ML20205G946

Summary of 990311 Meeting with NEI Re Continued Development of Performance Assessment Process & Insp Program Improvements. List of Meeting Attendees Encl
ML20205G946
Person / Time
Issue date: 03/27/1999
From: Roy Mathew
NRC (Affiliation Not Assigned)
To:
NRC (Affiliation Not Assigned)
References
NUDOCS 9904070431


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION

March 27, 1999

MEMORANDUM TO: File

FROM: Roy K. Mathew, Operations Engineer
Inspection Program Branch
Division of Inspection Program Management
Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF THE MARCH 11, 1999 MEETING WITH THE NUCLEAR POWER INSTITUTE TO DISCUSS THE CONTINUED DEVELOPMENT OF PERFORMANCE ASSESSMENT PROCESS AND INSPECTION PROGRAM IMPROVEMENTS

On March 11, 1999, a public meeting was held between the NRC and the NEI to continue exchanging information and views in further developing the concepts sent to the Commission for improving the process for overseeing the safety performance of nuclear power reactors. The meeting agenda, a list of those who attended the meeting, a copy of written information exchanged at the meeting, and summary minutes are attached.

Attachments: As stated

Contact: Roy K. Mathew, 301-415-2965

March 27, 1999

MEMORANDUM TO: File

FROM: Roy K. Mathew, Operations Engineer (original signed by:)
Inspection Program Branch
Division of Inspection Program Management
Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF THE MARCH 11, 1999 MEETING WITH THE NUCLEAR POWER INSTITUTE TO DISCUSS THE CONTINUED DEVELOPMENT OF PERFORMANCE ASSESSMENT PROCESS AND INSPECTION PROGRAM IMPROVEMENTS

On March 11, 1999, a public meeting was held between the NRC and the NEI to continue exchanging information and views in further developing the concepts sent to the Commission for improving the process for overseeing the safety performance of nuclear power reactors. The meeting agenda, a list of those who attended the meeting, a copy of written information exchanged at the meeting, and summary minutes are attached.

Attachments: As stated

Contact: Roy K. Mathew, 301-415-2965

Distribution: Central Files, PUBLIC, PIPB R/F

DOCUMENT NAME: G:ms311.wpd

To receive a copy of this document, indicate in the box: "C" = Copy without enclosures, "E" = Copy with enclosures, "N" = No copy

OFFICE: PIPB:DIPM, PIPB:DIPM
NAME: RKMathew, AKSpector
DATE: 3/[illegible]/99, 3/27/99

OFFICIAL RECORD COPY

Public Meeting Minutes

Date: March 11, 1999

Time: 8:00 a.m. to 3:30 p.m.

Topic: NRC/NEI MEETING TO DISCUSS THE CONTINUED DEVELOPMENT OF PERFORMANCE ASSESSMENT PROCESS AND INSPECTION PROGRAM IMPROVEMENTS

Attendees: See attached listing

Items Distributed: See attachments

Overview:

For NEI and the NRC to discuss and review the NRC's development of performance assessment process and inspection program improvements. Participants shared progress by the NRC's Transition Task Force (TTF) on the new Regulatory Oversight initiative and gained input from NEI and the public.

Issues discussed:

Information Resources and Communication Initiatives:

NRC discussed computer support for the new process. The industry members present stated that they are planning to put performance indicator data and other information on the web site before the initiation of the pilot study and are making progress in formulating a process for collecting data, revising input/output, etc. They provided samples of web site pages (see attached) which indicated the summary of performance indicators and inspection results.

The NRC also discussed proposed dates for conducting three workshop/training sessions. Two of these will be open to the public prior to the initiation of the pilot study. The NRC will hold the performance indicator (PI) workshop on April 12-15, 1999, to provide information to selected NRC inspectors and licensee staff participating in the Reactor Oversight Process Pilot Program. The details of the workshop to be conducted will be published in the Federal Register.

The Workshop Agenda (see attached) was also discussed with the attendees. NEI will provide [illegible] assistance at these sessions. One workshop, closed to the public, will be designed to train internal NRC employees on the new procedures. NRC distributed an updated listing of current planned meetings, conferences, training sessions, and other communication activities (see attached). NRC's plan to take a video of the oversight process and development of a web page was also shared with participants.

Feasibility Study:

NRC distributed (see attached) and discussed the Draft Inspection Finding Characterization Process and methodologies for characterizing the risk significance of inspection findings. The results of the review of licensee event reports (LERs) for the selected plants using the risk characterization were shared with participants. The NRC has concluded that the new process is feasible to pilot. The NRC also stated that the process is successful for items in current scope and the new approach is more scrutable. However, more work and refinement are needed before full implementation of the process. The participants also shared their review of sample LERs and their assessment (see attached) using the NRC Inspection Finding Characterization Process.

Enforcement Policy:

The NRC discussed changes in the proposed enforcement process (see attached). The NRC stated that the enforcement actions will be focused on issues that are risk-significant. Because the assessment process will be performing many of the functions that the enforcement process was providing in the past, there is a reduced need for the process of varying severity levels and the imposition of civil penalties. The NRC is currently in the process of revising enforcement policy guidance.

Performance Indicator Initiatives:

NRC discussed Performance Indicators (see attached) for Cornerstone areas with industry members. NEI distributed a draft Regulatory Assessment Performance Indicator Pilot Program Guideline manual and typical cover letter (see attached) for discussion. The purpose of this manual is to provide guidance to reactor licensees for reporting the data necessary to support the NRC's performance assessment pilot program. This program has been developed through a cooperative effort among the NRC, the NEI, and the public, during a series of public meetings. Further discussions are scheduled in the upcoming meetings on March 18 and 24, 1999. NRC discussed its plan to develop a training guidance manual for the Performance Indicator program.

Action Matrix:

NRC distributed and reviewed the Action Matrix (see attached), which indicated licensee performance assessment results, response, and communication. The participants stated that the existing criteria for defining assessment results are not clear and needed further clarification. NRC staff stated that this will be discussed further in the upcoming meetings.

Next meeting:

Agreed to hold next public meeting on March 18, 1999 from 8:00 a.m. to 3:30 p.m.

Meeting adjourned at 3:30 p.m.

ATTENDANCE
Public Meeting
March 11, 1999

Nuclear Energy Institute (NEI)

John Butler
Robert Evans
Steve Floyd
Tom Houghton
John McIntire
Adrian Meymer

Nuclear Regulatory Commission (NRC)

Morris Branch, NRR
Bill Borchardt, OE
Tim Frye, NRR
Donald Hickman, NRR
Michael Johnson, NRR
Jim Lieberman, OE
Alan Madison, NRR
Armando Masciantonio, NRR
Mike McWilliams, NRR
Roy Mathew, NRR
Garreth Parry, NRR
August Spector, NRR
Steven Stein, NRR
Barry Westreich, OE
Peter Wilson, NRR

OTHERS

Bob Acosta, FPL
Robert Boyce, PECO
Mark Burzynski, TVA
Mike Callahan, Self
Denise Craig, Va Power
Dennis Hassler, PSE&G
Jim Levine, APS
Steve Lockfort, NYPA
Gwen Newman, Va Power
Rosemary Reeves, NUS-IS
Jeff Reinhart, INPO
Doug True, Erin Engineering
Wade Warren, SNC

Draft: Regulatory Oversight Process Communication Plan Schedule

January 1999

1/14 Brief Regional DRP Directors
1/14 Meet with NEI to discuss Pilot Plan
1/20 Commission briefing on Process Recommendations
1/20 Enforcement Coordinators Briefing
1/22 Press Release to announce 30 day comment period
3/26 Brief ACRS on Final Recommendations
1/27 NEI/Public Meeting
1/28 Brief Industry Regulatory Compliance and Technology Group
1/28 Visit Salem NPP

February 1999

2/3 R-I Town Meeting Conference Call
2/2 NEI Meeting with Industry; Site VPs/Licensing Managers - East
2/3 NEI Meeting with Industry; Site VPs/Licensing Managers - West
2/10 NEI/Public Meeting: coordinated with OE
2/11 NEI Task Force Briefing of NSIAC
2/17 R-II Resident Meeting
2/18 R-IV Resident Counterpart Meeting
2/23 Public Comment Period ends
2/24 NEI/Public Meeting
Regional Meetings (coincide with PPRs to describe new process) held on various dates

March 1999

3/3-5 Regulatory Information Conference (introduce concepts)
3/11 NEI/Public Meeting
3/12 Executive Forum Mtg. - Videoconference
3/15 Change Coalition Mtg. - Videoconference
3/24 NEI/Public Meeting
3/24-25 Meeting R-3 (SC, FG, MJ, AM)
3/26 Commission Meeting
3/26 Draft IP and IMC 0610 & PIM Guidance for Pilot use issued for comment (made available to the public)

April 1999

4/6-8 Briefing for American Power Conference (Frank Gillespie presenter)
4/7 NEI Mtg. Public meeting
4/7 Train the Trainer Session NEI/NRC
4/8 Meeting R-1
4/12-15 PI Workshop (R-3) public
4/22 NEI Public meeting
26-30 Inspector Workshop (R-2) NRC

May 1999

5/4-6 R-1 Resident Mtg. (Tentative)
Joint NRC/NEI meeting to resolve issues prior to Pilot (TBA)
5/17-20 Pilot Workshop - Public R-1/HQ
5/24-25 Managing Change Class, open to Task Force and Change Coalition members

June 1999

6/1 Pilot Begins
6/6-10 ANS Conference presentation (tentative)
6/15 Issue Press Release on Enforcement Revisions
6/23 NEA Conference presentation (Tentative)

July 1999

7/12 Present at MIT Course (Gillespie)
7/15-30 Conduct Regional Meetings with States on details of new process

September 1999

Brief Commission TAs on Progress (TBD)

October 1999

10/11-25 (TBD) conduct joint NRC/Industry 2 day Workshop (NRC/NEI)
Issue a Press Release regarding the Workshop

November 1999

Begin NRC Training session for inspectors

December 1999

Training Sessions for NRC inspectors continue
Brief Commission TA's

January 2000

1/15 Press Release issued announcing full process implementation and SALP deletion

May 2000

Commission Briefing on Assessment results
Press Release issued

Note:

1. Change Coalition, Executive Forum and other internal communication vehicles to be ongoing
2. Public Meeting Information to be posted on NRC Web-page

[Draft workshop agenda table; not legible in the scanned copy]

During the public meeting on 2/24/99, industry or NEI requested to perform a sample review of LERs using the tool.

The following LERs were within the data base reviewed by the team, and if industry performs their own review they need to clearly state the problem and their assumptions. Industry could run these LERs through our process several times making different assumptions. Our process is intended to make inspectors use conservative but realistic assumptions, and the Phase 3 review by industry and/or the NRC will further refine the outputs from the initial phase 2 risk characterization process. Information as to the effectiveness of the screening process would also be useful. Cornerstone affected would also be useful.

Cook-1: 96001, 96002, 97017, 97018, 97020, and 97021

Millstone-2: 94009, 94011, 94004, 95002

Millstone-3: 94004, 95011, 95014

St Lucie-1: 97005, 97009, 97011

Waterford-3: 97001, 97002, 97006, 97027, 970[illegible]

INSPECTION FINDING RISK CHARACTERIZATION PROCESS

Developed by:

Task Leader: Morris Branch

Task Members:
Douglas Coe
[name illegible]
Thomas Dexter
John Flack
Stephen Klementowicz
Steve Mays
Eugene McPeeks
[name illegible]
Gareth Parry
Roger Pederson
William Ruland
Randolph Sullivan
Barry Westreich
James Wigginton
Peter Wilson

Attachment 2

Introduction

SECY-99-007, dated January 8, 1999, described the need for a method of assigning a risk characterization to inspection findings. This risk characterization is necessary so that inspection findings can be aligned with risk-informed plant performance indicators (PIs) during the plant performance assessment process. Figure 1 describes the process flow of typical inspection findings or issues. Figure 1 also outlines the different paths an issue could take, with the final output of each process being an input to the assessment and/or the enforcement process.

Appendix 1 of this attachment describes in detail the staff's efforts to date [illegible] risk characterization of inspection findings, which have a potential impact on at-power operations, thereby affecting the initiating event, mitigating systems, or barrier cornerstones associated with the reactor safety strategic performance area. It is expected that this [illegible] of the risk-significant issues that would be experienced at a facility. [Illegible] with shutdown risk, emergency preparedness, radiation safety, [and] safeguards [illegible] risk characterization process as well. The staff is currently developing processes with the nuclear industry to characterize the risk significance of inspection findings in these areas.

The concepts being explored with industry for the emergency preparedness, radiation safety, and safeguards areas involve the development of a process flow and decision logic that will complement or supplement PI data. The products developed by this ongoing effort will receive a tabletop exercise similar to that accomplished during the feasibility review of the reactor oversight process described in Attachment 5 of this paper. That feasibility review highlighted the need for a risk characterization process for all plant items included in a plant's plant issue matrix (PIM). Recommendations from the feasibility review included the need to have these processes essentially complete before their use during the plant pilot study described in Attachment 6.

Although the staff fully expects to have most of the characterization processes in place for the pilot study, further enhancement and development will continue. However, if, for example, difficulty is encountered developing a method for the risk characterization of shutdown activities, the inspection staff may have to involve a risk analyst or a [illegible] properly characterize the finding until the guidance can be developed. The Office of Research (RES) plans to continue its support of the oversight process by providing risk expertise, methods, data, and insights into various areas. Specific activities being developed include:

- generation and [illegible] of plant-specific risk insights to help focus plant inspections in risk-significant areas,

- generation of plant-specific insights to support the inspection finding risk characterization and reactor assessment process,

- development of methods and guidance to improve the process of evaluating risk significance of cross-cutting areas, or inspection findings that involve multiple performance indicators or safety cornerstones, for example, common cause failure, human reliability, and problem identification and resolution.

These activities will improve our knowledge and ability to apply risk to plant inspections and enhance our ability to evaluate plants through the plant assessment process. In addition, RES will continue to investigate the impact of modeling techniques, assumptions, and data on probabilistic risk assessment (PRA) results and conclusions, and the impact they have on the regulatory decision-making process.

Figure 1 (Inspection Finding Risk Characterization Process) and Appendix 1 (Process for Characterizing the Risk Significance of Inspection Findings) for at-power situations are included herein to describe the staff's efforts in this area. Additionally, for completeness, Appendix 2 presents the current DRAFT concepts for characterizing the risk significance of inspection findings in the emergency preparedness, radiation safety, and safeguards [remainder illegible]

[Figure 1: Inspection Finding Risk Characterization Process (DRAFT); flowchart not legible in the scanned copy]

Appendix 1

Process for Characterizing the Risk Significance of Inspection Findings

Entry Conditions

This process is currently designed to assess only those inspection findings associated with at-power operations within the cornerstones of initiating events, mitigation systems, and barrier integrity under the reactor safety strategic performance area. Compliance with Technical Specifications (TS) and design-bases assumptions [illegible] provide defense in depth and safety margins. This process was developed to provide the risk insight [illegible] conditions that may affect the above-mentioned assumptions. An actual initiating event will either be captured by a performance indicator (e.g., a reactor trip) or, if it is complicated by equipment [illegible] or operator error, will be assessed by NRC risk analysts outside the process described herein.

Objectives

1. To characterize the risk significance of an inspection finding consistent with the regulatory response thresholds used for performance indicators (PIs) in the NRC performance assessment process and for entry into the enforcement process.

2. To provide a risk-informed framework for discussing and communicating the potential significance of inspection findings.

Defining Characteristic

The most important characteristic of this process is that it elevates potentially risk-significant issues early in the process and screens out those findings that have minimal or no risk significance. Further, field inspectors and their managers should be able to efficiently use the basic accident scenario concepts in this process to categorize individual inspection findings by potential risk significance. The process presumes the user has a basic understanding of risk analysis methods.

Introduction

The staff's proposed overall licensee assessment process (as defined outside of this document) evaluates licensee performance using a combination of PIs and inspections. Thresholds have been established for PIs, which, if exceeded, may prompt additional actions to focus licensee and NRC attention on areas in which there is a potential decline in licensee [illegible]. The inspection finding risk characterization process described in this appendix and illustrated in Figure 1 evaluates the significance of individual inspection findings so that the overall licensee performance assessment process can compare and evaluate them on a significance scale similar to the PI information. Licensee-identified issues, when reviewed by NRC inspectors, are also candidates for this process.

[Process flow diagram; not legible in the scanned copy]

Inspection findings related to reactor safety cornerstones (initiating events, mitigating systems, and barrier integrity) will be assessed differently than the remaining areas (emergency planning, occupational exposure, public exposure, and physical security). For the reactor safety cornerstones, excluding the EP area, each finding is evaluated using a risk-informed framework that relates the finding to specific structures, systems, or components (SSCs), identifies the core damage scenarios to which the failure of the SSCs contribute, estimates how likely the initiating event for such scenarios might be, and finally determines what capability would remain to prevent core damage if the initiating events for the identified scenarios actually occurred.

Bases

The approach described in this Appendix was developed using input from other agency documents, including the following:

- Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment (PRA) in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis;"

- Table 1 was based on generic values obtained from NUREG/CR-5499, "Rates of Initiating Events at U.S. Nuclear Power Plants: 1987 - 1995;"

- The accident sequence precursor (ASP) screening rules outlined in NUREG/CR-4674, "Precursors to Potential Severe Core Damage Accidents."

In addition, Table 2 is based on generic numbers that are generally consistent [illegible] obtained from PRA models.

w Sensitivity Test of insoection Findino' Risk Characterizati "a Screenina Process hf /$ ff The staff performed a simple test.cf the sehsitivity of.the screening process. The test was risk impo' rtance would not be screened out by the designed process.,fTdstaffto,revi ensure that acci wed the1996 it,enis.vilth prover (dent sequence precursors core damage events. In 996, the NRC idstified in NUREG/CR-4674, Vol. 25,14 precursors with a corlditional"clare dam' age 'probisbility (CCDP) greater than 1E-6 affecting 13 units. There were seven procursor' events i'nvolvinginitiating events at power, six precursor events involving unavailabilities at power [and one% recur'sor event involving an initiating event while the plant was shut downeWith the. exception of the' shutdown event, which the IFRCP does not currently model, all'of the risk dig'nificadASP events successfully passed the screening test and would haveM{uired further evaluatioriTJsing Phase 2 of the model. Because of the simplicity of the l mgdel,' the process hasge'p6tential to overestimate the risk significance of some events, possibly requiring a more refined evaluation before a final assessment can be made,

[$ N P[rocess Discussio W? , .

ThirlApoction. ding assessment process is a graduated approach that uses e three-phase process to differentiate inspection findings on the basis of their actual or potenti~al risk significance. Findings that pass through a screening phase will proceed to be evaluated by the next phase.

Attachment 2 - 6 I

s Phase 1 - Definition and initial Screening of Findings: Precise characterization of the finding and an initial screening-out of low-significance findings Phase 2 - Risk Significance Approximation and Basis: Initial approximation of the risk significance of the finding and development of the basis for this determination for those findings that pass through the Phase 1 screening Phase 3 - Risk Significance Finalization and Justification: As-nee d refinement of the risk significance of Phase M 2 findings by[ar/NR_

Phases 1 and 2 are intended to be accomplished primaril field inspeciors and their first-line managers. Until a user becomes practiced in its use, it)s expected ydt ag NRChsk analyst /n,ay asi2 assessment.s HowMier, be after needed to assist inspection personnel withmore become some ofwith familiar thethe'assumptions process used for the Pp/Involv expected to become more limited. The Phase 3 reviekis dot r'nandatory and is ecdyliritinded to confirm or modify the results of significant (" white" or abope)lor ' controversial findings from the Phase 2 assessment. Phase 3 analysis methods will utilizia cunent PRA techniques and rely on the expertise of knowledgeable risk analysts. 9 Mpk 9WB .

Step 1 - Definition and Initial Screening of Findings

Step 1.1 - Definition of the Inspection Finding and Assumed Impact

It is crucial that inspection findings be well defined in order to consistently execute the logic required by this process. The process can be entered with inspection findings that involve one or more degraded conditions concurrently influencing safety- or non-safety-related equipment and/or initiating event frequency. The definition of the finding should be based on the known existing facts and should NOT include hypothetical failures such as the one single failure assumed for licensing basis design requirements. The statement of the finding should clearly identify the equipment potentially or actually impacted, as this will be used in the risk characterization process. In some cases, the impact of the finding can be stated unambiguously in terms of the status of a piece of equipment, for example, whether it is operable or not, or whether it is available to perform its function or not. In other cases, the finding may specify conditions under which a piece of equipment becomes unavailable. In still other cases, those involving degraded conditions for example, the impact is not determined, and assumptions will have to be made for the purposes of assessing the risk significance. Any explicitly stated assumptions regarding effect of the finding on the safety functions should initially be conservative (i.e., force a potentially higher risk significance) because the final result will always be viewed from the context of those assumptions. Subsequent information or analysis from the licensee or other sources is expected, in many cases, to reduce the significance of the finding, with an appropriate explicit and defensible rationale. Findings must also be well defined because the assumptions can be modified to examine their influence on the results. However, the general rule is that the definition of the finding must address its safety function impact and any assumptions regarding other plant conditions. Examples include the following:

1. The following situations represent two different findings: a motor-operated valve (MOV) in a pressurized-water reactor (PWR) auxiliary feedwater (AFW) system is found with hardened gearbox grease (i.e., is degraded); and an MOV in the AFW system is found with a broken wire that renders it non-functional. For the purposes of assessing the risk significance, the impact of both could be characterized conservatively as "MOV does not perform its safety function of opening to provide flow to the steam generators." In the first case, it is necessary to assume that the hardened grease makes the valve unavailable, while in the second it is not.

2. A finding involving a deficiency in the design of the plant could be stated as follows: "Equipment/System/Component X would not perform its safety function of .... under conditions. ..." For example, a remote shutdown panel that might be rendered inhabitable during a cable spreading room fire that causes a loss of offsite power, due to inadequate heating, ventilation, and air conditioning (HVAC) [illegible], could be characterized conservatively as "plant [illegible] not poss[illegible] remote shutdown panel during a loss of offsite p[illegible] room fire due to inhabitability from resulting smoke and loss of power to remote shutdown panel HVAC."

Step 1.2 - Initial Screening of the Inspection Finding

For the sake of efficiency, the initial screening is intended to screen out those findings that have minimal or no impact on risk early in this process. The screening guidelines are linked to the cornerstones as follows: if there is negligible impact on meeting the reactor safety objectives, the finding can be identified as having minimal or no impact on risk and corrected under the licensee's corrective action process.

The decision logic is described as follows:

If the finding and its associated assumptions, as defined in Step 1.1, could simultaneously adversely affect two or more reactor safety cornerstones, then Phase 1 is complete and the user should proceed directly to the Phase 2 analysis. Alternatively, the finding can be screened out immediately (characterized as having little or no risk potential impact and exit this process) if it can be shown to NOT be related to any adverse effect on any reactor safety cornerstone. Finally, if the finding and its associated assumptions affect only ONE reactor safety cornerstone, it may still be screened out as follows:

  • If only the mitigation systems cornerstone is affected and the finding and the associated assumptions do NOT represent a loss of safety function of a system, OR the finding and associated assumptions represent a loss of safety function of a single train of a multi-train system for LESS THAN the allowed outage time (AOT) prescribed by the limiting condition for operation (LCO) for Technical Specification equipment, OR represents a design or qualification finding but the equipment or the system is still operable (e.g., meets NRC Generic Letter 91-18 criteria to remain operable), OR is not categorized as a risk-significant SSC under the maintenance rule (10 CFR 50.65) then the finding would be considered green and screened out.

  • If only the initiating event cornerstone is affected and the finding and associated assumptions have no other impact than increasing the likelihood of an uncomplicated reactor trip, the finding would be considered green and screened out.

  • If only the fuel barrier is affected, the issue will be screened out since a PI exists for this barrier.

  • If any reactor coolant system (RCS) barrier function to mitigate an accident sequence is affected, the issue will be assessed in Phase 2.

  • If the containment barrier is affected, the concern is referred to a risk analyst until more guidance can be provided.

Any inspection finding that is NOT screened out (i.e., characterized as green) by the above-mentioned decision logic should be assessed using the Phase 2 process described herein.
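The Step 1.2 decision logic, written out as an added example that is not part of the NRC memo. Counting each area the text lists (initiating event, mitigation systems, and the fuel, RCS and containment barriers) as one cornerstone is an assumption, as are the field names and the constructed sample findings.

```python
from dataclasses import dataclass
from enum import Enum


class Area(Enum):
    """Areas named in Step 1.2 (treated here as one cornerstone each: assumption)."""
    INITIATING_EVENT = "initiating event"
    MITIGATION_SYSTEMS = "mitigation systems"
    FUEL_BARRIER = "fuel barrier"
    RCS_BARRIER = "RCS barrier"
    CONTAINMENT_BARRIER = "containment barrier"


class Outcome(Enum):
    GREEN = "screened out (green)"
    PHASE_2 = "assess in Phase 2"
    RISK_ANALYST = "refer to risk analyst"


@dataclass(frozen=True)
class Finding:
    description: str
    affected: frozenset
    # Defaults are conservative, as Step 1.1 asks of stated assumptions.
    loss_of_system_function: bool = True
    single_train_loss_within_aot: bool = False
    design_issue_still_operable: bool = False
    significant_ssc_under_maintenance_rule: bool = True
    only_uncomplicated_trip_more_likely: bool = False


def phase1_screen(f: Finding) -> Outcome:
    """Apply the Phase 1 screening rules in the order the text gives them."""
    if not f.affected:                      # no adverse effect on any cornerstone
        return Outcome.GREEN
    if len(f.affected) >= 2:                # two or more cornerstones: Phase 1 is complete
        return Outcome.PHASE_2
    (area,) = f.affected
    if area is Area.MITIGATION_SYSTEMS:
        green = (not f.loss_of_system_function
                 or f.single_train_loss_within_aot
                 or f.design_issue_still_operable
                 or not f.significant_ssc_under_maintenance_rule)
        return Outcome.GREEN if green else Outcome.PHASE_2
    if area is Area.INITIATING_EVENT:
        return Outcome.GREEN if f.only_uncomplicated_trip_more_likely else Outcome.PHASE_2
    if area is Area.FUEL_BARRIER:           # a PI already covers this barrier
        return Outcome.GREEN
    if area is Area.RCS_BARRIER:
        return Outcome.PHASE_2
    return Outcome.RISK_ANALYST             # containment barrier: no guidance yet


# Constructed sample findings (details beyond the text's examples are invented).
SAMPLES = [
    Finding("AFW MOV broken wire, system function assumed lost",
            frozenset({Area.MITIGATION_SYSTEMS})),
    Finding("AFW MOV out of service for less than the AOT",
            frozenset({Area.MITIGATION_SYSTEMS}), single_train_loss_within_aot=True),
    Finding("Loose parts in steam generator", frozenset({Area.INITIATING_EVENT})),
    Finding("Degraded instrument air",
            frozenset({Area.INITIATING_EVENT, Area.MITIGATION_SYSTEMS})),
    Finding("Containment isolation concern", frozenset({Area.CONTAINMENT_BARRIER})),
]

if __name__ == "__main__":
    for finding in SAMPLES:
        print(f"{finding.description}: {phase1_screen(finding).value}")
```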

Phase 2 - Risk Significance Approximation and Basis

Step 2.1 - Define the Applicable Scenarios

Once an inspection finding passes through the Phase 1 screening, it is evaluated in a more detailed manner using the Phase 2 process described herein. The first step is to ask the question "Under what core damage accident scenarios would the finding, as defined in Step 1.1, increase risk?"

Determining which scenarios make an inspection finding risk important may not always be intuitive. Therefore, documents such as plant-specific PRA studies, safety analysis reports, TS bases, and emergency operating procedures should be reviewed as needed to ensure that the most likely events and circumstances are considered. Specifically, the inspector must determine which core damage scenarios are adversely impacted by each finding.

Identifying the scenarios begins with identifying the equipment and the assumed or actual impact of the finding, and takes into consideration the role the equipment plays in either the continued operation of the plant or the response to an initiating event. This step leads to an identification of the role of the finding in either contributing to an initiating event or affecting a mitigating system, or both. For the mitigating systems, the impact may be one of two kinds: the finding results in the equipment function's being compromised or the finding relates to the identification of a condition under which the function would become compromised. In the first of these two cases, the function can be assumed to be lost, and the scenario of interest is the initiating event for which the equipment is required and the remaining equipment that by design can provide the same function as that which has been lost. For the second case, the scenario definition must also include the condition under which the function would become compromised. For example, if the finding is that if two operator actions are reversed while performing the switchover to recirculation in a PWR, the safety injection (SI) pumps could be irreparably damaged due to cavitation, the scenario definition includes the loss of coolant accident (LOCA) initiating event, the failure of the charging system (if it is a viable alternative means of providing sump recirculation), and also the human error (which represents the condition under which the pumps would fail). If the finding were that the SI pumps could never be aligned properly for some reason (this extreme case is an example to demonstrate a point only), the scenario definition would involve only the LOCA and the charging system failures.

During this phase of the process, inspectors may determine that several different scenarios are affected by a particular inspection finding. This determination can occur in one of two ways:

First, the finding may be related to an increase in the likelihood of an initiating event, which may require consideration of several scenarios resulting from that initiating event.

Second, a finding may be related to a system required to respond to several initiating events. For example, the discovery of a degraded instrument air system could affect plant response to both a loss of offsite power and a LOCA. Each of these events must be considered separately so that the next step of the Phase 2 estimation process can determine which scenario is potentially most significant.

The scenario resulting in the highest significance will be used to establish the initial relative risk significance of the finding. If a Phase 2 assessment results in multiple applicable scenarios of "green" significance, the user should seek assistance of a risk analyst, since this process cannot effectively "sum" the significance of multiple low-significance scenarios. Additionally, a particular inspection finding may affect multiple cornerstones by both increasing the probability of an initiating event and degrading the capability or reliability of a mitigating system. Again, each applicable scenario must be considered to determine which is the most significant.

In identifying possible core damage accident scenarios, consideration must be given to the role of support systems as well as the primary system. For example, if a particular initiating event can be mitigated by more than one system providing the same safety function, but all such systems are dependent on a single train of a support system (e.g., service water or emergency ac power), the limiting scenario may involve the failure of the single train of the support system rather than the individual primary system trains.

Step 2.2 - Estimation of the Likelihood of Scenario Initiating Events and Conditions

In Step 2.1, sets of core damage accident scenarios were determined to be made more likely by the identified inspection finding (degraded condition). This step should result in the identification of one or more initiating events, each followed by various sequences of equipment failures or operator errors. To determine the most limiting scenario, perform the following analysis for each set of scenarios with a common initiating event.

If the finding does not relate to an increased likelihood of an initiating event, the initiating events for which the affected SSC(s) are required are allocated to a frequency range in accordance with guidance provided in the left-hand column of Table 1 herein. Table 1 is entered from the left column, using the initiating event frequency, and from the bottom, using the estimated time that the degraded condition existed, to arrive at a likelihood rating (A - H) for the combination of the initiating event and the duration of the degraded condition.

If the finding relates to an increased likelihood of a specific initiating event, the likelihood of that initiating event is increased according to the significance of the degradation. For example, if the inspection finding is that loose parts are found inside a steam generator, then the frequency of a steam generator tube rupture (SGTR) for that plant may increase to the next higher frequency category, and Table 1 is entered accordingly.

When the scenario includes the identification of a condition under which a function, a system, or a train becomes unavailable, then this fact has to be factored into the assessment. It is not appropriate to assume that the affected function, system, or train is unavailable. At this point, it is necessary that a risk analyst assess the probability of the condition, and adjust the initiating event (or events) by the appropriate amount. For example:

- A finding that if a control valve in the instrument air system fails, it leads to overpressure of a low-pressure part of the system, thereby leading to the failure of the equipment controlled by the air system. The probability of interest is that of the failure of the valve during the mission time, which depends on the impact of the failure. For example, if the valve failure would lead to a reactor trip in addition to failing some mitigating equipment, the mission time is 1 year, and the initiating event frequency would be the probability of failure of the valve in one year. If the impact is simply on the mitigating systems for a LOCA, the mission time is that time needed to place the plant in a safe, stable state. In this case, the LOCA frequency would be adjusted by the probability that the valve failure would occur during the mission time.

Finally, remember that the definition of the finding and the selection of core damage accident scenarios should be strictly based on the known existing facts and should NOT include hypothetical failures, such as the one single failure assumed for licensing basis design requirements.

Table 1 - Estimated Likelihood Rating for Initiating Event Occurrence During Degraded Period (taken from NUREG/CR-5499)

Approx. Freq.            Example Event Type             Estimated Likelihood Rating

>1 per 1 - 10 yr         Reactor Trip                   A           B           C
                         Loss of condenser

1 per 10 - 10^2 yr       Loss of Offsite Power          B           C           D
                         Total loss of main FW
                         Stuck open SRV (BWR)
                         MSLB (outside cntmt)
                         Loss of 1 SR AC bus
                         Loss of Instr/Cntrl Air
                         Fire causing reactor trip

1 per 10^2 - 10^3 yr     SGTR                           C           D           E
                         Stuck open PORV/SV
                         RCP seal LOCA (PWR)
                         MFLB
                         MSLB inside PWR cntmt
                         Loss of 1 SR DC bus
                         Flood causing reactor trip

1 per 10^3 - 10^4 yr     Small LOCA                     D           E           F
                         Loss of all service water

1 per 10^4 - 10^5 yr     Med LOCA                       E           F           G
                         Large LOCA (BWR)

<1 per 10^5 yr           Large LOCA (PWR)               F           G           H
                         ISLOCA
                         Vessel Rupture

                                                        > 30 days   30-3 days   <3 days
                                                        Exposure Time for Degraded Condition

Use of Table 1 should result in one or more initiating events of interest with an associated likelihood rating ("A" through "H") for each.

Step 2.3 - Estimation of Remaining Mitigation Capability

The scenarios of interest have now been identified, and Table 1 has been used to estimate associated initiating event frequencies and to combine them with degraded condition exposure time to arrive at an estimate of the likelihood of the initiating events. Following an initiating event, core damage will result from a series of system, component, or operator failures. In this step, the user will approximate the probability of failing to mitigate the core damage scenarios associated with the condition identified by the finding. Findings defined in Phase 1 will generally identify the potential for degrading a particular function. Therefore, the probability of preventing the scenarios that include this degraded function will depend on the number of remaining success paths for providing the function.

To count success paths in a probabilistically consistent manner, systems are considered to be either single train or redundant. A redundant system is a system that has more than one identical train, where the loss of one train does not lead to a loss of function. However, all trains of a redundant system are subject to a possible common-cause failure. Success paths may be provided by each train of diverse single-train systems (e.g., high-pressure injection in a boiling water reactor (BWR) for a loss of feedwater transient may be provided by the high-pressure coolant injection (HPCI) and reactor core isolation coolant (RCIC) systems, both single train systems), or by diverse redundant systems (e.g., low-pressure injection may be provided by the low-pressure core spray (LPCS) and the LPCI systems in a BWR-4, both multi-train systems), or by mixtures of single-train and redundant systems. In addition, in some cases there may be time to recover the function or train that has been lost, which can be credited as a success path under certain conditions.

In counting the number of remaining available success paths for a scenario affected by the degradation assumed by the finding, the user must select the most appropriate column of Table 2, "Risk Significance Estimation Matrix," for each affected scenario. Each column in Table 2 represents about one order of magnitude difference from adjacent columns in the failure probability of remaining success paths, and the descriptions in the column headings are intended as examples of mitigation methods that can typically be assumed. Refer to Figure 2 for basic guidance on how to determine the number of trains and redundant systems. In addition, the following rules and guidelines apply:

  • Only equipment that the licensee has scoped into the maintenance rule (10 CFR 50.65) may be credited for remaining mitigation capability. This provides a minimum level of assurance that credited equipment meets pre-established reliability goals or performance criteria.

  • The potential for a common-cause failure of the remaining success paths is accounted for in the column definition of Table 2. Therefore, any actual evidence of a common-cause failure must be included in the definition of the inspection finding.

  • Credit for recovery may be taken if there is a possibility of restoration of the SSC or a function that has been assumed to be lost due to the condition identified by the finding. Recovery actions should be credited only if there is sufficient time available, environmental conditions allow access, they are covered by operator training and written procedures, and necessary equipment is available or appropriately staged and ready. For recovery actions that are relatively complex, and/or require actions outside the control room, it is particularly important that the actions required are feasible within the time available to prevent core damage. If there are no remaining success paths other than restoring the failed equipment, and the above conditions are met, then Column 6 of Table 2 will credit this recovery. For example, consider an inspection finding involving a potentially recoverable system failure, such as a failed automatic start feature. If status indication exists and simple operator action would be able to start the equipment within sufficient time to provide the system function, then more credit can be given to recovery, which may be more appropriately given by using Column 5. If other equipment is also available as remaining success paths, then operator actions may be used to supplement that equipment.

  • Caution has to be exercised when taking credit for systems that are dependent on manual actuation (such as standby liquid control (SLC) in BWRs). If the time to initiate the system is short and performed under stressful conditions, Column 5 should be used for a redundant system rather than Column 4. When there is ample time, as in the initiation of suppression pool cooling in BWRs, the human error probability is low enough that the nominal system column can be used.

When all scenarios have been assigned and the associated likelihood and remaining mitigation capability estimated, the Table 2 matrix described in the next section can be used to estimate the potential significance of the degraded condition, within the context of all assumptions made to this point.

Step 2.4 - Estimating the Risk Significance of Inspection Findings

The last step of the Phase 2 assessment process is to estimate the relative risk significance of the finding. The risk is estimated by employing an evaluation matrix (Table 2 herein), which utilizes the information gained from Steps 2.1 through 2.3. The matrix combines the scenario likelihood derived in Step 2.2 with the remaining mitigation capability determined in Step 2.3 and establishes an estimated risk significance for the particular finding. One of only four possible results can be obtained: Green, White, Yellow, or Red. These results are the same as those used for PIs. The user must complete this assessment for each applicable scenario of the inspection finding before determining the scenario of highest significance.

As a mental "benchmark," the user of this process should recognize that a "Green" outcome will involve any condition that has 3 or more diverse trains of remaining mitigation capability no matter how frequently it occurs, and that a "Red" outcome will involve any condition that has zero or only one train of remaining mitigation capability if the initiating events that require such capability occur more often than once every 1000 reactor-years (e.g., a small LOCA, a LOOP, or a reactor trip).

Table 2 - Risk Significance Estimation Matrix

Likelihood rating      Remaining mitigation capability column
(from Table 1)         (1)      (2)      (3)      (4)      (5)      (6)      (7)

A                      Green    White    Yellow   Red      Red      Red      Red
B                      Green    Green    White    Yellow   Red      Red      Red
C                      Green    Green    Green    White    Yellow   Red      Red
D                      Green    Green    Green    Green    White    Yellow   Red
E                      Green    Green    Green    Green    Green    White    Yellow
F                      Green    Green    Green    Green    Green    Green    White
G                      Green    Green    Green    Green    Green    Green    Green
H                      Green    Green    Green    Green    Green    Green    Green
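Steps 2.2 through 2.4 as an added example that is not part of the NRC memo. The ratings and colors are transcribed from Table 1 and Table 2 of this attachment; the field names, the placement of exactly 3 and 30 days in the middle exposure column, and the sample scenarios (including their Table 2 column choices) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Table 1 rows, most frequent first: (frequency band, ratings for >30 d, 30-3 d, <3 d).
TABLE_1 = [
    (">1 per 1-10 yr",     "ABC"),  # reactor trip, loss of condenser
    ("1 per 10-10^2 yr",   "BCD"),  # loss of offsite power, loss of instr/cntrl air
    ("1 per 10^2-10^3 yr", "CDE"),  # SGTR, stuck open PORV/SV
    ("1 per 10^3-10^4 yr", "DEF"),  # small LOCA, loss of all service water
    ("1 per 10^4-10^5 yr", "EFG"),  # medium LOCA, large LOCA (BWR)
    ("<1 per 10^5 yr",     "FGH"),  # large LOCA (PWR), ISLOCA, vessel rupture
]

# Table 2: one string per likelihood rating, columns (1)..(7) from left to right.
TABLE_2 = {
    "A": "GWYRRRR", "B": "GGWYRRR", "C": "GGGWYRR", "D": "GGGGWYR",
    "E": "GGGGGWY", "F": "GGGGGGW", "G": "GGGGGGG", "H": "GGGGGGG",
}
ORDER = "GWYR"  # increasing significance
NAMES = {"G": "Green", "W": "White", "Y": "Yellow", "R": "Red"}


@dataclass
class Scenario:
    name: str
    freq_row: int                       # index into TABLE_1 (0 = most frequent)
    exposure_days: float                # how long the degraded condition existed
    mitigation_column: int              # Table 2 column (1-7) chosen in Step 2.3
    increased_likelihood: bool = False  # finding makes the initiating event more likely


def likelihood_rating(s: Scenario) -> str:
    """Step 2.2: enter Table 1 by frequency band and exposure time."""
    if not 0 <= s.freq_row < len(TABLE_1):
        raise ValueError("freq_row must index a Table 1 row")
    row = s.freq_row
    if s.increased_likelihood:
        row = max(0, row - 1)           # move to the next higher frequency category
    if s.exposure_days > 30:
        col = 0
    elif s.exposure_days >= 3:
        col = 1
    else:
        col = 2
    return TABLE_1[row][1][col]


def scenario_color(s: Scenario) -> str:
    """Step 2.4: combine the likelihood rating with the Table 2 column."""
    if not 1 <= s.mitigation_column <= 7:
        raise ValueError("mitigation_column must be 1..7")
    return TABLE_2[likelihood_rating(s)][s.mitigation_column - 1]


def assess_finding(scenarios):
    """Return (overall color, needs_risk_analyst, per-scenario colors).

    The most significant scenario sets the result; several scenarios that are
    all green are flagged, because the matrix cannot sum low-significance ones.
    """
    if not scenarios:
        raise ValueError("at least one scenario is required")
    colors = {s.name: scenario_color(s) for s in scenarios}
    worst = max(colors.values(), key=ORDER.index)
    needs_analyst = len(scenarios) > 1 and worst == "G"
    return NAMES[worst], needs_analyst, {k: NAMES[v] for k, v in colors.items()}


# Constructed scenarios: degraded instrument air present for 45 days, and loose
# parts in a steam generator (SGTR made more likely) present for 10 days.
LOOP = Scenario("Loss of offsite power", freq_row=1, exposure_days=45, mitigation_column=4)
SMALL_LOCA = Scenario("Small LOCA", freq_row=3, exposure_days=45, mitigation_column=4)
SGTR = Scenario("SGTR", freq_row=2, exposure_days=10, mitigation_column=3,
                increased_likelihood=True)

if __name__ == "__main__":
    print(assess_finding([LOOP, SMALL_LOCA]))
    print(assess_finding([SGTR, SMALL_LOCA]))
```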

Step 2.5 - Documenting the Results

The results of the Phase 2 risk estimation will be communicated to the licensee through the inspection report process. It is expected that risk-significant or controversial findings will require obtaining licensee risk perspectives and will most likely prompt a Phase 3 review. If the inspectors, and appropriate regional and Headquarters staff (when necessary), agree with the results of the Phase 2 assessment, the final results will be documented in an inspection report and no further review is needed. The extent of documentation should include all information needed to reconstruct the Phase 2 analysis. Although licensee perspectives will be considered, the NRC staff will retain the final responsibility for determining the risk significance of a finding and will provide its justification in an inspection report or other appropriate document. When licensee assumptions or perspectives differ from those of the staff, the staff should explicitly justify the basis for its determination.

Phase 3 - Risk Significance Finalization and Justification

If determined necessary, this phase is intended to refine or modify the earlier screening results from Phases 1 and 2. Phase 3 analysis will utilize current PRA techniques and rely on the expertise of knowledgeable risk analysts. The Phase 3 assessment is not described herein.

Work Remaining

Work with RES to develop design-specific models and better criteria for evaluating findings associated with the containment barrier, fire protection, and shutdown operations.

[Figure 2: flow chart for determining the number of remaining trains and redundant systems]

Appendix 2

Concepts for Characterizing the Risk Significance of Inspection Findings in the Emergency Preparedness, Radiation Safety, and Safeguards Area

DRAFT CONCEPTS

This appendix and its attachments convey to the Commission current staff concepts for evaluating inspection findings in the emergency preparedness, radiation safety, and safeguards areas. Thresholds were selected on a significance scale similar to those established for the plant performance indicators that industry plans to submit. The staff continues development of this guidance with industry and fully expects to have a process in place for the pilot currently scheduled for June 1999. As part of this effort, table-top reviews of real and postulated examples are planned to further refine the concepts.

I y

  • Att: chm:nt 1 ,

l

~ 1 Emtrg:ncy Pr:paredness '

DMF l An assessment methodology was developed to address findings resulting from inspections f

performed under the Emergency Preparedness (EP) comerstone, The process has been reviewed within NRC and additional review from other stakeholders is being sought. It consists of flow chart logic to disposition inspection findings into one of the following categories: " licensee response band," " increased regulatory response band," " required regulatory response band," or

" unacceptable performance band."

During the development of EP performance indicators risk significant areas were identified as distinct from other program areas. These development efforts were performed by a group of EP subject matter experts with input from members of the public. The assessment methodology also recognizes failures in the identified risk significant areas as more significant than findings in other program areas.

Emergency Preparedness regulations codify a set of emergency planning standards in 10 CFR 50.47(b) and Appendix E to Part 50. The risk significant areas of EP align with a subset of the planning standards and requirements. The flow chart logic uses failure to meet or implement planning standards and other regulatory requirements, and failure to identify problems in compliance as criteria to disposition inspection findings. Failure to meet or implement planning standards identified as risk significant results in a higher level of NRC involvement. While the assessment process does not generally sum unrelated findings to escalate the resultant response band disposition, a program collapse is indicated by failure to meet multiple planning standards. The assessment logic recognizes this unlikely, but significant, deterioration of an EP program and responds with increased regulatory involvement, including the potential for a set of concurrent findings being assessed as "unacceptable performance."

[Flow chart: DRAFT NRC Oversight Assessment Process for Emergency Preparedness Inspection Findings, sheet 1 (Finding Identified), draft 1, February 24, 1999]

Note 1: Evaluate finding and failure of PIDR separately. Note the PIDR failures as separate input, at the next lower level, e.g., if the finding is white the PIDR failure is green.

Note 2: Regulatory Requirements include 10 CFR 50.47 and Appendix E.

[Flow chart: DRAFT NRC Oversight Assessment Process, Emergency Preparedness Inspection Findings, sheet 2 (Violation Identified), draft 1, March 1, 1999]

PS = Planning Standard; R/S = Risk Significant

Attachment 2

Radiation Safety

DRAFT

An assessment methodology concept was developed to address and assess the risk significance of NRC inspection findings in the occupational and public radiation protection cornerstones. This process consists of flow chart logic to disposition inspection findings into one of the following categories: "licensee response band," "increased regulatory response band," "required regulatory response band," or "unacceptable performance band." A portion of the flow chart logic was developed for the risk significant area of work in high and very high radiation areas and uncontrolled worker exposures. Complementary inspection findings risk characterization charts have been developed for both the occupational and public dose areas.

Public meetings have been held to benefit from stakeholder feedback and will continue as the assessment process further develops.

The disposition of inspection findings in the "as low as reasonably achievable" (ALARA) area in the occupational worker dose cornerstone is yet to be developed. Preliminary planning by the NRC staff has emphasized the importance of using quantitative criteria to help ensure consistency in risk significance decision making.

INSPECTION FINDINGS RISK CHARACTERIZATION IN RADIATION PROTECTION AREA (OCCUPATIONAL)

GREEN

(Licensee Response Band)

NRC or licensee-identified non-conformance that, if uncorrected, would result in an unplanned occupational TEDE greater than 100 mrem or >2% of 10 CFR Part 20 dose limits.

WHITE

(Increased Regulatory Response Band)

Multiple NRC or licensee-identified non-conformances that, if uncorrected, would result in an unplanned occupational TEDE greater than 2 rem or >40% of 10 CFR Part 20 dose limits (with one or more PIs involving unplanned occupational TEDE greater than 100 mrem or >2% of 10 CFR Part 20 dose limits in past 12 months).

NRC or licensee-identified non-conformance involving an area with dose rates greater than 25 R/h with one or two barrier failures.

YELLOW

(Required Regulatory Response Band)

NRC or licensee-identified non-conformance that, if uncorrected, would result in an actual or substantial potential for an occupational TEDE in excess of 5 rem or greater than 10 CFR Part 20 dose limits.

NRC or licensee-identified non-conformance involving an area with dose rates greater than 25 R/h with three or more barrier failures.

NRC or licensee-identified non-conformance involving an area with dose rates greater than 500 R/h with one or two barrier failures.

RED (Loss of confidence in HP program's ability to provide assurance of worker safety)

NRC or licensee-identified non-conformance that, if unidentified and uncorrected, would result in an actual or substantial potential for an occupational TEDE in excess of 25 rem or greater than five times 10 CFR Part 20 dose limits.

NRC or licensee-identified non-conformance involving an area with dose rates greater than 500 R/h with three or more barrier failures.


INSPECTION FINDINGS RISK CHARACTERIZATION IN RADIATION PROTECTION AREA (PUBLIC EXPOSURE)

GREEN (Licensee Response Band)

NRC or licensee identified non-conformance that results in exposure to a member of the public from releases of radioactivity and radiation to a TEDE less than or equal to 0.025 rem.

NRC or licensee identified non-conformance of the monitoring or control of radioactive gaseous or liquid effluents that did not compromise the ability to maintain exposure to a member of the public within Technical Specifications (i.e., keep radioactive effluents within design objectives of Appendix I to 10 CFR Part 50).

NRC or licensee identified non-conformance that did not compromise the effectiveness of the radiological environmental monitoring program (i.e., the level of radioactivity in the sample medium was within the reporting levels in the Technical Specifications or the ODCM; or no more than 2 occurrences in which the required environmental sampling was not performed).

NRC or licensee identified non-conformance in which a land use census was not conducted in accordance with the Technical Specifications or the ODCM.

NRC or Licensee identified non-conformance in which the interlaboratory comparison program was not performed in accordance with the Technical Specifications or the ODCM.

WHITE (Increased Regulatory Response Band)

NRC or licensee identified non-conformance that results in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE greater than 0.025 rem, but less than or equal to 0.1 rem; or 2 or more occurrences that resulted in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE less than or equal to 0.025 rem.

NRC or licensee identified non-conformance of the radiological effluent monitoring program to adequately monitor or control the discharge of radioactive gaseous or liquid effluents which results in an estimated exposure to a member of the public in excess of the Technical Specifications (i.e., doses were greater than the design objectives of Appendix I to 10 CFR Part 50).

NRC or licensee identified non-conformance of the radiological environmental monitoring program where, as a result of plant effluents, there were 2 or more occurrences of environmental sample media exceeding the reporting levels specified in the Technical Specifications or the ODCM or 4 or more occurrences in which the required environmental sampling was not performed.

YELLOW (Required Regulatory Response Band)

NRC or licensee identified non-conformance that results in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE greater than 0.1 rem, but less than or equal to 0.5 rem; or 5 or more occurrences that resulted in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE less than or equal to 0.025 rem.

NRC or licensee identified non-conformance of the radiological effluent monitoring program to adequately monitor or control the discharge of radioactive gaseous or liquid effluents which results in 2 or more occurrences of an estimated exposure to a member of the public in excess of the Technical Specifications (i.e., doses were greater than the design objectives of Appendix I to 10 CFR Part 50).

NRC or licensee identified non-conformance of the radiological environmental monitoring program where, as a result of plant effluents, there were 4 or more occurrences of environmental sampling media exceeding the reporting levels specified in the Technical Specifications or the ODCM; or 8 or more occurrences in which the required environmental sampling was not performed.

RED (Loss of confidence in the Licensee's ability to provide assurance of radiological safety to a member of the public)

NRC or licensee identified non-conformance that results in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE greater than 0.5 rem; or 5 or more occurrences that resulted in an estimated exposure to a member of the public from releases of radioactivity and radiation to a TEDE greater than 0.025 rem.

NRC or licensee identified non-conformance of the radiological effluent monitoring program to adequately monitor or control the discharge of radioactive gaseous or liquid effluents which results in 4 or more occurrences of an estimated exposure to a member of the public in excess of the Technical Specifications (i.e., doses were greater than the design objectives of Appendix I to 10 CFR Part 50).

NRC or licensee identified non-conformance of the radiological environmental monitoring program where, as a result of plant effluents, there were 8 or more occurrences of environmental sampling media exceeding the reporting levels specified in the Technical Specifications or the ODCM; or 16 or more occurrences in which the required environmental sampling was not performed.

Process Flow Diagram is currently under development.

Attachment 3

Safeguards

DRAFT

Detailed Narrative is currently being developed. Process flow is described in the figure below.

[Figure: Safeguards process flow diagram]


ATTACHMENT 4:

CHANGES TO THE ENFORCEMENT POLICY

1. INTRODUCTION AND PURPOSE

As described in NUREG-1600, Revision 1, "General Statement of Policy and Procedures for NRC Enforcement Actions," the purpose of the current NRC enforcement program is to support the NRC's overall safety mission in protecting the public and the environment. Consistent with that purpose, enforcement actions have been used as a deterrent to emphasize the importance of compliance with requirements and to encourage prompt identification and prompt, comprehensive correction of violations.

The Enforcement Policy provides that prompt and vigorous enforcement action has [...] been taken when dealing with licensees, contractors, and their employees who do not devote the necessary meticulous attention to detail and do not achieve the high standard of compliance that the NRC expects. In addition, the staff reviews each case and determines the action to be taken dependent on the circumstances of the case.

The current enforcement process has been successful in focusing attention on compliance issues to improve safety. The process is used to (1) assess the significance of individual inspection findings and events, (2) formulate the appropriate agency response to these findings and events, (3) emphasize good performance and compliance, (4) provide incentives for performance improvement, and (5) provide public notification of the NRC's views on licensees' performance and actions. It is noteworthy that while there have been substantial changes to the enforcement program since 1986, the basic theory of enforcement using sanctions including the use of civil penalties to deter noncompliance has been used by the Commission for almost thirty years. In sum, escalated enforcement actions provide regulatory messages, in the context of sanctions, to encourage licensees to improve their performance.

However, the NRC has not always integrated the decision making in the Systematic Assessment of Licensee Performance (SALP) process with the enforcement process. This has resulted in mixed regulatory messages regarding performance and [...] improve it. Further, the enforcement process has been criticized as not being sufficiently risk informed, resulting in licensees focusing on issues of relatively low risk significance at the expense of risk significant items, as well as being difficult to understand, subjective, inconsistent, and unpredictable.

The development of a new reactor oversight process with a more structured performance assessment process, including a process to evaluate the significance of individual compliance findings with more predictable regulatory responses through its action matrix, provides an opportunity to reconsider the existing enforcement process. In considering a new approach to enforcement, the staff is not saying that the existing process which used civil penalties has not served the agency or is ineffective. However, given a viable oversight process, a greater agency focus on risk and performance, and the maturing of the industry with improved overall performance, this is an opportunity to develop an approach to enforcement that will integrate with the reactor oversight process. Based on the following, the new assessment process provides similar functions as the current enforcement process:

Individual compliance findings are evaluated for significance under each system.

Both the current enforcement and the new oversight processes result in formulating agency responses to violations and performance issues. The enforcement process uses sanctions such as citations and penalties. It also uses processes similar to what the assessment process action matrix utilizes such as meetings to discuss deteriorating performance, 50.54(f) letters, Demands for Information, Confirmatory Action Letters, and Orders to formulate the agency response.

Both processes provide incentives to improve performance and compliance as they provide measures of deterrence since licensees [...] strive to avoid the negative performance labels with resulting regulatory actions and enforcement sanctions.

Both approaches also provide the public with the NRC's views on licensees' performance and compliance.

Given the similarities in the purposes of the two programs, the goal was not to continue having two separate and independent processes. The enforcement program should complement the assessment program by focusing on individual violations. The agency response to declining performance, whether caused by violations or other concerns, should be dictated by the agency action matrix. The result should be a unified approach within the agency for determining and responding to performance issues of a licensee that (a) maintains a focus on safety and compliance, (b) is more consistent with predictable results, (c) is more effective and efficient, (d) is easily understandable, and (e) promotes public confidence in the regulatory process. Enforcement should, therefore, support the agency oversight process rather than drive it.

2. PROPOSED ENFORCEMENT APPROACH

2.1 Background

In order to ensure a consistent approach between the enforcement and assessment process, one agency method for categorizing the risk significance of findings involving violations should be utilized. The Inspection Finding Risk Characterization Process (IFRCP) is being developed to characterize inspection findings based on their risk significance and performance impact. To support a unified approach to significance, the enforcement program should also use the results of the IFRCP categorization of the significance of findings involving violations.

The significance of an issue in the new assessment process may differ with what would be determined under the current enforcement policy. This is due to the differences between the current enforcement policy and the methodology to be used in the IFRCP. The current enforcement policy [...] focuses on causes as well as the consequences; in some cases the root cause of violations has been perceived to be more significant than the consequences. The IFRCP for reactor safety cornerstones is a more risk driven process that considers only the effect of equipment degradation on the ability to mitigate [...] and that effect on the change on core damage frequency (CDF). As discussed elsewhere in this paper, each compliance finding will be evaluated to determine its risk significance and will formulate an input in the assessment process. Significant violations, i.e., violations in a risk range of greater than 10 4 CDF will be evaluated as significant and categorized into a color band. Violations evaluated at less than 10 4 CDF would not be considered significant violations. Health physics, safeguards, and emergency preparedness violations will also be subject to an analysis to categorize the significance of compliance findings. As a result, some issues that were considered significant violations under the current enforcement policy may not be of significance under the assessment process.

When analyzing different options for revising the enforcement policy to be consistent with the assessment process, the staff considered a process of using a direct tie to the significance of a finding determined by the IFRCP categorization. For example, following disposition of the significance of an issue by the IFRCP, the enforcement process could disposition the issue as follows:

Green - Severity Level 4 violation

White - Severity Level 3 violation

Yellow - Severity Level 2 violation

Red - Severity Level 1 violation

i. '

An assessment process with sanctions similar to the current orcement process could be used based on the severity level. Although this option would pr'sie5e a more traditional This is because the underlying process for de'tir(mining thEsignificarice using the IFRCP is risk driven, particularlyjoithe rehetof ssfety corfferstones, and relles on various assumptions in performing the analysis. Tiid lacl(of standirdized methodoiogy for making these assumptions and for p f fidality of Probabilistic Riskerds Assessm,ef (PR.A's)', may o'rming theie mdlie decisions types'of to cite risk a violation at aassessmen particular severity licensee's differing level and impo e;d risk a4sissment rnithodology.' In additi assumptions'an messages may likely occur $s ~ei1forcemeit arction res6lting from the traditional enforcement approacgdaybeincon ' ent the actidos"flowlI1g from the assessment action matrix.

2.2 The Proposed Enforcement Approach

As a result of problems inherent in tying the assessment of findings directly to the color bands of the assessment process described above, a different approach was considered.

Because the assessment process will provide many of the functions and objectives that the enforcement program had been performing in the past and the overall improved performance of licensees, a new enforcement approach is warranted that will complement the assessment process. In developing a new approach, the staff had the following objectives:

1) Enforcement needs to be consistent with the safety philosophy of the assessment process.
2) It needs to maintain an emphasis on compliance.
3) The enforcement process needs to be simplified and predictable to [...] efficient and effective process.
4) It needs to support public confidence in the NRC regulatory process.
5) As with other agency actions, it should not create unnecessary regulatory burdens.

Similar concerns could occur under the new assessment process. However, in the past the assessment process has not been as adversarial as the enforcement process.

The proposed approach meets these objectives. It essentially divides violations into two groups. The first group are those violations that can be evaluated under the IFRCP where appropriate action will be determined by the agency action matrix. The second group are those violations outside the capability of the IFRCP, such as willful violations, those that impede the regulatory process, and those with actual dose or release consequences.

2.2.1 Violations handled by the Assessment Process Action Matrix

The first group of violations are those that will be assessed [...] action matrix.

Violations will be considered as either formal or informal enforcement [...] severity [...] used. Violations that are evaluated by the IFRCP as not being risk significant [...] perspective will be inputs to the licensee response band. Such violations will be [...] for informal enforcement and treated as non-cited violations consistent with the criteria of Appendix C, Interim Enforcement Policy for Reactor Severity Level IV Violations. Three of the four exceptions to the Interim Enforcement Policy would remain in place. [...] violation would normally be issued only if (1) the licensee fails to restore compliance within a reasonable time after the violation was identified, (2) the licensee fails to place the violation into the corrective action program, and (3) the violation was willful. Willful violations will be treated in accordance with the current section VII.B.1(d) of the Enforcement Policy.

The other exception from issuing a non-cited violation [...] Enforcement Policy is where the violation is repetitive as a result of inadequate corrective action [...] the NRC. The significance of this type of violation is based on the effectiveness of the licensee's corrective action program, which is a performance assessment issue. The assessment process should determine the significance of this type of a violation, and if not risk significant, even if repetitive, this violation would be treated as non-cited. It is noted that in SECY 98-256 the staff stated that this exception might be re-considered based on the new oversight [...]

Violations that are evaluated by the IFRCP as risk significant will be assigned a color band related to their significance and will be considered for formal enforcement action. As a result of being risk significant, a formal notice of violation will be issued requiring a formal written response unless sufficient information is already on the docket. Although this approach may have some of the same [...] as noted above by using non standard methodologies for assessing risk, it should be easier to determine whether a violation is risk significant than to determine and defend the risk significance to the degree required to place it into a specific color band range. The enforcement approach will be based on the significance of the violation or [...] of violations, independent of the response band the licensee is in at the time.

The assessment action matrix and not the enforcement process will be used to formulate the agency response, to determine root causes if warranted and to emphasize the need to improve performance for safety significant violations. Regulatory conferences and other actions as determined by the action matrix will be held if the specific violations or if overall licensee performance merits it. As a result, the assessment matrix with its escalating responses, (e.g.,


increased inspection costs, regulatory attention, and regulatory actions) will provide the incentives and deterrence for licensees to avoid being in the increased regulatory response band. Thus, the staff is not proposing the use of the traditional enforcement approach with civil penalties to provide deterrence. This approach will result in enforcement complementing assessment, maintaining consistency and promoting a predictable and unified regulatory message. If consistently applied, it should build public confidence.

2.2.2 Violations Subject to Traditional Enforcement

In the proposed enforcement approach, the traditional enforcement [...] would be retained, with the potential for imposition of civil penalties for the second group of violations. These are violations which are outside of the ability of the IFRCP to determine a significance and where a more punitive approach is warranted for deterrence. This approach would [...] enforcement policy including severity levels and civil penalties based on the current [...] involve (1) willfulness including discrimination, (2) actions that impede [...] process for oversight of licensee activities, and (3) involve actual consequences such as an overexposure to the public or plant personnel or a substantial release of radioactive material.

Violations associated with actions that impede the regulatory process include violations that involve reporting issues, failure to obtain NRC approvals such as for [...] facility as required by 10 CFR 50.59, 10 CFR 50.54(a), 10 CFR 50.54(p) and failures to provide the NRC with [...]

Finally, there may be particularly significant violations where it is appropriate to have a civil penalty, notwithstanding the program described above, for violations addressed in the action matrix. While expected to be rare, the staff does not believe the Commission's policy should prohibit it from exercising the Section 234 authority of the Atomic Energy Act. Therefore, the policy should provide provisions for the Commission to impose civil penalties for particularly significant cases. For example, a significant violation of a safety limit as described in 10 CFR 50.36 (a) or for an inadvertent criticality, both of which are Severity Level I violations in the current enforcement policy.

The approach described above will ensure that there is a focus on compliance, and corrective action will be addressed. The proposed process builds on the interim enforcement policy by relying on the licensee's corrective action program for less significant violations. It will leverage the NRC's resources by retaining formal responses for more significant violations.

2.2.2.1 Comparison of Proposed Process with the Current Enforcement Policy

OE performed a review of escalated enforcement action issued during 1997 and 1998 to determine how many of these issued violations might remain under the traditional approach in the new enforcement process. The review indicated that about 17% of escalated violations were related to willfulness, impeding the regulatory process or actual consequences.

Public Perception of the Proposed Enforcement Policy Changes

The Office of Public Affairs (OPA) has raised some concerns regarding public perception with this proposed approach. OPA surmises that if the NRC abandons civil penalties abruptly, except in those rare cases involving such things as "willful disregard" or actual radiological exposures, for what traditionally have been serious Severity Level I, II and III violations, there will be a temptation for some public interest groups and news reporters to cite this as "evidence" that the agency is lowering the bar on regulatory standards. Critics know that licensees abhor even worse than a civil penalty the accompanying press release and pre-decisional enforcement conference which raise questions in the public's mind about the reactor operator scrupulously observing safety requirements. If the NRC issues an order requiring certain corrective actions, this may not be the case; but if a violation is merely turned over to the licensee's own corrective action program, it is apt to cause a perception problem in local communities. OPA suggests that the public tends to view civil [...] as evidence the NRC is on the job, protecting public health and safety. A diminution of civil penalties because of an even greater focus on safety significant violations could be [...] applauded. But the nearly total abandonment of penalties could be easily misconstrued as an abrogation of regulatory responsibility.

The staff acknowledges that these perception problems may [...] as the process is implemented. However, once the public and media become more knowledgeable on the details of the assessment, inspection and enforcement processes and how they fit together, the consistent agency approach to licensees should become recognized. A process that is more predictable, objective, and understandable, in the long term, should increase public confidence that the agency is satisfying its mission. A strong communication outreach effort emphasizing that the NRC is continuing to focus on compliance as part of the agency's effort to become more risk informed and performance based and [...] an overall approach to reactor oversight may minimize but not eliminate the concern [...]

3. Conclusion

This proposed enforcement approach is a clear shift from the past implementation of the NRC enforcement function. However, it will continue to maintain a compliance focus by the use of formal and informal enforcement actions as NRC moves to a more risk informed and performance based regulatory process. The NRC regulatory response will be based on the safety significance of issues and overall performance of a licensee. There will continue to be increased regulatory scrutiny and deterrence for poor performance that should result in maintaining satisfactory levels of performance as licensees strive to avoid regulatory costs associated with increased inspection and attention. Because the assessment process will be performing many of the functions that the enforcement process was providing in the past, there is a reduced need for the process of varying severity levels and the imposition of civil penalties. It should provide a more consistent regulatory message. Although the abandonment of civil penalties for most reactor cases may initially result in a perceived negative public perception problem, the overall approach to assessment, inspection and enforcement should in the long term provide assurance to the public that the NRC is fulfilling its mission of protecting the public health and safety. Finally, this approach should result in NRC and licensees resolving issues in a less adversarial manner.


DRAFT

REGULATORY ASSESSMENT PERFORMANCE INDICATOR PILOT PROGRAM GUIDELINE

April 1999

REGULATORY ASSESSMENT PERFORMANCE INDICATOR GUIDELINE

EXECUTIVE SUMMARY

TABLE OF CONTENTS

1. INTRODUCTION

The purpose of this manual is to provide guidance to reactor licensees for reporting the data necessary to support the NRC's performance assessment pilot program. This program has been developed through a cooperative effort among the NRC, the Nuclear Energy Institute, and the public, during a series of public meetings.

Performance indicators have been selected to monitor licensee performance in certain areas. The thresholds have been selected to provide an objective indication for the need to apportion NRC inspection resources based on plant performance. (For a detailed description of how the thresholds were established, see the appropriate appendix to Attachment 2 of SECY 99-007, "Recommendations for Reactor Oversight Process Improvements.") The purpose of the pilot program is to test and assess the performance indicators and the reporting system before full industrywide implementation on January 1, 2000.

A summary of the performance indicators and their associated thresholds is provided in Table 1.

2. General Reporting Guidance

The reporting of performance indicators is a function separate and distinct from other NRC reporting requirements. Licensees participating in the pilot program will continue to submit appropriate regulatory reports as required by regulations, such as 10 CFR 50.72 and 10 CFR 50.73.

During the pilot program, participating licensees should compile and submit the cornerstone performance indicator data described in this manual on a monthly basis. The data is to be submitted electronically by the 14th of the following month. The format and general reporting requirements are described in Appendix A.

[Table 1, the summary of the performance indicators and their associated thresholds, is not legible in this copy.]

PERFORMANCE INDICATORS

INITIATING EVENTS CORNERSTONE

Unplanned Scrams per 7,000 Critical Hours

Purpose: This indicator monitors the number of events that upset plant stability and challenge safety functions. It measures the rate of initiating events per year of operation at power (one year of operation with an availability factor of 0.80 is equivalent to about 7,000 critical hours). This establishes a uniform basis for reporting among plants.

Definition: The number of unplanned scrams during the last 12 months, both manual and automatic, while critical per 7,000 hours of critical operation.

Unplanned means that the scram was not an intentional part of a planned evolution or test as directed by a normal operating or test procedure; this includes scrams that occurred during the execution of procedures in which there was a high chance of a scram occurring but the scram was not intended.

Scram means the shutdown of the reactor by the rapid addition of negative reactivity by any means, e.g., insertion of control rods or boron.

A manual scram is one caused by an operator action to directly insert negative reactivity, such as pushing the manual scram buttons, turning the mode switch to shutdown, or initiating the injection of liquid boron.

An automatic scram is one in which the initial signal that actuated the reactor protection system logic was provided from one of the sensors monitoring plant parameters and conditions. This includes manual turbine trips which automatically scram the reactor.

The scram rate is calculated per 7,000 critical hours because that value is an average of the critical hours of operation in a year for a typical plant.

Critical means that the effective multiplication factor (keff) of the reactor at the time of the scram was essentially equal to one.

Data Elements: The following data are required to calculate this indicator:
• the number of unplanned automatic scrams while critical in the previous 12 months
• the number of unplanned manual scrams while critical in the previous 12 months
• the number of hours of critical operation in the previous 12 months

Calculation: The unit values for this indicator are determined as follows:

value for a unit = (total unplanned scrams while critical) x 7,000 / (total number of hours critical)

Data Qualification Requirements: Because rate indicators can produce misleadingly high values when the denominator is small, this performance indicator will not be calculated when there are fewer than 2,400 critical hours in the last 12 months. Instead, performance will be assessed through supplemental inspection.

Reporting Requirements: The following data should be reported monthly:
• the number of automatic scrams in the previous month
• the number of manual scrams in the previous month
• total number of unplanned scrams (auto + manual scrams)
• the number of critical hours in the previous month
• the unit value for this indicator (if there are fewer than 2,400 critical hours in the previous 12 months, report the indicator as N/A)

Clarifying Notes:

This performance indicator is the same as the WANO indicator except that it includes manual scrams because, from a risk perspective, they are as important as automatic scrams.

Examples of the types of scrams included are those that resulted from unplanned transients, equipment failures, spurious signals, human error, or those directed by abnormal, emergency, or annunciator response procedures.

Dropped rods, single rod scrams, or half scrams are not considered reactor scrams.

Scrams that occur as part of the normal sequence of a planned shutdown and scram signals that occur while the reactor is shut down are not counted.

A scram that is initiated to avoid exceeding a technical specification action statement time limit is counted.

Transients per 7,000 Critical Hours

Purpose:

This indicator monitors the number of unplanned events (excluding scrams) that could have, under other plant conditions, challenged safety functions.

It may provide leading indication of risk significant events but is not itself risk-significant. The indicator measures the rate of plant transients for a typical year of operation at power. This establishes a uniform basis for reporting among plants.

Definition: The number of unplanned changes in reactor power of greater than 20% per 7,000 hours of critical operation. It includes uncontrolled excursions in reactor power as well as unplanned controlled power reductions.

Unplanned power changes (reductions) are controlled changes in steady state reactor power that are initiated less than 72 hours following the discovery of an off-normal condition, and that result in, or require, a change in power level of greater than 20% to resolve.

Uncontrolled excursions in reactor power are transitory changes in reactor power that occur in response to changes in reactor or plant conditions and are not an expected part of a planned evolution or test.

The transient rate is calculated per 7,000 critical hours because that value is representative of the critical hours of operation in a year for a typical plant.

Data Elements: The following data are required to calculate this indicator:
• the number of transients in the previous 12 months
• the number of hours of critical operation in the previous 12 months

Calculation: The unit values for this indicator are determined as follows:

value for a unit = (total number of transients over the last 4 quarters) x 7,000 / (total number of hours critical)

Data Qualification Requirements: Because rate indicators can produce misleadingly high values when the denominator is small, this performance indicator will not be calculated when there are fewer than 2,400 critical hours in the last 12 months. Instead, performance will be assessed through supplemental inspection.

Reporting Requirements: The following data should be reported monthly:
• the number of transients in the previous month
• the number of critical hours in the previous month
• the indicator value for the previous 12 months (if there are fewer than 2,400 critical hours in the last 12 months, report the indicator as N/A)

Clarifying Notes:

Unplanned power changes and shutdowns include those conducted in response to equipment failures or personnel errors and those conducted to perform maintenance. They do not include automatic or manual scrams or load following power changes.

Uncontrolled excursions include essentially all actual unplanned changes in reactor power other than scrams and unplanned power changes and shutdowns. Apparent power changes that are determined to be caused by instrumentation problems are not included.

Examples of transients are runbacks and power oscillations.

Transients are included as potential precursors to more risk significant events; because they themselves are not risk significant, only the Increased Regulatory Response (green white) threshold is applicable.

Anticipatory power reductions intended to reduce the impact of external events such as hurricanes or range fires threatening offsite power transmission lines, and power changes requested by the system load dispatchers, are excluded.
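A worked version of the two rate calculations above (unplanned scrams and transients per 7,000 critical hours), including the 2,400-hour data qualification rule. This is an added example, not part of the NRC draft; the record layout, the function names, the 744-hour sanity bound, the 12-report minimum and the sample months are assumptions constructed for illustration.

```python
"""Rolling 12-month rate indicators: events per 7,000 critical hours."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NORMALIZATION_HOURS = 7000   # guideline: critical hours in a typical year
MIN_CRITICAL_HOURS = 2400    # guideline: below this, report N/A
WINDOW_MONTHS = 12           # guideline: previous 12 months
MAX_HOURS_IN_MONTH = 744     # assumption: 31 days x 24 h sanity bound


@dataclass(frozen=True)
class MonthlyReport:
    """One monthly submission; field names are assumptions for this example."""
    month: str
    auto_scrams: int
    manual_scrams: int
    transients: int
    critical_hours: float

    def validate(self) -> None:
        counts = (self.auto_scrams, self.manual_scrams, self.transients)
        if any(c < 0 for c in counts):
            raise ValueError(f"{self.month}: negative event count")
        if not 0 <= self.critical_hours <= MAX_HOURS_IN_MONTH:
            raise ValueError(f"{self.month}: implausible critical hours")


def rate_per_7000(events: int, critical_hours: float) -> Optional[float]:
    """events x 7,000 / critical hours, or None (N/A) when the denominator
    is too small for the rate to be meaningful."""
    if critical_hours < MIN_CRITICAL_HOURS:
        return None
    return events * NORMALIZATION_HOURS / critical_hours


def indicators(reports: List[MonthlyReport], end: int) -> Dict[str, Optional[float]]:
    """Indicator values for the 12 months ending at reports[end].

    Assumption: a value is produced only once 12 monthly reports exist.
    """
    if end < WINDOW_MONTHS - 1 or end >= len(reports):
        raise ValueError("need 12 consecutive monthly reports ending at 'end'")
    window = reports[end - WINDOW_MONTHS + 1 : end + 1]
    for report in window:
        report.validate()
    hours = sum(r.critical_hours for r in window)
    scrams = sum(r.auto_scrams + r.manual_scrams for r in window)
    transients = sum(r.transients for r in window)
    return {
        "critical_hours": hours,
        "scrams_per_7000": rate_per_7000(scrams, hours),
        "transients_per_7000": rate_per_7000(transients, hours),
    }


def as_reported(value: Optional[float]) -> str:
    """Text for the monthly submission; one decimal place is an assumption."""
    return "N/A" if value is None else f"{value:.1f}"


# Constructed sample (not plant data): a unit with a two-month outage.
# Columns: month, automatic scrams, manual scrams, transients, critical hours.
_ROWS = [
    ("1999-01", 0, 0, 0, 744), ("1999-02", 1, 0, 0, 600),
    ("1999-03", 0, 0, 1, 744), ("1999-04", 0, 0, 0, 0),
    ("1999-05", 0, 0, 0, 0),   ("1999-06", 0, 1, 0, 496),
    ("1999-07", 0, 0, 0, 744), ("1999-08", 0, 0, 1, 744),
    ("1999-09", 0, 0, 0, 720), ("1999-10", 0, 0, 1, 744),
    ("1999-11", 0, 0, 0, 720), ("1999-12", 0, 0, 0, 744),
    ("2000-01", 0, 0, 0, 744), ("2000-02", 0, 0, 0, 696),
]
SAMPLE = [MonthlyReport(*row) for row in _ROWS]

# Constructed sample: critical for three months only (2,232 h), one scram.
LONG_OUTAGE = [
    MonthlyReport(f"2001-{m:02d}", 1 if m == 1 else 0, 0, 0, 744 if m <= 3 else 0)
    for m in range(1, 13)
]

if __name__ == "__main__":
    for end in range(WINDOW_MONTHS - 1, len(SAMPLE)):
        result = indicators(SAMPLE, end)
        print(SAMPLE[end].month, result["critical_hours"],
              as_reported(result["scrams_per_7000"]),
              as_reported(result["transients_per_7000"]))
    outage = indicators(LONG_OUTAGE, 11)
    print("long outage:", as_reported(outage["scrams_per_7000"]))
```

In the long-outage sample a single scram over 2,232 critical hours would compute to more than 3 per 7,000 hours, which is the misleadingly high value the qualification rule suppresses.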

MITIGATING SYSTEMS

This section defines the performance indicators used to monitor licensee performance in mitigating the effects of initiating events, and describes their calculational methods.

While safety systems and components are generally thought of as those that are designed for design basis accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk is often influenced not only by front-line mitigating systems, but also by support systems and equipment. Such systems and equipment, both safety- and non-safety-related, have been considered in selecting the performance indicators for this cornerstone. Not all aspects of licensee performance can be monitored by performance indicators, and risk informed baseline inspections are used to supplement those indicators.

Safety System Performance Indicator, Unavailability

Purpose:

The purpose of the safety system performance indicator is to monitor the readiness of important safety systems to perform their safety functions in response to off-normal events or accidents.

Data Reporting Requirements:

The safety system performance indicator data will be reported monthly for those plants participating in the pilot program. For further information see the data reporting instructions.

Scope

The safety systems monitored by this indicator are the following:

BWRs
• high pressure injection systems - (high pressure coolant injection, high pressure core spray, feedwater coolant injection)
• heat removal systems - (reactor core isolation cooling, isolation condenser)
• residual heat removal system*
• emergency AC power system

PWRs
• high pressure safety injection system
• auxiliary feedwater system
• emergency AC power system
• residual heat removal system

These systems were selected for the safety system performance indicator based on their importance in preventing reactor core damage or extended plant outage. Not every risk important system is monitored. Rather, those that are generally important across the broad nuclear industry are included within the scope of this indicator. They include the principal systems needed for maintaining reactor coolant inventory following a loss of coolant, for decay heat removal following a reactor trip or loss of main feedwater, and for providing emergency AC power following a loss of plant off-site power.

Except as specifically stated in the definition and reporting guidance, no attempt is made to monitor or give credit in the indicator results for the presence of other systems at a given plant that add diversity to the mitigation or prevention of accidents. For example, no credit is given for additional power sources that add to the reliability of the electrical grid supplying a plant because the purpose of the indicator is to monitor the effectiveness of the plant's response once the grid is lost.

*At some BWR units, the suppression pool cooling and the shutdown cooling functions are performed by separate systems. The systems to be monitored for these units are described in Enclosures 2 and 3.

Definitions:

The performance indicator is calculated separately for each of the four systems for each reactor type. The safety system performance indicator first measures the fraction of time that a train is unable to perform its intended safety function due to planned and unplanned unavailability, and from fault exposure unavailability resulting from train failure when the system is required to be available for service.

The indicator is the ratio of the hours the train is unavailable (out of service hours) due to these causes, to the hours the system was required to be available for service.

The sum of the individual train unavailabilities is then averaged over the number of trains to produce the average train unavailability as the indicator value.

Data Elements:

The elements needed to calculate a train's unavailability are:

  • planned unavailable hours
  • unplanned unavailable hours
  • fault exposure unavailable hours
  • hours the train was required to be available for service

A train's unavailable hours consist of the sum of the planned and unplanned unavailable hours and the fault exposure unavailable hours. Collectively, these data elements define the total number of hours that a train was not available for service during the reporting period.

Unavailable hours are only counted for periods when a train is required to be available for service. Guidance regarding the time a train is required to be available for service is provided under "Hours Train Required." The required data elements are defined as follows:

  • Planned unavailable hours: These hours include time the train was out of service for maintenance, surveillance testing, equipment modification, or any other time equipment is electively removed from service and the activity is planned in advance.

  • Unplanned unavailable hours: These hours include corrective maintenance time or elapsed time between the discovery and the restoration to service of an equipment failure or human error that makes the train unavailable (such as a misalignment).

  • Fault exposure unavailable hours: These are hours that a train was in an undetected, failed condition.

For systems that have installed spare components, train unavailable hours are not counted for certain situations. For further information, see Clarifying Notes.

Some power plants have safety systems with extra trains to allow preventive maintenance to be carried out with the unit at power without violating the single failure criterion (when applied to the remaining trains). That is, one of the remaining trains may fail, but the system can still achieve its safety function as required by the safety analysis.

For purposes of the safety system performance indicator, plants that have systems with an extra train (maintenance train) as defined above, that may be removed from service for an unlimited time, may avoid reporting both planned and unplanned unavailability for one such train at a time. Fault exposure unavailable hours associated with failures involving these trains are always counted and reported, irrespective of whether the failure occurred while the train was in standby service or in maintenance. See the Clarifying Notes for additional details.

Planned Unavailable Hours

Planned unavailable hours are hours that a train is not available for service for an activity that is planned in advance. The beginning and ending time of planned unavailable hours are known.[2] Causes of planned unavailable hours include, but are not limited to, the following:

  • preventive maintenance, corrective maintenance on non-failed components, or inspection requiring a component or train to be mechanically and/or electrically removed from service
  • planned support system unavailability causing a train of a monitored system to be unavailable (e.g., AC or DC power, instrument air, service water, component cooling water, or room cooling)
  • surveillance testing, unless the testing configuration is automatically overridden by a valid starting signal or can be quickly overridden within 10 following such a signal, either by an operator in the control room or one stationed locally for that purpose
  • any modification that requires the train to be mechanically and/or electrically removed from service

The reason planned unavailable hours are included, subject to additional provisions addressed in the Clarifying Notes, is that the portions of the system are unavailable during these activities to perform their intended monitored safety function.

[2] Accumulation of unavailable hours ends when the train is returned to a normal standby alignment. However, if a subsequent test (e.g., post maintenance test) shows the train not to be capable of performing its safety function, the time between the return to normal standby alignment and the unsuccessful test is reclassified as unavailable hours.

It is recognized that such planned activities can have a net beneficial effect in terms of reducing unplanned unavailability and fault exposure unavailable hours (as discussed further below). In fact, if planned activities are well managed and effective, fault exposure unavailable hours and unplanned unavailable hours are minimized. Therefore, it is not necessarily desirable that planned unavailable hours be avoided or minimized during periods when the system is required to be available for service. Rather, the objective should be to attain an overall indicator value that, while low, allows for planned maintenance activities to help maintain system reliability and availability consistent with safety analyses.

Stations with a high degree of redundancy in the design of the monitored systems may be able to avoid reporting planned unavailable hours under some circumstances. See Attachment M for additional details.

Unplanned Unavailable Hours

Unplanned unavailable hours are the hours that a train is not available for service for an activity that was not planned in advance. The beginning and ending time of unplanned unavailable hours are known (see Footnote 2). Causes of unplanned unavailable hours include, but are not limited to, the following:

  • corrective maintenance time following detection of a failed component (the time between failure and detection would be counted as fault exposure unavailable hours as discussed below)
  • unplanned support system unavailability causing a train of a monitored system to be unavailable (e.g., AC or DC power, instrument air, service water, component cooling water, or room cooling)
  • human errors leading to train unavailability (e.g., valve or breaker mispositioning -- only the time to restore would be reported as unplanned unavailable hours; the time between the mispositioning and discovery would be counted as fault exposure unavailable hours as discussed below)

Fault Exposure Unavailable Hours

The concept of fault exposure unavailable hours is extremely important to the accuracy of the safety system performance indicator because it reflects the amount of time that a train spends in an undetected, failed condition. Three situations involving fault exposure unavailable hours can occur.

In the first case, the failure's time of occurrence and its time of discovery are known. Examples of this type of failure include events external to the equipment (e.g., a lightning strike, some mispositioning by operators, or damage caused by test or maintenance activities) that caused the train failure at a known time. In these cases, the fault exposure unavailable hours are the lapsed time between the occurrence of a failure and its time of discovery.

In the second case, the failure is annunciated when it occurs. For this case, there are no fault exposure unavailable hours because the time of failure is the time of discovery. These failures include the following:

  • failure of a continuously operated component, such as the trip of an operating feedwater pump that is also used to fulfill a monitored system function, such as feedwater coolant injection in some BWRs
  • failure of a component while in standby that is annunciated in the control room, such as failure of control power circuitry for a monitored system

Failure of a standby component during a surveillance test is not typically included in the second case, unless it is known with certainty that the failure would not have occurred if the test had been conducted at an earlier date. In other words, zero fault exposure unavailable hours are only associated with standby component failures that are caused by conditions unique to the particular test in which the component fails.

For the third case, only the time of the failure's discovery is known with certainty. It is improper to assume that the failure occurred at the time of discovery for these failures because the assumption ignores what could be significant unavailable time prior to their discovery. Fault exposure unavailable hours for this case must be estimated. The value used to estimate the fault exposure unavailable hours for this case is:

the time since the last successful test or operation that proved the system was capable of performing its safety function, or the time since the start of the reporting period (one quarter), whichever is the shortest time interval.

Hours Train Required

The hours the train is required to be able to perform its safety function -- Unavailable hours are counted only for periods when a train is required to be available for service. The denominator of the unavailability calculation is the hours the train was required to be able to perform its safety function. The term "hours train required" is a default value as described below. The default value for "hours train required" will be used to calculate train unavailability. The default value is determined as follows for each system:

  • emergency AC power system: This value is estimated by the number of calendar hours in the reporting period, because emergency generators are normally expected to be available for service during both plant operation and shutdown.
  • BWR residual heat removal system: This value is estimated by the number of hours in the reporting period, because the residual heat removal system is required to be available for decay heat removal at all times.
  • all other systems: This value is estimated by the number of critical hours during the reporting period, because these systems are usually required to be in service only while the reactor is critical, and for short periods during startup or shutdown. This data element is already provided as part of the station unplanned automatic scrams per 7,000 hours critical data.

Guidance for Determining the Number of Trains in the System

A train consists of a group of components that together provide the monitored functions of the system and as explained in the enclosures for specific reactor types.

Fulfilling the design basis of the system may require one or more trains of a system to operate simultaneously. The number of trains in a system is determined as follows:

  • for systems that primarily pump fluids, the number of trains is equal to the number of parallel pumps or the number of flow paths in the flow system (e.g., number of auxiliary feedwater pumps). The preferred method is to use the number of pumps. For a system that contains an installed spare pump, the number of trains would equal the number of flow paths in the system.
  • for systems that provide cooling of fluids, the number of trains is determined by the number of parallel heat exchangers, or the number of parallel pumps, whichever is fewer
  • isolation condenser system: The isolation condenser system is considered to be a single train system for units with one isolation condenser and a two-train system for units with two 100 percent capacity or four 50 percent capacity isolation condensers.
  • emergency AC power system: the number of emergency (diesel, gas turbine, or hydroelectric) generators at the station that are installed to power shutdown loads in the event of a loss of off-site power -- This includes the diesel generator dedicated to the BWR HPCS system.

Some components in a system may be common to more than one train, in which case the effect of the performance (unavailable hours) of a common component is included in all affected trains.

Calculation:

The unit unavailability value for each safety system (except emergency AC power) is determined for each reporting period as follows:

unit unavailability value for a system =

[(planned unavailable hours) + (unplanned unavailable hours) + (fault exposure unavailable hours)] / [(hours system required) x (number of trains)]

Emergency Generators

Because emergency generators (EGs) at multi-unit stations often serve more than one unit, the indicator value for an emergency AC power system is calculated for each period as a station value as follows:

unavailability value for each EG =

[(planned unavail hours) + (unplanned unavail hours) + (fault exposure unavail hours)] / (hours system required)

station unavailability value =

(sum of all unavailable hours for all EGs) / [(average number of EGs present during the period) x (hours in period)]

Clarifying Notes:

Except as noted, the following clarifying notes are applicable to all the safety systems monitored for this indicator.

Data Sources:

Sources for identifying unavailable hours can be obtained from component failure records, control room logs, event reports, maintenance work orders, etc. Preventive maintenance and surveillance test procedures may be helpful in determining if activities performed using these procedures cause components to be made unavailable and in identifying the frequency of these maintenance and test activities.

Component Scope Exceptions

Components (e.g., annunciators, transmitters, etc.) that do not affect the monitored function of a system's principal components should not be included in the scope of components monitored for this indicator. For example, a pressure transmitter that provides only an indication of pressure would not be included. However, a pressure transmitter that could prevent a pump from starting would be monitored.

Component Failure Exceptions

Malfunctions or operating errors that did not prevent a train from being restored to normal operation within a few minutes from the control room, and did not require corrective maintenance or significant problem diagnosis, are not counted as failures.

A small oil, water and steam leak that would not preclude safe operation of the component during an operational demand of the safety system is not counted as a component failure for purposes of determining loss of train function.

Unavailable hours (planned, unplanned, and fault exposure) are not reported for the failure of certain ancillary components unless the safety function of a principal component (e.g., pump, valve, emergency generator) is affected. Such ancillary components include equipment associated with control, protection, and actuation functions; power supplies; lubricating subsystems; etc. For example, if three pressure switches arranged in a two-out-of-three logic provide low suction pressure protection for a PWR auxiliary feedwater pump, unavailable hours would not be counted for a failure of only one of these pressure switches because the single failure would not affect operability of the pump.

Installed Spares

For systems that have installed spare components, unavailable hours are not counted in certain situations. An "installed spare" is a component (or train of components) that is used as a replacement for other equipment to allow for the removal of equipment from service for preventive or corrective maintenance without incurring a limiting condition for operation (where applicable) or violating the single failure criterion. To be an "installed spare," a component must not be required in the design basis safety analysis for the system to perform its safety function.

Components that are required as backup in case of equipment failure to allow the system to meet redundancy requirements or the single failure criterion (e.g., "swing components" that automatically align to different trains or units) are not installed spares.

Unavailable hours for an installed spare are counted only if the installed spare becomes unavailable while serving as replacement for another component. This includes planned and unplanned unavailable hours and fault exposure unavailable hours.

Planned unavailable hours (e.g., preventive maintenance) and unplanned unavailable hours (e.g., corrective maintenance) are not counted for a component when an installed spare has been placed in service to perform the component's safety function.

Fault exposure unavailable hours associated with component failures or human errors are always counted, even if the failed component is replaced by an installed spare while it is being repaired. For instance, a pump in a high pressure safety injection system (that has an installed spare pump) fails its quarterly surveillance test. Unavailable hours reported for this failure would include the time needed to substitute the installed spare pump for the failed pump (unplanned unavailable hours) and one-half the time since the last successful operation of the failed pump (fault exposure unavailable hours).

Installed spares are not counted as principal pumps or emergency generators for the purpose of determining the number of trains.

Safety Systems With Extra (Redundant) Trains

Some power plants have safety systems with extra trains of components to allow preventive maintenance to be carried out with the unit at power without violating the single failure criterion (when applied to the remaining trains). That is, one of the remaining trains may fail, but the system can still achieve its safety function as required by the design basis safety analysis. Such systems are characterized by a large number of trains (usually a minimum of four, but often more).

Fluid systems that have such extra trains generally must meet design bases requirements with one train in maintenance and a single failure of another train.

For systems that have installed spare components, train unavailable hours are not counted for certain situations. Some power plants have safety systems with extra trains to allow preventive maintenance to be carried out with the unit at power without violating the single failure criterion (when applied to the remaining trains).

That is, one of the remaining trains may fail, but the system can still achieve its safety function as required by the safety analysis for J1 design bases.

For purposes of the safety system performance indicator, plants that have systems with an extra train (maintenance train) as defined above, that may be removed from service for an unlimited time, may avoid reporting both planned and unplanned unavailability for one such train at a time. Fault exposure unavailable hours associated with failures involving these trains are always counted and reported, irrespective of whether the failure occurred while the train was in standby service or in maintenance.

The following examples will help illustrate the fluid system requirements in order to benefit from this provision:

Any system containing three 50% (flow rate and/or cooling capacity) trains would not meet this requirement since full design flow rate would not be available with one train in maintenance and one train failed (single failure criterion).

Similarly, a system with four 50% trains or three 100% trains may meet the criterion, assuming the system design flow rate and cooling requirements can be met during a design basis accident anywhere within the reactor coolant or secondary system boundaries, including unfavorable locations of LOCAs and feedwater line breaks. This statement is not intended to set new design criteria, but rather, to define the level of system redundancy required if reporting of unavailable hours on a redundant train is to be avoided.

Systems Required to be in Service at All Times

The emergency AC power system and the BWR residual heat removal (RHR) system are normally required to be in service at all times. However, planned and unplanned component unavailable hours are not reported when certain components (for example, emergency generator, RHR pump) are removed from service (e.g., for preventive maintenance, corrective maintenance, or overhauls). These conditions are as follows.

Emergency AC Power System -- When a unit (or units) is/are shut down, one emergency AC power train at a time may be removed from service without incurring planned or unplanned unavailable hours under the following conditions:

For a single or multi-unit station with all units shut down, one emergency generator (EG) at a time may be electively removed from service without reporting planned and unplanned unavailable hours providing that at least one operable EG is available to supply emergency loads.

For a multi-unit station with one unit shut down and all other units operating, one EG at a time may be electively removed from service without reporting planned and unplanned unavailable hours providing that both of the following criteria are satisfied:

The EG removed from service is associated primarily with a unit that is shut down.

Removal of the EG from service has little effect on the safety of the operating units (i.e., required emergency loads for each operating unit can be met, even when accounting for the single failure of an operable EG), and there is still an operable emergency generator available to the shutdown unit.

EGs may be tested without reporting planned and unplanned unavailable hours provided that the EGs remain available for use during the test (i.e., the testing configuration is overridden by a valid automatic start signal or can be quickly overridden within a few minutes by control room operators or operators stationed locally for that specific purpose).

When the reactor is shutdown, those systems or portions of systems that provide shutdown cooling can be removed from service without incurring planned or unplanned unavailable hours under the following conditions:

Those portions of the shutdown cooling system associated with one heat exchanger flow path can be taken out of service without incurring planned or unplanned unavailable hours provided the other heat exchanger flow path is available (including at least one pump) and an alternate, closed cycle, forced means of removing core decay heat is available. The alternate means of decay heat removal need not be safety related, but must have been determined to be capable of handling the decay heat load.

With fuel still in the reactor vessel, when the decay heat load is so low that forced recirculation for cooling purposes, even on an intermittent basis, is no longer required (ambient losses are enough to offset the decay heat load), any train providing shutdown cooling may be removed from service without incurring planned or unplanned unavailable hours.

When the reactor is defueled, any trains providing shutdown cooling may be removed from service without incurring planned or unplanned unavailable hours.

When the bulk reactor coolant temperature is less than 200 F, those trains or portions of trains whose sole function is to provide suppression pool cooling may be removed from service without incurring planned or unplanned unavailable hours.

When portions of a single train provide both the shutdown cooling and the suppression pool cooling function, the most limiting set of reportability requirements should be used (i.e., unavailable hours and required hours are reported whenever at least one function is required).

For the systems discussed above, fault exposure unavailable hours are always counted, even when portions of the system are removed from service as described above.

When the plant is operating, selected components that help provide the shutdown cooling function of the RHR system are normally de-energized or racked out. This does not constitute an unavailable condition for the trains that provide shutdown cooling, unless the de-energized components cannot be placed back into service before the minimum time that the shutdown cooling function would be needed (typically the time required for a plant to complete a rapid cooldown, within maximum established plant cooldown limits, from normal operating conditions).

Fault Exposure Unavailable Hours

To provide sufficient information to properly assess fault exposure unavailable hours, at least two tests or operations of a monitored train function must be performed between overhauls or major maintenance of the components. The first test may be associated with the post-maintenance demonstration that the system is available for operation at the beginning of the time period during which the system is required to be available. At least one more test is required near the end of this period, prior to the next overhaul or major maintenance, to determine whether the components in the system have remained available throughout the period.

If a second test is not conducted to verify the "as found" operability of the train prior to maintenance, fault exposure unavailable hours should be left blank and annotated. This will cause the indicator computation to be suppressed.

When a failed or mispositioned component that results in the loss of train function is discovered during an inspection or by incidental observation (without being tested), fault exposure unavailable hours should still be reported.

A train is not unavailable if it is capable of performing its safety function. For example, if a normally open valve is found failed in the open position, and this is the position required for the train to perform its function, fault exposure unavailable hours would not be counted for the time the valve was in a failed state. However, unplanned unavailable hours would be counted for the repair of the valve, if the repair required the valve to be closed or the line containing the valve to be isolated, and this degraded the full capacity or redundancy of the system.

Fault exposure unavailable hours are not counted for a failure to meet design or technical specifications, if engineering analysis determines the train was capable of performing its safety function during an operational event. For example, if an emergency generator fails to reach rated speed and voltage in the precise time required by technical specifications, the generator is not considered unavailable if the test demonstrated that it would start, load, and run as required in an emergency.

When a component failure is detected, the time since the last successful test or operational demand may include some time when the system was not required for service. In this case, the fault exposure unavailable hours are estimated as one-half the time the system was required to be available since the last successful test or operation. For example, if a PWR high pressure injection pump is discovered to be failed 24 days after the last successful pump test, and a 10 day outage (when operability of the pump is not required) occurred between the last successful test and discovery of the failure, fault exposure unavailable hours for the pump are computed as follows: ½ x (24 - 10) days x (24 hours / day) = 168 hours.

When both the time of component failure and the time of failure discovery are known, fault exposure unavailable hours are calculated as the time the train was required to be available for service during the period between the time of failure and the time of discovery.
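The fault exposure rules and the indicator formulas above, worked through in code as an added example that is not part of the NRC/NEI draft. The function names, the single hour-based clock, and the use of None for a "left blank and annotated" entry are assumptions of this example, and the reporting-period cap on the third case is not modelled.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Window = Tuple[float, float]  # (start_hour, end_hour) on one common clock


def merge_windows(windows: Iterable[Window]) -> List[Window]:
    """Merge overlapping windows so shared hours are not subtracted twice."""
    merged: List[Window] = []
    for lo, hi in sorted(windows):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def required_hours(start: float, end: float,
                   not_required: Iterable[Window] = ()) -> float:
    """Hours in [start, end] when the train was required to be available.

    not_required lists windows (e.g. an outage) in which it was not required.
    """
    if end < start:
        raise ValueError("end precedes start")
    total = end - start
    for lo, hi in merge_windows(not_required):
        total -= max(0.0, min(end, hi) - max(start, lo))
    return total


def fault_exposure_hours(discovered: float, *,
                         failed_at: Optional[float] = None,
                         last_success: Optional[float] = None,
                         annunciated: bool = False,
                         not_required: Iterable[Window] = ()) -> Optional[float]:
    """Fault exposure unavailable hours for one failure.

    Second case: annunciated failure, time of failure is time of discovery.
    First case: failure time known, count required hours up to discovery.
    Third case: only discovery known, one-half the required hours since the
    last successful test or operation (Clarifying Notes rule).
    No prior successful test on record: modelled here as None (blank).
    """
    if annunciated:
        return 0.0
    if failed_at is not None:
        return required_hours(failed_at, discovered, not_required)
    if last_success is None:
        return None
    return 0.5 * required_hours(last_success, discovered, not_required)


@dataclass
class Train:
    planned: float                   # planned unavailable hours
    unplanned: float                 # unplanned unavailable hours
    fault_exposure: Optional[float]  # None = left blank and annotated

    def unavailable_hours(self) -> float:
        return self.planned + self.unplanned + (self.fault_exposure or 0.0)


def unit_unavailability(trains: List[Train],
                        hours_system_required: float) -> Optional[float]:
    """Total unavailable hours / (hours system required x number of trains).

    Returns None (computation suppressed) if any train has a blank entry.
    """
    if any(t.fault_exposure is None for t in trains):
        return None
    total = sum(t.unavailable_hours() for t in trains)
    return total / (hours_system_required * len(trains))


def station_eg_unavailability(egs: List[Train], average_egs_present: float,
                              hours_in_period: float) -> Optional[float]:
    """Station value for emergency generators, per the formula above."""
    if any(e.fault_exposure is None for e in egs):
        return None
    total = sum(e.unavailable_hours() for e in egs)
    return total / (average_egs_present * hours_in_period)


if __name__ == "__main__":
    # The document's example: failure found 24 days after the last successful
    # test, with a 10 day outage in between (outage placement is constructed).
    fe = fault_exposure_hours(24 * 24, last_success=0,
                              not_required=[(5 * 24, 15 * 24)])
    print("fault exposure hours:", fe)
    # Constructed sample data for a two-train system, 2000 critical hours.
    trains = [Train(10, 4, fe), Train(6, 0, 0.0)]
    print("unit unavailability:", unit_unavailability(trains, 2000))
```
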

Support System Unavailability

If the unavailability of a support system causes a train of a monitored system to be unavailable, then the hours the support system was unavailable are counted against the train as either planned or unplanned unavailable hours. Support systems are defined as any system required for the monitored safety system to remain available for service. (The technical specification criteria for determining operability may not apply when determining train unavailability. In these cases, analysis or sound engineering judgment should be used to determine the effect of support system unavailability on the monitored system.)

If the unavailability of a single support system causes a train in more than one of the monitored systems to be unavailable, the hours the support system was unavailable are counted against the affected train in each monitored system. For example, a train outage of 3 hours in a PWR service water system caused the emergency generator, the RHR heat exchanger, the HPSI pump, and the AFW pump associated with that train to be unavailable also. In this case, 3 hours of unavailability would be reported for the associated train in each of the four systems.

If a support system is dedicated to the monitored system and is normally in standby status, it should be included as part of the monitored system scope. In those cases, fault exposure unavailable hours caused by a failure in the standby support system that results in a loss of a monitored train function should be reported because of the effect on the monitored system. By contrast, failures of continuously-operating support systems do not contribute to fault exposure unavailable hours in the monitored systems they support.

Unavailable hours are also reported for the unavailability of support systems that maintain required environmental conditions in rooms in which monitored safety system components are located if the absence of those conditions is determined to have rendered a monitored function of a train unavailable for service at a time it was required to be available.

In some instances, unavailability of a monitored system that is caused by unavailability of a support system used for cooling need not be reported if cooling water from another source can be substituted. Limitations on the source of the cooling water are as follows:

  • for monitored fluid systems with components cooled by a support system, where both the monitored and the support system pumps are powered by a class 1E (i.e., safety grade or an equivalent) electric power source, cooling water supplied by a pump powered by a normal (non-class 1E, i.e., non-safety grade) electric power source may be substituted for cooling water supplied by a class 1E electric power source, provided that redundancy requirements to accommodate single failure criteria for electric power and cooling water are met. Specifically, unavailable hours must be reported when both trains of a monitored system are being cooled by water provided by a single cooling water pump or by cooling water pumps powered by a single class 1E power (safety grade) source.

  • for emergency generators, cooling water provided by a pump powered by another class 1E (safety grade) power source can be substituted, provided a pump is available that will maintain electrical redundancy requirements such that a single failure cannot cause a loss of both emergency generators.

Emergency AC power is not considered to be a support system. Unavailability of a train because of loss of AC power is counted when both the normal AC power supply and the emergency AC power supply are not available.

Additional Notes for Emergency Generators (EG)

Fault exposure unavailable hours should not be counted for failures of an EG to start or load run if the failure can be definitely attributed to reasons listed under Component Failure Exceptions above, or to any of the following:

  • spurious operation of a trip that would be bypassed in the loss of offsite power emergency operating mode (e.g., high cooling water temperature trip that erroneously tripped an EG although cooling water temperature was normal).

  • malfunction of equipment that is not required to operate during the loss of offsite power emergency operating mode (e.g., circuitry used to synchronize the EG with off-site power sources, but not required when off-site power is lost)

  • a failure to start because a redundant portion of the starting system was intentionally disabled for test purposes, if followed by a successful start with the starting system in its normal alignment

When determining fault exposure unavailable hours for a failure of an EG to load-run following a successful start, the last successful operation or test is the previous successful load run (not just a successful start). To be considered a successful load-run operation or test, an EG load run attempt must have followed a successful start and satisfied one of the following criteria:

  • a load-run of any duration that resulted from a real (e.g., not a test) manual or automatic start signal

  • a load run test that successfully satisfied the plant's load and duration test specifications

  • other operation (e.g., special tests) in which the emergency generator was run for at least one hour with at least 50 percent of design load.

ENCLOSURE 1

Emergency AC Power Systems

Scope

This enclosure provides additional guidance for reporting performance of the emergency AC power system. The emergency AC power system is typically comprised of two or more independent emergency generators that provide AC power to class 1E buses following a loss of off-site power. The emergency generator dedicated to providing AC power to the high pressure core spray system in BWRs is also within the scope of emergency AC power.

The function monitored for the indicators is:

  • The ability of the emergency generators to provide AC power to the class 1E buses upon a loss of off-site power.

Most (i.e., diesel driven) emergency generator trains include dedicated subsystems such as air start, lube oil, fuel oil, cooling water, etc. Support systems can include service water, DC power, and room cooling. Generally, unavailable hours are counted if a failure or unavailability of a dedicated subsystem or a support subsystem prevents the emergency generator from performing its function. Some examples are discussed in the clarifying notes for this attachment.

The electrical circuit breaker(s) that connect(s) an emergency generator to the class 1E buses that are normally served by that emergency generator are considered to be part of the emergency generator train.

Emergency generators that are not safety grade, or that serve a backup role only (e.g., an alternate AC power source), are not required to be included in the performance reporting.

Train Determination

The number of emergency AC power system trains is equal to the number of emergency generators that are installed at the unit to power safe shutdown loads in the event of a loss of off-site power, including the diesel generator dedicated to the High Pressure Core Spray (HPCS) system.

ENCLOSURE 2

BWR Systems: High Pressure Injection Systems (High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant Injection)

Description / Scope

This enclosure provides additional guidance for reporting the performance of three BWR systems used primarily for maintaining reactor coolant inventory at high pressures: the high pressure coolant injection (HPCI), high pressure core spray (HPCS), and feedwater coolant injection (FWCI) systems. Plants should monitor either the HPCI, HPCS, or FWCI system, depending on which is installed. These systems function at high pressure to maintain reactor coolant inventory and to remove decay heat following a small break Loss of Coolant Accident (LOCA) event or a loss of main feedwater event.

The function monitored for the indicator is:

  • The ability of the monitored system to take suction from the condensate storage tank or from the suppression pool and inject at rated pressure and flow into the reactor vessel.

This capability is monitored for the injection and recirculation phases of the high pressure system response to an accident condition.

Figures 2.1, 2.2, and 2.3 show generic schematics for the HPCI, HPCS, and FWCI systems, respectively. These schematics indicate the components for which train unavailable hours normally are monitored. Plant-specific design differences may require other components to be included.

To maintain consistency with data submitted using the component based reporting option, the train values calculated for HPCI/HPCS/FWCI will be combined with the train values calculated for RCIC/IC when contained in reports.

Train Determination

The HPCI system is considered a single-train system. The booster pump and other small pumps shown in Figure 2.1 are ancillary components not used in determining the number of trains. The effect of these pumps on HPCI performance is included in the system unavailability indicator to the extent their failure detracts from the ability of the system to perform its monitored function. The HPCI turbine, governor, and associated valves and piping for steam supply and exhaust are in the scope of the HPCI system. Valves in the feedwater line are not considered within the scope of the HPCI system.

The HPCS system is also considered a single-train system. Unavailability is monitored for the components shown in Figure 2.2. The HPCS diesel generator is considered to be part of the emergency AC power system.

For the feedwater injection system, the number of trains is determined by the number of main feedwater pumps that can be used at one time in this operating mode (typically one). Figure 2.3 illustrates a typical FWCI system.

Clarifying Notes

The HPCS system typically includes a "water leg" pump to prevent water hammer in the HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump flow path are ancillary components and are not directly included in the scope of the HPCS system for the performance indicator.

For the feedwater coolant injection system, condensate and feedwater booster pumps are not used to determine the number of trains.

[Figures 2.1, 2.2, and 2.3: generic schematics of the HPCI, HPCS, and FWCI systems]

ENCLOSURE 3

BWR Heat Removal Systems (Reactor Core Isolation Cooling and Isolation Condenser Systems)

Scope

This enclosure provides additional guidance for reporting the performance of two BWR systems that are used primarily for decay heat removal at high pressure: reactor core isolation cooling (RCIC) system or the isolation condenser (IC) system. Plants should monitor either the RCIC or IC system, depending on which is installed. These systems function at high pressure to remove decay heat following a loss of main feedwater event. The RCIC system can also function to maintain reactor coolant inventory following a very small LOCA event.

The function monitored for the indicator, depending on the system, is:

  • the ability of the RCIC system to cool the reactor vessel core and provide makeup water by taking a suction from either the condensate storage tank or the suppression pool and injecting at rated pressure and flow into the reactor vessel, or

  • the ability of the isolation condenser to cool the reactor vessel core via natural circulation when the reactor is isolated from the main condenser or when all feedwater is lost.

Figures 3.1 and 3.2 show generic schematics for the RCIC and isolation condenser systems respectively. These schematics indicate the components for which train unavailability is monitored. Plant-specific design differences may require other components to be included.

To maintain consistency with data submitted using the component-based reporting option, the train values calculated for HPCI/HPCS/FWCI will be combined with the train values calculated for RCIC/IC when contained in reports.

Train Determination

The RCIC system is considered a single train system. The condensate and vacuum pumps shown in Figure 3.1 are ancillary components not used in determining the number of trains. The effect of these pumps on RCIC performance is included in the system unavailability indicator to the extent that a component failure results in an inability of the system to perform its monitored function. The RCIC turbine, governor, and associated valves and piping for steam supply and exhaust are in the scope of the RCIC system. Valves in the feedwater line are not considered within the scope of the RCIC system.

The isolation condenser system is considered to be a single train system for units with one isolation condenser and a two-train system for units with 2 x 100% capacity or 4 x 50% capacity isolation condensers. Both the shell and tube side of the isolation condenser(s) are within scope of the system; however, the water supply to the shell side of the condenser is considered a support system.

[Figures 3.1 and 3.2: generic schematics of the RCIC and isolation condenser systems]

ENCLOSURE 4

BWR Residual Heat Removal Systems

Scope

This enclosure provides additional guidance for reporting the performance of the BWR residual heat removal (RHR) system for the suppression pool cooling and shutdown cooling modes. The attachment also includes guidance for reporting performance of other systems used to remove heat to outside containment under low pressure conditions at early BWRs where two separate systems provide these functions with unique designs. The suppression pool cooling function is used whenever the suppression pool (or torus) water temperature exceeds or is expected to exceed a high-temperature setpoint (for example, following most relief valve openings or during some post accident recoveries). The shutdown cooling function is used following any transient requiring normal long-term heat removal from the reactor vessel.

The functions monitored for the indicator are:

  • the ability of the RHR system to remove heat from the suppression pool so that pool temperatures do not exceed plant design limits, and

  • the ability of the RHR system to remove decay heat from the reactor core during a normal unit shutdown (e.g., for refueling or for servicing).

Figures 4.1 and 4.2 show generic schematics with the RHR system in the suppression pool cooling and shutdown cooling modes, respectively. Two variations of basic RHR system design are shown in Figures 4.3 and 4.4. These are included to illustrate reporting for systems with redundant and series components, respectively. The figures indicate the components for which train unavailability is monitored. Plant-specific design differences may require other components to be included.

Train Determination

The number of trains in the RHR system is determined by the number of parallel RHR heat exchangers capable of performing suppression pool cooling or shutdown cooling. The following discussion demonstrates train determination for various generic system designs.

Figures 4.1 and 4.2 illustrate a common RHR system which incorporates four pumps and two heat exchangers arranged so that each heat exchanger can be supplied by one of two pumps. This is a two train RHR system.

Some trains have two heat exchangers in series, as shown in Figure 4.3. The system depicted in Figure 4.3 is also a two train RHR system.

Figure 4.4 shows an arrangement with four parallel sets of a pump and a heat exchanger combination. This system is a four-train RHR system.

Other Systems: For some early BWRs, separate systems are used to remove heat to outside the containment under low pressure conditions. Depending on the particular design, one or more of the following systems may be used: shutdown cooling, containment spray, or RHR (torus cooling function). For example, a unit using a shutdown cooling system (with three heat exchangers) and a containment spray system (with two heat exchangers) would monitor each system separately for the safety system performance indicators. All components required for each safety system to perform its heat removal function should be included in the scope. The number of trains is determined by the number of heat exchangers in the systems that perform the heat removal function under low pressure conditions (five trains in this example).

Clarifying Notes

The low pressure coolant injection (LPCI), steam cooling, and containment spray modes of RHR operation are not monitored.

Some components are used to provide more than one function of RHR. If a component cannot perform as designed, rendering its associated train incapable of meeting one or both of the monitored functions, then the train is considered to be failed. Unavailable hours (if the train were required to be available for service) would be reported as a result of the component failure.

[Figures 4.1 through 4.4: generic schematics of the BWR RHR system in the suppression pool cooling and shutdown cooling modes, and two design variations]

ENCLOSURE 5

PWR High Pressure Safety Injection Systems

Scope

This enclosure provides additional guidance for reporting the performance of PWR high pressure safety injection (HPSI) systems. These systems are used primarily to maintain reactor coolant inventory at high pressures following a loss of reactor coolant. HPSI system operation following a small break LOCA involves transferring an initial supply of water from the refueling water storage tank (RWST) to cold leg piping of the reactor coolant system. Once the RWST inventory is depleted, recirculation of water from the reactor building emergency sump is required.

Components in the flow paths from each of these water sources to the reactor coolant system piping are included in the scope for the HPSI system. (Because the residual heat removal system has been added to the PWR scope, the isolation valve(s) between the RHR system and the HPSI pump suction is the boundary of the HPSI system. The RHR pumps used for piggyback operation are no longer in HPSI scope.)

There are design differences among HPSI systems that affect the scope of the components to be included for the HPSI system function. For the purpose of the safety system performance indicator program, and where applicable, the HPSI system includes high head pumps (centrifugal charging pumps/high head safety injection pumps) which discharge at pressures of 2,200-2,500 psig and intermediate head pumps (intermediate head safety injection pumps) which discharge at pressures of 1200-1700 psig, along with associated components in the suction and discharge piping to the reactor coolant system cold legs or hot-legs.

The function monitored for HPSI is:

  • the ability of a HPSI train to take a suction from the primary water source (typically, a borated water tank), or from the containment emergency sump, and inject into the reactor coolant system at rated flow and pressure.

The charging and seal injection functions provided by centrifugal charging pumps in some system designs are not included within the scope of the safety system performance indicator program.

Figures 5.1 through 5.4 show some typical HPSI system configurations for which train functions are monitored. The figures contain variations that are somewhat reactor vendor specific. They also indicate the components for which train unavailability is monitored. Plant specific design differences may require other components to be included.

Train Determination

In general, the number of HPSI system trains is defined by the number of high head injection paths that provide cold leg and/or hot-leg injection capability, as applicable. This is necessary to fully account for system redundancy.

Figure 5.1 illustrates a typical HPSI system for Babcock and Wilcox (B&W) reactors. The design features centrifugal pumps used for high pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the containment sump requires operation of pumps in the residual heat removal system. The system in Figure 5.1 is a two train system, with an installed spare pump (depending on plant specific design) that can be aligned to either train.

HPSI systems in some older, two loop Westinghouse plants may be similar to the system represented in Figure 5.1, except that the pumps operate at a lower pressure (about 1600 psig) and there may be a hot-leg injection path in addition to a cold leg injection path (both are included as a part of the train).

Figure 5.2 is typical of HPSI designs in Combustion Engineering (CE) plants. The design features three centrifugal pumps that operate at intermediate pressure (about 1300 psig) and provide flow to two cold leg injection paths or two hot leg injection paths. In most designs, the HPSI pumps take suction directly from the containment sump for recirculation. In these cases, the sump suction valves are included within the scope of the HPSI system. This is a two train system (two trains of combined cold leg and hot-leg injection capability). One of the three pumps is typically an installed spare that can be aligned to either train or only to one of the trains (depending on plant-specific design).

A HPSI system typical of those installed in Westinghouse three loop plants is shown in Figure 5.3. This design features three centrifugal pumps that operate at high pressure (about 2500 psig), a cold leg injection path through the BIT (with two trains of redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of the pumps is considered an installed spare. Recirculation is provided by taking suction from the RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg injection path. The alternate cold-leg injection path is required for recirculation, and should be included in the train with which its isolation valve is electrically associated. Thus, Figure 5.3 represents a two train HPSI system.

Four-loop Westinghouse plants may be represented by Figure 5.4. This design features two centrifugal pumps that operate at high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure (about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure centrifugal pump, the pump suction valves and BIT valves that are electrically associated with the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the suction valves and the hot leg injection valves electrically associated with the pump. The cold-leg safety injection path can be fed with either safety injection pump, thus it should be associated with both intermediate pressure trains. The HPSI system represented in Figure 5.4 is considered a four-train system for monitoring purposes.

Clarifying Notes

Many plants have charging pumps (typically, positive displacement charging pumps) that are not safety-related, provide a small volume of flow, and do not automatically start on a safety injection signal. These pumps should not be included within the scope of HPSI system for the safety system performance indicator program.

Some HPSI components may be included in the scope of more than one train. For example, cold leg injection lines may be fed from a common header that is supplied by both HPSI trains. In these cases, the effects of testing or component failures in an injection line should be reported in both trains.

At many plants, recirculation of water from the reactor building sump requires that the high pressure injection pump take suction via the low pressure injection/residual heat removal pumps. For these plants, the low pressure injection/residual heat removal pumps discharge header isolation valve to the HP pump suction is included in the scope of HPSI system.

[Figures 5.1 through 5.4: typical HPSI system configurations]

ENCLOSURE 6

PWR Auxiliary Feedwater Systems

Scope

This enclosure provides additional guidance for reporting the performance of PWR auxiliary feedwater (AFW) or emergency feedwater (EFW) systems. The AFW system provides decay heat removal via the steam generators to cool down and depressurize the reactor coolant system following a reactor trip. The AFW system is assumed to be required for an extended period of operation during which the initial supply of water from the condensate storage tank is depleted and water from an alternative water source (e.g., the service water system) is required. Therefore components in the flow paths from both of these water sources are included; however, the alternative water source (e.g., service water system) is not included.

The function monitored for the indicator is:

  • the ability of the AFW system to take a suction from the primary water source (typically, the condensate storage tank) or from an emergency source (typically, a lake or river via the service water system) and inject into at least one steam generator at rated flow and pressure.

Some plants have a startup feedwater pump that requires a manual actuation. Startup feedwater pumps are not included in the scope of the AFW system for the safety system performance indicator program.

Figures 6.1 through 6.3 show some typical AFW system configurations, indicating the components for which train unavailability is monitored. Plant specific design differences may require other components to be included.

Train Determination

The number of trains is determined primarily by the number of parallel pumps in the AFW system, not by the number of injection lines. For example, a system with three AFW pumps is defined as a three train system, whether it feeds two, three, or four injection lines, and regardless of the flow capacity of the pumps.

Figure 6.1 illustrates a three pump, two steam generator plant which features redundant flow paths to the steam generators. This system is a three train system. (If the system had only one motor-driven pump, it would be a two train system.) The turbine-driven pump train does not share motor-operated isolation valves with the motor-driven pump trains in this design.

Another three-pump, two steam generator design is shown in Figure 6.2. This is also a three train system; however, in this design, the isolation and regulating valves in the motor-driven pump trains are also included in the turbine driven pump train.

A three pump, four steam generator design is shown in Figure 6.3. In this design, either motor-driven pump can supply each steam generator through a common header. The turbine driven pump can supply each steam generator through a separate header. The turbine driven and motor-driven pump trains do not share the air-operated regulating valves in this design. Three-steam generator designs may be arranged similar to Figure 6.3.

Clarifying Notes

Some AFW components may be included in the scope of more than one train. For example, one set of flow regulating valves and isolation valves in a three pump, two steam generator system (as in Figure 6.2) are included in the motor-driven pump train with which they are electrically associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing or failure of the valves should be reported in both affected trains.

Similarly, when two trains provide flow to a common header, such as in Figure 6.3, the effect of isolation or flow regulating valve failures in paths connected to the header should be considered in both trains.

[Figures 6.1 through 6.3: typical AFW system configurations]

Safety System Failures

Purpose

This indicator monitors the number of events or conditions that did prevent, or would have prevented, the fulfillment of the safety function of any of 26 systems or components. It is a count of the number of those events or conditions in the past year. Because of the wide range of systems considered and their differences in safety significance, it is not possible to assign a risk significance to this indicator. It is intended to be used as a possible precursor to more important equipment problems, until an indicator of safety system performance more directly related to risk can be developed. The threshold for reporting this performance indicator is that the system failure is reportable under 10 CFR 50.73.

The following systems are monitored:

  • Accident Monitoring Instrumentation
  • Auxiliary (Emergency) Feedwater System
  • Combustible Gas Control
  • Component Cooling Water System
  • Containment and Containment Isolation
  • Containment Cooling Systems
  • Control Room Emergency Ventilation
  • Emergency Core Cooling Systems
  • Engineered Safety Features Actuation Instrumentation
  • Essential Compressed Air Systems
  • Essential or Emergency Service Water
  • Fire Detection and Suppression Systems
  • Isolation Condenser
  • Low Temperature Overpressure Protection
  • Main Steam Line Isolation Valves
  • Emergency ac & dc Power and Distribution
  • Radiation Monitoring Instrumentation
  • Reactor Coolant System
  • Reactor Core Isolation Cooling System
  • Reactor Trip System and Instrumentation
  • Recirc. Pump Trip Instrument.
  • Residual Heat Removal Systems
  • Safety Valves
  • Spent Fuel Systems
  • Standby Liquid Control System
  • Ultimate Heat Sink

Definition: The number of actual or potential failures of the safety function of the monitored systems in the previous 12 months.

Actual failures are those that occur upon a valid demand during operation or test.

They do not include those that occur during post-maintenance testing before the system is declared operable and returned to service.

Potential failures include those that would have occurred upon a valid demand for the system to perform its safety function assuming the necessary conditions were in place to cause the potential system failure to occur. For example, a safety system failure would be counted if a component was found to be environmentally unqualified so that, should a high energy line break occur in the worst-case location, the component would fail, which would render the system incapable of performing its safety function.

The safety function of a system includes any function(s) for which credit was taken in any accident analysis.

Data Elements: The following data are required to calculate this indicator:

  • the number of safety system failures during the previous 12 months

Calculation: The unit values for this indicator are calculated as follows:

unit value = number of safety system failures in previous 12 months

Reporting Requirements: The following data should be reported monthly:

  • the number of safety system failures for the reporting period
  • the unit value (total number of safety system failures during the previous 12 months)

Clarifying Notes:

A system is considered operable when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, electrical power, cooling and seal water, lubrication and other auxiliary equipment are also capable of performing their related support function(s).

A system is considered to have failed if the licensee determines that an actual or potential failure could have prevented the system from performing its safety function (while required to be operable).

A system that does not meet the technical specification operability requirements is considered to be inoperable and will be counted as a safety system failure unless the licensee determines that the safety function could have been performed, either by reference to the FSAR or by performing additional analyses.

If the licensee determines that the requirement (e.g., FSAR or technical specification) is in error and the requirement is changed without modification of the system, the system will be considered to have been operable.

If a system is found to be failed when it was not required to be operable, a safety system failure is not counted unless it is determined that the condition existed during a period when the system was required to be operable.

System inoperability caused by planned maintenance or planned testing is not considered to be a failure. If the licensee identifies a condition during planned maintenance or testing that could have prevented a system from performing its intended safety function prior to commencing the planned maintenance, the condition is considered a safety system failure.

For systems that perform multiple safety functions, a safety system failure has occurred whenever any one or more safety function is inoperable for all trains or channels.

Events involving the loss of one mode of operation of a system are considered to be safety system failures if the loss of that mode affects the system's ability to complete the safety function. For example, an event in which the ability to manually start the high pressure coolant injection system is lost would be a failure even if the system could be started automatically. The loss of manual speed control of the same system, however, would not be a failure as long as the required flow rate could still be attained.

When multiple occurrences of a system failure occur, the determination of the number of failures to be counted will depend upon whether the system was declared to be operable between occurrences. If the licensee knew that a problem existed, tried to correct it and considered the system to be operable, but the system was subsequently found to have been inoperable the entire time, multiple failures will be counted. But if the plant knew that a potential problem existed and declared the system inoperable, subsequent failures of the system for the same problem would not be counted as long as the system was not declared operable in the interim. Similarly, in situations where the licensee did not realize that a problem existed (and thus could not have intentionally declared the system inoperable or corrected the problem), only one failure is counted.

A failure leading to an evaluation in which additional failures are found is only counted as one failure; new problems found during the evaluation are not counted, even if the causes or failure modes are different. The intent is to not count additional events when problems are discovered while resolving the original problem.

Train failures are not counted as safety system failures as long as a completely redundant train of the same system is capable of performing the safety function.

(Note that one consequence of this rule is that failures of single train systems are counted as safety system failures.)

When a potential failure by an identified mechanism (i.e., not a random single failure) could incapacitate a system (all trains of the system), a safety system failure is counted. That is, if it is discovered that "redundant" trains rely on a single component or are unintentionally or incorrectly cross-connected, and a mechanism is found that could incapacitate all trains, a safety system failure is counted.

When a single train fails while the other train is inoperable for maintenance, resulting in both trains being simultaneously inoperable, a safety system failure is counted. Similarly, when a problem affecting one train is identified, and it is determined that the other train was inoperable for any reason (including surveillance testing) during the time the problem existed, a safety system failure is counted.

In the absence of an identified potential failure mechanism, it is not necessary to consider a single random failure. Licensees are not required to satisfy the single failure criterion for purposes of determination of a safety system failure. That is, events involving only a single train of a multi-train system are not counted as safety system failures as long as the other train always remained operable.

Failures of systems that do not prevent the system from performing its safety function (e.g., isolations of the Control Room HVAC system or containment) are not counted as long as no other safety function was lost. Engineered Safety Feature (ESF) actuations of systems that result in loss of the safety function (e.g., isolations) are counted if the ESF actuation was caused by an equipment failure or if the safety system was not restored to operable status immediately because it was not realized that the system was inoperable. (Note that any equipment failure, even if it is caused by some other factor such as operator error, is sufficient to consider the event to be a safety system failure. Thus, if a safety system isolates because a fuse blew, the event is counted even if the blown fuse could be traced to shorting test leads together during maintenance.)

A single event or condition that affects several systems is counted as only one failure.

Events involving cable separation problems (which are commonly Appendix R concerns) are counted if the cable separation problem disables, or has the potential to disable, an entire safety system (events that could disable only one train of a multi-train system are not counted, in accordance with the general rule concerning multi-train systems.)

Often several other conditions must be present for a cable separation problem to disable a system. Despite the fact that (1) an external event such as a fire must occur, (2) a hot short must develop, and (3) one train of the safety system must develop a fault before the entire system can be lost, these events are considered to be failures as long as a specific system failure can be identified.

An error discovered in an accident analysis is only counted as a failure if a monitored system can be specifically identified as having been inoperable. Accident analysis errors that result only in changing a requirement (e.g., FSAR, technical specification) and do not result in changes to a system design, equipment, or operation are not counted.

Events involving the inability to isolate containment penetrations are considered to be failures of the containment function rather than the system that failed to isolate.

Conditions involving missing or inoperable seismic constraints do not necessarily render the system incapable of performing its designed safety function even if the licensee declares the system inoperable. Such conditions should be analyzed for reporting as a failure.

Events involving inoperable room coolers do not necessarily render the equipment (systems) in the room incapable of performing their designed safety function. Such events should be analyzed for reporting as a failure.

Events in which the licensee declared a system inoperable but an engineering analysis later determined that the system was capable of performing its designed safety function are not counted.

Conditions in which missile shields are determined to be inadequate (for example, the turbine building walls may not be able to withstand a tornado generated missile) are not necessarily safety system failures. Such conditions should be analyzed for reporting as a failure.

BARRIER INTEGRITY CORNERSTONE

The purpose of this cornerstone is to provide reasonable assurance that the physical design barriers (fuel cladding, reactor coolant system, and containment) protect the public from radionuclide releases caused by accidents or events. These barriers are an important element in meeting the NRC mission of assuring adequate protection of public health and safety. The performance indicators assist in monitoring the functionality of the fuel cladding, the reactor coolant system, and the containment.

Reactor Coolant System (RCS) Activity

Purpose: This indicator monitors the integrity of the fuel cladding, the first of the three barriers to the release of fission products. It measures the radioactivity in the fuel as an indication of functionality of the cladding.

Definition: The maximum RCS activity in micro-Curies per gram (µCi/gm) dose equivalent iodine-131 each month as calculated per technical specifications.

Data Elements: The following data are required to calculate this indicator:

  • maximum calculated RCS activity required by technical specifications for the previous month
  • Technical Specification limit

Calculation: The unit value for this indicator is calculated as follows:

unit value = (the maximum value of calculated activity / Technical Specification limiting value) x 100

Reporting Requirements: The following data should be reported monthly:

  • all values of the calculated RCS activity in micro-Curies per gram dose equivalent iodine-131 in the last month
  • the unit value of the indicator

[Figure: RCS Activity example, showing monthly activity as a percentage of the Technical Specification limit against the indicator thresholds.]

RCS Leakage

Purpose: This indicator monitors the integrity of the RCS pressure boundary, the second of the three barriers to the release of fission products. It measures RCS leakage as a percentage of the technical specification allowable leakage to provide an indication of RCS integrity.

Definition: The maximum RCS identified leakage in gallons per minute each month as calculated per technical specifications.

Data Elements: The following data are required to calculate this indicator:

  • The maximum RCS leakage calculations for the previous month
  • Technical Specification limit

Calculation: The unit value for this indicator is calculated as follows:

unit value = (the maximum value of calculated leakage / Technical Specification limiting value) x 100

Data Reporting Requirements: The following data should be reported monthly for pilot plants:

  • calculated RCS identified leakage in the last month
  • the unit value for the indicator

Example

Month                     1st  2nd  3rd  4th  5th  6th  7th  8th  9th  10th  11th
Indicator Value (% T.S.)   60   40   10   70   50   60   40   30   30   20    20
Leakage (gpm)               6    4    1    7    5    6    4    3    3    2     2
TS Value (gpm)             10   10   10   10   10   10   10   10   10   10    10

Thresholds: Green....< 50% Technical Specification Limit

[Figure: RCS Leakage, leakage as % of T.S. limit by month, with GREEN, WHITE and YELLOW bands.]

[One page of the draft is illegible in this copy.]

PHYSICAL PROTECTION

This cornerstone provides assurance that the physical protection system can protect against the design basis threat of radiological sabotage as defined in 10 CFR Part 73. The attributes in this cornerstone are intended to provide protection against both external and internal threats.

Internal threats are minimized by the access authorization (AA) system that encompasses: the personnel screening process, fitness-for-duty (FFD) program and the behavior observation program (referred to as CBOP). Data, currently collected, is used for the performance indicators to monitor the effectiveness of these programs.

The probability of an external or internal action at a nuclear power plant with the intent to commit radiological sabotage is small. Although the probability is low, should an event occur it could impose a significant challenge to plant safety with a potential degradation in the protection of public health and safety. An effective safeguards / physical security program minimizes the probability of a physical security event and the potential public health and safety issues.

There are two indicators for the physical protection system, and two indicators for the access authorization. The performance indicators are assessed against established thresholds using the data and methodology as established in this guideline. The NRC baseline inspections will validate and verify the testing requirements for each system to assure performance standards and testing periodicity are appropriate to provide valid data.

The performance indicators are:

  • Protected Area Security,
  • Vital Area Security,
  • Personnel Screening, and
  • Personnel reliability program

The first two indicators measure equipment availability. If equipment is unavailable or unable to perform its intended function, it is a security vulnerability, unless compensatory measures are employed. These indicators provide data for evaluation of the effectiveness of the maintenance process, and also provide a method of monitoring equipment degradation as a result of aging that might adversely impact reliability.

The second two indicators measure access and trustworthiness processes. These processes verify that persons granted unescorted access to the protected area have satisfactorily completed personal screening and, as a result, are considered to be trustworthy and reliable. Both indicators are the number of one hour reportable events that reflect problems in the implementation of the access authorization or fitness-for-duty programs.

Protected Area (PA) Security Equipment Performance Indicator

Operability of the PA physical protection system is necessary to detect and assess safeguards events and to provide the first line of protection in the defense in depth concept. In the event of a malevolent act, the intrusion detection system identifies the existence of the threat, the barriers provide a delay to the person(s) posing the threat and the alarm assessment system is used to determine the scope of the threat. The PI is used to monitor the capability and availability of PA barriers, intrusion detection systems and alarm assessment systems to perform their intended function.

Definition

Performance is measured by the percent of the time all components/equipment (barriers, assessment aids for intrusion detection, alarm assessment, portals, etc.) that make up the PA barrier systems are available and capable of performing their safeguards intended function - manufacturer's stated equipment capability.

Unavailability is measured by the compensatory hours used when equipment is in a degraded state. The data in this area is reported as the percent availability for the protected area perimeter.

Data Elements

Because of the variability in size and complexity of these systems across the industry, the method of calculation of the total percent available will be normalized in a manner that doesn't penalize a large site. Using quantification of defined elements the PI calculation is made using the following applicable factors:

  • Barriers - Barriers may be either inactive or active; only active barrier components are counted for the purpose of this PI, i.e., number of PA gates, VBS gates, etc.
  • Compensatory man-hours - The amount of time expended compensating for equipment unavailability.
  • Assessment aids for IDS - The number of dedicated CCTVs that support the IDS.
  • IDS zones - The total number of zones of detection around the PA.
  • Portals - The number of PA doors, turnstiles, gates, or other removable barriers that are used for the purpose of personnel entry or exit to the PA.

Calculation

(1 - (Compensatory man-hours implemented in the period) / (# zones x 24 hours x days in period)) x 100%

Compensatory Measures and Reporting

When a portion of the system is not available/capable of performing its intended function, required compensatory measures are implemented. Compensatory measures are acceptable to meet regulatory requirements pending equipment being returned to service. The reporting of equipment percent availability is accompanied by the reporting of compensatory hours for equipment inoperability.

The compensatory man-hours expended for extreme environmental conditions and for planned maintenance/modifications are not counted in assessing equipment unavailability as part of the PI, but are reported separately for information only, as part of total compensatory hours. The tracking of equipment availability provides an indication of the effectiveness of maintenance of the systems. The breakdown of compensatory hours can be used as a pointer for areas of inspection.

Clarifying Notes

Compensatory man-hours: The period of time that compensatory measures are initiated until the degradation has been repaired, tested, and the system declared operable in events involving IDS, PA barrier gates/doors/turnstiles, or CCTV.

Degradation: Required system/equipment no longer performs its regulatory function - does not satisfy its intended functional capability within the design/manufacturer's specifications.

Equipment unavailability: When system degradation results in an inoperable condition, even with a compensatory measure (officer posted) in place. The equipment is unavailable until corrected.

Extreme environmental conditions: Conditions beyond the design specifications of the system and when it is unsafe or inappropriate for posting a compensatory officer. Conditions include severe storms, heavy fog, heavy snowfall, sun glare that renders the IDS or CCTV system temporarily inoperable, etc.

Intended function: The ability of a component to act as a barrier, detect the presence of an individual or display a visual image as intended by the design criteria or manufacturer's specifications for in-place systems to meet regulatory requirements.

Planned maintenance: Scheduled preventive maintenance on system/component to include probability and/or operability testing. All activities necessary to maintain it at the necessary functional level. Planned plant support activities are also included within this definition.

Planned modifications: Activity to improve, upgrade or enhance system performance as appropriate to be more effective in its reliability or capability.

Examples (To be developed)

Vital Area (VA) Security Equipment Performance Indicator

Operability of the VA security barrier system is necessary to provide the internal line of defense for the critical target sets. In the event of a malevolent act the barriers provide a delay to the person(s) posing the threat and the alarm system indicates the path of the threat.

Definition

The performance indicator is the availability of VA barriers, door locks and alarms to perform their intended function. Compensatory man-hours used to compensate for unavailable equipment are used as the performance indicator. This indicator is directly proportional to the time all components/equipment that make up the VA barrier systems are available and capable of performing their intended function - manufacturer's stated equipment capability. The data in this area is reported as the percent availability for the vital area barrier system.

When a portion of the system is not available/capable of performing its intended function, required compensatory measures are implemented. Compensatory measures are acceptable to meet regulatory requirements pending equipment being returned to service.

The compensatory man-hours expended for planned maintenance/modifications or other plant support activities such as material movement into or out of a VA are not counted in assessing equipment unavailability as part of the PI, but are reported for information only, as part of total compensatory hours. The tracking of equipment availability provides an indication of the effectiveness of maintenance of the systems. The breakdown of compensatory hours is used as an additional indicator on the need for additional inspections and reviews.

Data Elements

VA barriers, door locks and door alarms are to be evaluated. Because of the variability in quantity and type across the industry, the method of calculation of the total percent available will be normalized in a manner that doesn't penalize a site with a complex VA system. Using quantification of defined elements the PI calculation is determined using applicable factors.

Calculation

Availability = (1 - (compensatory man-hours in period) / (# zones x 24 hrs x # days in period)) x 100%

Clarifying Notes

Walls/Barriers: Inactive components of the VA barrier system, i.e., walls, floors, ceilings, doors that are welded/braided shut, etc. For the purpose of this PI, only active barrier components (VA doors) are counted.

VA door lock: A padlock, lock assembly or other device/means used to prevent unauthorized entry into a VA.

VA door alarm: An indicator that alerts an operator that a VA portal breach may be occurring. The number of VA BMS devices or other approved alarm system. (LPS should not be counted as no credit is given nor is compensation required.)

Compensatory man-hours: The period of time that compensatory measures are initiated until the degradation has been repaired, tested, and declared operable in events involving VA barrier alarms, locks or if a VA barrier has been returned to its design operability state.
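The PA and VA availability calculations and their exclusion rules can be worked through on a compensatory-post log. The following is an added example, not part of the draft guideline or any NRC/NEI tool; the cause labels, record layout and sample logs are assumptions constructed for illustration.

```python
"""Security equipment availability PI: added example, not from the draft guideline."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical cause labels. Hours logged under these causes are not counted in
# the indicator; they are reported for information only, per the text above.
PA_EXCLUDED = frozenset({"extreme_environment", "planned_maintenance",
                         "planned_modification"})
VA_EXCLUDED = frozenset({"planned_maintenance", "planned_modification",
                         "plant_support"})


@dataclass(frozen=True)
class CompensatoryEntry:
    equipment: str    # e.g. an IDS zone, CCTV camera, PA gate or VA door alarm
    cause: str        # why a compensatory measure was posted
    man_hours: float  # from posting until the equipment is declared operable


def availability_report(entries, zones, days_in_period, excluded):
    """Apply (1 - counted man-hours / (zones x 24 x days)) x 100%."""
    if zones <= 0 or days_in_period <= 0:
        raise ValueError("zones and days_in_period must be positive")
    by_cause = defaultdict(float)
    for entry in entries:
        if entry.man_hours < 0:
            raise ValueError(f"negative man-hours logged for {entry.equipment}")
        by_cause[entry.cause] += entry.man_hours

    counted = sum(h for cause, h in by_cause.items() if cause not in excluded)
    info_only = sum(h for cause, h in by_cause.items() if cause in excluded)
    zone_hours = zones * 24 * days_in_period
    # Assumption of this example: the result is floored at 0% if counted
    # man-hours ever exceed the zone-hours in the period.
    availability = max(0.0, (1 - counted / zone_hours) * 100)
    return {
        "availability_pct": availability,
        "counted_hours": counted,
        "information_only_hours": info_only,
        "total_compensatory_hours": counted + info_only,
        "hours_by_cause": dict(by_cause),  # breakdown usable as inspection pointer
    }


# Constructed sample log for a PA perimeter with 20 IDS zones over a 31-day month.
PA_LOG = [
    CompensatoryEntry("IDS zone 7", "equipment_failure", 36.0),
    CompensatoryEntry("CCTV camera 3", "equipment_failure", 12.0),
    CompensatoryEntry("PA gate 2", "planned_maintenance", 16.0),
    CompensatoryEntry("IDS zones 11-14", "extreme_environment", 8.0),
]

# Constructed sample log for a VA barrier system with 12 zones over 30 days.
VA_LOG = [
    CompensatoryEntry("VA door alarm 5", "equipment_failure", 10.0),
    CompensatoryEntry("VA door 9", "plant_support", 6.0),  # material movement
]

if __name__ == "__main__":
    pa = availability_report(PA_LOG, zones=20, days_in_period=31,
                             excluded=PA_EXCLUDED)
    va = availability_report(VA_LOG, zones=12, days_in_period=30,
                             excluded=VA_EXCLUDED)
    for name, report in (("PA", pa), ("VA", va)):
        print(f"{name}: {report['availability_pct']:.2f}% available, "
              f"{report['counted_hours']:.0f} h counted, "
              f"{report['information_only_hours']:.0f} h information only")
```

Because the excluded hours stay in the report, a reviewer can see whether a high availability figure depends on how entries were classified.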

Examples (To be developed)

Personnel Screening Process Performance Indicator

The screening process performance indicator is used to assess the program in place to evaluate trustworthiness of personnel prior to granting unescorted access to the protected area. The screening process includes psychological evaluation, an FBI criminal history check, a background check and reference check. These processes should be able to verify that persons granted unescorted access to the protected area have satisfactorily completed personal screening and, as a result, are considered to be trustworthy and reliable.

Definition

The PI is a count of significant failures of 10 CFR 73.56 requirements, as identified by one hour reports to the NRC.

Data Elements

Number of one hour reportable events during the period.

Indicator

Number of one hour reportable events

Clarifying Notes

One hour reportable event: Reporting a programmatic failure that by its nature requires prompt regulatory notification. Additionally, actions and considerations for minimizing potential consequences would be appropriately reported.

Examples (To be developed)

Fitness-for-duty (FFD)/Personnel Reliability Program Performance Indicator

The FFD/personnel reliability program performance indicator is used to assess the program in place to provide reasonable assurance that these personnel are in compliance with the FFD program, required by 10 CFR Part 26. This includes: suitable inquiry and substance testing (random testing and for-cause testing for alcohol and illicit drugs). The program is designed to minimize the potential for a person to be under the influence of any substance that could adversely affect his or her ability to safely and completely perform required duties.

The behavior observation program, managed under the FFD program, provides reasonable measures for the early detection of any change in trustworthiness and reliability with reporting of significant events under AA/FFD requirements. The program is conducted by supervisors and management personnel to observe and detect behavioral changes in personnel in an FFD context, which, if left unattended, might result in an act detrimental to plant safety, and ultimately degrade the protection of public health and safety.

Definition

One hour reportable event - Reporting a programmatic failure that by its nature requires prompt regulatory notification. Additionally, actions and considerations for minimizing potential consequences would be appropriately reported.

Data Elements

A count of significant 10 CFR Part 26 non-compliances that result in a one hour NRC report.

Calculation

The PI requires no calculations. It is a count of significant failures to satisfy 10 CFR Part 26 requirements. These are the required one hour reports as specified below.

Clarifying Notes (To be developed)

Examples (To be developed)

EMERGENCY PREPAREDNESS

The objective of this cornerstone is to ensure that actions taken by the emergency plan would provide adequate protection of the public health and safety during a radiological emergency. Licensees ensure that the emergency plan can be implemented correctly through drills, training, and corrective action. The monitoring of such measures provides reasonable assurance that the licensee has an effective emergency preparedness program. The performance indicators do not monitor offsite actions, which are controlled by FEMA.

The protection of public health and safety is assured by a defense in depth philosophy that relies on: safe reactor design and operation, the operation of mitigation features and systems, a multi-layered barrier system to prevent fission product release, and emergency preparedness.

The performance indicators monitored by this section are:

  • Drill exercise and actual event performance,
  • Emergency Readiness Organization (ERO) Drill Participation,
  • Availability of Alert and Notification System

There is no threshold for unacceptable regulatory performance. Declining emergency preparedness performance in the required regulatory response band (yellow band) would be indicated by a continuing increase in licensee corrective action elements, and increased NRC attention to a licensee's emergency preparedness activities. Increased NRC attention starts with additional regulatory interaction and inspections, increasing to ultimately the issuance of an NRC order.

Drill Exercise and Actual Event Performance (DEP)

The purpose of this indicator is to assess the effectiveness of licensee performance in drills and exercises by monitoring opportunities for classification of emergencies, notification of offsite authorities, and timely and accurate development and communication of protective action recommendations (PARs).

Definition

The indicator is the ratio of successful performance actions to the total opportunities for the licensee to identify classifications of emergencies, notification of offsite authorities, and the timely, accurate development and communication of PARs. Such actions are summed for the last eight quarters. The indicator is expressed as a percentage for the last eight quarters.

Data Collection

  • Classification of Emergencies
  • Notification
  • Protective Action Recommendation

Calculation

(All Successful Classifications, Communications, & PARs) / (The total number of opportunities to perform Classifications, Communications and PARs)

Opportunities are determined by the licensee, and include drills, exercises, and training venues, such as simulator runs.

Clarifying Notes:

Number of Observable Opportunities

The maximum number of opportunities to observe Classification, Notification and PARs during the course of a drill includes the following:

  • Classification - 4 opportunities
  • Notification - 4 opportunities for classification, 2 opportunities for PARs
  • PARs - 2 opportunities

Total number of opportunities for success per drill, Performance indicator observables - 12.

If a licensee performs four drills per year, the maximum number of performance indicator success observables is 48.

Emergency Readiness Organization (ERO) Drill Participation

The breadth and scope of the emergency response organization (ERO) activities include several important supporting areas not fully measured by the DEP indicator described in the previous section. Such areas include accident assessment, dose projection, damage control, worker protection, and the ability of the ERO personnel to work as an integrated team.

The licensee assesses drills and actual events to identify areas for personnel and process improvement that are implemented under the licensee's corrective action program. These proficiency development opportunities contribute to overall ERO readiness, which is an indicator of ERO proficiency. In addition, this indicator indirectly measures facilities and equipment readiness, training program efficacy and procedure quality.

Definition

This indicator measures opportunities that the total ERO has been given to gain proficiency as an integrated organization. It is the ratio of ERO team members and operations personnel (shift crews) that have participated in a drill or an exercise over the total number of ERO and operations (shift crews) personnel. The ratios are summed over a 24-month period, and the indicator is expressed as a percentage.

Participation in drills includes: the shift crew on the simulator (this is volunteer participation; each licensee would need to make its own commitment), TSC, EOF, or OSC activities. To count, the drill should test major portions of the emergency plan.

The licensee identifies the number of ERO personnel and operating personnel (shift crews) that have participated in a drill or exercise in the quarter.

Data Collection

  • Number of total ERO complemented positions plus the total number of plant shift personnel.
  • Number of ERO personnel and shift crews that have participated in a drill or actual event in this quarter.
  • Number of ERO personnel and shift crews that have participated in a drill or actual event over the previous eight quarters.

Calculation

(Number of ERO personnel and shift crews participating in a drill or actual event over 8 quarters) / (Total number of ERO and shift crews)

Clarifying Notes

Drill participation includes the following ERO members:

  • responding as a team member
  • training in a position
  • assigned as a controller
  • assigned as coach / mentor

If the ERO member has taken credit for participation and has been reassigned to a new position during the 24-month period, and the position encompasses similar disciplines, participation within that time frame is acceptable. If the person is placed in a new position, or facility that is different or unfamiliar with respect to the Emergency Plan, the person will need to participate in the new position in order to qualify for the ERO Readiness performance indicator.

A qualifying event for an operating shift could be the same events that have DEP opportunities in them. The licensee identifies the total ERO complement based on its emergency preparedness program.

Timely

  • Offsite notification of an Unusual Event and Alert should be made within 20 minutes.
  • Offsite notification of a Site Area Emergency or General Emergency should be made within 17 minutes.
  • Offsite notification of Protective Action Recommendations (PARs) should be made within 15 minutes.

Accurate

  • As specified by the approved plan and implementing procedures. If the licensee identifies the correct EAL but the incorrect initiating condition, it should not be identified as a failure but recognized in the drill critique.
  • PARs should be accurate within procedural guidance.

Number of Drills

There is no required number of drills. Sufficient numbers of drills need to be demonstrated in order to provide meaningful data. In keeping with performance-based philosophy, poor or marginal performers would be expected to increase drill activities to increase proficiency.

Meaningful Opportunities

This applies to performance identified drills or exercises that involve two or more of the emergency centers that are evaluated. It does not apply to tabletop or training drills.

ERO Performance Assessment includes self-assessment of performance and identification of deficiencies.

Self-assessment reports should be available for inspection.

Performance assessment relates to the monitoring and assessment of risk significant drill observables:

  • Classification
  • Notification
  • PARs

Availability of Alert and Notification System

This is calculated in accordance with each licensee's FEMA-approved method. The assessment period is four quarters. FEMA and the States work on a calendar year report. The evaluation is on a calendar year basis with the clock starting on the first of each year.

Availability of the system is calculated in accordance with each licensee's FEMA-approved method.

Example of the Reporting Format (To be further developed)

| Indicator | Current Quarter | Running Total |
|---|---|---|
| 1.0 Drill Exercise and Actual Event Performance (DEP) | | |
| 2.0 ERO Drill Participation | | |
| 3.0 Availability of Alert & Notification System | | |

Process Effluent Radiological Occurrences

Radiological effluent release occurrences (as listed below) that are reportable in accordance with the Radiological Effluent Technical Specifications (RETS) or similar reporting provisions in the Offsite Dose Calculation Manual (ODCM), if applicable RETS have been moved to the ODCM in accordance with Generic Letter 89-01.

Definition:

  • Releases reportable under the RETS/ODCM provisions outlined for PWRs in NUREG-1301 and for BWRs in NUREG-1302, as identified below:

      + Dose controls for liquids - Section 3.11.1.2
      + Liquid radwaste treatment system controls - 3.11.1.3
      + Dose controls for noble gases - 3.11.2.2
      + Dose controls for I-131, I-133, H-3, and particulate form - 3.11.2.3
      + Gaseous radwaste treatment system controls - 3.11.2.4 and 3.11.2.5
      + Total dose controls - 3.11.4

Note - Provisions on reporting occurrences involving abnormal releases and out-of-service process and effluent radiation monitors are retained in the risk informed baseline inspection program and are excluded from this performance indicator.

Recommended Thresholds:

(Per rolling four quarters)

Green to White:

Two or more reportable occurrences involving assessed dose less than or equal to the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I. One or more reportable occurrences involving assessed dose greater than the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I.

White to Yellow:

Four or more reportable occurrences involving assessed dose less than or equal to the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I. Two or more reportable occurrences involving assessed dose greater than the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I.

Yellow to Red:

Not appropriate for this indicator.

Data Elements:

  • Number of reportable effluent occurrences each quarter as defined above involving assessed dose less than or equal to the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I
  • Number of reportable effluent occurrences each quarter as defined above involving assessed dose greater than the "as low as reasonably achievable" criteria in 10 CFR Part 50, Appendix I

Calculation:

  • None - simple tabulation

Clarifying Notes:

  • Provisions on reporting occurrences involving abnormal releases and out-of-service process and effluent radiation monitors are excluded from this performance indicator.

Examples:

  • Effluent releases that exceed the following limits:

| | Per Quarter | Per Year |
|---|---|---|
| Liquid Effluents: Whole Body | 1.5 mrem | 3 mrem |
| Liquid Effluents: Organ | 5 mrem | 10 mrem |
| Gaseous Effluents: Gamma Dose | 5 mrads | 10 mrads |
| Gaseous Effluents: Beta Dose | 10 mrads | 20 mrads |
| Gaseous Effluents: Organ Doses from I-131, I-133, H-3 & Particulates | 7.5 mrems | 15 mrems |

  • Effluents discharged without treatment and in excess of the following limits:

      + Liquid Effluents: 0.06 mrem Whole Body; 0.2 mrem Organ
      + Gaseous Effluents: 0.2 mrad Gamma; 0.4 mrad Beta; 0.3 mrad Organ

  • Main condenser air extraction system being discharged without treatment for more than 7 days

Examples of effluent occurrences that do not count against the ERO-PI:

  • Liquid and / or gaseous monitor operability issues
  • Liquid and / or gaseous releases in excess of RETS/ODCM concentration limits

APPENDIX A

DATA AND REPORT FORMAT

APPENDIX B

COMPLEMENTARY AND SUPPLEMENTARY BASELINE INSPECTIONS

APPENDIX C

DEFINITIONS

Unplanned transient includes all transients that are not planned, reviewed and authorized by the normal station management committee(s), with the exception of load following transients called for by the transmission entity.

Safe shutdown (non design basis accident (non DBA)) means bringing the plant to those shutdown conditions specified in plant technical specifications as Hot Standby or Hot Shutdown, as appropriate (plants have the option of maintaining the RCS at normal operating temperatures or at reduced temperatures).

As low as reasonably achievable (ALARA): additional guidance and amplification of the term "as low as reasonably achievable" is provided in 10 CFR 50.36(a) and in Appendix I to 10 CFR Part 50.

APPENDIX D

CLARIFYING QUESTIONS AND ANSWERS, PILOT PROGRAM & INDUSTRY WORKSHOPS

Cover Letter Plant Y

Overall Performance

Plant Y operated in a manner that preserved public health and safety.

Performance Indicators

As shown on the attached Plant Issues Matrix, the performance indicators for cornerstones were in the licensee response band with the following exceptions:

  • Unplanned transients greater than 20% in the initiating events cornerstone and
  • AFW system availability in the mitigation systems cornerstone

These indicators were in the increased regulatory response band.

NRC Inspection Activity and Findings

The areas inspected and the inspection hours expended are shown in the attachments. NRC inspection activity confirmed that configuration control problems contributed to a loss of reactor water level inventory event during shutdown. A design error related to the DC power system caused the system to be outside the design basis for certain postulated accident sequences. The licensee has performed a root cause analysis of both problems and has identified corrective actions. The NRC conducted a Regional initiative inspection to assess the licensee's root cause determination and concurs with the causes identified by the licensee. NRC inspection activity and licensee self assessments did not identify any findings of safety significance in other cornerstone areas.

NRC Actions

There were three cited violations as follows:

  • one violation for failing to maintain configuration control of water inventory systems during shutdown;
  • one violation for a design error on the DC power system that caused the system to be outside its design basis under certain postulated accident conditions; and
  • one violation and civil penalty for falsification in a surveillance report.

Future NRC Inspection

The NRC oversight of Plant Y will be accomplished primarily through the baseline inspection program. In addition, the NRC will monitor implementation of licensee corrective actions to reduce initiating events and improve mitigation system availability as well as implementation of corrective actions for the two violations summarized above.

[Plant Y Plant Issues Matrix: table not legible in the scanned source.]

Inspectable Areas and Hours Expended

Inspectable Area / Hours

Initiating Events Cornerstone

  • Adverse weather preparations
  • Equipment alignment
  • Emergent work
  • Fire protection
  • Flood protection measures
  • Heat sink performance
  • Identification and resolution of problems and issues
  • Inservice inspection activities
  • Maintenance rule implementation
  • Maintenance work prioritization and control
  • Nonroutine plant evolutions
  • Piping system erosion and corrosion
  • Refueling and outage activities
  • Total Initiating Events Cornerstone

Mitigating Systems Cornerstone

  • Adverse weather preparations
  • Changes to license conditions and safety analysis report
  • Emergent work
  • Equipment alignment
  • Fire protection
  • Flood protection measures
  • Heat sink performance
  • Identification and resolution of problems and issues
  • Inservice testing of pumps and valves ASME Section XI
  • Licensed operator requalification
  • Maintenance rule implementation
  • Maintenance work prioritization and control
  • Nonroutine plant evolutions
  • Operability evaluations
  • Operator work arounds
  • Permanent plant modifications
  • Post maintenance testing
  • Refueling and outage activities
  • Safety system design and performance capability
  • Surveillance testing
  • Temporary plant modifications
  • Total Mitigating Systems Cornerstone

Barrier Integrity Cornerstone

  • Changes to license conditions and safety analysis report
  • Equipment alignment
  • Fuel barrier performance
  • Identification and resolution of problems and issues
  • Inservice inspection activities
  • Large containment isolation valve leak rate and status verification
  • Licensed operator requalification
  • Maintenance rule implementation
  • Maintenance work prioritization and control
  • Nonroutine plant evolutions
  • Permanent plant modifications
  • Refueling and outage activities
  • Surveillance testing
  • Temporary plant modifications
  • Total Barrier Integrity Cornerstone

Emergency Preparedness Cornerstone

  • Alert and notification system testing
  • Drill and exercise inspection
  • Emergency action level changes
  • Emergency response organization augmentation testing
  • EP training program
  • Identification and resolution of problems and issues
  • Total Emergency Preparedness Cornerstone

Occupational Exposure Cornerstone

  • Access control to radiologically significant areas
  • ALARA planning and controls
  • Identification and resolution of problems and issues
  • Radiation monitoring instrumentation
  • Radiation worker performance
  • Total Occupational Exposure Cornerstone

Public Exposure Cornerstone

  • Gaseous- and liquid-effluent treatment systems
  • Identification and resolution of problems and issues
  • Radioactive-material processing and shipping
  • Radiological environmental monitoring program
  • Total Public Exposure Cornerstone

Physical Security Cornerstone

  • Access authorization
  • Access control
  • Changes to license conditions and safety analysis report
  • Identification and resolution of problems and issues
  • Physical protection system
  • Response to contingency events
  • Total Physical Security Cornerstone

Reactionary Inspections

  • Total Reactionary Inspection

Total Inspection Hours

[Plant Y Inspectable Areas and Hours Expended, tabulated by cornerstone (Initiating Events, Mitigating Systems, Barrier Integrity, Emergency Preparedness, Occupational Exposure, Public Exposure, Physical Security) with total hours: table not legible in the scanned source.]

Cover Letter Plant X

Overall Performance

Plant X operated in a manner that preserved public health and safety.

Performance Indicators

As shown on the attached Plant Issues Matrix, the performance indicators for cornerstones were in the licensee response band.

NRC Inspection Activity and Findings

The areas inspected and the hours expended are shown in the attachments. NRC inspection activity and licensee self assessments did not identify any findings of safety significance.

NRC Actions

There were no cited violations. No enforcement action was taken during the period.

Future NRC Inspection

The NRC oversight of Plant X will be accomplished through the baseline inspection program.
