ML20202A478

From kanterella
Jump to navigation Jump to search
IMC 0308 Att 3 App K Technical Basis for Maintenance Risk Assessment and Risk Management Significance Determination Process
ML20202A478
Person / Time
Issue date: 10/16/2020
From: John Hughey
NRC/NRR/DRA/APOB
To:
Hughey J
Shared Package
ML20206K969, ML20289A806 List:
References
CN 20-051, DC 20-017
Download: ML20202A478 (16)
v  d  e


Text

Issue Date: 10/16/20 1

0308 Att 3 App K NRC INSPECTION MANUAL APOB INSPECTION MANUAL CHAPTER 0308 ATTACHMENT 3 APPENDIX K TECHNICAL BASIS FOR MAINTENANCE RISK ASSESSMENT AND RISK MANAGEMENT SIGNIFICANCE DETERMINATION PROCESS Effective Date: 01/01/2021 0308.03K-01 PURPOSE This document provides the basis for Inspection Manual Chapter (IMC) 0609, Appendix K for the assessment of licensee performance deficiencies related to licensee assessment and management of the risk associated with performing maintenance activities. Oversight of licensee performance in assessing and managing the risk of plant maintenance activities is conducted principally by baseline Inspection Procedure (IP) 71111.13, Maintenance Risk Assessments and Emergent Work Control, or Supplemental IP 62709, Configuration Risk Assessments and Risk Management Process.

0308.03K-02 BASIS The NRC requirements in this area are set forth in paragraph (a)(4) of 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, effective November 28, 2000.

The intent of paragraph (a)(4) is to have licensees appropriately assess the risks of proposed maintenance activities that will (1) directly, or may inadvertently, result in equipment being taken out of service, (2) involve temporary alterations or modifications that could impact structure, system, or component (SSC) operation or performance, (3) be affected by other maintenance activities, plant conditions, or evolutions, and/or (4) be affected by external events, internal flooding, or containment integrity. Paragraph (a)(4) requires management of the resultant risk using insights from the assessment. Therefore, licensee risk assessments should properly determine the risk impact of planned maintenance configurations to allow effective implementation of risk management actions (RMAs) to limit any potential risk increase when maintenance activities are actually being performed. Although the level of complexity in an assessment would be expected to differ from plant to plant, as well as from configuration to configuration within a given plant, it is expected that licensee risk assessments would provide insights for identifying risk-significant activities and minimizing their durations.

0308.03K-03 BACKGROUND During the initial implementation phase of the reactor oversight process (ROP), a task group was formed to review the adequacy of the reactor safety Significance Determination Process (SDP) to assess the significance of maintenance rule (MR) related inspection findings. The task group, consisting of staff from NRR and the regions, concluded that the existing reactor SDP did not address issues related to risk assessment and risk management associated with performance of maintenance activities and recommended that a new SDP be developed to

Issue Date: 10/16/20 2

0308 Att 3 App K assess the risk significance of these findings. This recommendation was based on the following reasons: (1) existing SDP phase 1 worksheet may inappropriately screen risk-significant plant maintenance configurations to green, (2) phase 2 site-specific inspection notebooks lack the necessary level of detail and completeness to assess maintenance configurations with multiple equipment out-of-service, and (3) licensees are already using phase 3 type analyses (and tools) to assess the at-power risks of maintenance configurations. The task group developed a draft SDP to evaluate the significance of MR (a)(4) issues, such as (1) failure to perform an adequate risk assessment, and (2) failure to manage risk. The proposed SDP concept was first discussed with industry groups in a public workshop held on March 2001 and further SDP refinements were discussed during routine ROP public meetings to obtain industry feedback. The subject SDP incorporated internal and external feedback and recommendations. IMC 0609, Appendix K is to be used as a Phase 2 SDP tool for assessing the significance of inspection findings related to compliance with Maintenance Rule (a)(4) requirements.

0308.03K-04 METRICS USED The incremental core damage probability deficit (ICDPD) and the incremental large early release probability deficit (ILERPD) are the metrics used to evaluate the magnitude of the error in the licensees inadequate risk assessment of the temporary risk increases due to maintenance activities/configurations. Note that this SDP uses the Incremental Core Damage Probability (ICDP) metric rather than change in core damage frequency (CDF), the annualized risk increase, used in other reactor SDPs. The incremental plant risk (ICDP) is a function of the amount of the time in which the plant configuration change exists (time dependent). Thus the risk increase of a configuration can be best represented in terms of a probability metric.

0308.03K-05 DEFINITIONS USED The following are definitions of terms used throughout this SDP.

Incremental Core Damage Frequency (ICDF). The ICDF is the difference between the actual (adequately/accurately assessed) maintenance risk (configuration-specific CDF) and the zero-maintenance CDF. The configuration-specific CDF or ICDF is the annualized risk estimate with the out-of-service or otherwise affected SSCs considered unavailable.

Incremental Core Damage Probability (ICDP). The ICDP is the product of the incremental CDF and the annual fraction of the duration of the configuration [i.e., ICDP = ICDF x (duration in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year)]. Note that the ICDP is sometimes expressed as the integrated or integral ICDP (i.e., the delta CDF or ICDF integrated over the time of its duration which increases as the elevated-risk configuration persists). Figure 1 is a graphical representation of this concept.

Issue Date: 10/16/20 3

0308 Att 3 App K Incremental Core Damage Frequency Deficit (ICDFD). The ICDFD is defined as the difference between the actual maintenance-configuration-specific CDF (called ICDFactual) and the maintenance-related ICDF as originally and inadequately assessed (flawed) by the licensee (ICDFflawed). Therefore, the ICDFD=ICDFactual - ICDFflawed. Note that if the licensee has failed to assess maintenance risk entirely when required (i.e., there is no licensee risk assessment), then the ICDFD will be equal to the entire value of the ICDF. The safety significance of the ICDFD (i.e., the magnitude of the licensees underestimate, or lack of estimate, of the risk) is determined by means of this SDP.

Incremental Core Damage Probability Deficit (ICDPD). The ICDPD is the product of the ICDFD and the Exposure (i.e., the annual fraction of the duration of the unassessed or inadequately assessed configuration). Thus, the ICDPD = ICDFD x (exposure in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year). Note that similar to the ICDFD, the ICDPD equals the ICDP when there is no risk assessment, rather than a flawed risk assessment. Note also that Exposure equals Duration if the risk remained unassessed or inadequately assessed for the entire duration of the configuration. The safety significance of the ICDPD (i.e., the magnitude of the licensees underestimate, or lack of estimate, of the risk in terms of ICDP), may also be determined by means of this SDP. Figure 2 is a graphical representation of this concept.

Issue Date: 10/16/20 4

0308 Att 3 App K Incremental Large Early Release Frequency (ILERF). The ILERF is the difference between the actual, adequately determined maintenance activity/configuration-specific LERF and the zero maintenance LERF, if determinable. Note that LERF and ILERF are determinable only if the plant has a Level-II probabilistic risk analysis/probabilistic safety assessment (PRA/PSA) and a risk tool or process capable of quantitatively assessing Level-II risk beyond a qualitative assessment of the impact of containment integrity.

Incremental Large Early Release Frequency Deficit (ILERFD). The ILERFD is used to evaluate the significance of a finding under the following conditions: (1) an impact on containment integrity from or concurrent with the maintenance activity occurs, (2) this impact is/was not qualitatively assessed, and (3) the impact is/was quantitatively assessed, but not adequately.

Under these conditions the ILERFD is meaningful and is that portion of the ILERF defined as the difference between the actual maintenance-configuration-specific LERF (called ILERFactual for purposes of this definition) and the maintenance-related ILERF as originally and inadequately assessed by the licensee (ILERFflawed). Therefore, the ILERFD=ILERFactual ILERFflawed. Note that if the licensee has failed to assess maintenance risk entirely when required (i.e., there is no licensee risk assessment) and there is an impact on containment integrity from or concurrent with the maintenance activity, this impact can be neither qualitatively nor quantitatively assessed. Therefore, the ILERFD will be equal to the entire value of the ILERF. The safety significance of the licensees underestimate (or lack of estimate) of the Level-II risk (i.e., ILERFD) may also be determined by means of this SDP, if appropriate.

Incremental Large Early Release Probability (ILERP). The ILERP is the product of the incremental large early release frequency (ILERF) and the annual fraction of the duration of the configuration. The ILERP = (ILERF x duration in hours) ÷ (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> per reactor-year).

Incremental Large Early Release Probability Deficit (ILERPD). The ILERPD is the product of the ILERFD with the annual fraction of the duration of the unassessed or inadequately assessed

Issue Date: 10/16/20 5

0308 Att 3 App K configuration, or that portion of the annual fraction of the duration of the maintenance configuration during which its risk (in terms of ILERF or ILERP) remained unassessed or inadequately assessed.

Note that although an adequate maintenance risk assessment is expected to include the impact of containment integrity, at least qualitatively, there is no regulatory requirement for a quantitative risk assessment using a Level-II PRA. Paragraph (a)(4) of 10 CFR 50.65 neither prohibits nor explicitly discourages incurring maintenance risk. It only requires that the risk of maintenancejeans activities be assessed (which can be done qualitatively, quantitatively, or, as is often the case, in a blended fashion) and managed.

PRA Function. PRA function refers to the ways in which the SSC can be used in a PRA to prevent an initiating event from resulting in core damage. An SSC may have more or different PRA functions than those functions for which it is credited in the design or licensing basis. For example, the design function of the core spray system may be limited to mitigation of large loss of coolant accidents (LOCAs). As such, the accident analysis may define a certain flowrate required to mitigate that accident. However, the core spray system can be credited in a PRA to provide coolant injection in any scenarios in which coolant injection is needed and pressure can be reduced such that the system can operate. Thus, the PRA function of the core spray system is not limited to the mitigation of large LOCAs and the system may be able to perform some of its other PRA functions without meeting its design flowrate.

Restoration Actions. In some cases SSCs out of service for testing are considered unavailable, unless the test configuration is automatically overridden by a valid starting signal, or the function can be promptly restored either by an operator in the control room or by a dedicated operator stationed locally for that purpose. Restoration actions must be contained in a written procedure, must be uncomplicated (a single action or a few simple actions), and must not require diagnosis or repair. Credit for a dedicated local operator can be taken only if (s)he is positioned at the proper location throughout the duration of the test for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration actions that are virtually certain to be successful (i.e., probability nearly equal to 1) during accident conditions.

If the restoration actions are virtually certain to be successful due to emergent conditions, the risk assessment may consider the time necessary for restoration of the SSC's function, with respect to the time at which performance of the function would be needed.

Zero-Maintenance CDF (Risk). The CDF estimate of plant baseline configuration where all SSCs modeled in PRA are considered available.

Baseline CDF (Risk). The CDF estimate derived from a PRA model that considers average annual maintenance (preventive and corrective maintenance) unavailability data, and plant specific reliability data (failure rates).

Note that inadequate risk assessment or risk management for work not yet started is not an (a)(4) violation, but it still represents a licensee performance deficiency and may be indicative of deficiencies in previous risk assessments, RMAs and/or in the licensee's (a)(4) program. This SDP is not suited for determining the significance of this type of performance deficiency. This issue will be screened to Green in accordance with Reactor SDP Phase 1 screening.

Issue Date: 10/16/20 6

0308 Att 3 App K 0308.03K-06 SDP METHODOLOGY Once an inspection finding satisfies the IMC 0612 minimum threshold process, the finding can then be evaluated using the following Table (Table 1) or the flowcharts in IMC 0609, Appendix K. The input to the maintenance rule (a)(4) SDP is an inspection finding that has some significance due to the licensee's underestimate of plant risk or lack of risk assessment from ongoing or completed maintenance activities and/or the licensee's ineffective implementation of RMAs.

The SDP methodology described below does not directly apply to those licensees who perform qualitative analyses of plant configuration risk due to maintenance activities. When performance deficiencies are identified with qualitative assessments, the inspector should determine significance of the deficiency by an internal NRC management review using risk insights where possible. Use of risk insights may include an independent NRC quantitative risk assessment (e.g., use of plant specific Standardized Plant Analysis Risk model). It is expected that most licensees will perform quantitative assessments for at-power conditions but not necessarily for plant shutdown conditions. In addition, quantitative risk assessments for the large early release frequency (LERF) and external events (e.g., fire, seismic) risk effects may not be performed due to the lack of probabilistic risk tools for these effects. For these risk effects, a qualitative assessment may be used and the approach described above should also be used to determine significance. Therefore, this guidance does not apply to the following situations: (1) those licensees who only perform qualitative analyses of plant configuration risk due to maintenance activities, or (2) performance deficiencies related to maintenance activities affecting SSCs needed for fire (unless quantitatively analyzed) or seismic mitigation. When performance deficiencies are identified with either 1 or 2 above, the significance of the deficiencies must be determined by an internal NRC management review using risk insights where possible in accordance with IMC 0612, Issue Screening.

Underestimating or not estimating the risk of maintenance activities may not significantly increase the expected overall plant risk in terms of CDF or LERF. However, underestimating the risk may result in lack of risk awareness that could preclude RMAs and allow a high-risk configuration to persist unrecognized and uncompensated. Allowing a high-risk configuration with an unassessed CDF increase to persist longer than necessary, or desirable, may increase the exposure time and hence the ICDP and/or the ILERP. Finally, unawareness of unassessed or inadequately assessed risk may allow actions or events to occur that could directly increase risk or hamper recovery from accidents or transients.

Licensees who have adopted RMA color thresholds that are not ICDP or ILERP based, may need to have performance converted to correspond to a probability unit of measure.

When the inspector has identified that the licensee has performed an inadequate risk assessment (or none at all), the actual maintenance risk (configuration-specific CDF) must first be adequately or accurately assessed. The inspector should discuss the results of the risk assessment with the licensee before proceeding with any further risk assessment. The new risk assessment value may be obtained in several ways including having the licensee perform the omitted maintenance risk assessment, or re-perform it, correcting those errors and/or omissions that rendered its original risk assessment inadequate. Alternatively, the inspector may request the regional SRA(s) or the headquarters risk analyst(s) to independently evaluate the risk using the plant-specific SPAR model or other tools. For this, the inspector needs to provide information as shown in the SDP. For findings that have significance preliminarily determined to be White, Yellow or Red, an SRA may perform a Phase 3 analysis, if necessary.

Issue Date: 10/16/20 7

0308 Att 3 App K The original flawed risk assessment value is subtracted from the actual/correct ICDF to obtain the risk deficit or ICDFD. The ICDFD is converted into ICDPD. Note that ICDPD is equal to ICDP when there was no risk assessment performed by the licensee. If ICDP is significantly greater than 1E-6 (i.e., one order of magnitude or greater), the net risk impact must be assessed by subtracting 1E-6 from the risk deficit (ICDPD) as determined above, prior to determining an SDP color. This is because licensees are not normally expected to take RMAs for ICDP,1E-6. Therefore, the net risk deficit that should be considered for quantitative significance determination should be that portion of the ICDPD that is in excess of 1E-6. The safety significance of the licensees underestimate (or lack of estimate) of the risk is then determined by entering Table 1 or flowchart 1 (IMC 0609, Appendix K) with the value of ICDPD as determined above and finding the matching color. The color of the ILERPD, if applicable, is determined in a similar fashion.

In general, the following two types of licensee performance deficiencies in meeting (a)(4) requirements can be defined:

a.

Failure to Perform an Adequate Risk Assessment. The failure to perform an adequate risk assessment in accordance with 10 CFR 50.65 (a)(4) prior to the conduct of maintenance activities includes the following deficiencies which result in underestimating the risk.

1.

Failure to perform a risk assessment for maintenance configuration changes.

2.

Failure to update a risk assessment for changes in the assessed plant conditions (e.g., changes in maintenance activities or emergent conditions). However, performance or re-evaluation of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions. If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted, or re-evaluated if already performed.

3.

Failure to perform a complete risk assessment including all affected/involved SSCs within the scope of SSCs required for (a)(4) assessments, and considering (or adequately considering) all plant-relevant plant conditions or evolutions, external events, internal flooding, and/or containment integrity.

4.

Failure to consider maintenance activities which have historically had a high likelihood of introducing a transient leading to an initiating event that would result in risk-significant configurations.

5.

Improper use of the risk assessment tool or process (i.e., beyond its capabilities or limitations, or under plant conditions for which it was neither designed nor in accordance with site procedures).

6.

Deficient risk-informed evaluation process for limiting the scope of SSCs to be included in (a)(4) risk assessments as identified by NRC inspection in accordance with IP 62709.

7.

Flawed risk assessment tool or process as identified by NRC inspection in accordance with IP 62709.

Issue Date: 10/16/20 8

0308 Att 3 App K

b.

Failure to Manage Risk. Failure to manage the risk impacts of proposed maintenance activities means a failure to implement, in whole or in part, the key elements of the licensees risk management program. However, this deficiency will not result in an additional risk increase to the assessed risk of the maintenance configuration in terms of CDF or LERF, unless an event actually occurs that results in additional risk impacts.

Measures to minimize the duration of the risk associated with a maintenance activity/configuration are a principal RMA. Nevertheless, failure to implement such measures when they are possible and practicable will allow the ICDP and/or the ILERP to increase further as the elevated risk condition persists. Appropriate and suitable RMAs can only reduce the risk incurred from a given configuration change.

RMAs should be implemented in a graduated manner, commensurate with various increases above the plants baseline risk, to control the overall risk impact of an assessed maintenance configuration. However, licensees use a variety of methods for categorizing risk significance and managing the risk according to the category.

NUMARC 93-01 is endorsed by the NRC in Regulatory Guide 1.160. RMA levels or categories/bands were prescribed in the revised Section 11 of NUMARC 93-01, Revision 2, and subsequently incorporated in Revision 3 and Revision 4F of NUMARC 93-01. These risk bands are defined in terms of the ICDP, making them readily comparable to the risk levels used in determining the significance of the risk deficits.

For licensees that have adopted this guidance, normal work controls are allowed by site procedures for ICDPs less than 1E-6. For ICDPs of 1E-6 or greater, RMAs are prescribed. Section 11 of NUMARC 93-01 states that maintenance risk configurations above ICDP value of 1E-5 should not be entered voluntarily. Site procedures will typically prohibit this activity entirely or will allow it only with fairly rigorous restrictions that typically include the plant managers written permission along with extensive RMAs. Site procedures may further define specific detailed RMAs or plans for routinely allowable risk categories as well. It should be noted that when evaluating the adequacy of a licensees RMAs, the inspector should consider only those actions that could have potential risk implications and required by the licensees procedures, such as working around the clock, installing backup equipment, and reducing duration of maintenance activity for effective implementation of RMAs.

Issue Date: 10/16/20 9

0308 Att 3 App K Table 1 SDP Matrix for Quantitative Risk Assessment Risk Results SDP Colors for Licensee Performance Deficiency Incremental Core Damage Probability Deficit (ICDPD)

Incremental Large Early Release Probability Deficit (ILERPD)

Failure to Perform an Adequate Risk Assessment (without any mitigation for risk management)

< 1E-6

< 1E-7 GREEN

>1E-6 ~ <1E-5

>1E-7 ~ <1E-6 WHITE

>1E-5 ~ <1E-4

>1E-6 ~ <1E-5 YELLOW

> 1E-4

> 1E-5 RED 0308.03K-07 RISK MANAGEMENT ACTIONS In accordance with licensee procedures, RMAs should be implemented in a graduated manner, commensurate with various increases above the plant's zero maintenance risk. However, the risk reduction benefits of these actions are generally not quantifiable. These actions are aimed at increasing the risk awareness of key plant personnel, providing more rigorous planning and control of maintenance activities, and controlling the duration and magnitude of the increased risk. RMAs should be considered in the development of work schedules in accordance with the licensee's program and procedures. RMAs can include (but are not limited to) the following:

1.

Actions to provide increased risk awareness and control:

Discussion of planned maintenance activity with the affected operating shift(s).

Ensuring operator awareness of risk level, RMAs, protected SSCs, contingency plans, etc., and obtaining operations approval. Documenting risk information in logs, on status boards, etc.

Conducting pre-job briefing of maintenance personnel, emphasizing risk aspects of planned maintenance evolution.

Requesting system engineers to be present for the maintenance activity, or for applicable portions of the activity.

Obtaining plant management approval of the proposed activity.

Ensuring risk and RMA information on all work schedules, plans, etc.

Announcing the plant risk band in effect and what risk-significant activities are in progress on the public system (e.g., Gaitronics) periodically and when changes occur.

Issue Date: 10/16/20 10 0308 Att 3 App K

2.

Actions to reduce duration of maintenance activity:

Pre-staging parts, materials, tools and other equipment.

Walking down tagouts, equipment lineups (e.g., valves and switches) and the maintenance activity prior to starting work.

Conducting training on mockups to familiarize maintenance personnel with the activity (similar to ALARA strategies).

Working jobs during back shifts as well as day shift.

Establishing a contingency plan to restore out-of-service equipment (or functions) rapidly if needed.

3.

Actions to minimize magnitude of risk increase:

Minimizing other work in areas that could affect initiators (e.g., reactor protection system areas, switchyard, emergency diesel generator rooms, switchgear rooms) to decrease the frequency of initiating events that are mitigated by the function performed/supported by the out-of-service SSC.

Minimizing other work in areas that could affect other redundant systems (e.g.,

high pressure coolant injection/reactor core isolation cooling rooms, auxiliary feedwater pump rooms).

Establishing alternate success paths for performance of the safety function of the out-of-service SSC (note that equipment used to establish these alternate success paths need not be within the scope of the maintenance rule). Use of administrative controls to ensure that backup equipment is protected.

Establishing other compensatory measures.

Re-prioritizing and/or rescheduling maintenance activities.

4.

A final action threshold should be established so that risk significant configurations are not normally entered voluntarily.

Because the benefits of these RMAs are generally not readily quantifiable, the approach chosen for quantitatively determining the significance of failure to manage risk is to assign some credit to the effectiveness of these actions in reducing the risk impact of the assessed configuration.

Therefore, the simple screening rule used in this SDP is to assign a credit of half-decade reduction in risk to the correctly calculated risk if the licensee effectively implemented one or two categories of the RMAs to control risk. If the licensee effectively implemented three or more categories of the RMAs, an order of magnitude reduction in risk can be credited against the actual maintenance risk. This approach allows the significance of failure to manage risk to be expeditiously determined without using quantitative approaches that may require intensive resources. Flowchart 2 (IMC 0609, Appendix K) is to used for evaluating the significance of failure to implement RMAs when the maintenance risks are adequately assessed.

Issue Date: 10/16/20 11 0308 Att 3 App K If inspection staff needs assistance from the Agency technical experts in determining the adequacy of RMAs, follow the guidance in IP 71111.13, Maintenance Risk Assessments and Emergent Work Control.

0308.03K-08 EXAMPLES OF (a)(4) FINDINGS The following examples are provided to illustrate the use of the subject SDP using Flowcharts 1 and 2 (IMC 0609, Appendix K) for inspection findings that involve failure to perform an adequate risk assessment and failure to manage risk. These examples neither represent risk assessments of actual configurations nor actual examples of any MR findings.

08.01 Example 1 During the period January 14-16, 2003, plant X was operating at 75 percent power with a Division 1 partial outage in which the residual heat removal (RHR) heat exchanger A, essential service water (ESW) A 4.16-kV switchgear breaker, and Division 1 emergency diesel generator (EDG) had already been assessed for the risk of their removal from service for up to 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br />. The licensee calculated the ICDF (CDF) as 8.76E-4.

(ICDF = CDFactual - CDFzero-maintenance = 8.77E 1.0E-6).

ICDP = ICDF x [100 hrs/(8760hrs/reactor-year)]. Therefore, the resultant ICDP in this case was about 1.0E-5.

The inspectors reviewed work orders, control room logs, and risk assessments for the maintenance activities performed during the above period. The inspector noted that the licensee failed to consider the following maintenance ongoing work activities for the above risk assessment: (1) maintenance on switchyard breakers and relays by the offsite group, and (2) routine maintenance on train B Class 1E Battery system. In addition, during this time, the licensees contractors were working near the switchyard with cranes and other heavy equipment which had the potential for causing a loss-of-offsite power. Also, the licensees Division 1 partial outage was extended for an additional 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> (from the original schedule) due to the unavailability of parts and other documentation issues.

The SRA reassessed the risk with the above conditions and found the actual ICDF to be about 6.09E-3. The corresponding ICDP was 8.2 E-5.

The inspector reviewed licensees RMAs for the above maintenance configurations and noted the following deficiencies:

The RMAs did not contain actions to provide increased risk awareness and control, such as coordinating switchyard and other yard work activities that could affect the availability of offsite power sources; obtaining management review and approval of the proposed maintenance work; coordinating work activities with those assigned to offsite organizations; and requiring risk assessments prior to conducting maintenance activities and applicable risk management guidance.

The RMAs did not contain actions to reduce the duration of maintenance activity, such as verifying and pre-staging parts, materials, tools and other equipment; encouraging the performance of maintenance work during back shifts, as well as day shifts; and

Issue Date: 10/16/20 12 0308 Att 3 App K establishing contingency plans to restore out-of-service equipment (or functions) rapidly, if needed.

The RMAs did not contain actions to reduce the magnitude of a risk increase, such as minimizing work that could affect the frequency of initiating events which are mitigated by out-of-service SSCs; establishing alternate success paths for performance of the safety function of the out-of-service SSC; minimizing work that could affect redundant systems; developing administrative controls to ensure that backup equipment is protected; establishing other compensatory measures; and reprioritizing and/or rescheduling maintenance activities.

The RMAs did not establish risk thresholds so that risk significant configurations could not be normally entered voluntarily.

The inspectors reviewed this issue against the guidance contained in Appendix B, Additional Issue Screening Guidance, of IMC 0612, Issue Screening. The inspectors concluded that the issue was more than minor since the licensees risk assessment failed to consider unavailable SSCs during the maintenance. This finding is associated with inadequate 10 CFR 50.65 (a)(4) risk assessment/management and it impacted the mitigating systems cornerstone. Accordingly, the inspectors determined the significance of the finding using IMC 0609, Appendix K, "Maintenance Risk Assessment and Risk Management Significance Determination Process.

The following steps should be followed to determine the significance of the finding using this SDP (IMC 0609, Appendix K).

1.

Calculate the risk deficit (ICDPD) as follows:

Actual lCDP - original flawed ICDP-1E-6 = 8.2 E 1.0 E 1.0 E-6 = 7.1 E-5.

2.

In order to determine the significance of this value (SDP color), use flowchart 1 in IMC 0609, Appendix K.

For ICDPD = 7.1 E-5, the SDP color is Yellow. (Decision blocks Is Risk Deficit > 1E-6, and Is Risk Deficit >1E-5? were answered Yes and decision block Is Risk Deficit

>1E-4? is answered No with no RMAs taken).

3.

Next, use flowchart 1 (IMC 0609, Appendix K) and follow the decision block Is Risk Deficit >1 E-4 path No to determine whether any RMA credit should be applied to the risk deficit.

Section 4.3 of this SDP lists the following categories of appropriate RMAs:

Increased risk awareness and control.

Reducing the duration of the maintenance activity.

Minimizing the magnitude of the risk increase.

Establishing other compensatory measures to provide alternate success paths for maintaining the safety function of the out-of-service SSC (e.g., using diverse means of accomplishing the intended safety function).

Issue Date: 10/16/20 13 0308 Att 3 App K Based on the deficiencies identified in all four RMA categories, no credit is given to the licensee for RMAs. Therefore, the final significance color is Yellow.

This example illustrates a case where the licensee assessed the risk, but the risk assessment was flawed (incomplete or inadequate). This is because the licensee did not include the following in their risk assessment: all out-of-service components, additional hours due to extension of the maintenance, increased risk of a plant trip from switchyard work. The risk deficit was recalculated as shown above. The risk deficit value was assigned an SDP color Yellow using Flowchart 1 of IMC 0609, Appendix K. The significance color remained the same (did not get any credit) because the licensee did not implement any RMAs.

08.02 Example 2 On August 2, 2000, the inspectors questioned the licensees overall risk assessment of plant XY due to several maintenance activities. The licensee had evaluated the increase in risk (ICDF) due to maintenance activities as 1.18E-5 using their Plant Risk Analysis Program (ORAM/SENTINEL) tool. The corresponding ICDP was 1E-6. The licensee implemented only the normal work controls because the ICDP was not >1E-6.

Based on plant status review the inspectors noted that the licensee had taken the reactor core isolation cooling (RCIC) system out of service for maintenance and were in a Technical Specification Action Statement. The inspectors identified that the licensee had not accurately input the RCIC system maintenance activity for 12 days in their risk assessment. The inspectors asked the licensee to perform the overall risk assessment using ORAM/SENTINEL with the RCIC system unavailable since that was the plant configuration and it was credited for accident mitigation. When the licensee made the RCIC system unavailable in the ORAM/SENTINEL program, the overall risk (ICDF) changed to 6.36E-5.

The inspectors reviewed this issue against the guidance contained in Appendix B, Additional Issue Screening Guidance, of IMC 0612, Issue Screening. The inspectors concluded that the issue was more than minor since the licensees risk assessment failed to consider an unavailable SSC during the maintenance. This finding is associated with inadequate 10 CFR 50.65 (a)(4) risk assessment/management and it impacted the mitigating systems cornerstone.

Accordingly, the inspectors determined the significance of the finding using IMC 0609, Appendix K, "Maintenance Risk Assessment and Risk Management Significance Determination Process.

The following steps should be followed to determine the significance of the finding using this SDP:

1.

If not already done, convert actual incremental core damage frequency (ICDFactual) to actual incremental core damage probability (ICDPactual )

(i.e., ICDPactual = ICDFactual x [12x24 hrs/(8760hrs/reactor-year)];

ICDPactual =6.36E-5 x [12x24 hrs/(8760hrs/reactor-year)]. = 2.09 E-6).

2.

Calculate the risk deficit (ICDPD) as follows:

Actual lCDP - original flawed ICDP = 2.09E 1E-6 = 1.09E-6

3.

In order to determine the significance (SDP color) of this value, use Flowchart 1 in IMC 0609, Appendix K. For ICDPD = 1.09 E-6, the SDP color is White. (The decision block

Issue Date: 10/16/20 14 0308 Att 3 App K Is Risk Deficit >1E-6? was answered Yes; the decision block Is Risk Deficit >1E-5?

was answered No; and no RMAs were taken).

This example illustrates a case where the licensees risk assessment was flawed (incomplete or inadequate), and the licensee had not taken any RMAs because they did not realize the actual risk was above 1E-6. Also, note that in this example ICDP was not significantly greater than 1E-6 (i.e., one order of magnitude or greater). Therefore, the net risk impact remained the same (did not subtract 1 E-6 from the risk deficit prior to determining an SDP color).

08.03 Example 3 The online risk was evaluated by the licensee for plant YY to be at an elevated level (ORANGE) during a designated work window for preventive maintenance on the 2A EDG and other scheduled maintenance work including a surveillance test on the Unit 2 Solid State Protection System. The inspectors questioned operators and the work week manager concerning the plant configuration and the published risk condition for that maintenance. The licensee assessed the increase in risk (ICDP) associated with the maintenance activities to be 4.1 E-6. The inspectors verified the risk assessment to be adequate and that it reflected the actual plant configurations.

However, the inspectors noted that this configuration would not have been allowed by plant risk procedure PRK-001 without implementing appropriate RMAs. The inspectors reviewed the licensees RMAs for the above maintenance configurations. The licensee had taken the following RMAs: conducted pre-job briefing of maintenance personnel, obtained plant management approval of the proposed activity, ensuring risk and RMA information are highlighted on all work schedules, pre-staged parts, performed walkdown of affected systems and hung and verified boundary and caution tags. The inspectors determined that the licensee has taken adequate RMAs to provide increased risk awareness and control and actions to reduce duration of the maintenance activity, but did not take actions to minimize the magnitude of risk increase as specified in the licensees procedure.

The inspectors reviewed this issue against the guidance contained in Appendix B, Additional Issue Screening Guidance, of IMC 0612, Issue Screening. The inspectors concluded that the issue was more than minor since the licensee did not adequately manage the increase in risk due to maintenance activities. This finding is associated with inadequate 10 CFR 50.65 (a)(4) risk management and it impacted the mitigation system cornerstone. Accordingly, the inspectors determined the significance of the finding using IMC 0609, Appendix K, Maintenance Risk Assessment and Risk Management Significance Determination Process.

The following steps should be followed to determine the significance of the finding using this SDP:

1. Since the finding is related to RMAs only, go to SDP Flowchart 2 (IMC 0609, Appendix K).
2.

For ICDP= 4.1E-6, the SDP color is determined as Green. (The decision block Is Risk Deficit >1E-6? was answered Yes; the decision block Is Risk Deficit >1E-5? was answered No; the decision block 3 or RMAs taken was answered No; the decision block 1 or 2 RMAs taken was answered Yes; and the decision block Is ICDP< 5E-6 was answered as Yes.)

This example illustrates a case where the licensees risk assessment was adequate, but the licensee had not implemented all required RMAs. Since the licensee had effectively

Issue Date: 10/16/20 15 0308 Att 3 App K implemented 2 RMAs and the risk increase was <5E-6, the significance was mitigated from a potential White finding to a Green finding.

0308.03K-09 REFERENCES Section 50.65 of Part 50 of Title 10 of the Code of Federal Regulations (10 CFR 50.65),

Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants Regulatory Guide 1.160, Revision 4, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18220B281)

Inspection Procedure 71111.13, Maintenance Risk Assessments and Emergent Work Control Nuclear Energy Institute (NEI) (formerly Nuclear Management and Resources Council (NUMARC)), NUMARC 93-01, Revision 4F, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (ADAMS Accession No. ML18120A069)

END

Issue Date: 10/16/20 Att1-1 0308, Att. 3, App. K ATTACHMENT 1 Revision History for IMC 0308 Attachment 3 Appendix K Commitment Tracking Number Accession Number Issue Date Change Notice Description of Change Description of Training Required and Completion Date Comment Resolution and Closed Feedback Form Accession Number (Pre-Decisional, Non-Public Information)

N/A ML051400252 05/19/05 CN 05-014 Initial Issuance None N/A N/A ML20202A478 10/16/20 CN 20-051 Revised for 5-yr update. Corrected formatting to conform to IMC 0040 requirements.

None ML20206K987

Retrieved from "https://kanterella.com/w/index.php?title=ML20202A478&oldid=4084358"