment is appropriately configured _to support the function of the clearance.

Reactor Coolant System Instrumentation. Verify that reactor coolant system (RCS) pressure, level, and temperature instruments are installed and configured to provide accurate indication; and that instrumentation error was accounted for. Perform only when licensee.

has changed instrumentation available to operators.

Electrical Power.

Verify that the status and configurations of electrical systems meet TS requirements and the licensee's outage risk control plan. Verify that switchyard activities are controlled commensurate with safety and are consistent with the licensee's outage risk control plan assumptions.

Decay Heat Removal (DHR) System Monitorina. Observe DHR parameters to verify that the system is properly functioning.

For pressurized water reactors (PWRs), when the licensee is relying on the steam generators to provide a backua means of DHR by single-phase natural circulation, verify that the licensee has confirmed the viability of this method of cooling.

Soent Fuel Pool-Coolina System 00eration.

Verify that outage work i

is not impacting the ability of the operations staff to operate the spent fuel pool cooling system during and after core offload.

Inventory Control.

Verify that the flow paths, configurations, and alternative means for inventory addition are consistent with the outage risk plan.

For activities which have the potential to cause a loss of inventory, verify that there are adequate controls in place to prevent inventory loss.

Reactivity Control.

Verify that the licensee is controlling reactivity in accordance with the technical specifications. Verify that activities or SSCs which could cause unexpected reactivity changes are identified in the outage risk plan and are controlled accordingly.

Containment Closure.

For PWRs. verify that licensees control containment penetrations in accordance with the refueling operations DRAFT 71111 Page 120 of 154 Issue Date: DRAFT

2 TSs and can achieve containment closure at all times.

For BWRs.

)

verify that licensees maintains secondary containment as required by TS.

02.04 Reduced Inventory and Mid-Loon Conditions Review the licensee's commitments from GL 88-17 and confirm by sampling that they are still in place and adequate. Periodically during the reduced inventory and mid-loop 1

conditions, verify that the configuration of the plant systems are in

)

accordance with those commitments. During mid-loop operations, observe the effect of distractions from unexpected conditions or emergent activities on operator ability to maintain required reactor vessel level.

02.05 Refuelino Activities Verify that fuel handling operations (removal, inspection, sipping, reconstitution, and insertion) and other ongoing activities are being performed in accordance with TS and approved procedures.

Verify that the location of the fuel assemblies is tracked, including new fuel, from core offload through core reload.

02.06 Monitorina of Heatuo and Startuo Activities.

Verify on a sampling basis that TSs. license conditions, and other requirements, commitments, and administrative procedure prerequisites for mode changes are met prior to changing modes or plant configurations.

The inspector should review the establishment of tile barriers by reviewing RCS 30undary leakage and the

, setting of containment integrity.

The inspector should walkdown containment prior to reactor startup to verify that debris has not been left which could affect performance of the containment sumps; Review reactor physics testing results to verify that core operating limit parameters are consistent with the design.

i 1

-03 INSPECTION GUIDANCE l

General Guidance.

The inspector should consider that this activity is also addressed in other inspectable areas (i.e. maintenance work prioritization and control).

In a refueling or other outage this procedure should take precedence in relation to outage planning and configuration management reviews.

The inspector should consider that for PWRs, the step increase in risk that occurs when the RCS boundary is breached and steam generators cannot be used for DHR, and the step increase in risk'that occurs when mid-loop operation conditions are reached should be apparent in the outage risk planning. The inspector should

' For PWRs. containment closure is met if all containment penetrations (including temporary penetrations, the equipment hatch, and the personnel hatch) have a differential capability equal to ultimate pressure or would be expected to remain intact following an accident. Leakage requirements as described in Appendix

]

J are not a concern. Results from the RES Surry shutdown PRA show that containment pressure (in a sub-atmospheric containment) Sllowing a core damage event at shutdown can be high.

Issue Date: DRAFT Page 121 of 154 71111 DRAFT

consider for BWRs. the risk significance of maintaining safety relief valve (SRV) operability until the vessel head is removed, the risk significance of establishing an alternate DHR path via the suppression pool, and the risk significance of maintaining DHR isolation on Level 3 to control potential reactor coolant drainage.

In addition. a licensee for a PWR or BWR should have an outage plan that ensures that barriers required for flood and/or fire control are intact or ensure that compensatory measures are taken to protect operable SSCs and SSCs which provide a key safety function.

Soecific Guidance.

03.01 Review of Outaae Plan. Defense-in-depth should be maintained: Backup SSCs should be identified for those taken out of service when removal of the SSC from service affects a key safety function.

Risk of overlap or potential overlap of activities should be considered. Consider the risks associated with handling of heavy loads, scaffolding erection and the increased potential for a fire or internal flood.

Also observe whether human performance could be impacted by the plan and how that is taken into account.

03.02 Monitorina of Shutdown Activities. Cooldown rates should be spot checked to ensure they meet Technical Specification requirements, thus avoiding overcooling which can challenge the reactor coolant system boundary. The period during transfer to shutdown cooling can be a time when risk of overcooling is the greatest.

03.03 Licensee Control of Outaae Activities.

a. Outaae Confiouration Manaaement. This item is an important issue related to shutdown risk.

The adequacy of the methods used and the operators' understanding of plant configuration are key to controlling shutdown risk.

1 When equipment is taken out of service for maintenance, declaring an SSC available should be consistent with the SSC's functional requirements.

Operators and outage control personnel should be aware of which equipment is relied on for the key safety functions. This extends to the containment sum) (PWRs) or the suppression pool (BWRs), and associated water flow

)atis.

Equipment designated to perform a key safety function should not

)e adversely affected by outage activities.

Contingency plans for restoring key safety functions should be available.

Contingency plans should include a prioritization of equipment to use.

Emergent work (maintenance, surveillance, etc.) or planned work which exceeds scheduled time windows should be controlled to prevent overlap with other activities when such overla) can potentially perturb the plant or affect a key safety function.

Risk assessments should be maintained current with respect to emergent work and schedule changes.

Licensees DRAFT 71111 Page 122 of 154 Issue Date: DRAFT

should assess overlapping or potentially overlapping activities and the effects of these activities on the key safety functions.

10.

Review of outaae activities:

Other baseline inspection procedures address observation of some activities ~during an outage. This area should focus on only those functions or components that are not being addressed through other inspectable areas.

The sampling of the activities should be based on the risk importance of the function or equipment in the particular mode or configuration.

As such the observation of these key risk significant areas may be time sensitive.

PWR risk insights indicate that. Normal and Emergency AC power RHR. RCS pressure boundary, reactivity control. RCS pressure relief, and level instruments in mid-loop are the major contributors to outage risk.

Clearance Activities.

Improper performance of clearance activities can increase risk by causing internal flooding causing increased ignition sources. and affecting defense-in -depth.

Clearance tags for boundaries associated with risk significant maintenance or modifications should be hung on the proper equipment and equipment configured such they do not increase the risk associated with the relied upon remaining equipment.

Examples of risk significant clearance activities include: 1) boundaries for a water system that will be open for maintenance in areas that are in close proximity to risk important ecuipment: 2) clearance removal where return of electrical power to particu' ar motor-operated valves could cause the valves to reposition due to locked in signals. in particular those that have direct interaction with the reactor coolant system, decay heat removal, or spent fuel pool cooling.

Reactor Coolant System Instrumentation.

Instrumentation plays a key role in risk reduction during shutdown conditions.

In particular, level instrumentation is a key factor during reduced inventory and mid-loop, and pressure indication during loss of decay heat removal. RCS pressure, level and temperature instruments and associated components (including piping.

RCS and connected system vents, etc.) should be installed and configured to provide accurate indication.

Indeperident instrumentation for each parameter should be provided to minimize the potential for common cause failure.

For Hvel instruments: Tubing runs should not have elevation changes that could t 'ap either liquid or vapor / gas in the instrument lines (i.e., loop seals).

If normal operating level instrumentation is used, the effects of changes in water density (due to lower temperature) should be considered.

Operators should be aware of the effect of loss of DHR on the plant's level instrumentation due to heatup and pressu41zation.

For temperature instruments:

Operators should be aware of the effect of loss of DHR on the plant's temperature indication and the potential for discrepancies between the temperature indications and the actual plant state.

Temperature may be measured in the DHR loop in which case Issue Date: DRAFT Page 123 of 154 71111 DRAFT

interruption, bypass, or partial bypass of DHR flow could lead to incorrect and non-conservative temperature indications.

Electrical Power.

Loss of offsite power and station black out are major factors in shutdown risk.

Control of electrical power to components is critical to risk during outages since components are deenergized and reenergized with systems in unusual / disassembled configuration.

This can cause unexpected drops or increases in RCS level, internal flooding, false protective system actuations, as well as significant personnel hazards.

fhe most important are those that would contribute to loss of decay heat removal.

In addition. the defense-in-depth called for in the outage risk control plan should be maintained.

DHR System Monitorina. Loss of decay heat removal is a primary contributor to shutdown risk at PWRs.

An important attribute to look at when decay heat removal is lost is RCS pressure relief due to the pressure increase I

with temperature.

For PWRs. when the licensee is relying on the steam generators to provide a backup means of DHR by single-phase natural 2

circulation procedures for these methods should be derived from analyses and the required equipment available: RCS pressure boundary should be closed; steam generator tubes should be full: Pressure control capability in the RCS should be maintained to ensure subcooling margin: Capability to feed the steam generators: Capability to remove steam from the steam generators (e.g., atmospheric relief valves, condenser with steam dump capability.

etc.).

Soent Fuel Pool Coolina System Ooeration. Spent Fuel Pool Cooling recovery procedures based on current / bounding heat loads should exist for situations involving loss of spent fuel pool cooling. Operators should be trained on backup equipment and procedures for spent fuel cooling.

Equipment designated in the recovery procedures should be readily available, dedicated, not obstructed by outage activities, and compatible with equipment that it must be connected to. Instrumentation, alarms, equipment.

(

instructions, and training should be provided to alert operators for the need and enable them to add water to the spent fuel pool if it becomes necessary.

Inventory Control. Problems with the RCS pressure boundary have been found to be significant in analyzing shutdown risk insights.

Examples of loss of inventory paths include DHR to suppression pool on BWRs; main steam line paths including SRV removal, automatic depressurization system testing.

I 8 Single-phase natural circulation should not be relied upon to maintain the plant in cold shutdown condition since boiling in the steam generators will take place resulting in primary system temperatures above the cold shutdown mode definition.

8 NUREG-1410 Conoseal flow area information is incorrect. Actual flow area is a factor of 20 larger. Consequently, unsealed Conoseals can allow a significant inventory loss rate, yet not provide sufficient venting for pressure control.

DRAFT 71111 Page 124 of 154 Issue Date: DRAFT

main steam isolation valve maintenance, etc. on BWRs: DHR system cross tie valves, thimble tube seals, and steam generator nozzle dams for PWRs: and l

maintenance activities on connected piping or components that are at an elevation lower than the vessel flange on all plants. For BWRs. automatic isolation on low level should not be disablec.

This signal can mitigate a loss 'of inventory from the DHR system to the suppression pool.

Maintaining this signal operational is recuired by some Tss.

In addition,

. main steam lihe plugs should be considerec for work activities on the main steam system.

Reactor cavity seal should be inspected and maintained to preclude potential seal failure. Systems required for proper operation of l

the reactor cavity seal (e.g., instrument air) should also be maintained I

to prevent failure of the seal..

Adequate vents should be provided to accomplish gravity feed and low pressure makeup when relied upon. For BWRs i

only, SRV operability should be maintained until the head is removed in order to provide venting for low pressure makeu). Also paths for inter-system LOCA such as maintenance and testing on tie non-operating loop LPI I

train or LPI testing on return back to RWST.

Reactivity Control. For PWRs the licensee should identify and implement appropriate administrative controls on potential boron dilution paths.

Uniform RCS boron concentration is important, therefore, addition of water with a lesser boron concentration or starting of reactor coolant pumps which could inject water with a lesser boron concentration into the core should be controlled.

Containment Closure.

No inspection guidance.

03.04 Reduced Inventory and Mid-looo Conditions The period of reduced inventory and mid-loop are the times of greatest risk during shutdown. The inspector should review the planned activities during those conditions and consider what the risk effect of those activities could be on the critical parameters that affect time to boil.

The following is a list of key attributes from GL 88-17 that the inspector should use in evaluating licensee plans for mid-loop and operating performance during the reduced inventory /mid-loop condition.

A.

The inspector should review GL 88-17 and the licensee's commitments in their written response.

B. Ensure the licensee has reviewed their controls and administrative procedures goveming mid-loop operation, and have conducted training for mid-loop operation.

C. Procedures are active and in use for the following:

1). Containmem closure capability _for mitigation of radioactive releases:

2). RCS temperature - at least 2 independent, continuous indications of core exit conditions are operable 3). RCS level - at least 2 independent, continuous indications of water level are operable and calibrated 4). RCS perturbations should be avoided 5). RCS inventory addition - at least 2 additional means of adding inventory must be available, in addition to RHR pumps Issue Date: DRAFT Page 125 of 154 71111 DRAFT

I 6). Nozzle dams - reasonable assurance is obtained that not all hot legs are blocked simultaneously unless the upper plenum is vented.

7). Electrical power - contingency plans exist to repower vital busses from attemate source if primary source is lost 8).

Emergency / Abnormal Operating Procedures that address reduced inventory operation.

Time to boil can be less than 30 minutes when decay heat removal is lost in mid-loop conditions.

During mid-loop operations the operator provides the only prevention / mitigating function for a loss of reactor vessel level prior to the loss of decay heat removal.

There generally are no alarms that provide indication of loss of level in the mid-loop condition.

Operator attention to plant conditions is the key prevention aspect for a loss of decay heat removal event. The inspector should observe operator performance during drain down and mid-loop conditions in relation to how distractions such as unexpected conditions and emergent work affect operator focus.

03.05 Refuelino Activities I

The inspector should verify that the periodic testing and operability verification of refueling-related equipment, systems, and interlocks required by TS are being accomplished to ensure that risk of breaching the fuel cladding barrier is minimized. Verify that refueling seals have been aroperly installed and tested. Observe that foreign material exclusion is aeing maintained in the refueling area. spent fuel area, and su)pression pool area. The inspector should select a sample of 5 fuel'assem) lies and verify that the correct assembles were loaded in the reactor core locations specified by the design.

Accomplish with combination of observation and record review. Based on discussions with licensee reactor engineers, pick the 5 based on greatest risk to fuel barrier damage if they were incorrectly located in the core.

Fuel loading should be performed in a manner to maintain coupling between the instruments used for monitoring reactivity and fuel loaded in any location within the vessel.

03.06 Monitorina of Restart Activities.

This activity should focus on the licensee having the required equipment available for mode changes to ensure that risk is kept to a minimum.

The activity can be conducted by direct observation of system / equipment operation documentation reviews, or a combination of both. The sampling should be adequate to provide reasonable assurance that the licensee is following the administrative )rogram laid out to ensure that risk is maintained at a minimum level.

T1e inspector should observe that TS RCS boundary leakage requirements are met prior to the applicable mode changes and that containment integrity is established prior to entering the applicable TS mode.

The inspector should review startup physics testing data sufficiently to conclude that core operating limit parameters are as predicted by the design so that the fuel cladding barrier will not be challenged.

DRAFT 71111 Page 126 of 154 Issue Date: DRAFT

1 i

-04 RESOURCE ESTIMATE This inspection procedure is estimated to take 80 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br /> per refueling outage.

-05 REFERENCES GL 88-12, " Loss of Residual Heat Removal (RHR) While the Reactor Coolant System (RCS) is Partially Filled " July 9, 1987.

NUREG-1269, " Loss of Residual Heat Removal System, Diablo Canyon, Unit 2 April 10, 1987," June 1987.

GL 88-17, " Loss of Decay Heat Removal, 10 CFR 50.54(f)," October 17,1988.

TI 2515/101, " Loss of Decay Heat Removal (Generic Letter No.

88-17) 10 CFR 50.54(f)," February 16, 1989.

TI 2515/103, " Loss of Decay Heat Removal (Generic Letter No.

88-17) 10 CFR 50.54(f), Programmed Enhancements (Long Term) Review," December 18, 1989.

i NUREG-1410, " Loss of Vital AC Power and the Residual Heat Removal System During Mid-Loop Operations at Vogtle Unit 1 on March 20, 1990 " June 1990.

TI 2515/113, " Reliable Decay Heat Removal During Outages," November 18, 1991.

NUREG-1449, " Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States," September 1993.

IN 93-72, " Observations from Recent Shutdown Risk and Outage Management Pilot Team Inspections," September 14, 1993.

NUREG-0700, REV.1, " Human System Interface Design Review Guideline," June, 1996 Generic Letter 98-02, " Loss of Reactor Coolant Inventory and Associated Potential for Loss of Emergency Mitigation Functions while in a Shutdown Condition," May 28, 1998 Information Notice 95-03 Loss of Coolant Inventory and Associated Potential Loss of Emergency Mitigation Functions while in a Shutdown Condition," January 12, 1995 i

INS?ECTION GUIDANCE TABLE Issue Date: DRAFT Page 127 of 154 71111 DRAFT

CORNERSTONE RISK PRIORITY EXAMPLES INITIATING EVENTS (20%)

Equipment or actions Inadvertent lowering of that could cause a loss reactor vessel level in of decay heat removal.

mid-loop due to operator inattention.

Actions that could Improper, hanging or affect reactor vessel restoration of clearance 3 eve).

tags that could affect reactor vessel level.

DHR. or electrical power Activities that availability.

contribute to loss of Actions that could cause off-site power or reactor vessel level I

station blackout.

indication to be inaccurate.

MITIGATING SYSTEMS Equipment used to Activities that affect (70%))

mitigate a loss of decay the ability of

) umps heat removal, designated in tie shutdown risk analysis to add water to the Equipment used to reactor vessel.

mitigate a loss of reactor vessel level.

Activities that affect the water source for any of the pumps designated in the shutdown risk analysis.

Activities that affect

{

the electrical power

~

1 sources designated in the shutdown risk analysis.

j i

Failure to verify i

refueling interlocks.

BARRIERS (10%)

Actions that affect the Exceeding the required fuel cladding barrier.

heatup or cooldown reactor vessel / reactor rates.

coolant system integrity, or affect containment' integrity.

Failure to establish containment integrity during fuel movement.

DRAFT 71111 Page 128 of 154 Issue Date: DRAFT

l

)

)

i Issue Date: DRAFT Page 129 of 154 71111 DRAFT

F' i

N 71111 Page 130 of 154 Issue Date: DRAFT

! 1 l

Safety System Design'and Performance Capability l

5/9/99 INSPECTABLE AREA: Safety System Design and Performance Capability CORNERS 10NES:

Mitigating Systems INSPECTION BASES: Inspection of safety system design and performance verifies the initial design and subsequent modifications and provides monitoring of the capability of the selected system to perform its design basis functions. As plants age. their design bases may be lost such that an important design feature may be altered or disabled. The plant risk assessment model is based on the capability of the as-built safety system to perform its intended safety function successfully. This inspectable area verifies aspects of the Mitigating Systems cornerstone for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Biennially review one or two risk significant systems.

q Estimated hours:

320 biennially

-01 INSPECTION OBJECTIVE (S):

Verify that design bases have been correctly implemented for risk significant systems to ensure that the systems can be relied upon to meet their functional requirements.

-02 INSPECTION REQUIREMENTS:

02.01 Team comoosition:

The inspection team should be multi-disciplinary with expertise relevant to the system (s) being reviewed.

Preferably, an inspection team would include individuals with design experience in mechanical. engineering, electrical engineering, and instrumentation and controls.

If the system (s) to be reviewed require significant operator actions, consideration should also to given to including an individual with an operations background.

02.02 System Selection:

l Issue Date: DRAFT Page 131 of 154 71111 DRAFT

n l

Select one or two high safety significant maintenance rule systems used for mitigating an accident.

Consult the table below for guidance in system l

selection. Consult the regional SRA and the SRI for plant specific guidance.

l l

DRAFT 71111 Page 132 of 154 Issue Date: DRAFT l

1 l

System Selection Focus 1 or 2 mitigating systems systems with high safety significant Maintenance Rule e

SSCs/ functions (systems with SSCs/ functions with high probabilistic risk analysis (PRA) rankings may be chosen as an alternative) l Systems with design attributes which are not fully demonstrated l

through testing l

Systems which have had significant modifications, changes to design bases, and operating procedure changes Systems which have not received recent NRC review l

Systems which have multiple Maintenance Rule functions or which support multiple systems I

For selecting more than one system, the systems should complement l

each other for mitigating accidents (e.g., for a PWR, AFW and 4

l pressurizer PORVs: for a BWR, HPCI and ADS) 02.03 Obtain Information:

]

Obtain necessary information for review for determining SSC design and licensing basis functional requirements for selected systems. The following table shows suggested sources for obtaining information.

System Information Suggested Sources Design Bases Updated Final Safety Analysis Report (UFSAR)

Design Basis Documentation System Descriptions Design Calculations Design Analyses

)

Piping & Instrumentation Drawings Significant Design Drawings Issue Date: DRAFT Page 133 of 154 71111 DRAFT 1

System Information Suggested Sources i

Licensing Bases NRC Regulations Plant Technical Specifications UFSAR.

NRC Safety Evaluation Reports Commitment Letters (e.g., response to GLs, BNs)

Applicable UFSAR Accidents / Events Individual Plant Examination PRA analyses Emergency Operating Procedures (E0Ps)

System Changes System Modification Packages 10 CFR 50.59 Safety Evaluations

]

Temporary Modifications Work Requests 1

Setpoint Changes j

E0P Changes Industry Experience Licensee Event Reports Bulletins Information Notices Based on the information obtained, inspectors should be able to identify:

System Flowpaths Safety Feature Actuation Signals System Alignment During Accident Mitigation e

Safety Interlocks Fuctional Requirements for Active Components During Abnormal / Accident Conditions Operator Actions Required to Support System Functions Modifications made to the system that could have potentially changed the licensing and/or design bases DRAFT 71111 Page 134 of 154 Issue Date: DRAFT

02.04 Review System Needs:

Verify system needs are met by selecting a sample of system needs inspection attributes to be reviewed.

Selection of inspection attributes should focus on those attributes that are not fully demonstrated by testing, have not received recent in-depth NRC review, and are critical for the system function.

The table below. System Needs Attributes, is a listing of inspection attributes representing what a system may require to function.

Not all inspection attributes listed will apply to all systems.

Perform the inspection activities associated with the selected inspection attributes.

System Needs Inspection Attributes Inspection Activity Process Medium Verify process medium will be available and unimpeded during accident / event conditions

,,,t,,

Example:

For an auxiliary feedwater

  • 'I' system, verify the alternate water source

. electrical signal will be available under accident conditions.

Energy Source Verify energy sources, including those used for control functions, will be available and

. electricity adequate during accident / event conditions

. steam Example:

For a diesel driven auxiliary

. fuel + air feedwater pump, verify diesel fuel sufficient for accident duration.

. air Example:

For an air-operated pressurizer PORV, verify that either sufficient reservoir air will exist or instrument air will be available to support feed and bleed operation.

Control System Verify control system will be functional and provide desired control during accident / event

. initiation signal conditions

. c ntrol signal Example:

For refueling water storage tank i

. shutdown signal level instrumentation which provides signal for suction swap-over to containment sump, is the setpoint established to ensure sufficient water inventory and prevent loss of required net positive suction head?

l Issue Date: DRAFT Page 135 of 154 71111 DRAFT

1 System Needs Inspection Attributes Inspection Activity Operator Actions Verify that operating procedures (normal, abnormal, or emergency) specify correct

. initiation operator actions for accident / event conditions

. monitoring Example:

If accident analyses assume

. control containment fan coolers are running in slow speed, do procedures verify fan coolers are

. shutdown running in slow speed?

)

Verify operator actions can be performed in time required for accident / event conditions Example:

If accident analyses assume that l

e containment saray will be manually initiated witlin a certain time, verify procedures ensure manual initiation within assumed time and that time testing performed to validate the procedures was i

consistent with design basis assumptions.

Verify instrumentation and alarms available to operators for necessary decisions Example:

For swap-over from injection to recirculation, do alarms and level instrumentation provide operators with appropriate information and are controls and displays for proper system alignment adequate?

Environmental Verify equipment cualification suitable for Requirements environmental concitions expected for accident / event

. temperature Example:

Is equipment cualified for room

. humidity temperatures under accicent conditions?

. radiation Equipment Protection Verify equipment adequately protected Example:

Verify freeze protection adequate I

. fire na on.

. flood Example:

Verify that conditions and

=

  • "15 5"'

modifications identified by the licensee's

. steam high energy line break analysis have been implemented.

. seismic

. freeze DRAFT 71111 Page 136 of 154 Issue Date: DRAFT

1 System Needs Inspection Attributes Inspection Activity Heat Removal Verify that heat will be adequately removed from system

. cooling water Example:

For an emergency diesel

. ventilation generator, verify heat removal through service water will be sufficient for extended operation.

Emergency Diesel Generator Example: The applicable inspection attributes for consideration are Energy Source (fuel + air for continuous running, and air for starting). Control System (initiation and control signals). Environmental l

Requirements (temperature). Equipment Protection (depending on plant specific requirements), and Heat Removal (cooling water and ventilation).

Of those a)plicable inspection attributes, the inspectors may choose to focus on just t1e Control System and Heat Removal inspection attributes, depending on

-inspection resources available.

High Pressure Core Injection (HPCI) Example:

Verification of Process Medium and associated Control -System would be considered significant inspection attributes because the condensate storage tank, a non-safety related source, is used as the initial supply of water.

Use of the suppression pool as an j

injection source generally is not tested. Non-safety related components have not typically received as much design and inspection effort as safety related components. Failure to provide water with adequate net positive suction head from either source can fail the system function.

02.05 Review System Condition and Caoability:

)

Verify system condition and tested capability is consistent with the design bases and is appropriate. The table below. System Condition and Capability Inspection Attributes, is a listing of applicable inspection attributes.

Perform the inspection activities associated with the inspection attributes.

Issue Date: DRAFT Page 137 of 154 71111 DRAFT

System Condition and Capability Inspection Attributes Inspection Activity Installed Verify, by walkdown or other means, that Configuration system installed configuration will support system function under accident / event

. elevations conditions

. flowpath components Example:

Verify level or pressure instrumentation installation is consistent with instrument setpoint calculations.

Maintenance Verify that design attributes / assumptions not verified by testing have been ensured through

. age degradation maintenance or inspection activities

. service related wear Example:

For ice condensers verify e

inspection activities ensure air channels have been maintained consistent with design assumptions.

l Example:

For service water systems, verify piping has not degraded below minimum wall thickness due to flow accelerated corrosion (erosion / corrosion).

Operation Verify that operation and system alignments are consistent with design and licensing basis assumptions Example:

For a containment spray system, verify emergency operating procedure changes have not impacted design assumptions and requirements (such as single failure criteria).

Example:

For a service water system, verify flow balancing will ensure adequate heat transfer to support accident mitigation.

Design Verify identified issues relating to design have been a)propriately resolved.

(Such

. design issue resolution issues may )e identified through either the corrective action program or self-assessment program.)

Example:

If issues relating to system setpoint values are in the corrective action program, verify that resolution of the issues was appropriate.

l.

DRAFT 71111 Page 138 of 154 Issue Date: DRAFT

System Condition and Capability Inspection Attributes Inspection Activity Tested Parameters Verify that acceptance criteria for tested parameters are supported by calculations or

  • U *t' other engineering documents to ensure design

. pressure and licensing bases met Example:

Verify flowrate acceptance

. temperature criteria is correlated to the flowrate

  • "It*S' required under accident conditions with

. current associated head losses taking setpoint tolerances and instrument inaccuracies into account.

Verify that individual tests validate integrated system operation under accident / event conditions.

Example:

Verify that EDG sequencer testing properly simulates accident conditions and the ecuipment response is in accordance with cesign requirements.

02.06 Comoonent Selection:

l Select a sample of at least two significant components for in-depth inspection. Refer to the table below for guidance in selecting components for inspection.

Component Selection Focus n

Issue Date: DRAFT Page 139 of 154 71111 DRAFT

2 2 components e

Components whose failure will result in loss of system or train e

function Components which support multiple systems or trains Components with risk significant design features which are not validated by testing Consider passive as well as active components Components which have not received extensive review e

Components which have safety /non-safety related interfaces.

02.07 Perform II,-Death Comoonent Insoection Activities:

Perform inspection activities for a sample of inspection attributes which are significant for the selected components.

Component Inspection Component Inspection Activity Attribute Degradation Mechanisms Verify that potential degradation mechanisms monitored or prevented Example:

For an electrical breaker, verify that grease has not been allowed to age and harden.

Example:

For pumps and motors, verify that oil is changed periodically, an oil analysis program is in place, and that oil in equipment is clear.

Verify component replacement consistent with inservice / equipment qualification life.

1 DRAFT 71111 Page 140 of 154 Issue Date: DRAFT l

Component Inspection Component Inspection Activity Attribute Environmental Verify that environmental qualification is Qualification suitable for environment expected under accident / event conditions

. Temperature

. Humidity

. Radiation Seismic Qualification Verify that necessary seismic qualification demonstrated Verify that baseplates, hangers, and struts are installed properly.

Configuration Verify that component configuration has been maintained to ensure design assumptions have been maintained Example:

For a containment sump, verify that screen opening size has been maintained.

Component Verify that component inputs and outputs are Inputs / Outputs suitable for application and will be acceptable under accident / event conditions Procurement Verify that procurement process for component ensured that critical design attributes were

. specifications verified

. Receipt inspection

. Receipt Testing Operating Experience Verify that applicable insights from operating experience programs have been applied to the selected components.

02.08 Identification and Resolution of Problems l

As it relates to design issues, select a sample of problems identified by the licensee in the corrective action program and verify effectiveness of corrective actions.

Use Inspection Procedure 71152. Identification and Resolution of Problems, for guidance to perform this review.

l

-03 INSPECTION GUIDANCE:

General Guidance i

Issue Date: DRAFT Page 141 of 154 71111 DRAFT 1

Cornerstone Inspection Risk Priority Examples Objective Mitigating Verify system Design and Residual Heat Systems design bases functional Removal have been capability of maintained.

components that are not Auxiliary validated by in.

Feedwater Verify system plant testing availability, reliability, and RCIC functional Emphasis on capability has changes to been maintained.

design bases and CCW normal and emergency Verify that procedures Service Water safety margins have been maintained.

Risk significant EDGs design features and assumptions Verify that' not reviewed DC Power defense in depth previously

)hilosophy has

)een maintained.

General Desian Insoection Guidance Walkdowns:

During the walkdown of the selected system (s), inspectors should focus on:

Is the installed system consistent with the piping and instrument diagram?

Will equipment and instrumentation elevations support the design function?

e Has adequate sloping of piping and' instrument tubing been provided?

e Are required equipment protection barriers (such as walls) and systems (such e

as freeze protection) in place and intact?

Does the location of the equipment make it susceptible to flooding, fire, high e

energy line breaks, or other environmental concerns?

DRAFT 71111 Page 142 of 154 Issue Date: DRAFT

Has adequate physical separation / electrical isolation been provided?

Are there any non-seismic SSCs surrounding the system which require evaluation for impact upon the system?

Does the location of equipment provide for manual operator action, if required?

Desian Review j

The purpose of the design inspection is to verify that the system will function as required under accident conditions.

In the process of reviewing the design.

inspectors should verify the appropriateness of design assumptions, boundary i

conditions, and models.

Independent calculations by the inspectors may be required to verify appropriateness of the licensee's analysis methods.

The l

interfaces between safety related and non-safety related systems should also be reviewed.

In reviewing the functional adequacy of the selected system, the inspector should j

determine whether the design basis is met by the installed and tested configuration. The inspector should understand not only the original purpose of the design but the manner and conditions under which the system will actually be required to function during transients and accidents.

For example:

If UFSAR information was used for inputs for design or procedures, were these inputs consistent with the design bases?

For valves:

Are the permissive interlocks appropriate?

Will the valve function at the pressures that will exist during transient / accident conditions?

Will the control and indication power supply be adequate for system function?

Is the control logic consistent with the system functional requirements?

What manual actions are required to back up and restore a degraded function?

e For pumps:

Issue Date: DRAFT Page 143 of 154 71111 DRAFT

i Is the pump capabile of supplying required flow at required pressures under transient / accident conditions?

Is adequate ~ net positive suction head (NPSH) available under all operating e

conditions?

Is the. permissive interlock and control logic appropriate for the system e

function?

Is the pump control adequately designed for automatic operation?

e When manual control is required, do the operating procedures appropriately i

e describe necessary operator actions?

4 What manual actions are required to back up and restore a degraded function?

e Has the motive power required for the pump during transient / accident e

conditions been correctly estimated and included in the normal and emergency i

power supplies?

Do vendor data and specifications support sustained operations at low flow e

rates?

Isthedesignandqualityofbearingandsealcoolingsystemsagceptable?

e For instrumentation and sensors:

1 Are the required plant parameters used as inputs to the initiation and control system?

If operator intervention required. in certain scenarios, have appropriate e

alarms and indications been provided?

Are the range, accuracy, and setpoint of instrumentation adequate?

I Are the specified surveillance and calibrations of such instrumentation e.

acceptable?

Review of As-Built Desian DRAFT 71111 Page 144 of 154 Issue Date: DRAFT-

When comparing the as-built design with the design basis and the licensing basis for the selected system, the inspectors should consider the following questions:

. Are the assumptions upon which the original design was based adequate?

For example:

Are service water flow capacities sufficient with the minimum number of

. pumps available under accident conditions?

Are the voltage studies accurate and-will the required motor-operated valves and relays operate under end-of-life battery conditions and degraded grid voltages?

Are fuses and thermal overloads properly sized?

Are direct current loads within the capacity of the station batteries?

Is the instrumentation adequate in range and accessible to operators to control the system under normal and abnormal conditions?

Have modified equipment components falling under the scope of 10 CFR 50.49 l

been thoroughly evaluated for environmental equipment considerations such as temperature, radiation, and humidity? qualifications Are the modifications to the system consistent with the original design and licensing bases?

Issue Date: DRAFT Page 145 of 154 71111 DRAFT t

l

(

i l

i i

i 1

4 DRAFT 71111 Page 146 of 154 Issue Date: DRAFT

E l

2 i

Surveillance Testing INSPECTABLE AREA: Surveillance Testing April 21, 1999 CORNERSTONES:

Mitigating Systems Barrier ' Integrity INSPECTION BASES: Operating experience has shown that surveillance test procedure deficiencies may invalidate previously acceptable test results.

This inspectable area verifies aspects of the associated cornerstones not measured by performance indicators.

In the mitigating systems cornerstone, the safety system performance indicator - (availability) indirectly measures the quality of testing procedures.

LEVEL 0F EFFORT:

Review an average of two testing activities a month.

(Estimated hours 48 per year)

-01 INSPECTION OBJECTIVE (S)

This inspection will focus on maintaining operability of systems ranked high in importance in site specific IPE, IPEEE, PRA, or RIM 2.

-02 INSPECTION REQUIREMENTS:

02.01 Work Planning Based on information gathered during plant status reviews, select an average of two surveillance activities per month based on risk information contained in the licensee *s IPE, RIM 2, and the guidance contained in Appendix A.

02.02 Work Observation a.

By both witnessing tests and reviewing data determine if the testing met the surveillance requirements and demonstrates that the equipment configuration was operable.

b.

The following is a list of surveillance test attributes to be considered for the inspection.

Only those attributes which are significant for the particular test should be inspected.

Issue Date: DRAFT Page 147 of 154 71111 DRAFT

I Preconditioning Effect of testing on the plant 'has been adequately addressed by control room and/or engineering personnel Acceptance criteria is clear and demonstrates operability Test equipment has current calibration Test is performed as written Jumpers installed or leads lifted during testing are controlled and restored Test data is complete and meets procedure, and when applicable calculation requirements Test frequency was adequate to demonstrate operability (meets Technical Specification requirements)

Test equipment is removed after testing After completion of testing, equipment is returned to the positions / status required to maintain the system operable.

2.03 Problem Identification and Resolution During plant status reviews verify that the licensee has entered significant surveillance testing problems in their corrective action program and as appropriate select the s)ecific testing for future baseline inspection.

For significant problems wit 1 common cause potential, check the adequacy of the licensee's resolution. See Baseline Inspection Procedure 71152. " Identification and Resolution of Problems," for additional guidance.

-03

)

APPENDIX A INSPECTION GUIDANCE:

DRAFT 71111.

Page 148 of 154 Issue Date: DRAFT

Cornerstone Inspection Risk Priority Example Objective Mitigating Identify any Focus in areas Integrated Systems mitigating with potential safeguards (90%)

system, credited for common mode testing by the licensee failures.

as operable when accessing risk, emergency diesel which is Select start / load adversely surveillance testing impacted by tests which cross surveillance technical testing related disciplines battery failures such as (electrical, performance failure to mechanical, I&C) testing adequately test, failure to meet test critaria or, reactor realign equipment protection and after the safety injection surveillance.

instrumentation testing safety buss loss of voltage and degraded voltage relay testing Barrier Integrity Identify any containment containment isolation valve (10%)

integrity testing supporting system, credited by the licensee as operable when accessing risk, i

which is adversely impacted by surveillance test-failures such as failure to adequately test, failure to meet-test criteria or failure to realign equipment after the test Issue Date: DRAFT Page 149 of 154 71111 DRAFT

k

-04 REFERENCES Baseline Inspection Procedure 71111. Attachment 12, " Maintenance Rule Implementation" Baseline Inspection Procedure 71111, Attachment 13. " Maintenance Work Prioritization and Control" Baseline Inspection Procedure 71111. Attachment 4. " Equipment Alignment" Baseline Inspection Procedure 71111. Attachment 3. " Emergent Work" Baseline Inspection Procedure 71111 9. " Post Maintenance Testing" Baseline Inspection Procedure 71111. Attachment 9. " Inservice Testing of Pumps and Valves" Baseline Inspection Procedure 71152, " Identification and Resolution of Problems" i

i l

i DRAFT 71111 Page 150 of 154 Issue Date: DRAFT

, 3 Temporary Plant Modifications INSPECTABLE AREA: Temporary Plant Modifications April 21, 1999 CORNERSTONES:

Mitigating Systems Barrier Integrity INSPECTION BASES: Industry' experience has shown that temporary modifications to risk-significant SSCs may adversely affect their availability, reliability or functional capability. A temporary modification may result in a departure from the design basis and system success criteria, and can result in a configuration that may be an unreviewed safety concern.

Temporary or unrecognized risk changes due to the modification may evolve into high risk configurations.

This inspectable area verifies aspects of the associated cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT:

Periodically screen active temporary modifications on systems which are ranked high in risk.

Review the details of 5-6 temporary modifications a year (or the impact of multiple temporary modifications

)

by reviewing one or two modifications each quarter of the j

year.

(Estimated hours - 28 per year)

-01 INSPECTION OBJECTIVE (S)

This inspection will focus on ensuring that temporary modifications have not affected the safety functions of important safety systems.

4

-02 INSPECTION REQUIREMENTS:

02.01 Inspection Planning During plant status reviews periodically review licensee's listings for temporary modifications.

Select one or tvio temporary modifications to risk important systems, as defined in the licensee's IPE, IPEEE. PRA. or RIM 2 for more detailed review after initial screening cf the modification indicates the modification or group of modifications could affect performance of a system.

Refer to Appendix A for additional guidance in selecting temporary modifications for review.

For Jurposes of this inspection, temporary modifications include changes introduced

)y jumper and leads lifted logs and other similar instructions which can introduce changes to plant design and operations.

Although the focus of this Issue Date: DRAFT Page 151 of 154 71111 DRAFT

i inspection is on active modifications, inspectors may choose to review a recently removed temporary modification for adequate restoration and testing.

{

I 02.02 Design Review Review the temporary modification (s) and associated 50.59 screening against the i

system design bases documentation, including FSAR and TS.

Verify that the j

modification (s) has not affected system operability / availability. See Baseline i

Inspection Procedure xxxx. " Permanent Plant Modifications," for additional i

attributes which may be considered.

Inspect only those attributes which may be significant for the particular modification (s) being reviewed.

1 02.03 Work Observation Consider inspection of the actual installation if an incorrectly installed or supported temporary modification could reasonably be considered to adversely

)

affect system operation.

Verify adequate configuration control of the modification. including adequacy of operating and maintenance procedures.

02.04 Testing

)

4 Review post-installation test results and planned testing after removal to ensure that actual effect of the temporary modification (s) on the permanent system and interfacing systems has been adequately verified by test.

02.05 Problem Identification and Resolution During plant status reviews verify that significant problems with temporary modifications are entered in the licensee's corrective action program.

For problems which required the modification, verify the licensee has a planned

)ermanent solution. See Baseline Inspection Procedure 71152, " Identification and Resolution of Problems," for additional guidance.

i

-03 APPENDIX A INSPECTION GUIDANCE:

i l

DRAFT 71111 Page 152 of 154 Issue Date: DRAFT m

Cornerstone Inspection Risk Priority Example Objective Mitigating Identify Temporary Use of alternate Systems temporary modifications material when modifications which could specified (90 %)

which could affect the design replacement parts affect the design bases and are not available basis or the functional functional capability of capability of interfacing plant mitigating systems During outages:

systems Temporary Multiple electrical power Emphasize temporary to equipment modifications modifications to required to which affect high a single system minimize safety or train.

shutdown risk significant especially during Maintenance Rule outages SSCs/ functions or Alternate water modifications sources for which affect Temporary equipment cooling SSCs/ functions modifications or fire with high PRA which require protection of rankings operator equipment workarounds required to minimize shutdown risk Barrier Integrity Identify Temporary changes (10%)

temporary to containment modifications isolation motor which could operated valve affect the design designs.

basis or the functional capability of During outages:

containment or Temporary power reactor coolant improperly routed system boundaries into containment when the ability to establish containment integrity is still required

)

-04

REFERENCES:

Baseline Inspection Procedure 71111 7, " Permanent Plant Modifications" Issue Date: DRAFT Page 153 of 154 71111 DRAFT

Baseline Inspectior. Procedure 71111. Attachment 2. " Changes to License Conditions and Safety Analysis Report" Baseline Inspection Procedure 71152. " Identification and Resolution of Problems ~

l i

DRAFT 71111 Page 154 of 154 Issue Date: DRAFT

_