ML20196F285

Summary of 981118 Meeting with NEI to Discuss Options for Revising Regulatory Oversight Process.Meeting Agenda & Written Info Exchanged Encl
ML20196F285
Person / Time
Issue date: 11/24/1998
From: Isom J
NRC (Affiliation Not Assigned)
To:
NRC (Affiliation Not Assigned)
References
NUDOCS 9812070002


Text

November 24, 1998

MEMORANDUM TO: File

FROM: James A. Isom, Operations Engineer
Inspection Program Branch
Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF THE NOVEMBER 18, 1998 MEETINGS WITH THE NUCLEAR ENERGY INSTITUTE TO DISCUSS OPTIONS FOR REVISING THE REGULATORY OVERSIGHT PROCESS

On November 18, 1998, a public meeting was conducted between NRC and NEI to continue exchange of information and views in developing improvements to NRC processes for overseeing performance of operating reactors. The meeting agenda and written information exchanged are attached.

CONTACT: James A. Isom 301-415-1109

Attachments:
1. Agenda
2. List of Attendees
3. Initiating Events Cornerstone
4. Mitigating Systems Cornerstone
5. Barrier Integrity Cornerstone
6. NRC Nuclear Power Plant Baseline Inspection Program
7. Premises Handout
8. NEI Proposed NRC Inspection Finding Evaluation Matrix
9. Cover Letter Plant X
10. Cover Letter Plant Y
11. NRC Assessment Process Survey
12. Action Matrix

DISTRIBUTION: PUBLIC, Central Files, PIPB R/F, F. Gillespie, M. Johnson, C. Holden, A. Madison, J. Isom, T. Frye, J. Jacobson, D. Gamberoni, R. Barrett, P. Baranowsky, B. Mallet

DOCUMENT NAME: MTG1118.SUM

To receive a copy of this document, indicate in the box: "C" = Copy without enclosures, "E" = Copy with enclosures, "N" = No copy

OFFICE: PIPB:DISP / PIPB:DISP
NAME: JAIsom / MRJohnson
DATE: 11/ /98 / 11/ 7 /98

OFFICIAL RECORD COPY

November 18, 1998
NRC/NEI PUBLIC MEETING AGENDA

8:00am   Welcome/Introduction (Alan Madison)
8:15am   Framework Development Team (Patrick Baranowsky)
         - Discussion of cornerstone write-ups regarding PIs and inspection areas for initiating events, mitigating systems, and barriers
         - Discussion of NEI and NRC analysis of risk sensitivity and threshold implications for reactor scram and SSPI reliability and availability indicators
         - Discussion of NRC benchmarking of PIs
10:15am  Break
10:30am  Inspection Rebaselining Team (Bruce Mallett)
         - Inspectable Areas and the Risk Information Matrix (RIM)
12:30pm  Lunch
1:30pm   Assessment Development Team (Michael Johnson)
3:15pm   Future Interactions (Alan Madison)
3:30pm   Adjourn

NOVEMBER 18, 1998, NRC/NEI MEETING ON PERFORMANCE ASSESSMENT PROCESS IMPROVEMENTS

SIGN-IN SHEET

| NAME | ORGANIZATION | PHONE NUMBER |
|---|---|---|
| Donna Alexander | Carolina Power and Light | 919-546-6901 |
| P. W. Baranowsky | NRC/AEOD | 301-415-1111 |
| Robert W. Boyce | PECO Energy | 610-640-5620 |
| Stephen D. Floyd | NEI | 202-739-8078 |
| Tim Frye | NRC/NRR | 301-415-1287 |
| David Garchow | PSEG | 609-339-3250 |
| Frank Gillespie | NRC/NRR | 301-415-1275 |
| Lynnette Hendricks | NEI | 202-739-8109 |
| Don Hickman | NRC | 301-415-6829 |
| Cornelius Holden | NRC/NRR | 301-415-1037 |
| Tom Houghton | NEI | 202-739-8107 |
| Michael Johnson | NRC/NRR | 301-415-1241 |
| W. D. Johnson | NRC/R-IV | 301-415-1325 |
| Steve Lockfort | NYPA | 914-681-6868 |
| Alan Madison | NRC/NRR | 301-415-6412 |
| Bruce Mallet | NRC/R-II | 301-415-1425 |
| Mark McBurnett | STPNOC | 512-972-7206 |
| Jim McCarthy | Virginia Power | 804-273-2699 |
| Alan Nelson | NEI | 202-739-8110 |
| G. W. Parry | NRC/NRR | 301-415-1464 |
| W. H. Ruland | NRC/R-I | 301-415-1380 |
| R. L. Sullivan | NRC | 301-415-1123 |

Attachment 2

Initiating Events Cornerstone

General Description

The purpose of this cornerstone is to limit the frequency of those events that upset plant stability and challenge critical safety functions, during shutdown as well as power operations. When such an event occurs in conjunction with equipment and human failures, a reactor accident may occur. Licensees can therefore reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Such events include loss-of-coolant accidents, losses of offsite power, and steamline breaks. There are a few key attributes of licensee performance that determine the frequency of initiating events at a plant.

Key Attributes of Licensee Performance That Contribute to Event Frequency

Those attributes of licensee performance that affect the frequency of initiating events are shown in Figure 1. They include three that were identified at the NRC's Performance Assessment Public Workshop (configuration control, procedure quality, and human performance) and three additional ones (protection against external events, equipment performance, and design). Common-cause failure, which was also identified at the Workshop, has been addressed elsewhere as a cross-cutting issue. The soundness of a licensee's performance in these attributes will affect its ability (1) to maintain a low frequency of initiating events that are under the licensee's control and (2) to limit the number of initiating events caused by external factors. In the first case, the licensee can control the frequency of initiating events by ensuring adequate human performance, procedure quality, equipment performance, plant design, and configuration control. In the second case, the licensee can limit the plant's vulnerability to factors that are outside its direct control by providing adequate protection against those external factors.

Protection Against External Events

External events can cause initiating events and have been shown in some PRAs to be significant contributors to plant risk. Such events include those that are due to weather, floods, fires, accidents involving toxic substances, activities in the switchyard, grid instability, and loss of access to the ultimate heat sink. While licensees cannot prevent most of these events from occurring, they install protective systems, such as freeze protection and lightning arresters, and implement procedures, such as shutting down prior to the arrival of a hurricane, to reduce their impact on the plant. These actions help to limit the number of plant upsets due to external events. Because external events are so rare, the lack of an initiating event due to an external event does not provide assurance that protection against such events is adequate. This attribute will be monitored by inspection of protective features.

Human Performance

Human errors can cause initiating events, especially during activities associated with plant operations, maintenance, calibration, and testing. Human-induced initiating events are relatively more frequent during shutdowns than during power operations. The nature of the work being performed while the plant is shut down is quite different from that of power operations, with more frequent, direct interactions between plant personnel and plant equipment; likewise, work scheduling is more complex because of the higher number of concurrent work activities. Hence there are more human-induced initiating events while shut down because there are more opportunities for such events. Effective planning and control of work is crucial to limiting the occurrence of human-induced initiating events, both while the plant is operating as well as when it is shut down. Human errors that cause initiating events during both shutdown and power operations will be captured by performance indicators.

Revision 15, November 18, 1998

FIGURE 1 (DRAFT): Initiating Events cornerstone, key attributes and their elements.
Key: S = Scrams; T = Transients; SD = Shutdown Margin (Future); RII = Risk-Informed Inspections; MR = Maintenance Rule; V = Verification and Validation.
Key attributes shown: Protection Against External Factors, Human Performance, Procedure Quality, Equipment Performance, Design, Configuration Control.

Procedure Quality

Inadequate procedures can cause initiating events by inducing plant personnel to take inappropriate actions during plant operations, maintenance, calibration, or testing. This can occur for reasons such as a missing step, ambiguous or confusing language or organization, or a typographical error. Procedural inadequacies that cause initiating events will be monitored by the PIs.

Equipment Performance

Equipment failure or degradation can cause initiating events such as reactor scrams during power operations and losses of decay heat removal during shutdowns. These are expected to originate primarily in balance-of-plant (BOP) equipment while at power and in safety-related equipment during shutdowns.

To limit challenges to safety functions due to equipment problems, licensees should have programs in place to achieve high availability and reliability of equipment that can cause initiating events. Strong preventive and corrective maintenance programs would be an integral part of those programs. Initiating events caused by equipment performance will be captured by PIs. In addition, licensees are required by the Maintenance Rule to establish performance criteria and goals for equipment that can cause initiating events and to monitor performance against those criteria and goals and to implement effective maintenance programs.

Barrier-related initiating events (steam generator tube rupture, loss-of-coolant accident [LOCA], interfacing system LOCA, and fuel handling error) were judged to be unsuitable for monitoring by an indicator due to their low frequency and possible high risk. Risk-informed inspections will be performed to verify that the barriers have not degraded, particularly in those areas where the safety margins are the smallest.

Design

Inadequacies in either the design, the as-built configuration, or the post-installation testing of plant modifications can cause initiating events. Also, as plants age, their design bases may be misunderstood or forgotten such that an important design feature may be inadvertently removed or disabled during a plant modification. Design errors that result in initiating events will be revealed by PIs. Design errors that do not cause an initiating event are not relevant to this cornerstone.

Configuration Control

Loss of configuration control of risk-significant safety equipment (primarily support systems) can initiate a reactor transient and simultaneously compromise mitigation capability (common-cause initiators). During power operations, PIs are not viable as indicators of risk-significant configuration control problems because such events are rare and, with the extensive redundancy that exists, they would not lead immediately to a plant trip.

During shutdowns, however, when equipment is out of service for maintenance or testing, or when off-normal lineups or infrequent tests and evolutions are being conducted, configuration control problems are more likely to result in initiating events. These events will be captured by PIs (in the future) but, because of the high risk of shutdown events, PIs alone are insufficient. Risk-informed inspection of configuration control will be used to supplement the PIs during plant shutdowns.

Performance Indicators

This section defines the PIs and describes the calculational methods used to monitor licensee performance in limiting initiating events. PRAs have shown that risk is often determined by initiating events of low frequency, rather than those that occur with a relatively higher frequency. Such low-frequency, high-risk events have been considered in selecting the PIs for this cornerstone. All of the PIs used in this cornerstone are counts of either initiating events, or transients that could lead to initiating events (see Table 1). They have face validity for their intended use because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. The PIs by themselves are not necessarily related to risk. They are, however, the first step in a sequence which could, in conjunction with equipment failures, human errors, and off-normal plant configurations, result in a nuclear reactor accident. They also provide indication of problems that, if uncorrected, increase the risk of an accident. In most cases, where PIs are suitable for identifying problems, they are sufficient as well, since problems that are not severe enough to cause an initiating event (and therefore result in a PI count) are of low risk significance. In those cases, no baseline inspection is required (the exception is shutdown configuration control, for which supplemental baseline inspection is necessary).

Not all aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by PIs will be assessed through inspection. Figure 1 identifies the type of monitoring (e.g., PIs or inspection) to be used for the elements of each attribute. (NEI proposed, and the Performance Assessment Workshop recommended, a PI based on the NRC's Safety System Actuations [SSA] indicator; it would only include those SSAs that occur when a plant parameter actually exceeds its set point. The framework team is continuing to look into the use of risk-significant scrams or SSAs to account for potentially high-risk initiators.)

Performance Indicators for Power Operations

1. Scrams per 7,000 Critical Hours [1] - unplanned automatic and manual scrams while critical.

This measure is a count of events that upset plant stability and challenge safety functions. The indicator includes all scrams while the reactor is critical that are not directed by a normal operating or test procedure. It also includes scrams that occur during the execution of procedures in which there is a high probability of a scram but the scram was not planned. Examples of the types of scrams included are those that result from unplanned transients, equipment failures, spurious signals, human error, or those directed by abnormal, emergency, or annunciator response procedures. This is the same as the WANO indicator that is used by all U.S. plants, except that it also counts manual scrams because, from a risk perspective, they are just as important as automatic scrams.

Calculational Method - The number of scrams in the last four quarters are summed, divided by the number of critical hours in the last four quarters, then multiplied by 7,000. This will ensure that shutdown periods are treated consistently in the PI.

Thresholds - Regulatory: TBD
Safety: TBD

Verification Inspection - On a sample basis, verify that the number of scrams and the critical hours are being reported accurately.

[1] One year of operation with an availability factor of 0.80 is equivalent to 7,000 critical hours. Rate indicators are susceptible to false positives when the denominator is small, as when a plant has been in an extended outage.

2. Transients per 7,000 Critical Hours - unplanned changes in reactor power of greater than 20%

This indicator counts unplanned events (excluding scrams) that could, in certain plant conditions, challenge safety functions. It may be a leading indicator of risk-significant events. The PI includes all changes in reactor power of greater than 20% that are not planned [...] in reactor power as well as unplanned controlled power reductions and shutdowns. Unplanned power reductions and shutdowns are those that are initiated before the end of the weekend following the discovery of an off-normal condition. Examples of the types of transients included are runbacks, power oscillations, power reductions conducted in response to equipment failures or personnel errors, and unplanned power reductions to perform maintenance. It does not include manual or automatic scrams or load following power changes. This is similar to the information that is included by all licensees in their monthly operating reports.

Calculational Method - The number of transients in the last four quarters are summed, divided by the number of critical hours in the last four quarters, then multiplied by 7,000. This will ensure that shutdown periods are treated consistently in the PI.

Thresholds - Regulatory: TBD
Safety: None, not a direct measure of risk.

Verification Inspection - On a sample basis, verify that the number of transients and the critical hours are being reported accurately.
3. High-Risk Initiators (future) - TBD

Calculational Method - TBD

Thresholds - TBD

Verification Testing - TBD

Performance Indicators for Shutdown Operations

4. Shutdown Margin (future) - the number of unplanned decreases in the safety margins of reactor coolant level, reactor coolant temperature, and reactivity during reactor shutdown.

This indicator counts the events that jeopardize the capability to remove decay heat while shut down or could lead to unplanned criticality. Experience has shown that plant activities while shut down with safety equipment out of service can, under certain circumstances, have serious consequences. It is important that reactor coolant level and temperature be controlled to maintain the heat removal capability and to prevent inadvertent criticality.

Calculational Method - TBD

Thresholds - Regulatory: TBD
Safety: TBD

Verification Testing - TBD

Inspection Assessment

The accuracy of the PI data reported by licensees will be verified through baseline inspections. In addition, for those elements of licensee performance that are important to risk, maintenance of defense in depth, and maintenance of safety margins and are not amenable to monitoring through PIs, licensee performance will be assessed through inspection. Table 2 identifies the type of regulatory monitoring (PIs or inspection) that will be used for the elements of each key attribute of licensee performance associated with initiating events.

Table 1 Performance Indicators for the Initiating Event Cornerstone

| PI | Measured Areas | Definition | Thresholds |
|---|---|---|---|
| Scrams per 7,000 Critical Hours | Human Error, Procedure Quality, Design, and Equipment Performance | Counts unplanned automatic and manual scrams while critical; calculated per 7,000 critical hours to remove shut down periods from the indicator | TBD |
| Transients per 7,000 Critical Hours | Human Error, Procedure Quality, Design, and Equipment Performance | Counts unplanned power excursions or controlled power reductions not included in total scrams that result in a change in reactor power of greater than 20 percent; calculated per 7,000 critical hours | TBD (No safety threshold) |
| High-Risk Initiators (future) | Human Error, Procedure Quality, Design, and Equipment Performance | TBD | TBD |
| Shutdown Margin (future) | Human Error, Procedure Quality, Design, Equipment Performance and Equipment Lineup | Counts the number of unplanned decreases in the safety margin of reactor coolant level, reactor coolant temperature, and reactivity during reactor shutdown | TBD |

Table 2 Initiating Events Key Attributes and Means to Measure

| Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| Protection Against External Factors | Subareas (below) | See below | Initiating events due to external factors, such as earthquakes, fires, and floods, are sufficiently rare that the absence of initiating events is no test for these protective features. Therefore, no PIs address these concerns. Risk-informed inspection will cover this area. Each area will have its own risk-informed items that are to be inspected. |
| | Flood Hazard | Risk-informed Inspection | site-specific |
| | Weather | Risk-informed Inspection | This area includes all those protective features designed to prevent weather from causing an event that may be risk-significant. Since each plant has a unique set of conditions that may be important, the inspection would examine only those items and attributes that are shown to be significant by the plant-specific PRA. |
| | Fire | Risk-informed Inspection | Risk-significant fires would be counted in the scrams and the operating transient indicators. As above, the number of those events has been small enough to preclude the use of a fire performance indicator that could provide an opportunity for timely intervention. Areas for inspection for fire initiators would include control of certain important areas (control room, switchgear rooms, cable vaults and tunnels, etc.) for transient combustibles and elimination of ignition sources. |
| | Loss of Heat Sink | Risk-informed Inspection | Loss of condenser heat sink occurs when the main condenser can no longer [...] steam from the power conversion system. This includes loss of heat sink not related to equipment failure, which is covered under Equipment Performance. An example would be clogging of circulating water strainers due to foreign material. An infrequent site-specific review would be conducted to verify that the potential causes of loss of heat sink that could also cause a loss of mitigating or support systems are addressed. |
| | Toxic Hazard | Risk-informed Inspection | site-specific |
| | Switchyard Activities | Risk-informed Inspection | This area was isolated from the other areas of licensee performance since these activities are typically low frequency but can have risk impact since they may result in a loss of offsite power. A review of switchyard controls would be done infrequently, focusing on those areas most likely to cause an initiating event. |
| | Grid Stability | | Grid stability is normally excellent, but under certain conditions, such as severe weather or extended plant shutdowns, grid instability can cause initiating events at nuclear plants. The NRC is aware when such conditions exist but no PIs are monitored nor inspections performed. |
| Human Performance | Human Error | Scrams, Transients, SD Margin (future) | Human-induced initiating events that contribute to the indicators are direct measures of initiating events for scrams and the shutdown margin. The Transient indicator measures events that may lead to initiating events. Since the transient indicator link to safety is more indirect, there will be no safety threshold for that indicator. |
| Procedure Quality | Procedure Adequacy (Maint., Test, Ops) | Scrams, Transients, SD Margin (future) | This factor only addresses those procedures that, if deficient, could result in an initiating event. If those procedures are inadequate such that initiating events increased, that decline in performance would be detected by the indicators, since the Scram and S/D indicators are direct measures of initiating events. |
| Equipment Performance | Availability, Reliability, and Maintenance | Scrams, Transients, SD Margin (future), MR V&V | Any decrease in licensee performance in this area will be manifested in increased events due to equipment performance. Like procedure quality, this is a direct measure of initiating events. This area is also monitored via the maintenance rule verification. |
| | Barrier Integrity | Risk-informed Inspection | Barrier-related initiating events (S/G tube rupture, LOCA, ISLOCA, & fuel handling event) were judged to be not suitable for monitoring by an indicator due to the low frequency and possible high risk of those events. Inspections would be performed to verify that the barriers have not degraded, particularly in those areas where the safety margins are the smallest. |
| Design | Initial Design | Scrams, Transients, SD Margin (future) | Any problems with the initial design that cause initiating events will be picked up by the indicators. |
| | Modifications | Scrams, Transients, SD Margin (future) | Addresses permanent and temporary modifications. Modification errors that cause initiating events would be captured by PIs. |
| Configuration Control | Shutdown Equipment Line-up | SD Margin (future), RII | Configuration control problems include incorrect equipment lineup, often due to frequently changing or off-normal configurations. The indicator monitors events that cause degradation of critical safety functions during shutdown due to system configuration. Because of the high risk of shutdown events, the PI is supplemented by risk-informed inspection. |
| | Operating Equipment Line-ups | Risk-informed Inspection | Configuration control problems can cause a trip and the simultaneous loss of a safety system or function (common-cause initiating event). PIs are not viable because such events are rare and, with the extensive redundancy, would not lead immediately to a plant trip. |

Mitigating Systems Cornerstone

General Description

The purpose of this cornerstone is to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). When such an event occurs in conjunction with equipment and human failures, a reactor accident may result. Licensees therefore reduce the likelihood of reactor accidents by enhancing the availability and reliability of mitigating systems. Mitigating systems include those systems associated with safety injection, residual heat removal, and emergency AC power. This cornerstone includes mitigating systems that respond to both operating and shutdown events. There are several key attributes of licensee performance that ensure adequate mitigating system performance at nuclear power plants.

Key Attributes of Licensee Performance That Contribute to Mitigating Systems Performance

Those attributes of licensee performance that are important to mitigating system performance at a plant are: protection against external events, design, configuration control, equipment performance, procedure quality, and human performance. These attributes embrace and refine the key attributes described in a report entitled, "Results of the NRC's Performance Assessment Public Workshop," (LANL, October 25, 1998) and are shown in Figure 1. The quality of these attributes will affect the licensee's ability to optimize the availability and reliability of the mitigating system function. The licensee can ensure mitigating system performance by supporting effective human performance, procedure quality, equipment performance, plant design, and configuration control.

For each of these attributes, specific elements have been identified. For example, the particular aspects of configuration control to ensure adequate mitigating system performance include equipment lineup during operating and shutdown modes, control of temporary modifications and operator work-arounds, and risk-informed equipment maintenance scheduling. As another example, the types of procedures that are relevant to mitigating system performance include maintenance, test, and operating procedures. The discussions that follow summarize the relationship between the key attributes and performance.

Protection Against External Events

External events can prevent mitigating systems from performing their intended functions by reducing their capability or rendering the systems inoperable. Most of these factors are site-specific, related to weather, loss of heat sink, toxic and flood hazards, and seismic hazards. Fire can also prevent mitigating systems from functioning, and was included in this area because fire is typically analyzed in the IPEEE. Due to the rare but possibly risk-important nature of these events, no PI was judged suitable to monitor licensee performance in this area. Risk-informed inspection will be performed in these areas.

Design

Inadequacies in the initial design or in the control of plant modifications can affect the capability of mitigating systems to perform their intended function as well as their availability and reliability. As plants age, their design bases may be lost such that an important design feature may be inadvertently altered or disabled. It is expected that PIs can be used to provide partial information regarding the adequacy of the initial design and the control of design modifications insofar as they monitor the availability and reliability of equipment. Many aspects of the original plant design have been adequately addressed by initial design reviews, start-up testing, 50.54(f) reviews, and periodic surveillance programs. Inspection in this area should be limited to those risk-significant design features and design assumptions, if any, not adequately addressed in previous programs. In addition, periodic design basis reviews, using plant modifications as a window into the original design, can help maintain confidence that mitigating systems will respond to events as intended. The modifications reviewed should be only those modifications that could alter the functionality of mitigating systems used during risk-significant accident sequences. Also, risk-informed inspection of those areas that could affect the functionality of mitigating systems is warranted to ensure that the design and design basis were not inadvertently altered. PIs are not expected to address the understanding and control of conditions outside the design basis.

November 18, 1998 (7:12am), Attachment 4

FIGURE 1 (DRAFT): Mitigating Systems cornerstone, key attributes and their elements.
Key: SSPI = Safety System Performance Indicator; Init = Initial Operator Exam; Requal = Operator Requal; SD = Shutdown Margin (Future); RII = Risk-Informed Inspections; MR = Maintenance Rule; V = Verification and Validation.
Key attributes shown: Protection Against External Events, Design, Configuration Control, Equipment Performance, Procedure Quality, Human Performance.

Configuration Control

Loss of configuration control of risk-significant safety equipment can compromise mitigation capability. When safety systems are not available or system redundancy is degraded due to misaligned valves or switches, that unplanned unavailability [illegible] for selected systems. For other systems not covered by the PIs, risk-informed verification of systems and components in a standby status is planned for both the operating and shutdown conditions. Also, the maintenance rule and the associated verification will also monitor operating performance in this area.

Equipment Performance

Adequate availability and reliability of equipment important to effective performance of mitigating systems is critical to mitigating the impact of initiating events on plant safety. The performance of certain mitigating systems is measured by the safety system performance indicator (SSPI) to the extent that testing is adequate to measure functional availability and reliability. In addition to this indicator, the performance of all structures, systems, and components (SSCs) important to the performance of mitigating systems will be monitored as part of licensees' implementation of the maintenance rule. Consequently, performance indicator data will be supplemented by verification of maintenance rule implementation.

Procedure Quality

To ensure proper functioning of mitigating systems, the procedures which control [illegible] testing [illegible] operation must be correct. Maintenance and testing procedures influence the capability of mitigating systems to respond to initiating events. The quality of such procedures is indirectly confirmed by the performance of mitigating systems as monitored through the SSPI and verification inspection of maintenance rule implementation.

Emergency and abnormal operating procedures are also essential for mitigating system performance. Initial and requalification testing of operators provides an indication of the quality of operating procedures, including abnormal operating procedures, standard operating procedures, and emergency operating procedures.

Human Performance

Human performance in day-to-day, pre-initiator plant activities influences the performance of mitigating systems through the conduct of maintenance and test activities. Therefore, the licensee's problem identification and resolution program is expected to identify and correct human errors that lead to degraded plant performance which is measured by other plant performance indicators for mitigating systems, including those associated with design, configuration control, and equipment performance. Also, human errors that degrade equipment will be monitored through maintenance rule implementation.

Human actions are also clearly important in plant response to initiating events. Further, human performance is critical to mitigation in multiple-failure accident sequences. Examples of human actions that are important to the performance of mitigating systems are those associated with depressurization and cool down and actions involved in aligning and recovering backup cooling water systems. While few data are available to directly measure post-initiator human performance, operator performance during initial and requalification examinations provides an indirect indication of expected post-initiator operator performance.

Performance Indicators

This section defines the PIs used to monitor licensee performance in mitigating the effects of initiating events, describes their calculational methods and thresholds, and identifies the inspections necessary to verify their accuracy (see Table 1). While safety systems and components are generally thought of as those that are designed for design-basis accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk is often influenced not only by front-line mitigating systems, but also by support systems and equipment. Such systems and equipment, both [illegible]-related, have been considered in selecting the PIs for this cornerstone. The PIs are all direct counts of either mitigating system availability or reliability or surrogates of mitigating system performance. They have face validity for their intended use because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. Not all aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by PIs will be assessed through inspection. Figure 1 identifies the type of monitoring (i.e., PIs or inspection) to be used for the elements of each attribute.

Performance Indicators for Power Operations

1. Safety System Performance Indicator (SSPI), the INPO indicator of the performance of four of the most risk-significant safety systems. This indicator monitors several generic risk-significant safety systems. The SSPI systems for BWRs include high pressure injection systems (high-pressure coolant injection or high-pressure core spray or feedwater coolant injection), high pressure heat removal systems (reactor core isolation cooling or isolation condenser), residual heat removal systems, and emergency AC power systems. For PWRs, the systems monitored include high-pressure safety injection systems, auxiliary feedwater systems, residual heat removal systems, and [illegible] power systems.

The SSPI indicator provides a limited but useful sample of safety system performance information associated with equipment important to risk. Limitations in scope of the SSPI are augmented by review of implementation of the maintenance rule on those systems not covered by the SSPI, with focus on issues that cross cornerstones such as common cause failure and human performance.

SSPI Availability. This indicator measures the in-service availability of four generic risk-significant safety systems. The SSPI for each monitored system is the average of the unavailability of the individual trains that comprise the system.

Calculation Method - The SSPI for each monitored system is the average of the unavailabilities of the individual trains that comprise the system. Each train unavailability is the ratio of its unavailable hours to the hours the system was required to be available. The train unavailable hours is the sum of the planned, unplanned, and fault exposure unavailable hours. Detailed definitions of these terms are contained in INPO 96-003.

Thresholds - TBD.

Verification Inspection - Selected review of a sample of the SSPI systems to verify that unavailable data are reported accurately.

SSPI Reliability (future) - This indicator measures the demand unreliability of the above described generic risk-significant safety systems to start and/or operate for the prescribed period of time to perform a safety function. The SSPI for each monitored system is the average of the unreliability of the individual trains that comprise the system. Each train unreliability is the ratio of the number of start (or run) failures to the number of demands (or run hours), respectively. Detailed definitions of these terms and prescriptions for combining failures are contained in INPO 96-003.

Calculation Method - TBD

Thresholds - TBD

Verification Inspection - Selected review of a sample of the SSPI systems to verify that demand and failure data are reported accurately.

2. PI for Shutdown Operations (future) - mitigating systems availability during shutdown. Most licensees manage shutdown risk in accordance with NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management." They manage defense in depth, through configuration control, for key safety functions (decay heat removal, inventory control, electrical power availability, reactivity control and containment). This PI will measure the percent of outage time that each key safety function lacked defense in depth, either from installed equipment or contingency actions. Since defense in depth for each area would need to be defined and further additional work is needed, this PI will be developed in the future.

Calculation Method - TBD

Thresholds - TBD

Verification Inspection - TBD

Table 1. PERFORMANCE INDICATORS FOR THE MITIGATING SYSTEMS CORNERSTONE

| PI | Measured Area | Definition | Thresholds |
|---|---|---|---|
| SSPI Availability | availability of specified risk-important mitigating systems | For each of four monitored systems, counts the average of the unavailability of the individual trains that comprise the system. Each train unavailability is the ratio of its unavailable hours to the hours the system is required to be available. The train unavailable hours is the sum of the planned, unplanned, and fault exposure unavailable hours. | TBD |
| SSPI Reliability (future) | reliability of mitigating systems | For each of four monitored systems, calculates the demand unreliability to start and/or operate for the prescribed period of time to perform their safety functions. | TBD |
| Mitigating system availability during shutdown (future) | availability of mitigating systems to limit shutdown risk. | Plan to calculate the outage time that each key safety function lacked defense in depth, either from installed equipment or contingency actions. Since defense in depth for each area would need to be defined, this PI will be developed in the future. | TBD |

Inspection Areas for Mitigating Systems

The accuracy of the PI information reported by licensees will be verified. In addition, for those elements of licensee performance that are important to risk, maintenance of defense in depth, and maintenance of safety margins and are not amenable to monitoring through PIs, licensee performance will be assessed through inspection. Table 2 identifies the type of regulatory monitoring (i.e., PIs or inspection) which will be used for the elements of each key attribute of licensee performance associated with mitigating systems.

Table 2. Mitigating System Key Attributes and Associated Performance Indicators and Inspection Areas

| Key Attributes | Areas to Measure | Means to Measure | Comment |
|---|---|---|---|
| 1. Protection against external factors | All external factors listed below. | Risk-informed (R-I) inspection | External factors can prevent mitigating systems from responding if called upon. Since the systems that mitigate external events are called upon so rarely, inspection (as warranted) of mitigating systems and design modifications will verify that the systems remain in place and are functional. Inspections of this key attribute will be very plant specific. Some plant features that are important to risk are discussed below. |
| | Flood | R-I inspection | Protection against the effects of floods is afforded in a variety of ways that includes drains, encasing equipment in splash-proof barriers, and providing barriers, such as flood doors between redundant trains of systems. These [illegible] and should be subjected to an inspection that is commensurate with the risk importance of the feature and system. |
| | Weather | R-I inspection | In general, most safety systems are well protected against the effects of weather by being enclosed in protective structures. However, there are certain portions of systems that are susceptible to effects of weather for which protection is provided by design. Examples include: fluid lines outside buildings that could freeze may be protected by lagging or trace heating; ventilation intakes and roof drains that could become blocked are protected by covers or grilles. The inspection will review those design features used to protect multiple mitigating systems from the effects of weather, including potential common cause effects on mitigating systems. |
| | Toxic hazard | R-I inspection | Plant-specific. |
| | Fire | R-I inspection | System functions are typically protected against fires by providing protection by fire barriers with or without detection and suppression, [illegible] establishing barriers between different trains of redundant [illegible]. The status of passive and active fire protection measures should be inspected in a risk-informed way. The first area for inspection is to examine the functionality of fire suppression systems (including the fire brigade) [illegible] important areas (e.g., control room, cable-spreading [illegible] switchgear rooms, cable vaults and tunnels). [illegible] inspection would be performed to verify that if the fire were not extinguished (i.e., defense in depth is effective), [illegible] would not spread (i.e., fire barriers are intact) [illegible] those areas [illegible] important alternate actions and stations are [illegible] to safely shut down the plant. |
| | Seismic | R-I inspection | Safety-significant equipment is designed for seismic events by being seismically qualified and having appropriate anchorage. Since this is unlikely to change and has been reviewed industry-wide (A-46, masonry walls, anchor bolts, pipe supports), the focus of the inspection would be to ensure that plant modifications (e.g., installation of scaffolding or removal of snubbers) have not compromised the capability of mitigating systems during seismic events and that the qualification of equipment was maintained to prevent the introduction of a new common cause failure. |
| | Loss of heat sink | R-I inspection | The ultimate heat sink for systems that provide cooling for the front-line and support systems is typically the same source as the circulating water, although in some plants there is a dedicated supply. In either case, they are susceptible to the same external effects as circulating water, such as clogging of strainers due to foreign material. Site-specific inspection will assess whether the required features to prevent loss of supply are not degraded. This inspection ought to focus on the potential common-cause failures of the heat sink, most notably service water heat exchanger fouling. |
| 2. Design | Initial design | None | PIs would only indicate problems with the initial design after the mitigating systems are called upon to act, which [illegible] years, particularly in response to the 50.54(f) letters. Further inspection of initial design would be performed in those areas where plant modifications have been made. |
| | Design modifications | R-I inspection of design modifications | As above, PIs would not provide timely indication of faulty plant modifications. The focus of inspection in this area is to ensure that risk-significant mitigating systems remain functional after modifications, both intentional and inadvertent. That inspection ought to focus on the design interfaces, configuration management, post-modification testing, and those areas not readily verified by testing (EQ, seismic, etc.) that are risk significant. |
| 3. Configuration Control | Equipment Line-up (at power) | SSPI, MRV | For those systems monitored, SSPI will provide some information on the adequacy of configuration control, especially on licensee programs and practices to maintain critical safety functions with adequate margins. Inspections will monitor plant configurations that affect mitigating system performance, especially for system restoration, as part of maintenance rule verification [i.e., A(4)]. |
| | Equipment Line-up (shutdown) | R-I inspection | A future PI may measure events that cause degradation of critical safety function during plant shutdown based on mitigating system configuration. In the interim, inspection will be conducted of the licensee's program to manage shutdown [illegible]. |
| 4. Equipment Performance | Availability | SSPI and MRV | The SSPI will monitor the unavailability of certain important systems and licensees also monitor the availability of the SSCs of mitigating systems as part of Maintenance Rule implementation. |
| | Reliability | MRV | Licensees monitor the reliability of the SSCs of mitigating systems as part of Maintenance Rule implementation. This review could be eliminated for those monitored systems when the SSPI reliability data is used for an additional PI. |
| 5. Procedure Quality | Pre-event maintenance & test procedures | SSPI, R-I inspection | Equipment performance (e.g., as monitored through maintenance rule implementation) and the SSPI will indirectly confirm the quality of maintenance and test procedures. In addition, risk-informed inspection will monitor whether the tests actually test the capability of mitigating [illegible] intended risk-significant functions. |
| | Post-event operating procedures | Initial operator exams & requalification program inspections | These procedures are not used until after an event occurs, thus a PI is not suitable to measure the quality of these procedures. Use of emergency and abnormal operating procedures during initial and requalification testing of operators provides some confirmation of the quality of mitigating system operating procedures on a sample basis. Inspection as part of the review of design modifications also will identify procedure inadequacy. |
| 6. Human Performance | Pre-event human errors | SSPI | Pre-event errors will be monitored by the SSPI since errors in operating and [illegible] the equipment will [illegible] system unavailability when mitigating system equipment performance is [illegible]. The role of human performance is expected to be assessed [illegible] as part of its problem identification and resolution [illegible]. |
| | Post-event human errors | Initial operator exams & requalification program inspections | PIs will not provide indication of post-event human errors [illegible]. Operator performance during initial and requalification examinations provide an indication of post-event operator [illegible]. |

DRAFT 11/16/98

Barrier Integrity Cornerstone

A. General Description

The purpose of this cornerstone is to provide reasonable assurance that the physical design barriers (fuel cladding, reactor coolant system, and containment) protect the public from radionuclide releases caused by accidents or events. These barriers play an important role in supporting the NRC Strategic Plan goal for nuclear reactor safety, "Prevent radiation-related deaths or illnesses due to civilian nuclear reactors." The defense in depth provided by the physical design barriers which comprise this cornerstone allows achievement of the reactor safety goal.

The first barrier is the fuel cladding. Maintaining the integrity of this barrier prevents the release of radioactive fission products to the reactor coolant system, the second barrier. Maintaining the integrity of the reactor coolant system reduces the likelihood of loss of coolant accident initiating events and prevents the release of radioactive fission products to the containment atmosphere in transients and other events. Even if significant quantities of radionuclides are released into the containment atmosphere, maintaining the integrity of the third barrier, the containment, will limit radioactive releases to the environment and limit the threat to the public health and safety. Therefore, there are three desired results associated with the barrier integrity cornerstone. These are to maintain the functionality of the fuel cladding, the reactor coolant system, and the containment.

For this discussion, the scope of the fuel cladding barrier includes the fuel cladding during operations, shutdown, and refueling, both inside containment and in the spent fuel pool. The scope of the reactor coolant system barrier includes piping and pressure retaining components such as valves, pumps, seals, and gaskets. It also includes portions of connected systems when the plant configuration is such that these connected systems form a part of the reactor coolant system pressure barrier. Although steam generator tubes are a part of the barrier, they are being addressed under the initiating events cornerstone. The scope of the structures, systems, and components related to the containment barrier includes the primary and secondary containment buildings (including personnel airlocks and equipment hatches), primary containment penetrations and associated isolation systems, and risk-significant systems and components necessary for containment heat removal, pressure control, and degraded core hydrogen control.

B. Key Attributes of Licensee Performance that Contribute to Barrier Integrity

The concept of the cornerstone approach, including the barrier integrity cornerstone, was discussed in the Performance Assessment Workshop held in Bethesda, MD, on September 28 through October 1, 1998. During a breakout session for further development of the barrier integrity cornerstone, the working group expanded its specific focus from containment systems to barriers. After extended consideration, the workshop attendees determined the barriers should be subdivided into three categories: fuel cladding, reactor coolant system, and containment. In order to achieve the desired results, the group then determined that the key attributes of these three elements should be: (1) Design Control, (2) Human Performance, (3) Procedure Quality, (4) Configuration Control, and (5) Equipment/Barrier Performance. The NRC staff determined that these were the appropriate key attributes for further development.

Specific areas to measure were identified for each of the noted key attributes. The means to measure performance in each of these specific areas were also identified. These means include the use of performance indicators, risk-informed inspection activities, and licensee corrective action programs. The following sections discuss each of the key attributes, the areas to measure, and the recommended performance indicators and risk-informed inspections and oversight activities needed to support each of the three barriers comprising the overall barrier integrity cornerstone. Diagrams depicting the barrier integrity cornerstone, along with the key attributes and the areas and means of measurement, are shown in Figures B1, B2, and B3. Figure B4 is a summary table for the barrier integrity cornerstone which provides further information on the means of measurement. Figure B5 is a summary of the proposed performance indicators associated with the barrier integrity cornerstone.

B1. Key Attributes Affecting Fuel Cladding

B1.1 Design Control

Licensees are responsible for the oversight of nuclear fuel vendors regarding their design and manufacturing quality of the actual fuel pins. Vendor quality assurance programs and oversight should detect errors with regard to manufacturing, packaging, shipping, etc. Because of this, reactor licensees need not be individually inspected or assessed with regard to nuclear fuel design quality. Undetected fuel pin or assembly manufacturing errors should be revealed during startup physics testing. If significant problems were detected, shutdown would be accomplished and corrective actions taken, avoiding significant risk.

Proper reactor core design is essential to assuring that subsequent power operation can be conducted without challenging the integrity of the fuel cladding. The core design analysis, including the core operating limits report and the reload analysis, establishes the operational limitations for core power operation, with sufficient margin to ensure that thermal limits are not exceeded during anticipated transients. Core design analyses must be completed with sufficient rigor and quality to demonstrate that, in the proposed core configuration, the nuclear fuel barrier will be preserved under design basis conditions.

The conduct of physics testing during startup following refueling activities in part provides a verification that the reactor core exhibits the characteristics predicted by the design analysis. This testing is conducted prior to any significant power operation so that errors during testing would not be likely to cause any fuel cladding degradation. The proper completion of physics testing is essential to ensure that the core design will adequately support subsequent high power reactor operation without challenging the established thermal limits, and ultimately the nuclear fuel cladding.

The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute.

B1.2 Human Performance

Nuclear fuel cladding integrity can be challenged by inappropriate human actions, including improperly performed reactivity manipulations, inadequate chemistry control practices, and inappropriately positioned fuel assemblies during refueling, as examples. Poor human performance associated with the implementation of foreign material exclusion programs could also increase the potential for a challenge to fuel cladding integrity. The introduction of foreign material into the reactor vessel or connected systems could lead to degraded fuel barrier performance by limiting coolant flow past fuel pins or assemblies or by damaging fuel cladding as a result of direct impact on fuel cladding surfaces. Foreign material could also cause mitigating systems such as control rods to fail or be degraded.

The RCS activity performance indicator may be used as a measure of performance in this key attribute. Licensee problem identification and corrective action programs should provide adequate assurance that adverse trends in human performance, particularly as they relate to the barrier integrity cornerstone, are promptly identified and corrected. Some baseline inspection of licensee foreign material exclusion programs, as a potential "common cause failure" issue, should be considered.

B1.3 Procedure Quality

Procedures that direct activities which have the potential to affect fuel cladding integrity must be adequately established and maintained. Examples of procedures included in this area involve those which govern reactivity control, foreign material exclusion, chemistry control, refueling activities, reactor vessel assembly, and physics testing. Inadequately established procedures, when implemented as written, could cause problems which lead to degradation of fuel cladding integrity.

The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute. To the extent that there are procedure deficiencies associated with the above noted activities, they should be identified as root causes of problems in other areas, including the configuration control key attribute. Additionally, adverse trends involving procedure deficiencies should be resolved by effective implementation of individual licensee corrective action programs.

B1.4 Configuration Control

Fuel cladding degradation can result from either inadequate human or equipment performance. With regard to human performance, refueling operators must ensure that new and previously-used nuclear fuel assemblies are properly handled and stored, properly positioned, and correctly oriented in the specified core locations. Control rod positions (patterns) during plant operation must be properly established and maintained. Plant operators must conduct reactivity manipulations in a well-controlled and deliberate manner. With regard to equipment performance, reactivity control systems (including control rod drives) must be properly configured and maintained.

Some baseline inspection is warranted in this area because of the risk to fuel cladding integrity associated with either inadequate human or equipment performance in the above described areas. Specifically, improperly placed or oriented fuel assemblies can lead to localized areas of high neutron flux with adverse consequences. Abnormal control rod alignments or reactivity manipulations during plant operation can result in reductions in margins to core thermal limits and even challenge thermal limits during transients, leading to cladding degradation or failure. Improperly configured or malfunctioning reactivity control systems may fail to prevent or mitigate areas of unacceptably high neutron flux in the core which could lead to fuel cladding damage.

Maintaining proper water chemistry in the reactor coolant system (RCS) is also essential to the long term reliability of both the nuclear fuel and the RCS pressure boundary. A failure to maintain the proper chemistry conditions has the potential to result in degradation (and ultimately failure) of the nuclear fuel cladding. The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute. Additionally, adverse trends involving configuration control should be resolved by effective implementation of individual licensee corrective action programs.

B1.5 Equipment / Barrier Performance Though it would be preferable to assess the extent of fuel cladding degradation rather than monitor actual cladding failures, a practical means of conducting such an assessment is not available. As a result, a means of monitoring fuel cladding failures must be established. Since perforation of nuclear fuel cladding results in the release of fission products to the RCS, increases in RCS radioactivity levels can be directly correlated to the integrity of the fuel cladding barrier. A performance indicator which trends RCS radioactivity level provides an i objective means of assessing the overall performance of the nuclear fuel cladding. In boiling l water reactors, fuel cladding failures will also be detected by main steam line or condenser offgas radiation monitors.

Loose parts in the reactor coolant system, most importantly in the reactor vessel, can lead to various problems, including damage to the nuclear fuel cladding, either by direct impact on the l fuel pins or by limiting RCS fluid flow past individual pins or assemblies. Minimizing the number l l of frequency of loose parts in the reactor vessel is partly controlled by licensee foreign material l l exclusion (FME) programs, however loose parts can also be introduced by degradation or failures of components which are internal to the reactor coolant or connected systems.

Monitoring and limiting the frequency of reactor vessel loose part events should reduce the potential for fuel cladding failures. As with the FME concerns described in the human performance key attribute, some baseline inspection activity should be considered to assess this potential "common cause" failure concern, since unpredictable consequences can result.

B2. Key Attributes Affecting Reactor Coolant System

B2.1 Design Control

Maintaining confidence in loss of coolant accident frequency estimates requires assuring the quality of design modification activities which can potentially impact the RCS strength margins and therefore the likelihood of an RCS pressure boundary rupture. This assumes that the original design of the RCS was adequate and has been proven through hydrostatic testing. The quality of RCS design modification implementation will be measured in a risk-informed manner through specific requirements in the baseline inspection program. No performance indicator has been developed to measure the design control attribute.

B2.2 Human Performance

Human performance can affect RCS integrity through routine operation and emergency operation (i.e., use of Emergency Operating Procedures), and through maintenance and surveillance activities. Proper performance of these activities helps maintain assurance that LOCA frequency does not increase significantly.

Operator errors which cause RCS heatup or cooldown or pressure / temperature limits to be exceeded provide a leading indication of the potential for future pressure boundary leaks. Such events can cause existing microscopic cracks in passive RCS pressure boundary components to grow. Verification that the results of licensee engineering analysis following an event of either excessive heatup or cooldown, or operation outside of allowable pressure / temperature limits, is satisfactory and that related human factors have been corrected will be performed on a reactive basis as needed and will not be a part of the baseline inspection program. No performance indicator is available to measure the routine operation human performance attribute.

Licensed operator training program implementation in the area of mitigation of the potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off normal conditions will be examined in a risk-informed manner through specific requirements in the baseline inspection program.

No performance indicator is available to measure the emergency operation human performance attribute.

Most human performance deficiencies related to routine maintenance and surveillance testing of the RCS have not been shown to be particularly risk significant and will be monitored by licensee corrective action programs. The area of configuration control will be included in the baseline inspection program as noted below and will assess human performance as well as other causes of configuration control deficiencies.

Although Severe Accident Management Guidelines (SAMGs) may include strategies for dealing with issues that could impact RCS integrity, they will be considered under the Emergency Preparedness Cornerstone because they are generally only exercised during emergency preparedness drills.

B2.3 Procedure Quality

Adequate procedures for routine operations, maintenance, and surveillance testing, and for emergency operation conditions are necessary to maintain assurance that LOCA frequency estimates remain relatively low.

The adequacy of routine operations and maintenance procedures that could affect the engineered strength margins of the RCS pressure boundary could appear as causal factors of deficiencies in other key attributes such as modification work quality, configuration control, and equipment and barrier performance. Thus, no specific measurement of routine procedure quality is warranted. This area will be monitored by licensee corrective action programs.

Emergency Operating Procedure (and procedures invoked by EOPs) changes in the area of mitigation of the potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off-normal conditions will be examined in a risk-informed manner through specific requirements in the baseline inspection program. No performance indicator is available to measure the emergency operating procedure quality attribute.

B2.4 Configuration Control

Proper configuration control is necessary to maintain assurance that LOCA frequency estimates remain relatively low. Configuration control refers to maintaining operational control over physical conditions which, if such control is degraded, may result in a loss of RCS integrity.

Inspection activities related to maintenance and operational realignments of the RCS during shutdown conditions will be performed in a risk-informed manner through specific requirements in the baseline inspection program. No performance indicator has been developed to measure the configuration control attribute.

Configuration control also includes maintaining operational control over RCS chemistry conditions (and possibly secondary chemistry conditions for PWRs) that could impact the engineered strength margin of RCS components. This area will be monitored by licensee corrective action programs.

B2.5 Barrier and Equipment Performance

RCS leakage is the most direct measure of RCS barrier performance. All other key attributes under RCS integrity are aimed at measuring or inspecting areas that are known to contribute to the increased probability that RCS integrity could fail. An actual RCS leak is, by definition, a breach of RCS integrity and a direct indicator of the performance of the RCS pressure boundary. Research sponsored by the industry and NRC has determined that the RCS pressure boundary passive components have a high probability of experiencing a leak prior to a rupture (i.e., "leak-before-break" analysis). Therefore, two performance indicators have been identified that can offer an objective perspective on the probability of more catastrophic failure potential: the rate of occurrence and magnitude of small RCS pressure boundary leaks.

The condition of passive RCS pressure boundary components such as piping, welds, and valves is monitored by the licensee to maintain confidence in LOCA frequency estimates as degradation can potentially impact the RCS strength margins and the likelihood of an RCS pressure boundary rupture. A performance indicator has been proposed for this area (i.e., Inservice Inspection Results). In addition to this performance indicator or until the indicator is fully developed, the baseline inspection program will assess the effectiveness of the inservice inspection program in a risk-informed manner.

Active RCS pressure boundary components are defined here to include safety relief valves, power operated relief valves, and reactor coolant pump or recirculation pump seals and associated seal cooling equipment. Failure of an active component can have a direct impact on RCS integrity. Inspection activities related to these components will be performed in a risk-informed manner through specific requirements in the baseline inspection program.

B3. Key Attributes Affecting Containment

B3.1 Design

The margins of safety in the containment design result in a containment ultimate pressure capacity substantially higher than design, and provide an inherent capability to withstand the extreme pressure loads associated with severe accident phenomena. The safety margins and therefore the likelihood of containment failure could be compromised if the containment structure and SSCs were not constructed and maintained consistent with the design, or if plant modifications which reduce the design margins are implemented. Therefore, it is important to assure that the containment structures and systems are constructed and maintained consistent with the original design.

The structural integrity of the containment building and the operational capability of SSCs important to maintaining containment functionality were established through the original licensing review and confirmed through the pre-operational test and inspection program. This included conducting baseline integrated leak rate tests and system-level tests to confirm containment structural integrity, containment heat removal capabilities, and containment isolation capabilities. Periodic leak rate testing in accordance with Appendix J provides assurance that containment structures and components will remain capable of resisting postulated design loads and preventing leakage in excess of technical specifications (for design basis accident conditions) for as long as the plant is operated. The licensee's implementation of the maintenance rule also assures that the operational capability of the containment structures and SSCs important to containment functionality is maintained consistent with targets derived from the plant-specific risk study.

Deficient modifications (e.g., errors in design modifications or inadequate post-installation testing) could degrade the performance and/or reliability and unavailability of the containment structure or SSCs important to containment functionality. This could result in a failure to achieve and maintain containment functionality in the manner assumed in the design basis or risk assessment study (e.g., additional containment isolation failures or reductions in the ultimate pressure capacity of containment). Design control issues stemming from deficient modifications will be identified by inspection of risk significant plant modification packages and post-modification testing.

B3.2 Human Performance

Human errors during routine operations and maintenance activities (e.g., errors affecting configuration control or equipment / barrier availability or reliability) can affect the functionality of the containment and potentially increase risk. The effectiveness of the control room operators and technical support center staff in maintaining containment integrity during response to an event will also impact risk. Issues related to human performance during routine operations and maintenance activities will be identified by the licensee's corrective action program, and will be assessed through NRC oversight of these programs. Where significant problems in these areas are identified by the licensee corrective program or by other means, inspection follow up of associated causal human performance deficiencies might be warranted and could be assessed in a reactive inspection. Issues related to performance under accident conditions will be identified through NRC observation of licensed operator training programs and through NRC's oversight of licensee self-assessment of Emergency Preparedness capabilities.

B3.3 Procedure Quality

Inadequate procedures can complicate plant response by causing plant personnel to take inappropriate actions during plant operations, maintenance, testing, and emergency response. This can occur for reasons such as a missing step, ambiguous or confusing language or organization, or errors in the procedure stemming from inadequate supporting technical analyses.

The adequacy of routine operations and maintenance procedures that could affect containment functionality should be evident in activities under other key attributes such as modification work quality, configuration control, and equipment / barrier performance. Thus, no specific measurement of routine procedure quality is needed, and no specific performance indicators or routine inspections of operations, maintenance, or testing procedures are suggested. However, this area could be a root cause of inadequate performance in configuration control or equipment / barrier availability / reliability. Where significant problems in these areas are identified by the licensee corrective program or by other means, inspection of associated causal procedure quality deficiencies might be warranted and could be assessed in a reactive inspection.

The quality of EOPs and other procedures invoked by the EOPs is central to assuring that appropriate actions will be taken by the operator to protect and preserve containment integrity under accident conditions. Procedures which could significantly impact containment functionality and offsite risk include EOPs related to depressurizing the RCS; controlling containment pressure, temperature, and hydrogen concentrations using engineered safety features; flooding containment; and venting containment. Problems related to procedure quality will be identified through risk-informed inspection of licensee EOP modification packages.

B3.4 Configuration Control

Inadequate control of the lineup of containment penetrations and containment-related SSCs could decrease or directly compromise containment functionality. Examples of configuration control problems include mispositioning containment isolation valves, leaving containment penetrations open or unable to be rapidly closed during shutdown when needed, or inadvertently isolating containment heat removal systems. Licensee personnel must ensure that routine conduct of activities (operations, maintenance, surveillance) does not result in equipment configurations outside of those required or assumed in the plant-specific risk assessment. Procedures which have the potential to affect required configurations must be carefully developed to ensure that misalignment of containment systems or penetrations does not result. Performance indicators would not be expected to be useful for trending significant configuration control problems because such problems occur rarely. Problems related to maintaining the risk-significant containment SSCs in their proper condition will be identified by the licensee's corrective action program, and by inspection of containment configuration during risk-significant evolutions.

It is also important that the plant be operated within containment design limits, such that the containment is in a condition ready to accommodate a design basis accident or severe accident. Significant deviations from design limits are not expected since the plant is equipped with various design features (e.g., alarms and interlocks) to protect key systems / functions and is operated in accordance with technical specifications. Also, the design of the containment structures and SSCs contains substantial margins such that modest deviations from design limits will not impact containment functionality. However, extreme deviations of certain containment parameters situations (such as low suppression pool level and loss of an inerted environment) could threaten containment integrity. Inspection is not required because compliance with technical specification requirements for containment parameters is adequate.

Noncompliance would generally be indicated by control room indications and alarms and would require reporting and prompt action to address.

B3.5 Barrier and Equipment Performance

Containment integrity can be inferred if all of the following conditions are met for the risk-significant penetrations: (1) all normally closed containment isolation valves and hatches are in their appropriate position, (2) isolation valves and penetrations which are permitted to be open during power or shutdown can be closed in a timely manner, and (3) the total leak rate for all risk-significant penetrations is within acceptable limits. Failure to close containment penetrations or excessive leakage through large containment penetrations could result in a loss of containment functionality and a risk-significant release to the environment. A high availability and reliability of the containment isolation function (and associated containment isolation valves and penetrations) is expected through implementation of the licensee's maintenance program. Any problems related to containment isolation should be identified through NRC verification of the licensee's implementation of the maintenance rule. Finally, the leak rate for containment will be trended by a performance indicator.

Given that containment isolation is achieved, certain SSCs are required to assure that containment functional integrity will be maintained during design basis and severe accidents (e.g., containment sprays and hydrogen control). Failure of these SSCs could lead to loss of containment over-pressure or other containment release modes. A high availability and reliability of the containment-related SSCs is expected through the licensee's implementation of the maintenance rule. Any problems related to containment-related SSCs will be identified through NRC verification of the licensee's implementation of the maintenance rule.

C. Performance Indicators - Barrier Integrity

C.1 Performance Indicators - Fuel Cladding Integrity

Reactor Coolant System (RCS) Activity Level

This performance indicator provides an objective means of measuring fuel cladding integrity in the equipment / barrier performance key attribute area. An increase in RCS radioactivity level can be directly correlated to the performance (integrity) of the fuel cladding barrier since perforation of the cladding will result in the release of fission products to the RCS. Monitoring RCS activity is important from a risk-informed perspective since a failure of fuel cladding is by definition a breach of one of the three barriers to fission product release in the "defense-in-depth" protection scheme. This performance indicator could be the maximum calculated reactor coolant system activity per month, reported on a quarterly frequency. The data required to develop this performance indicator is already being generated on a daily basis at each reactor facility through conduct of RCS samples, therefore no extra work is required on the part of individual licensees to obtain the needed information.

One limitation of this performance indicator is that it will only indicate when fuel cladding has actually failed, and will not indicate a slow degradation in cladding condition prior to penetration. In spite of this limitation, this type of monitoring is sufficient to indicate the overall "health" of the installed nuclear fuel. If unacceptably high radioactivity levels are indicated in the RCS, individual licensee technical specifications would require that appropriate remedial actions be implemented before an unacceptable degree of fuel cladding failures occurred (e.g. plant shutdown).

Verification activities associated with this performance indicator could be conducted by performing periodic observations of primary water chemistry sampling and evaluation to ensure that licensee personnel are accurately collecting and recording the necessary data.

C.2 Performance Indicators - Reactor Coolant System

RCS Leakage

Two performance indicators could be used to measure equipment and barrier performance for the RCS. The first direct measure is "RCS leak rate". This indicator relies upon existing technical specification definitions and therefore needs no new definition of terms or verification strategy. The second direct measure of RCS barrier integrity could be defined as, "Occurrence rate of individual RCS pressure boundary (as defined by technical specifications) leaks, measured on a per fuel cycle basis, that contribute to identified RCS leakage, that are not primary-to-secondary leakage, and that exist when RCS integrity is required by technical specifications." This performance indicator may require further development.

RCS Inservice Inspection Results

A potential performance indicator to monitor the degree of degradation of the RCS barrier could be "the percentage of individual inservice inspection tests performed within [TBD] that require repair pursuant to technical specifications" (steam generator tube inspections are treated separately under the Initiating Events Cornerstone). Such an indicator can be easily (i.e., objectively) derived and a threshold set that is related to historically good industry performance. By using a percentage indicator, instead of an absolute number indicator, it is less likely to influence the assessment of non-destructive examination (NDE) examiners as the number count of flaw indications increases. Verification and validation of this performance indicator should include ensuring that industry operating experience is being applied to the selection of areas for NDE. This performance indicator may require further development.

C.3 Performance Indicators - Containment

Containment Leakage

The estimated "as-found" integrated leak rate for the containment provides a reasonable indication of what actually existed during operation, and provides an indication of the leak-tight integrity of the containment barrier. Measurement data would be based on the last integrated leak rate test result, modified by the results of subsequent local leak rate tests. The data would be reported as a fraction of the design basis leak rate (La). The threshold for increased regulatory oversight would be set at a leak rate corresponding to the plant's technical specification for allowable containment leakage. Use of the technical specification value provides considerable margin since offsite risk is not significantly increased until the containment leak rate approaches 100 percent per day (i.e., several orders of magnitude greater than La). A threshold for regulatory action is not proposed since licensees are expected to make repairs to the containment and to reduce the leak rate below La, in accordance with technical specifications.

Two limitations with this performance indicator should be noted:

(1) "As-found" leak rate data is not collected in a consistent manner at all plants. Specifically, some plants perform the Type C test at the end rather than at the beginning of the refueling outage. The leak rate data for those plants may not reflect the actual leak rate that existed during power operation, particularly if the isolation valves are cycled during the outage. Some changes to licensee practices may be needed to achieve consistency.

(2) The data obtained from integrated and local leak rate tests is gathered relatively infrequently. In accordance with Appendix J, licensees are required to perform integrated leak tests (Type A tests) on a frequency of 3 tests every 10 years, and to leak test Type B and Type C components during each reactor shutdown for refueling, but in no case at intervals greater than 2 years. Licensees adopting Option B of Appendix J can extend the integrated leak test frequency to one test every 10 years, and extend the test interval up to 60 months for Type B penetrations (except personnel airlocks) and Type C components (except main steam and feedwater isolation valves in BWRs, and containment purge and vent valves in PWRs and BWRs). The extended test interval for those excepted components would be limited to 30 months. Thus, depending on the licensee's test program, updates to the performance indicator would occur on an infrequent basis.

These limitations need to be considered in establishing the reporting interval for this performance indicator.

D. Inspection Areas - Barrier Integrity

D.1 Inspection Areas - Fuel Cladding Integrity

Configuration Control

While the RCS activity level performance indicator adequately monitors the overall performance of the nuclear fuel cladding for the equipment / barrier performance key attribute, certain inspections are warranted to monitor activities and conditions associated with other key attributes which could lead to degraded fuel cladding performance, before it can be measured by this performance indicator.

Fuel cladding degradation can result from both inadequate human and equipment performance. Control rod configurations (patterns) must be properly established and maintained to ensure that abnormal alignments do not result in challenges to core thermal limits and ultimately fuel cladding integrity. Reactivity manipulations must be conducted in a well-controlled and deliberate manner to provide assurance that reactor power operation will remain within the limits established by technical specifications. Reactivity control systems must also be properly configured to prevent and/or mitigate adverse reactivity transients and neutron flux distributions.

Suggested performance-based inspection activities to address these issues include:

1. Periodic observations of licensed operators during the conduct of reactivity manipulations (e.g. to ensure adherence to vendor-provided fuel preconditioning limits). Inspection in this area should be conducted during significant reactivity manipulations (e.g. >20% in the power range), and during plant startups and shutdowns.
2. Evaluations of maintenance activities associated with reactivity control systems (e.g. control rod drives, rod block monitors, rod worth minimizers, etc.) to ensure that they remain capable of performing their functions following the work. Periodic observation of instrument channel calibrations and functional tests of reactivity control equipment should also be included. Control rod drive mechanism work, including hydraulic control units for BWRs, should also be periodically assessed.
3. Verifications of nuclear instrument performance to ensure that they are properly calibrated and provide protection signals at the proper set points.
4. Reviews of computer-generated thermal limit reports to verify that defined safety limits and operating margins are preserved.

In addition, deficiencies associated with certain other activities which could affect fuel cladding integrity should be monitored during the planned baseline inspection of licensee corrective action programs. Possible focus areas include errors associated with:

  • Core design analysis
  • Start up physics testing
  • Human performance (e.g. procedure adherence, etc.)
  • Procedure quality
  • Primary water chemistry control
  • Refueling (i.e. core loading)
  • Loose parts monitoring and foreign material exclusion

Because of their unpredictable consequences, potential "common-cause" failure mechanisms like loose parts and foreign material exclusion may warrant separate inspection beyond just reliance on licensee corrective action programs.

D.2 Inspection Areas - Reactor Coolant System

Design Control

The relatively low LOCA frequency estimates used in probabilistic risk analyses implicitly assume that quality assurance activities monitor and maintain the engineered strength margins of the RCS pressure boundary throughout its operating lifetime. One means of potentially reducing these margins over time is design modifications to the RCS. Maintaining continued confidence in LOCA frequency estimates will therefore include measuring the quality of design modification or temporary modification activities that could increase the probability of an RCS pressure boundary rupture. The adequacy of the original design and earlier modifications to the RCS are assumed to have been proven through initial hydrostatic testing and satisfactory operating performance.

The definition of RCS pressure boundary used here, for inspection purposes, extends beyond the passive pressure retaining piping, valves, and other components covered by ASME code requirements. It also includes active components such as reactor coolant pump or recirculation pump seals and safety relief valves.

As a measure of the quality of design control as it is related to the RCS barrier, an inspection should review a sample of proposed risk-significant modification packages that affect the RCS pressure boundary, including active components. These will include those which could simultaneously impact both RCS integrity and mitigation system reliability or performance. As opportunities occur to observe the quality of work in progress in this area, including post-modification testing, inspectors should assess the ability of the licensee to maintain the design pressure retention capability of the RCS pressure boundary, which forms the basis for assurance that LOCA frequency estimates remain low. Because of their potential importance to risk during station blackout (SBO) conditions, for plants having relatively significant contributions to CDF from SBO, reactor coolant pump or recirculation pump seal replacement or modification should receive high priority, particularly for those seals whose design has not been enhanced for high temperature service (e.g., Westinghouse high temperature RCP seals). In addition, because the presence of pressure relief valves (e.g., code safety valves and power operated relief valves) increases the opportunity for LOCAs due to failures to reseat following lifting, replacement or modification of these components should also receive high priority. The inspection procedure for this area should provide historical insights of causes for pressure boundary failures so as to alert the inspector to the most likely problem areas. For example, for passive components attention should be paid to modifications that might increase mechanical fatigue (e.g., small diameter piping attached to much larger diameter piping), or thermal fatigue (e.g., stratification of liquids or turbulent mixing of hot and cold fluids), or use of material compositions that could increase corrosion susceptibility (e.g., IGSCC, PWSCC), or that might increase the probability of water hammer*. Similar historical insights should be collected for pump seals and relief valves and used as inspection guidance.

* Welding Research Council Bulletin #382, June 1993, "Nuclear Piping Criteria for Advanced Light-Water Reactors, Volume 1 - Failure Mechanisms and Corrective Actions," ISSN 0043-2326, provides an excellent overview of historical insights for piping degradation mechanisms.

Human Performance

As a measure of post accident or event human performance, the inspection program should include licensed operator requalification program implementation with emphasis on simulator observation in the areas of mitigation of potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off-normal conditions.

Emergency Operating Procedures

LOCAs can occur as a consequence of certain non-LOCA-initiated accident sequences. The contribution to core damage frequency from these consequential LOCAs can vary dramatically between plants. Usually an implicit assumption is that emergency operating procedures (EOPs) are relatively effective in preventing serious degradation of the RCS pressure boundary during such sequences. These operator actions include those that mitigate the impact to passive components (e.g., piping) from pressurized thermal shock and mechanical shock due to water hammer, and to active components, such as operator actions to restore cooling to reactor coolant or recirculation pump seals during a station blackout.

To measure the quality of emergency operating procedures as they relate to the RCS barrier, inspection should sample modification packages for emergency operating procedures (and off-normal procedures which are referenced) that could affect the RCS pressure boundary, including active components. Although this review should focus on the modification, it should also include a broad review of the underlying EOP strategy in the area affected by the modification to ensure that the strategy remains sound and in accordance with its intended objectives as described in licensee EOP basis documents.

Configuration Control

Configuration control refers to maintaining system alignment control over active components of the RCS pressure boundary (e.g., isolation valves, PORVs, pump seals) which, if such control is degraded, may result in a loss of RCS integrity. This is not generally modeled in risk assessments of at-power conditions. However, inter-system LOCAs (ISLOCAs) are often modeled as catastrophic failures of normally closed valves whose function is to prevent high pressure RCS coolant from over pressurizing low pressure components such as those associated with decay heat removal systems. Although such events have a very low estimated occurrence frequency, the resulting coolant loss is not recoverable in the containment and therefore not available for long term core and containment heat removal. This makes ISLOCA contribution to risk very sensitive to the valve failure frequency estimate. However, spontaneous catastrophic failure of a valve is not nearly as likely as an operator mis-positioning event. Such operator-induced events would be more likely during shutdown plant conditions when maintenance and system re-alignments are in progress. Therefore, the risk significance of ISLOCA events is increased during periods of operator manipulation of active pressure boundary components and in particular where an ISLOCA could degrade mitigation equipment capability.

The baseline inspection program should assess configuration control as it relates to RCS barrier integrity during shutdown operations. This should include RCS and associated/attached systems (e.g., Low Temperature Overpressure Relief Valves) configuration and manipulations to assure that RCS integrity is maintained and controlled.

Barrier and Equipment Performance

The rate at which RCS pressure boundary leaks (ASME definition) occur is a proposed performance indicator, which in combination with an RCS leak rate performance indicator gives a complete picture of the RCS barrier performance. However, until the "rate of leaks" indicator is fully developed, inspection is warranted to monitor the rate and cause (if known) of such leaks and to assess the adequacy of licensee corrective actions.

Similarly, until the inservice inspection performance indicator is fully developed, inspection is warranted to assess the adequacy of the inservice inspection program scope, including the use of plant-specific risk insights and industry operating experience.

As another aspect of equipment performance, reactor coolant pump (PWR) or recirculation pump (BWR) seals and associated cooling equipment, and RCS pressure relief valves should be inspected. The focus of these inspections should be on performance that may indicate an increasing probability of RCS pressure boundary failure (e.g., pump seal failure, stuck open relief valve).

D.3 Inspection Areas - Containment

Design Control

As a measure of how design control affects the containment barrier and in order to ensure that the design basis and PRA assumptions remain valid, inspectors should perform a design review of a sample of risk-significant modifications or temporary modifications. In addition, for this limited set of modifications, inspectors should conduct a performance-based inspection of the post-modification testing.

Priority should be given to review of modifications that may:

- adversely impact the functionality of systems important to long term containment pressure control and degraded core hydrogen control (e.g., sprays, Mark I hardened vent, isolation condenser, igniters)

- increase the likelihood or magnitude of steam/fission products bypassing the suppression pool or ice condenser (e.g., vacuum breakers, ice condenser components)

- reduce the availability/reliability of isolating large diameter containment penetrations (> 2 inches) which connect to the containment airspace (e.g., purge/vent valves, vacuum breakers, actuation system)

- extend the time required to achieve containment closure during shutdown

- reduce the containment ultimate pressure capacity or introduce new containment failure modes (temporary containment equipment hatches)

The inspector should consult the plant-specific risk study to identify the most risk-significant containment-related SSCs for a particular plant, and to establish a basis for selecting the design changes to be reviewed.

Human Performance

As a measure of how human performance in an accident or event situation affects the containment barrier, the NRC should continue to conduct inspections of licensed operator training to confirm that risk-significant human actions are addressed within the training program, and that control room crews are able to effectively carry out the risk-significant human actions during simulated accidents involving these actions. The NRC should also confirm the adequacy of the licensee's self-assessment of its severe accident management (SAM) capabilities as part of NRC's oversight of licensee emergency preparedness programs. The inspector should confirm that the licensee has implemented the major elements of the "formal industry position" on SAM (i.e., plant-specific SAM guidance, training on SAM, and periodic SAM drills) and has in place an effective self-assessment process. NRC reliance on utility self-assessment of SAM capabilities is appropriate since the industry is implementing SAM through a voluntary industry initiative, and has committed to perform periodic SAM drills and self-assessments on an ongoing basis. The current emergency preparedness inspection procedure(s) will need to be modified to include guidance regarding SAM.

Emergency Operating Procedures

Inspection is needed to confirm the quality of EOPs which affect the containment boundary. The quality of the plant-specific EOPs was verified through the NRC's EOP inspection program conducted in 1988-1991. Using the current EOPs as a baseline, information is needed only on risk-significant changes to the procedures. The inspector should sample EOP modification packages that could affect containment integrity, isolation capabilities or SSCs important to LERF (such as ATWS response, containment venting, and manual depressurization). Although this review should focus on the modification, it should also include a broad review of the underlying EOP strategy in the area affected by the modification to ensure that the strategy remains sound and in accordance with its intended objectives as described in licensee EOP basis documents.

Configuration Control

Inspection is recommended to confirm the adequacy of configuration control as it affects the containment boundary and SSCs important to LERF. The risk-significant penetrations would be identified based on the plant-specific risk study, and are expected to comprise a small fraction of the total containment penetrations. The inspector should verify proper containment configuration during risk-significant evolutions (e.g. PWR mid-loop operation, BWR cavity drain downs, etc.). This should include a review of the licensee's provisions for achieving containment closure in a timely manner (i.e., prior to RCS steaming) during periods when the containment is permitted to be open. Inspections in this area are important because of the high safety significance of these activities.

Barrier and Equipment Performance

Inspection is needed as a measure of equipment performance related to the containment barrier. Reliability and availability data for containment penetrations which constitute the major pathways for release to the environment provides an indicator of the reliability of the containment isolation function. As part of the baseline inspection program for maintenance rule oversight, the inspector should perform a periodic review of the availability and reliability information for those penetrations important to LERF. These penetrations would be identified based on the plant-specific risk study, and are expected to comprise a small fraction of the total containment penetrations. The penetrations are expected to include the large diameter piping penetrations through which the containment air space or reactor coolant system could communicate with the outside environment (e.g., purge/vent penetrations and MSIVs), personnel airlocks, and equipment hatches.

The inspector should also review the information from the licensee's maintenance program for each SSC judged to be important for controlling the LERF. The risk-significant SSCs are containment- and plant-specific and should be selected by the NRC on the basis of their importance to large release frequency in the plant-specific risk study. The SSCs which should be considered for monitoring include those critical for:

- short and long term pressure control (e.g., containment spray and fan coolers in PWRs; suppression pool cooling, isolation condenser, drywell/wetwell sprays, and drywell/wetwell vents in BWRs), and

- degraded core hydrogen control (i.e., hydrogen igniters for ice condenser and Mark III containments and inerting in Mark I and II containments).

The necessary reliability and availability data for the major containment isolation components and SSCs important to LERF are expected to be available from the licensee's implementation of the maintenance rule. The inspector should verify that the licensee accurately collects, assesses, and reports the needed data. Verification could be performed by performing a periodic review of information contained in the licensee's problem identification/corrective action program.

In addition, deficiencies associated with certain other activities which could affect containment functionality should be monitored during the planned baseline inspection of licensee corrective action and self-assessment programs. Possible focus areas include licensee follow-up of:

- instances in which measured leakage is found to exceed La

- human errors impacting containment integrity that are identified as root causes of problems in other areas

- procedure deficiencies impacting containment performance that are identified as root causes of problems in other areas

- failures to maintain the proper status of risk-significant containment isolation valves and penetrations

- failures to maintain containment parameters within design limits


DRAFT 11/16/98

FIGURE B4 - SUMMARY - BARRIER INTEGRITY CORNERSTONE

Key Attributes: Fuel Cladding Integrity - Design Control
Areas to Measure: Core Design Analysis
Means to Measure: Performance Indicator (RCS Activity)
Comment: Design errors could lead to cladding defects or failures, the effect of which would be seen in the performance indicator. Gap release is assumed in certain design basis accidents. Design errors would not be expected to cause a risk-significant increase in the gap release. Errors in the core design analysis should be detected during start up physics testing and data review.

Key Attributes: Fuel Cladding Integrity - Design Control
Areas to Measure: Physics Testing
Means to Measure: Corrective Action Program
Comment: Physics testing is conducted while low in power, where design errors are not likely to challenge cladding integrity. Should significant problems be identified, shutdown and corrective actions would be accomplished.

Key Attributes: Fuel Cladding Integrity - Human Performance
Areas to Measure: Procedure Adherence
Means to Measure: Performance Indicator (RCS Activity), Corrective Action Program
Comment: Failure to adhere to procedures, assuming that it results in adverse consequences, would be seen in the RCS activity performance indicator or should be identified as a root cause of problems measured in other key attribute areas (see Fuel Cladding Integrity - Configuration Control).

Key Attributes: Fuel Cladding Integrity - Human Performance
Areas to Measure: Foreign Materials Exclusion (FME)
Means to Measure: Performance Indicator (RCS Activity), Corrective Action Program, Inspection (Potential)
Comment: The corrective action program would be expected to identify and correct FME problems. In some cases, FME problems could lead to cladding defects which would be identified by the RCS activity performance indicator. Consider inspection since problems with foreign material exclusion controls can be characterized as a potential "common cause" failure concern (i.e. could negatively impact performance of both fuel and control rods) with unpredictable consequences.

Key Attributes: Fuel Cladding Integrity - Procedure Quality
Areas to Measure: Quality of Procedures Which Could Impact Cladding
Means to Measure: Performance Indicator (RCS Activity), Corrective Action Program
Comment: In the worst case, inadequate procedures could result in fuel cladding damage, which would be reflected in the RCS activity performance indicator. Less significant procedure deficiencies should be captured as root causes of problems measured in other key attribute areas.

Key Attributes: Fuel Cladding Integrity - Configuration Control
Areas to Measure: Reactivity Control
Means to Measure: Inspection
Comment: Monitor those activities which could lead to fuel cladding degradation. Abnormal control rod alignments or reactivity manipulations during plant operation can result in reduction in margins to core thermal limits and even challenge thermal limits during transients, leading to cladding degradation or failure. Misconfigured or malfunctioning reactivity control systems may fail to prevent or mitigate areas of unacceptably high neutron flux in the core which could lead to fuel cladding damage. Cladding perforation is by definition a breach of the fuel barrier and a reduction in the defense-in-depth for prevention of fission product release to the environment.

Key Attributes: Fuel Cladding Integrity - Configuration Control
Areas to Measure: Primary Chemistry Control
Means to Measure: Corrective Action Program, Performance Indicator (RCS Activity)
Comment: Problems resulting from inadequate water chemistry controls tend to develop slowly and should be adequately identified and resolved by effective implementation of licensee self-assessment and corrective action programs. The RCS activity performance indicator would provide a back-up.

Key Attributes: Fuel Cladding Integrity - Configuration Control
Areas to Measure: Core Loading
Means to Measure: Corrective Action Program, Performance Indicator (RCS Activity)
Comment: Fuel loading errors committed during the refueling process should be detected while very low in power during start up physics testing. Improperly placed or oriented fuel assemblies can lead to localized areas of high neutron flux with adverse consequences. Fuel assembly mispositioning errors should be identified during independent verification of the core configuration prior to vessel head re-installation. The licensee's corrective action program is expected to identify and resolve this type of problem, as well as problems involving cladding damage during handling. The RCS activity performance indicator would provide a back-up.

Key Attributes: Fuel Cladding Integrity - Equipment/Barrier Performance
Areas to Measure: Reactor Coolant System (RCS) Activity
Means to Measure: Performance Indicator (RCS Activity)
Comment: RCS radioactivity level measurements provide a reliable means of indicating when nuclear fuel cladding has been compromised, resulting in a direct and objective measure of the integrity of the fuel cladding barrier. This PI is important from a risk-informed perspective since a failure of fuel cladding is by definition a breach of one of the three barriers to fission product release in the "defense-in-depth" fission product release protection scheme.

Key Attributes: Fuel Cladding Integrity - Equipment/Barrier Performance
Areas to Measure: Loose Parts
Means to Measure: Performance Indicator (RCS Activity), Inspection (Potential)
Comment: Besides FME issues (described in the "Fuel Cladding Integrity - Human Performance" key attribute above), loose parts can be introduced into the reactor vessel by poor maintenance practices or failures of internal structural components. In some cases, loose parts could lead to cladding defects which would be identified by the RCS activity performance indicator. Consider inspection since this is a potential "common cause" failure concern with unpredictable consequences.

Key Attributes: Reactor Coolant System Integrity - Design Control
Areas to Measure: Modification Work Quality
Means to Measure: Inspection
Comment: Review proposed permanent or temporary modification packages for risk-significant SSC's, including the associated 10 CFR 50.59 safety evaluations. This effort should ensure that design bases and risk analyses assumptions are preserved. Inspection should also focus on post-modification testing to verify that "as-left" equipment or barrier performance is satisfactory. The scope of this effort should focus on the most risk-significant modifications, for example those which could simultaneously impact both RCS integrity as well as mitigation system performance or reliability.

Key Attributes: Reactor Coolant System Integrity - Human Performance
Areas to Measure: Errors in Routine Operations, Maintenance, and Surveillance Performance
Means to Measure: Corrective Action Program
Comment: Errors (including failures to adhere to established procedures) should be captured as root causes of problems measured in other key attributes.

Key Attributes: Reactor Coolant System Integrity - Human Performance
Areas to Measure: Errors in Post-Accident or Event Performance
Means to Measure: Initial Operator Exams and Requalification Program inspections
Comment: Observe licensed operator initial and requalification examinations with focus on actions which are designed to protect the integrity of the RCS barrier. These actions include those that mitigate the impact to passive components (e.g. piping) from direct thermal impacts (e.g. pressurized thermal shock) and mechanical shocks (e.g. water hammer), and actions to restore cooling to reactor coolant/recirculation pump seals during conditions affecting the adequacy of cooling to these seals.

Key Attributes: Reactor Coolant System Integrity - Procedure Quality
Areas to Measure: Routine Operations, Maintenance, and Surveillance procedures which could affect RCS integrity
Means to Measure: Corrective Action Program
Comment: Procedure deficiencies should be captured as root causes of problems measured in other key attributes.

Key Attributes: Reactor Coolant System Integrity - Procedure Quality
Areas to Measure: Emergency Operating Procedures (EOP) and Related Off-Normal Procedures
Means to Measure: Inspection
Comment: Focused review of proposed risk-significant changes to EOPs. The quality of EOPs and other off-normal procedures goes hand-in-hand with effective human performance to provide adequate assurance that RCS pressure boundary components will be protected during accidents or events involving these procedures. The quality of these procedures is equally risk significant as that noted for the human performance area discussed above. During the review of proposed EOP changes, consider the conduct of a broader review of the subject EOP to ensure that the overall accident mitigation strategy is still valid (to account for prior changes which may have been made since the initial EOP validation effort).

Key Attributes: Reactor Coolant System Integrity - Configuration Control
Areas to Measure: System Alignment
Means to Measure: Inspection
Comment: Periodically verify during plant shutdown periods (when operator manipulation of RCS pressure boundary components like isolation valves is most frequent) that the configuration of the RCS and connected systems is properly maintained. The consequences of mis-positioned RCS boundary valves resulting in a LOCA can be high when the resulting coolant loss is not recoverable in the containment and therefore not available for long term core and containment heat removal.

Key Attributes: Reactor Coolant System Integrity - Configuration Control
Areas to Measure: Primary and Secondary Chemistry Control
Means to Measure: Corrective Action Program
Comment: Problems resulting from inadequate water chemistry controls tend to develop slowly and should be identified and resolved by internal licensee processes.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Reactor Coolant System Leakage
Means to Measure: Performance Indicator (RCS Leak Rate)
Comment: Monitor the extent of RCS leakage. An actual RCS leak is, by definition, a breach of RCS integrity and a reduction in the defense-in-depth for protection against fission product release. RCS leakage is a direct indicator of the performance of the RCS pressure boundary. Research has determined that the RCS pressure boundary has a high probability of experiencing a leak prior to a rupture (i.e. "leak-before-break"). Therefore, the extent of such leaks offers an objective perspective on the probability of a more catastrophic failure.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Reactor Coolant System Leakage
Means to Measure: Performance Indicator (RCS Leak Occurrence Rate) (Potential)
Comment: Monitor the rate of occurrence of RCS pressure boundary leaks. RCS pressure boundary leaks, by definition, are breaches of RCS integrity and reduce defense-in-depth for protection against fission product release. Research has determined that the RCS pressure boundary has a high probability of experiencing a leak prior to a rupture (i.e. "leak-before-break"). Therefore, the rate of occurrence of such leaks offers an objective perspective on the probability of a more catastrophic failure.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Reactor Coolant System Leakage
Means to Measure: Inspection
Comment: Until the above potential performance indicator is available for rate of occurrence of RCS pressure boundary leaks, the baseline inspection program will monitor the rate and cause (if known) of such leaks and assess the adequacy of licensee corrective actions.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Inservice Inspection (ISI) Results
Means to Measure: Inspection
Comment: ISI programs, when effectively implemented, provide a proactive means to assess the overall integrity of the RCS. Emphasis will be placed on the use of industry operating experience to assess the adequacy of the inservice inspection program scope, including the use of plant-specific risk insights.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Inservice Inspection (ISI) Results
Means to Measure: Performance Indicator (RCS ISI Results) (Potential)
Comment: Monitor the number of RCS defects identified during licensee ISI. Implicit in the generally low LOCA frequency estimates resulting from plant risk assessment studies is the expectation that effective quality assurance activities (such as ISI) will monitor and maintain the engineered strength margins of the reactor coolant pressure boundary. A relatively large number of identified defects resulting from ISI would indicate either a robust ISI program, deficient RCS design or construction, or poor RCS pressure boundary maintenance.

Key Attributes: Reactor Coolant System Integrity - Equipment/Barrier Performance
Areas to Measure: Active RCS Component Performance
Means to Measure: Inspection (or Maintenance Rule Verification)
Comment: Monitor the performance of reactor coolant or recirculation pump seals, safety/relief valves, etc (i.e. active SSC's). Poor performance associated with the active RCS components invalidates the assumptions made in risk assessment studies and increases the potential for LOCAs.

Key Attributes: Containment Integrity - Design Control
Areas to Measure: Structural Integrity
Means to Measure: Performance Indicator (Containment Leakage)
Comment: Established during the initial licensing and pre-operational testing and inspection process; continuing adequacy in this area is assessed through inspection of related modifications (see below) and is monitored by leak rate testing (the performance indicator is described below).

Key Attributes: Containment Integrity - Design Control
Areas to Measure: Operational Capability
Means to Measure: Maintenance Rule Verification
Comment: Established during the initial licensing and pre-operational testing and inspection process; continuing adequacy in this area is assessed through inspection of related modifications (see below) and through verification of effective implementation of the Maintenance Rule.

Key Attributes: Containment Integrity - Design Control
Areas to Measure: Modification Work Quality
Means to Measure: Inspection
Comment: Review proposed permanent or temporary modification packages for risk-significant SSC's, including associated 10 CFR 50.59 safety evaluations, to ensure that design bases and risk analyses assumptions are preserved. Inspection should also focus on post-modification testing to verify that "as-left" equipment or barrier performance is satisfactory.

Key Attributes: Containment Integrity - Human Performance
Areas to Measure: Routine Operations, Maintenance, and Surveillance Performance
Means to Measure: Corrective Action Program
Comment: Human performance errors during routine operations, maintenance, and surveillance (including failures to adhere to established procedures) should be captured as root causes of problems measured in other key attributes.

Key Attributes: Containment Integrity - Human Performance
Areas to Measure: Post-Accident or Event Performance
Means to Measure: Initial Operator Exams and Requalification Program inspections
Comment: Continue to assess licensed operator training, with focus on actions designed to protect containment integrity. Risk studies indicate that certain operator actions can have a significant impact on plant risk. In BWRs these include actions to inhibit the automatic depressurization system and subsequently depressurize the RCS manually, align suppression pool cooling, control reactor level during an ATWS, and vent the containment. For PWRs these include actions to switch over from the injection to the recirculation phase of core cooling, feed and bleed using HPI and PORVs, and recover normal and emergency power.

Key Attributes: Containment Integrity - Procedure Quality
Areas to Measure: Routine Operations, Maintenance, and Surveillance Procedures which could affect containment integrity
Means to Measure: Corrective Action Program
Comment: Procedure deficiencies should be captured as root causes of problems measured in other key attributes.

Key Attributes: Containment Integrity - Procedure Quality
Areas to Measure: Emergency Operating Procedures
Means to Measure: Inspection
Comment: Focused review of proposed risk-significant changes to emergency operating procedures. The need for effective human performance under emergency conditions goes hand-in-hand with the need for quality EOPs. During this review of proposed EOP changes, consider the conduct of a broader review of the subject EOP to ensure that the overall accident mitigation strategy is still valid (to account for prior changes which may have been made since the initial EOP validation).

Key Attributes: Containment Integrity - Configuration Control
Areas to Measure: Lineup of Containment Penetrations and SSCs important to LERF
Means to Measure: Corrective Action Program
Comment: Errors in maintaining the proper status of risk-significant containment penetrations and SSCs should be infrequent and identified via control room alarms and indications and routine surveillances.

Key Attributes: Containment Integrity - Configuration Control
Areas to Measure: Lineup of Containment Penetrations and SSCs important to LERF
Means to Measure: Inspection
Comment: Verify that the containment is in the proper configuration and that open penetrations can be closed in a timely manner during risk-significant evolutions (e.g. "mid-loop" operation with fuel in the vessel at a PWR). Since defense-in-depth protection against a fission product release is already reduced in these circumstances, added assurance of the viability of timely and effective containment isolation is needed.

Key Attributes: Containment Integrity - Configuration Control
Areas to Measure: Containment Design Parameters Maintained
Means to Measure: Corrective Action Program
Comment: Errors in maintaining the proper containment design parameters, many established by technical specifications (e.g. torus level in BWR), should be infrequent and easily identified (i.e. via control room alarms and indications).

Key Attributes: Containment Integrity - Equipment/Barrier Performance
Areas to Measure: Steam Generator Tube Integrity and ISLOCA Prevention
Means to Measure / Comment: Covered under equipment performance attribute of the Initiating Events Cornerstone and configuration control attribute of RCS barrier.

Key Attributes: Containment Integrity - Equipment/Barrier Performance
Areas to Measure: Containment Isolation Systems Reliability and Availability
Means to Measure: Performance Indicator (Containment Leakage)
Comment: Monitor the "as-found" containment leak rate data. "As-found" data is important because it provides an objective and reasonable indication of what actually existed during previous plant operation. The PI would be reported as the combined total leak rate of all the penetrations, as a fraction of the site-specific l .

Key Attributes: Containment Integrity - Equipment/Barrier Performance
Areas to Measure: Containment Isolation Systems Reliability and Availability
Means to Measure: Maintenance Rule Verification
Comment: Inspection should provide oversight of the licensee's implementation of the maintenance rule, which includes monitoring the performance of containment isolation SSCs which constitute major release pathways to the environment (i.e. important to LERF).

Key Attributes: Containment Integrity - Equipment/Barrier Performance
Areas to Measure: Risk-Important Support Systems Availability and Reliability
Means to Measure: Maintenance Rule Verification
Comment: Inspection should provide oversight of the licensee's implementation of the maintenance rule, which includes monitoring the performance of containment support systems which could adversely impact the functionality of the containment. For example, these systems could include containment spray and hydrogen ignitors.

DRAFT - 11/16/98

FIGURE B5 - SUMMARY OF PROPOSED INDICATORS FOR THE BARRIER INTEGRITY CORNERSTONE

Measure: RCS Activity
Purpose: To provide indication of fuel barrier integrity and occurrence of cladding failure
Indicator: Maximum calculated activity level per month
Thresholds: TBD

Measure: RCS Leak Rate
Purpose: To provide indication of the potential for a breach of the RCS
Indicator: Maximum calculated leakage rate per month
Thresholds: TBD

Measure: RCS Leak Occurrence Rate (Potential)
Purpose: To provide a measure of the frequency of RCS leaks
Indicator: Occurrence rate of individual RCS pressure boundary leaks (as defined by technical specifications), measured on a per fuel cycle basis, that contribute to identified RCS leakage, that are not primary-to-secondary leakage, and that exist when RCS integrity is required by technical specifications
Thresholds: TBD

Measure: RCS Inservice Inspection Results (Potential)
Purpose: To provide indication of the potential for RCS failure
Indicator: The percentage of individual inservice inspection tests performed within [TBD] that require repair pursuant to Technical Specifications
Thresholds: TBD

Measure: Containment Leakage
Purpose: To provide indication that containment leakage will remain below levels corresponding to a large radiological release, given that containment closure is achieved
Indicator: Total leakage from containment as determined from the last integrated leak rate test, updated by the "as found" results of subsequent local leak rate tests required by 10 CFR 50, Appendix J
Thresholds: TBD


~ .-J Matrdain Matntain Functionality of ) Barrier integrity ( Functionahty of RCS Pressure Boundary Nuclear Fuel Cladding JL Key:

CONT = Contamment Leekage Maintain V = Verification / Validation Funct#onality of Containment Ril = Risk Informed Inspections MR = Maintenance Rule CAP = Corrective Action Program Jk Jk JL JL JL ssC t. Procedure Design Human Barrier Quality Control Configuration Performance Performance Centrol s/G Tube integrey Centeenmeed tsetenen Po,e Aceteent e niergewy h*I ISLOC A Preveneen SSC Rehab-Hty/AveReblMy (m event)

    • @'"M operating afedHleenen c" Y'eI C-' CetmW

,,,,, ,,,i e en, as r,

-'-'"-- - "Oe' (Ops. Maint.

- o,e,e.e.e.

Cepetuity 0"e'."e'. r_,,,,

Systems f unciten ,g SWV)

Covered by RCS and Instleting event Pt

  • CONT CAP p,.cogT eornerstone MRV PR ,, ,q Rft. C AP CAP CAP WRW November 16,1998 g, g

. . - - . . . n. - . , a--.a -..~.-.--a.m.a., ..~..n .s m e-o s e s w . . . ._x. a .u-- aw -.u a...u+...s.a. . - - s..--~n -.n-.-.

DRAFT

NRC NUCLEAR POWER PLANT BASELINE INSPECTION PROGRAM

DRAFT NRC POWER REACTOR BASELINE INSPECTION PROGRAM

I. Program overview
II. Inspectable areas required in the baseline program
    List by cornerstone
    Linked to Agency mission
III. Basis documents for inspectable areas
    Scope of inspectable area
    Linkage of inspectable area to performance indicators
    Justification for why each inspectable area is in baseline program
    Activity and SSC selection methodology
IV. Process for selecting activities and SSCs to be inspected within inspectable areas
    Generic - first cut approach using RIM
    Plant specific - using PRA database / SRA input / licensee site specific data
V. Process for determining frequency and how much time to expend inspecting within each inspectable area
VI. Process for verification of performance indicators
VII. Process for evaluating problem identification and resolution programs
VIII. Risk information matrices (RIM)
IX. Definitions of terms used in the baseline inspection program
X. Projected resources for baseline inspection program

SECTION I: PROGRAM OVERVIEW

NRC Power Reactor Baseline Inspection Program

Program Overview

The NRC power reactor baseline inspection program defines the planned activities to evaluate licensee performance and follow up on identified problems with that performance. The objective of the program is to monitor all power reactor licensees at a defined level of effort to assure the licensees are using radioactive materials safely as defined by the goals specified in the NRC's Strategic Plan. The general goals from the Strategic Plan are listed below:

General Goals:

  • Prevent radiation-related deaths or illnesses due to civilian nuclear reactors.

  • Ensure treatment, storage, and disposal of wastes produced by civilian use of nuclear materials in ways that do not adversely affect this and future generations.

  • Prevent the loss or theft of special nuclear materials regulated by the NRC.

To effectively determine whether the goals have been met, the baseline inspection program first divides the goals into seven "cornerstones of safety". These cornerstones are those risk-significant areas of a licensee's operation of a nuclear power reactor that are necessary to assure the goals are met. Next, the baseline program establishes a population of inspectable areas within each cornerstone. Inspectable areas define activities of a licensee's operation of a nuclear power reactor that must be monitored to assure the goals of safety are met. The total population of inspectable areas is listed in Table 1 by cornerstone of safety.

Licensees and the NRC have established a set of performance indicators that provide information as to whether the goals of safety have been met. Where there are adequate performance indicators in each cornerstone of safety, the NRC has determined that the baseline inspection program does not need to be conducted. The NRC has also determined that the baseline program needs to include a verification process. The goal of this process is to determine that the performance indicators continue to provide the designed information.

A key indicator of licensee performance has been their identification and resolution of problems and/or issues. Therefore, the baseline inspection program includes a review of this performance at all power reactor plants.

Based on the objectives described above, the baseline inspection program has three key parts:

Part 1: Review of inspectable areas. These are identified in the baseline program as those areas where there are no performance indicators or the performance indicators are limited in their coverage of the activity.

Part 2: Verification of the established performance indicators.

Part 3: Review of licensee programs for identification and resolution of problems and/or issues.

The following pages of this document describe these three parts of the program.

SECTION II: INSPECTABLE AREAS REQUIRED IN THE BASELINE PROGRAM

Table 1: Inspectable Areas by Cornerstone

A. Initiating Events Cornerstone

Inspectable Areas (important attributes in parentheses):

Adverse weather (external factors)
Equipment alignment (equip. perf. and config. control)
Emergent work (configuration control)
Fire protection (external factors)
Flood protection (external factors)
Identification and resolution of problems/issues
Inservice inspection activities (equipment performance)
Licensed operator requalification (human performance)
Maintenance rule implementation (equipment performance)
Operating experience review (design)
Operator shift turnovers (configuration control)
Operator workarounds (design and configuration control)
Permanent plant modifications (design)
Piping system erosion and corrosion (equipment performance)
General plant walkdowns
Post maintenance testing (human performance)
Post modifications testing (design)
Pre-job briefs (human performance)
Refueling activities (equip. perf. and config. control)
Safety system performance capability (design)
Technical specification surveillance testing (human performance)
Temporary plant modifications (design)
Testing of pumps and valves (human performance)

B. Mitigation Systems Cornerstone

Inspectable Areas (important attributes in parentheses):

Equipment alignment (equip. perf. and config. control)
Emergent work (configuration control)
Event followup (equipment performance)
Fire protection (design and equip. perf.)
Flood protection (design)
Heat exchanger performance (equipment performance)
Identification and resolution of problems/issues
Licensed operator requalification (human performance)
Maintenance rule implementation (equipment performance)
Maintenance work prioritization control (configuration control)
Off-normal plant operations (human performance)
Operability evaluations (equipment performance)
Operating experience review (design)
Operator shift turnovers (configuration control)
Operator workarounds (design)
Permanent plant modifications (design)
General plant walkdowns
Post maintenance testing (equipment performance)
Post modifications testing (design)
Refueling activities (configuration control)
Safety evaluations (design)
Safety system performance capability (design and equip. perf.)
Technical specification surveillance testing (equipment performance)
Temporary plant modifications (design and config. control)
Testing of pumps and valves (equipment performance)

C. Barrier Integrity Cornerstone

Inspectable Areas (important attributes in parentheses):

Event followup (barrier and equipment performance)
Fuel barrier performance (cladding performance and config. control)
Identification and resolution of problems/issues
Inservice inspection activities (barrier performance)
Large containment isolation status verification (SSC barrier performance)
Licensed operator requalification (human performance)
Maintenance work prioritization control (configuration control)
Operating experience review (design)
Permanent plant modifications (design)
General plant walkdowns
Post modifications testing (design)
Refueling activities (fuel: human perf., design and config. control)

D. Emergency Preparedness Cornerstone

Inspectable Areas (important attributes in parentheses):

Alert and notification system availability (equipment readiness)
Drill/exercise performance (ERO performance)
EAL change review (procedure quality)
Emergency response organization augmentation (ERO readiness)
Identification and resolution of problems/issues
Licensed operator requalification (ERO performance)

E. Occupational Exposure Cornerstone

Inspectable Areas (important attributes in parentheses):

Access control to radiologically significant areas (equipment/facilities)
ALARA planning and controls (program/process)
Event followup
Identification and resolution of problems/issues
General plant walkdowns
Radiation monitoring instrumentation (equipment)
Radiation worker performance (human performance)

F. Public Exposure Cornerstone

Inspectable Areas (important attributes in parentheses):

Event followup
Gaseous and liquid effluent treatment systems (equipment)
Identification and resolution of problems/issues
Radioactive material processing and shipping (program/process)
Radiological environmental monitoring program (program/process)

G. Physical Security Cornerstone

Inspectable Areas (important attributes in parentheses):

Access authorization program (personnel screening, FFD, behavior obs.)
Access control (search, ID and authorization, security locks and key control)
Identification and resolution of problems/issues
Physical protection system (barriers, intrusion detection, alarm assessment)
Security plan and procedures modifications (system design control)
Response contingencies for events (protective and implementation strategy)
General plant walkdowns
Protection of safeguards information (system design control)

PREMISES

  • Pilot
  • Modification before Issuance to all Utilities
  • NEI Focus Group Intact
  • Utility Buy-In

ATTACHMENT 7

December 1998

Dec. 25              NSAC Meeting (Brief results of NRC/NEI effort. Answer raised / resolved utility buy-in)

January 1999

Jan. 1               Select Utility Pilots
                     BWR/PWR, 2 / region, selected to validate performance
Jan. 10 - xx         NRC to Commission

February 1999

Feb. 1               Data Format Rules to Utilities / Regions
Feb. 10              Public Workshop (to describe new process: Wash.)
Feb. 15              Meeting w/ Pilot Utilities (common).
Feb. 15 - Mar. 15    Regional discussions on utility meeting to air concerns.

March 1999

Mar. 15              NEI/NRC - Steering group meetings to resolve any issues before issuing data.

April 1999

Pilot starts
  • Data from J-M submitted by 15th
  • Previous 2 yr. (2) rolling average data submitted.
  • Risk informed inspection in parallel. (draft reports)

May 1999

May 1
  • NEI check in with Pilot Utilities
  • NRC/NEI meeting
May xx               NSAC review pilot

June 1999

June 15              Enforcement rules in place.

July 1999

July xx              Pilot inspection reports due.
                     - Qtly. Data
                     - consistency check
  • NRC Review with regions & NEI

August - September 1999

Aug. 1               NRC Report out
Aug. 15 - xx         NRC/NEI Review Critique
Aug. xx - Sept. 15   Revised reporting requirements submitted to all utilities.

November 1999

Nov. 1               NRC/NEI review results.
Nov. 15              Issue any updates on the data submittals.

January 2000 - June 2001

                     - Utility Report
Feb. 2000            Assessment of all utility data - NRC/NEI.
June 2001            Review with NEI.

NEI Proposed NRC Inspection Finding Evaluation Matrix

DRAFT 11/17/98 R1

Purpose:

The purpose of this matrix is to provide a basis for determining the risk-informed significance of NRC inspection findings and to provide criteria / thresholds for increased regulatory attention or required regulatory action consistent with the performance indicators for the same cornerstone related to the inspection module.

Assumptions:

  • Programmatic and human performance issues associated with implementing NRC requirements are identified and corrected in the licensee corrective action program required by 10 CFR 50 Appendix B. Timeliness of corrective actions is consistent with the safety significance of the identified non-conformance.

conformances in accordance with NRC Generic Letter 91-18R1. This requires that prompt evaluation / action in accordance with facility operating license (Technical Specifications) occurs. Technical Specifications require plant shutdowns when non-conformances affect multiple trains and components of required safety equipment.

  • Inspections for licensee programs (ISI, IST, Operator Training, Emergency Planning, Security, Radwaste shipping, etc.) have identified risk informed criteria related to the ability of the cornerstone objective to be met. Findings need to be based on concrete examples that demonstrate the criteria are not met.

Definitions:

  • An Inspection Discrepancy is defined as NRC identified non-conformance with NRC requirements that have little or no safety significance. Licensees are allowed to capture discrepancy in the licensee corrective action program and restore conformance in a time frame consistent with safety significance.

  • An Inspection Finding is defined as NRC or licensee identified non-conformance(s) that if uncorrected, would compromise the ability to meet the objective of the cornerstone linked to the inspection module. Cornerstone objectives can still be met pending completion of corrective actions with implementation of compensatory measures.

  • A Risk Significant Finding is defined as NRC or licensee identified non-conformance(s) that if uncorrected significantly challenge the ability to meet the cornerstone objectives relative to public safety. Non-conformances exist in multiple barriers such that cornerstone objectives can not be assured without completion of significant corrective actions.

  • Increased Regulatory Oversight describes the assessment region in which licensee performance in a specific cornerstone as measured by PI's and Inspection Findings demonstrates cornerstone objectives compromised. Licensees are required to validate extent of condition. NRC monitoring / inspection to ensure effectiveness and timeliness of licensee corrective actions.

  • Required Regulatory Action describes the assessment region in which licensee performance in a specific cornerstone as measured by PI's and Inspection Findings demonstrates that a cornerstone objective is not met. The NRC is required to perform an assessment of the extent of condition and acceptability of proposed corrective actions. The licensee is required to formally commit to corrective actions necessary to meet the cornerstone objective. The NRC utilizes Confirmatory Action Letters to ensure licensee conformance.

Inspection Non-Conformance Evaluation Matrix

Attribute | Observation | Finding | Risk Sig. Finding

No impact to ability of single SSCs to perform safety function | X

Impact to 1 train of SSCs ability to perform safety function for period of time in excess of Technical Specifications AOTs | X

Impact to all trains of SSC such that ability to meet a cornerstone objective is lost | X

Single example inspection criteria not met in a cornerstone area with cornerstone objective met based on redundant barriers and/or compensatory action | X

Multiple examples of inspection criteria not met in a cornerstone area with cornerstone objective assured due to multiple barriers and/or compensatory action | X

Multiple examples of inspection criteria not met in a cornerstone area with cornerstone objective not met | X

Cover Letter

Plant X

Plant X provides an adequate level of protection of public health and safety.

As shown on the attached Plant Issues Matrix, all of the performance indicators for all cornerstones met the established regulatory thresholds.

NRC inspection activity and licensee self assessments did not identify any findings that challenge the performance indicator results.

No enforcement action was taken during the period.

The NRC oversight of Plant X will be accomplished through the core inspection program.

Plant Issues Matrix

Plant X

 | Initiating Events | Mitigation Systems | Barrier Integrity | Emergency Preparedness | Public Radiation Safety | Worker Radiation Safety | Physical Protection
Performance Indicators | Exceed regulatory threshold | Exceed regulatory threshold | Exceed regulatory threshold | Exceed regulatory threshold | Exceed regulatory threshold | Exceed regulatory threshold | Exceed regulatory threshold
Inspection Results | No findings | No findings | No findings | No findings | No findings | No findings | No findings
Enforcement Actions | None | None | None | None | None | None | None

Cover Letter

Plant Y

Plant Y provides an adequate level of protection of public health and safety.

As shown on the attached Plant Issues Matrix, all of the performance indicators for all cornerstones met the established regulatory thresholds except for the unplanned transients greater than 20% indicator in the initiating events cornerstone and the AFW system availability indicator under the mitigation systems cornerstone.

NRC inspection activity confirmed that configuration control problems contributed to several unplanned transients. A design error related to the AFW system caused reduced availability of the AFW system. The licensee has performed a root cause analysis of both problems and has identified corrective actions. NRC inspection activity and licensee self assessments did not identify any findings that challenge the performance indicator results in other cornerstone areas.

One Level III violation was issued due to loss of one train of AFW during an actual demand resulting from a design error. The other train functioned as required.

The NRC oversight of Plant Y will be accomplished through the core inspection program. In addition, the NRC will monitor implementation of licensee corrective actions to reduce initiating events and improve mitigation system availability.

ATTACHMENT 10

Plant Issues Matrix

 | Initiating Events | Mitigation Systems | Barrier Integrity | Emergency Preparedness | Public Radiation Safety | Worker Radiation Safety | Physical Protection
Performance Indicators | Unplanned transients > 20% below regulatory threshold. All other PIs exceed regulatory threshold | AFW system reliability below regulatory threshold. All other PIs exceed regulatory threshold | Exceeds regulatory threshold | Exceeds regulatory threshold | Exceeds regulatory threshold | Exceeds regulatory threshold | Exceeds regulatory threshold
Inspection Results | Configuration control problems contributed to several unplanned transients. | An error in a design mod contributed to several failures of the AFW system, including loss of one train during an actual demand. | No findings | No findings | No findings | No findings | No findings
Enforcement Actions | None | One Level III violation issued | None | None | None | None | None

Objectives

  • KISS
  • Repeatable across plants / time
  • E-mail
  • Point & Click

Sections

  • Process
  • Product
  • Overall

Format

  • Question
  • Rating
    - Section
    - Performance Attribute
    - Importance

Survey NRC

A. What is your perception of the current assessment process?

                        Performance    Importance
Fairness                1 2 3 4 5      1 2 3 4 5
Accuracy                1 2 3 4 5      1 2 3 4 5
Safety significance     1 2 3 4 5      1 2 3 4 5
Consistency             1 2 3 4 5      1 2 3 4 5
Predictability          1 2 3 4 5      1 2 3 4 5
Objectiveness           1 2 3 4 5      1 2 3 4 5

1 = poor/low    5 = excellent/high

Survey NRC

B. What is your perception of the benefit of the current assessment process?

                        Performance    Importance
Feedback                1 2 3 4 5      1 2 3 4 5
Resource assignment     1 2 3 4 5      1 2 3 4 5
Utility                 1 2 3 4 5      1 2 3 4 5
Regulator
Safety Significance     1 2 3 4 5      1 2 3 4 5
Public communication    1 2 3 4 5      1 2 3 4 5

Survey

C. What is your overall perception of the current assessment process?

                        Performance    Importance
                        1 2 3 4 5      1 2 3 4 5

DRAFT ACTION MATRIX

INCREASING SAFETY SIGNIFICANCE >

Performance | All Assessment Inputs (PIs and Inspection Areas) Green | Any Individual White PIs or Inspection Areas | One Degraded Cornerstone (2-3 Assessment Inputs White or 1 Assessment Input Yellow) | Repetitive Degraded Cornerstone, Multiple Degraded Cornerstones, or Multiple Yellow Assessment Inputs | Overall Red (Unacceptable) Performance

Management Meeting | Routine Resident Inspector Interaction | SRI/BC Meet with Licensee | DD/RA Meet with Licensee Management | EDO Meet with Senior Licensee Management | Commission Meeting with Senior Licensee Management

Licensee Action | Licensee Corrective Action | Licensee Corrective Action with NRC Oversight | Licensee Self Assessment with NRC Oversight | Licensee Performance Improvement Plan with NRC Oversight |

NRC Inspection | Risk-informed Baseline Inspection Program | Regional Initiative Inspection | Inspection Focused on Cause of Degradation | Team Inspection Focused on Cause of Overall Degradation |

Regulatory Actions | None (Consider N+1 Exemption for 2 Consecutive Cycles in This Range) | Document Response to Degrading Area in Inspection Report | Docket Response to Degrading Condition | 10 CFR 50.54(f) Letter; CAL/Order | Order to Modify, Suspend, or Revoke Licensed Activities
(also listed in this row: Remove Performance Mitigating Factor from Enforcement)

Assessment Report | DD review / sign assessment report (w/ inspection plan) | DD review / sign assessment report (w/ inspection plan) | RA review / sign assessment report (w/ inspection plan) | RA review / sign assessment report (w/ inspection plan) | RA review / sign assessment report (w/ inspection plan)

Public Assessment Meeting | SRI or Branch Chief Meet with Licensee | SRI or Branch Chief Meet with Licensee | RA Discuss Performance with Licensee | EDO Discuss Performance with Senior Licensee Management | Commission Meeting with Senior Licensee Management to Discuss Licensee Performance

Regional Review Only | Headquarters Review

DRAFT