ML20202A459

From kanterella
Jump to navigation Jump to search
IMC 0609 App K Maintenance Risk Assessment and Risk Management Significance Determination Process
ML20202A459
Person / Time
Issue date: 10/16/2020
From: John Hughey
NRC/NRR/DRA/APOB
To:
Hughey J
Shared Package
ML20206K969, ML20289A806 List:
References
CN 20-051, DC 20-017
Download: ML20202A459 (13)
v  d  e


Text

NRC INSPECTION MANUAL APOB INSPECTION MANUAL CHAPTER 0609 APPENDIX K MAINTENANCE RISK ASSESSMENT AND RISK MANAGEMENT SIGNIFICANCE DETERMINATION PROCESS Effective Date: 01/01/2021 0609K-01 PURPOSE To determine the significance of inspection findings related to licensee assessment and management of risk associated with performing maintenance activities under all plant operating or shutdown conditions in accordance with baseline Inspection Procedure (IP) 71111.13, Maintenance Risk Assessments and Emergent Work Control.

0609K-02 BASIS NRC requirements in this area are set forth in paragraph (a)(4) of 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. Detailed bases information for this appendix is provided in Inspection Manual Chapter (IMC) 0308, Reactor Oversight Process (ROP) Basis Document, Attachment 3, Appendix K.

0609K-03 GENERAL GUIDANCE Appendix K is to be used as a Phase 1 / 2 Significance Determination Process (SDP) tool for assessing the significance of inspection findings related to compliance with Maintenance Rule (a)(4) requirements. The input to this SDP evaluation tool is a more-than-minor inspection finding that results from the licensee's underestimate of plant risk or lack of risk assessment from ongoing or completed maintenance activities and/or the licensee's ineffective implementation of risk management actions (RMAs). Examples of more-than-minor inspection findings are provided in Appendix E, Examples of Minor Issues, of IMC 0612, Issue Screening. In addition, minor and SDP screening questions are included in IMC 0612 Appendix B, Additional Issue Screening Guidance. A licensee performance deficiency of the paragraph (a)(4) of 10 CFR 50.65 requirements must exist for the significance of a finding to be evaluated using this SDP. If appropriate, a more detailed assessment may be performed in an SDP Phase 3 evaluation (detailed risk evaluation). provides the assumptions and defined terms used in this SDP. Flowcharts 1 and 2 are used to categorize individual inspection findings as either Green, White, Yellow, or Red.

Specifically, flowchart 1 provides guidance to determine the significance of inspection findings related to inadequate risk assessment and risk management actions. Flowchart 2 is to be used for evaluating the significance of failure to implement risk management actions when the maintenance risks are adequately assessed.

Issue Date: 10/16/20 1 0609 Appendix K

It is expected that resident inspectors will support Senior Reactor Analysts (SRAs), or other risk analysts, as necessary to assess the significance of maintenance rule (a)(4) related inspection findings.

Note: This guidance does not apply to the following situations: (1) those licensees who only perform qualitative analyses of plant configuration risk due to maintenance activities, or (2) performance deficiencies related to maintenance activities affecting SSCs needed for fire (unless quantitatively analyzed) or seismic mitigation. When performance deficiencies are identified with either 1 or 2 above, the significance of the deficiencies must be determined by an internal NRC management review using risk insights where possible in accordance with IMC 0612, Issue Screening.

0609K-04 SPECIFIC GUIDANCE 04.01 Step 4.1 - Determination of Actual Risk This SDP uses the incremental core damage probability (ICDP) metric rather than change in core damage frequency (CDF), the annualized risk increase, used in other reactor safety SDPs. The ICDP accounts for the amount of the time in which the plant configuration change existed. Attachment 1 provides the mathematical formulas for these metrics.

The risk deficit for performance deficiencies is determined in an increasing order of magnitude to reflect the amount of the risk increase due to an inadequate risk assessment and lack of risk management actions. Specifically, the incremental core damage probability deficit (ICDPD) and the incremental large early release probability deficit (ILERPD) are the risk metrics used to evaluate the magnitude of the error in the licensees inadequate risk assessment of the temporary risk increases due to maintenance activities/configurations.

04.01.01 Step 4.1.1 - Licensee Evaluation of Risk When the inspector has identified that the licensee has performed an inadequate risk assessment, or none at all, the actual maintenance risk configuration-specific CDF must first be adequately or accurately assessed. The inspector should discuss the results of the risk assessment with the licensee before proceeding with any further risk assessment. The new risk assessment value may be obtained in several ways including having the licensee perform the omitted maintenance risk assessment; or re-perform the assessment, correcting those errors and/or omissions that rendered the original risk assessment inadequate. It is expected that having the licensee re-evaluate the actual maintenance configuration would be the norm for (a)(4) issues.

04.01.02 Step 4.1.2 - NRC Evaluation of Risk Alternatively, the inspector may request the regional SRA or other risk analyst to independently evaluate the risk if there are specific concerns regarding the adequacy of the licensees assessment such as:

a. The licensees maintenance configuration change excluded multiple systems.
b. There are notable limitations with the licensees configuration risk assessment tool Issue Date: 10/16/20 2 0609 Appendix K

(e.g., does not address potential changes to initiating event frequencies).

c. There are known quality issues with the licensees configuration risk assessment tool (e.g., is not consistent with the plant PRA).
d. The quantitative risk assessment contained invalid assumptions and/or omissions.

To request an independent risk assessment, the inspector should provide the following information to the regional SRA or risk analyst:

a. Structures, Systems, and Components (SSCs) configuration in the specific time window of concern with actual time of SSCs removed from service and when returned to service.
b. Description of testing or other maintenance activities that potentially increased the likelihood of an initiating event.
c. Description of actual compensatory actions implemented.
d. Licensees risk assessment.

If the finding involves maintenance activities during shutdown conditions, then the appropriate checklist reflecting the plant shutdown mode from IMC 0609, Appendix G, Attachment 1, should be checked and provided to the SRA.

For findings that have significance preliminarily determined to be White, Yellow, or Red, an SRA may perform a Phase 3 analysis, if necessary.

04.02 Step 4.2 Determination of Risk Deficit If the licensee failed to perform a risk assessment, the actual risk increase (ICDPactual ) is the product of the incremental CDF and the annualized fraction of the duration of the configuration

[i.e., ICDPactual = ICDFactual x (duration in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year)], where ICDFactual = CDFactual - CDFzero-maintenance.

The risk deficit, ICDPD, is equal to ICDP when the licensees performance deficiency involves not conducting a risk assessment.

For a flawed risk assessment, the risk deficit, ICDPD, = ICDP actual - ICDPflawed assuming the ICDPactual > ICDPflawed.

If the actual, correctly assessed ICDP, is significantly greater than 1E-6 (i.e., one order of magnitude or greater), the net risk deficit is determined by subtracting 1E-6 from the risk deficit (ICDPD) as determined above, prior to determining an SDP color.

The significance of the licensees underestimate (or lack of estimate) of the risk (i.e., ICDPD) is then determined by using Flowchart 1. The significance of the ILERPD, if applicable, is determined in a similar fashion.

Issue Date: 10/16/20 3 0609 Appendix K

04.03 Step 4.3 - Evaluation of Risk Management Actions As discussed in NUMARC 93-01, Revision 4F, Section 11.3.7.4, Risk Management Actions, the following categories of appropriate RMAs can be used to manage risk associated with a maintenance activity:

  • increasing risk awareness and control,
  • reducing duration of maintenance activity,
  • minimizing magnitude of risk increase,
  • establishing action thresholds such that risk significant configurations are not normally entered voluntarily.

Because the risk benefits of some of these RMAs are generally not quantifiable, the approach chosen for quantitatively determining the significance of failure to manage risk is to assign credit for these actions in reducing the risk impact of the assessed configuration. Therefore, the simple screening rule used in this SDP is to assign a credit of one-half order of magnitude reduction in risk to the correctly calculated risk if the licensee effectively implemented one or two categories of the RMAs to manage risk. The RMAs credited for risk reduction are only those for which credit was not already taken in the risk calculation. If the licensee effectively implemented three or more categories of the RMAs that have not already been evaluated in the risk calculation, an order of magnitude reduction in risk is credited against the actual maintenance risk. This approach allows the significance of failure to manage risk to be expeditiously determined without using quantitative approaches that would likely require intensive resources.

If the risk is inadequately assessed, or not assessed at all, the significance of the performance deficiency is evaluated using this SDP. The resultant failure to take RMAs due to lack of risk recognition merely provides no mitigation of the risk deficits.

When the risk is adequately assessed, the licensee will normally be expected to effectively implement only those RMAs prescribed for the assessed risk by site procedures. Under certain circumstances, specific compensatory measures may also be prescribed by license conditions, technical specifications, notices of enforcement discretion, and/or special commitments, as applicable. Flowchart 2 is provided to evaluate the significance of a licensees failure to implement one or more categories of RMAs either as prescribed by any of the sets of requirements discussed above. The adequacy of licensees RMAs should be assessed using the specific guidance provided in baseline IP 71111.13 and licensees applicable implementing procedures.

Issue Date: 10/16/20 4 0609 Appendix K

Flowchart 1 Assessment of Risk Deficit 10 CFR 50.65 (a)(4)

Performance Issue Is finding related to RMAs only?

Yes No Go to flowchart 2 Determine actual risk (Step 4.1)

Determine risk deficit (Step 4.2)

Is Risk Deficit Is Risk Deficit

> 1 E-6 (ICDPD) or No Green Finding Yes < 5 E-6 (ICDPD) or No

> 1 E-7 (ILERPD)? < 5 E-7 (ILERPD)?

Yes Yes Yes White Finding Is Risk Deficit 3 or more RMAs 1 or 2 RMAs

> 1 E-5 (ICDPD) or No taken? No No taken?

> 1 E-6 (ILERPD)? (Step 4.3)

Yes Is Risk Deficit Yes > 1 E-4 (ICDPD) or

> 1 E-5 (ILERPD)?

No 3 or more RMAs 1 or 2 RMAs No taken? taken?

3 or more RMAs No 1 or 2 RMAs taken? No taken? No Yes Yes Yes Yes White Finding Yellow Finding Red Finding Yellow Finding Is Risk Deficit Yes < 5 E-5 (ICDPD) or No Is Risk Deficit No < 5 E-6 (ILERPD)?

Yes < 5 E-4 (ICDPD) or

< 5 E-5 (ILERPD)?

Issue Date: 10/16/20 5 0609 Appendix K

Flowchart 2 From Flowchart 1 Assessment of RMAs 10 CFR 50.65 (a)(4) performance issue associated with RMAs only Is Is ICDP > 1 E-6 or No Green Finding Yes ICDP < 5 E-6 or No ILERP > 1 E-7 ? ILERP < 5 E-7?

Yes Yes Yes White Finding Is 3 or more RMAs 1 or 2 RMAs ICDP > 1 E-5 or No taken? No No taken?

ILERP> 1 E-6?

Yes Is Yes ICDP > 1 E-4 or ILERP > 1 E-5?

No 3 or more RMAs 1 or 2 RMAs No taken? taken?

3 or more RMAs No 1 or 2 RMAs taken? No taken? No Yes Yes Yes Yes White Finding Yellow Finding Red Finding Yellow Finding Is Yes ICDP < 5 E-5 or No Is No ILERP < 5 E-6?

Yes ICDP < 5 E-4 or ILERP < 5 E-5 ?

END Issue Date: 10/16/20 6 0609 Appendix K

ATTACHMENT 1 ADDITIONAL GUIDANCE The following assumptions and defined terms regarding licensee risk assessments and risk management actions (RMAs) are necessary to understand and efficiently use this maintenance rule (a)(4) SDP evaluation tool.

1.0 RISK ASSESSMENTS AND RISK MANAGEMENT ACTIONS The intent of paragraph (a)(4) is for licensees to appropriately assess the risks of proposed maintenance activities that will:

  • directly, or may inadvertently, result in equipment being taken out of service,
  • involve temporary alterations or modifications that could impact SSC operation or performance,
  • be affected by other maintenance activities, plant conditions, or evolutions, and/or

Paragraph (a)(4) requires management of the resultant risk using insights from the assessment.

Therefore, licensee risk assessments should properly determine the risk impact of planned maintenance configurations to allow effective implementation of RMAs to limit any potential risk increase when maintenance activities are actually being performed. Although the level of complexity in an assessment would be expected to differ from plant to plant, as well as from configuration to configuration within a given plant, it is expected that licensee risk assessments would provide insights for identifying risk-significant activities and minimizing their durations. In general, the following two types of licensee performance deficiencies in meeting (a)(4) requirements can be defined.

A. Failure to Perform an Adequate Risk Assessment. The failure to perform an adequate risk assessment in accordance with 10 CFR 50.65 (a)(4) prior to the conduct of maintenance activities includes the following deficiencies which result in underestimating the risk.

1. Failure to perform a risk assessment for maintenance configuration changes.
2. Failure to update a risk assessment for changes in the assessed plant conditions (e.g., changes in maintenance activities or emergent conditions). However, performance or re-evaluation of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions. If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted, or re-evaluated if already performed.
3. Failure to perform a complete risk assessment including all affected/involved SSCs within the scope of SSCs required for (a)(4) assessments, and considering (or adequately considering) all plant-relevant plant conditions or evolutions, Issue Date: 10/16/20 Att1-1 0609 Appendix K

external events (excluding fire, unless quantitatively analyzed and seismic),

internal flooding, and/or containment integrity.

4. Failure to consider maintenance activities which have historically had a high likelihood of introducing a transient leading to an initiating event that would result in risk-significant configurations.
5. Improper use of the risk assessment tool or process (i.e., beyond its capabilities or limitations, or under plant conditions for which it was neither designed nor in accordance with site procedures).
6. Deficient risk-informed evaluation process for limiting the scope of SSCs to be included in (a)(4) risk assessments as identified by NRC inspection (e.g., IP 62709).
7. Flawed risk assessment tool or process as identified by NRC inspection (e.g., IP 62709).

Underestimating or not estimating the risk of maintenance activities may not significantly increase the expected overall plant risk, in terms of core damage frequency (CDF) or large early release frequency (LERF). However, underestimating the risk may result in lack of risk awareness that could preclude RMAs and allow a high-risk configuration to persist unrecognized and uncompensated. Allowing a high-risk configuration with an unassessed CDF increase to persist longer than necessary, or desirable, will increase the exposure time and hence the incremental (integrated) core damage probability (ICDP) and/or the incremental large early release probability (ILERP) as defined below. Finally, unawareness of unassessed or inadequately assessed risk may allow actions or events to occur that could directly increase risk or hamper recovery from accidents or transients.

Licensees that have adopted RMA color thresholds that are not ICDP or ILERP based, may need to have performance converted to correspond to a probability unit of measure.

B. Failure to Manage Risk. Failure to manage the risk impacts of proposed maintenance activities means a failure to implement, in whole or in part, the key elements of the licensees risk management program. However, this deficiency will not result in an additional risk increase to the assessed risk of the maintenance configuration in terms of CDF or LERF. Measures to minimize the duration of the risk associated with a maintenance activity/configuration are a principal RMA. Nevertheless, failure to implement such measures when they are possible and practicable will allow the ICDP and/or the ILERP to increase further as the elevated risk condition persists.

Appropriate and suitable RMAs can only reduce the risk incurred from a given configuration change.

RMAs should be implemented in a graduated manner, commensurate with various increases above the plants baseline risk, to control the overall risk impact of an assessed maintenance configuration. However, licensees use a variety of methods for categorizing risk significance and managing the risk according to the significance category.

Issue Date: 10/16/20 Att1-2 0609 Appendix K

NUMARC 93-01 is endorsed by the NRC in Regulatory Guide 1.160. RMA levels or categories/bands were prescribed in the revised Section 11 of NUMARC 93-01, Revision 2, and subsequently incorporated in Revision 3 and Revision 4F of NUMARC 93-01. These risk bands are defined in terms of the ICDP, making them readily comparable to the risk levels used in determining the significance of the risk deficits.

For licensees that have adopted this guidance, normal work controls are allowed by site procedures for ICDPs less than 1E-6. For ICDPs of 1E-6 or greater, RMAs are prescribed. Section 11 of NUMARC 93-01 states that maintenance risk configurations above ICDP value of 1E-5 should not be entered voluntarily. Site procedures will prohibit this activity entirely or will allow it only with fairly rigorous restrictions that typically include the plant managers written permission along with extensive RMAs.

Site procedures may further define specific detailed RMAs or plans for routinely allowable risk categories as well. It should be noted that when evaluating the adequacy of a licensees RMAs, the inspector should consider only those actions that could have potential risk implications and are required by the licensees procedures, such as working around the clock, installing backup equipment, and reducing duration of maintenance activity.

2.0 DEFINITIONS The following are definitions of terms used throughout this SDP.

Incremental Core Damage Frequency (ICDF). The ICDF is the difference between the actual, adequately assessed, maintenance risk (configuration-specific CDF) and the zero-maintenance CDF. The configuration-specific CDF or ICDF are annualized risk estimates with the out-of-service or otherwise affected SSCs considered unavailable.

Incremental Core Damage Probability (ICDP). The ICDP is the product of the incremental CDF and the annual fraction of the duration of the configuration [i.e., ICDP = ICDF x (duration in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year)]. Note that the ICDP is sometimes expressed as the integrated or integral ICDP (i.e., the delta CDF or ICDF integrated over the time of its duration which increases as the elevated-risk configuration persists). Figure 1 is a graphical representation of this concept.

Issue Date: 10/16/20 Att1-3 0609 Appendix K

Incremental Core Damage Frequency Deficit (ICDFD). The ICDFD is that portion of the ICDF defined as the difference between the actual maintenance-configuration-specific CDF (called ICDFactual for purposes of this definition) and the maintenance-related ICDF as originally and inadequately assessed (flawed) by the licensee (ICDFflawed). Therefore, the ICDFD = ICDFactual -

ICDFflawed. Note that if the licensee has failed to assess maintenance risk entirely when required (i.e., there is no licensee risk assessment), then the ICDFD will be equal to the entire value of the ICDF. The safety significance of the ICDFD (i.e., the magnitude of the licensees underestimate (or lack of estimate) of the risk) is determined by means of this SDP.

Incremental Core Damage Probability Deficit (ICDPD). The ICDPD is the product of the ICDFD and the exposure (i.e., the annual fraction of the duration of the unassessed or inadequately assessed configuration. Thus, the ICDPD = ICDFD x (exposure in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year). Note that similar to the ICDFD, the ICDPD equals the ICDP when there is no risk assessment, rather than a flawed risk assessment. Note also that Exposure equals Duration if the risk remained unassessed or inadequately assessed for the entire duration of the configuration. The safety significance of the ICDPD (i.e., the magnitude of the licensees underestimate (or lack of estimate) of the risk (in terms of ICDP)), may also be determined by means of this SDP. Figure 2 is a graphical representation of this concept.

Issue Date: 10/16/20 Att1-4 0609 Appendix K

Incremental Large Early Release Frequency (ILERF). The ILERF is the difference between the actual, adequately determined maintenance activity/configuration-specific LERF and the zero maintenance model results, if determinable. Note that LERF and ILERF are determinable only if the plant has a Level-II PRA and a risk tool or process capable of quantitatively assessing Level-II risk beyond a qualitative assessment of the impact of containment integrity.

Incremental Large Early Release Frequency Deficit (ILERFD). The ILERFD is used to evaluate the significance of a finding under the following conditions (1) an impact on containment integrity from or concurrent with the maintenance activity occurs, (2) this impact is/was not qualitatively assessed, and (3) the impact is/was quantitatively assessed, but not adequately. Under these conditions the ILERFD is meaningful and is that portion of the ILERF defined as the difference between the actual maintenance-configuration-specific LERF (called ILERFactual for purposes of this definition) and the maintenance-related ILERF as originally and inadequately assessed by the licensee (ILERFflawed). Therefore, the ILERFD=ILERFactual ILERFflawed. Note that if the licensee has failed to assess maintenance risk entirely when required (i.e., there is no licensee risk assessment) and there is an impact on containment integrity from or concurrent with the maintenance activity, this impact can be neither qualitatively nor quantitatively assessed.

Therefore, the ILERFD will be equal to the entire value of the ILERF. The safety significance of the licensees underestimate (or lack of estimate) of the Level-II risk (i.e., ILERFD) may also be determined by means of this SDP, if appropriate.

Incremental Large Early Release Probability (ILERP). The ILERP is the product of the incremental large early release frequency (ILERF) and the annual fraction of the duration of the configuration. The ILERP = (ILERF x duration in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year).

Issue Date: 10/16/20 Att1-5 0609 Appendix K

Incremental Large Early Release Probability Deficit (ILERPD). The ILERPD is the product of the ILERFD with the annual fraction of the duration of the unassessed or inadequately assessed configuration, or that portion of the annual fraction of the duration of the maintenance configuration during which its risk (in terms of ILERF or ILERP) remained unassessed or inadequately assessed.

Note that although an adequate maintenance risk assessment is expected to include the impact of containment integrity, at least qualitatively, there is no regulatory requirement for a quantitative risk assessment using a Level-II PRA. Paragraph (a)(4) of 10 CFR 50.65 neither prohibits nor explicitly discourages incurring maintenance risk. It only requires that the risk of maintenance activities be assessed (which can be done qualitatively, quantitatively, or, as is often the case, in a blended fashion) and managed.

Zero-Maintenance CDF(Risk). The CDF estimate of plant baseline configuration where all SSCs modeled in PRA are considered available.

Baseline CDF(Risk). The CDF estimate derived from a PRA model that considers average annual maintenance (preventive and corrective maintenance) unavailability data, and plant specific reliability data (failure rates).

Note that inadequate risk assessment or risk management for work not yet started is not an (a)(4) violation, but it still represents a licensee performance deficiency and may be indicative of deficiencies in previous risk assessments, RMAs and/or in the licensee's (a)(4) program. This SDP is not suited for determining the significance of this type of performance deficiency. This type of issue can normally be expected to be screened to Green in accordance with Reactor SDP Phase 1 screening.

Issue Date: 10/16/20 Att1-6 0609 Appendix K

ATTACHMENT 2 Revision History for IMC 0609 Appendix K Comment Resolution Accession Description of and Closed Feedback Number Training Commitment Form Accession Issue Date Description of Change Required Tracking Number Number Change and Completion (Pre-Decisional, Notice Date Non-Public Information)

N/A ML051400244 Initial Issuance. Completed 4 year search for None N/A 5/19/05 commitments and found none.

CN 05-014 N/A ML20202A459 Revised for 5-yr update. Corrected formatting to None ML20206K988 10/16/20 conform to IMC 0040 requirements.

CN 20-051 Issue Date: 10/16/20 Att2-1 0609 Appendix K

Retrieved from "https://kanterella.com/w/index.php?title=ML20202A459&oldid=2947910"