ML20206R756

Summary of 981216 Meeting with NEI in Bethesda,Md to Provide Draft Results of Framework,Baseline Insp & Assessment Task Group Results to NEI for Discussion of New Processes.Nrc Transition for Implementing New Process Discussed
ML20206R756
Person / Time
Issue date: 12/16/1998
From: Holden C
NRC (Affiliation Not Assigned)
To: Gillespie F
NRC (Affiliation Not Assigned)
Shared Package
ML20206R761 List:
References
NUDOCS 9901200178


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

MEMORANDUM TO: Frank P. Gillespie, Director
Division of Inspection and Support Programs
Office of Nuclear Reactor Regulation

FROM: Cornelius F. Holden, Acting Chief
Inspection Program Branch
Division of Inspection and Support Programs
Office of Nuclear Reactor Regulation

SUBJECT: MEETING WITH THE NUCLEAR ENERGY INSTITUTE TO DISCUSS THE PRELIMINARY TEAM RESULTS OF THE NEW FRAMEWORK, BASELINE INSPECTION AND ASSESSMENT PROCESSES

DATE & TIME: December 16, 1998, 8:00 a.m. - 5:00 p.m.

LOCATION: Hyatt Regency Bethesda
One Bethesda Metro Center
Bethesda, Maryland 20814
Room: Cabinet / Judiciary Suite

PURPOSE: For the NRC to provide the draft results of the Framework, Baseline Inspection and Assessment task group results to the Nuclear Energy Institute for discussion of the new processes. NRC's transition plan for implementing the new regulatory process will also be discussed. Public participation is welcomed.

PARTICIPANTS:

NRC: C. Holden, M. Johnson, A. Madison, P. Baranowsky, B. Mallett
INDUSTRY: S. Floyd

Attachments:

1. Meeting Agenda
2. Technical Framework For Licensee Performance Assessment
3. NRC Nuclear Power Reactor Baseline Inspection Program
4. Detailed Discussion of the Proposed Assessment Process Improvements
6. Transition Plan

CONTACT: James A. Isom 301-415-1109

December 16, 1998 NRC/NEI PUBLIC MEETING AGENDA

8:00 am   Welcome/Introduction   Alan Madison
8:15 am   Assessment Team Updated Report; Transition Planning   Michael Johnson
10:15 am   Break
10:30 am   Baseline Inspection Team Updated Report   Bruce Mallett
12:30 pm   Lunch
1:30 pm   Inspection Findings Assessment Process   Bill Roland
2:30   Break
2:45 pm   Framework Development Team Updated Report   Patrick Baranowsky
4:45 pm   Future Interactions   Alan Madison
5:00 pm

ATTACHMENT 1

Technical Framework For Licensee Performance Assessment

Team Leader: Patrick Baranowsky

Team Members: Douglas Coe, John Flack, Donald Hickman, Jeffrey Jacobson, William Johnson, George Kuzo, Scott Morris, Robert Palla, Gareth Parry, Ann Ramey-Smith, William Ruland, Gregory Smith, Randolph Sullivan, John Wilcox

Table of Contents

Executive Summary
1. Introduction
2. Framework Development Process
3. Performance Thresholds Conceptual Framework
4. Performance Indicators
5. Risk-informed Inspection Areas
6. Cross Cutting Issues
7. Future Development Activities
Appendix A - Initiating Events Cornerstone
Appendix B - Mitigating Systems Cornerstone
Appendix C - Barrier Integrity Cornerstone
Appendix D - Emergency Preparedness Cornerstone
Appendix E - Occupational Exposure Cornerstone
Appendix F - Public Exposure Cornerstone
Appendix G - Physical Security Cornerstone
Appendix H - Supporting Analysis for Performance Thresholds
Appendix I - Benchmarking
Appendix J - Team Charter and Roster

Executive Summary

The NRC conducted a Performance Assessment Workshop on September 28 through October 1, 1998. The stated purpose of the workshop was to explore and develop a framework for oversight of operating commercial nuclear reactors. As an outcome of the workshop, alignment was reached on the general principles and conceptual framework that provides for a graded, threshold approach to performance assessment and related inspection. Subsequently, three task groups were formed to further develop the concept and make the NRC's reactor assessment and inspection processes more efficient, effective, and risk informed: (1) a technical framework task group; (2) an inspection task group; and (3) an assessment process task group. The task groups were comprised of representatives from the Office of Nuclear Reactor Regulation, the Office for the Analysis and Evaluation of Operational Data, the Office of Research, and all four NRC Regional Offices. This report provides the results of the technical framework task group's efforts to identify and develop:

• the cornerstones of safety and the key attributes of performance within each cornerstone;
• the performance indicators that can be used to assess performance in certain areas;
• performance indicator thresholds intended to establish clear demarcation points for identifying fully acceptable, declining, and unacceptable levels of performance;
• aspects of risk informed inspections that should supplement and verify the validity of the performance indicator data.

The task group also performed analysis of cross cutting issues, benchmarked the proposed performance indicators against prior plant performance, and identified future development activities. During the development of the report, information was shared with the inspection and assessment process task groups for use in developing a new risk informed baseline inspection program and overall NRC reactor assessment process.

As a starting point, the technical framework task group used the results of the Performance Assessment Public Workshop held from September 28 through October 1, 1998. During this workshop, alignment was reached with the industry on the regulatory oversight framework and the cornerstones of safety. A diagram of this framework showing the relationship between the NRC's overall safety mission, strategic performance areas, and cornerstones of safety is included as Figure 1 in the main body of the report.

These cornerstones of safety were chosen to: (1) limit the frequency of initiating events; (2) ensure the availability, reliability, and capability of mitigating systems; (3) ensure the integrity of the fuel cladding, reactor coolant system, and containment boundaries; (4) ensure the adequacy of the emergency preparedness functions; (5) protect the public from exposure to radioactive material releases; (6) protect nuclear plant workers from exposure to radiation; and (7) provide assurance that the physical protection system can protect against the design basis threat of radiological sabotage.

Within each cornerstone area, the task group then used a top-down, risk-informed approach to:

• identify the objective and scope of the cornerstone;
• identify the desired results and important attributes of the cornerstone;
• identify what should be measured to ensure that the cornerstone objectives are met;
• determine which of the areas to be measured can be monitored adequately by performance indicators;
• determine whether inspection or other information sources are needed to supplement the performance indicators; and
• determine the thresholds of performance for each cornerstone, below which additional NRC actions would be taken.

Where possible, the task group sought to identify performance indicators as a means of measuring the performance of key attributes in each of the cornerstone areas. Where such a performance indicator could not be identified, the group proposed a "complementary" inspection activity. Where a performance indicator was identified but was not sufficiently comprehensive, the group proposed "supplementary" inspection activities. The task group also identified the need for "verification" type inspections to verify the accuracy and completeness of the reported performance indicator data. These recommended inspection activities were provided to the risk-informed baseline inspection task group for consideration in developing the baseline inspection program.

Performance indicators, together with risk-informed baseline inspections, are intended to provide a broad sample of data to assess licensee performance in the risk significant areas of each cornerstone. They are not intended to provide complete coverage of every aspect of plant design and operation. It is recognized that licensees have the primary responsibility for ensuring the safety of the facility. Objective performance evaluation thresholds are intended to be used to help determine the level of regulatory engagement appropriate to licensee performance in each cornerstone area. Furthermore, based on past experience it is expected that a limited number of risk significant events will continue to occur with little or no prior performance indication. Reactive inspections will be conducted to ensure that the cause of the event is well understood and licensee corrective actions are adequate to prevent recurrence. The results of these follow-up inspections will be factored into the assessment process along with performance indicators and risk informed baseline inspections.

For the initiating events cornerstone, scrams per 7000 critical hours and transients were identified as performance indicators. Recommended inspection areas for this cornerstone included aspects of: fire protection; testing of steam generator tubes and reactor coolant system piping; and operating equipment line-ups.

Under mitigating systems, safety system failures and the safety system performance indicator (SSPI) were chosen as the performance indicators. Recommended inspection areas for this cornerstone included risk significant aspects of: protection of equipment from external events; equipment design adequacy and design modifications; test procedure adequacy; operator training / certification; and emergency operating procedures.

For the barrier integrity cornerstone, performance indicators were chosen for reactor coolant system activity, reactor coolant system leak rate, and total leakage from all containment penetrations. Recommended risk-informed inspections under this cornerstone included: configurations of control rod alignments during risk significant evolutions; configurations of key equipment in the reactor coolant system during shutdown; in-service inspection programs; equipment design adequacy and design modifications; and line-up of equipment penetrations.

The performance indicators selected for the emergency preparedness cornerstone were drill / exercise performance, emergency response organization readiness, and availability of the alert and notification system. Recommended inspection in the emergency preparedness area was largely centered around ensuring the adequacy of licensee assessments of exercises, drills, severe accident management guidelines, equipment, and facilities. In addition, inspection was recommended for changes to emergency action levels in accordance with 10 CFR 50.54(t) as appropriate.

In the area of Radiation Safety - Occupational Exposure, a summary performance indicator was crafted for occupational dose control. Inspection in this area was recommended for the identification and monitoring of high radiation areas; source term control; ALARA planning; and contract health physics technician performance.

In the area of Radiation Safety - Public Exposure, a performance indicator was chosen for effluent releases. Inspection was recommended for calibrations of and modifications to waste processing equipment; verifying operability of meteorological instrumentation; packaging and transportation of radioactive materials; and effluent sampling.

For the Physical Security cornerstone, performance indicators were selected for availability of security systems and failures of the personnel screening and fitness for duty process. Inspection in the Physical Security cornerstone was recommended for testing of barrier intrusion, detection, and alarm systems; search, identification, and control processes; response to security related incidents; and reporting of significant events.

A complete listing of the performance indicators selected for each cornerstone, along with performance thresholds, is provided in Table 2 in the main body of this report. These thresholds were selected for consistency with the performance threshold conceptual model provided in Figure 2 of the report. They correspond to levels of performance requiring no additional regulatory oversight (above the green to white threshold), performance that may result in increased oversight (below the green to white threshold), performance that will result in specific NRC actions (below the white to yellow threshold), and performance that is unacceptable (below the yellow to red threshold). It should be noted that although not expected, should a licensee's performance reach what has been determined to be an unacceptable level, margin would still exist before an undue risk to public health and safety would be presented. The extent of NRC actions would be graded based upon the relative deviation from the performance indicator threshold and the number of thresholds exceeded.

For some indicators, such as those for scrams and safety system performance indicators (SSPIs), selection of the performance indicator thresholds was made using the insights from probabilistic risk assessment (PRA) sensitivity analysis. Other performance indicator thresholds could not be assessed using PRA models. In such cases, the performance indicator thresholds were tied to regulatory requirements or were based on the professional judgement of the NRC staff and industry. For example, under the barrier integrity cornerstone, reactor coolant system activity is a good measure of the integrity of the fuel cladding, but the performance thresholds chosen were based on technical specifications. Under the physical security cornerstone, the availability of physical protection systems provides a useful measure of the status of intrusion detection equipment, but its thresholds were chosen based on professional judgement of the NRC staff and industry representatives.

Once the performance indicators and corresponding thresholds were selected, the task group performed a benchmarking analysis to compare the indicators against several plants that had been previously designated by the agency as having either poor, declining, average, or superior performance. The analysis indicated that the performance indicators could generally differentiate between poor and superior plants, but were not as effective at differentiating average levels of performance. The transients and safety system failure performance indicators appeared to be the most closely tied with prior NRC judgements about performance. In some instances, the cause of the poorly rated plants was due to design or other issues for which valid performance indicators have not been developed. It is expected that these plants would continue to be identified by the inspection program.

The task group also identified aspects of licensee performance such as human performance, the establishment of a safety conscious work environment, common cause failure, and the effectiveness of licensee problem identification and corrective action programs, that are not identified as specific cornerstones, but are important to meeting the safety mission. The task group concluded that these items generally manifest themselves as the root causes of performance problems. Adequate licensee performance in these crosscutting areas will be assessed either explicitly in each cornerstone area or will be inferred through cornerstone performance results from both PIs and inspection results.

1. Introduction

The NRC conducted a Performance Assessment Workshop on September 28 through October 1, 1998. The stated purpose of the workshop was to explore and develop a framework for oversight of operating commercial nuclear reactors. As an outcome of the workshop, alignment was reached on the general principles and conceptual framework that provides for a graded, threshold approach to performance assessment and related inspection. Subsequently, three task groups were formed to further develop the concept and make the NRC's reactor assessment and inspection processes more efficient, effective, and risk informed. The three task groups included: (1) a technical framework task group which was responsible for identifying what information is needed by the NRC in order to ensure adequate public health and safety, including whether the information could be obtained by performance indicators or whether inspections would be required; (2) an inspection task group which was responsible for defining the baseline inspection to be performed at all operating reactor facilities; and (3) an assessment process task group which was responsible for developing a process for assessing licensee performance using the performance indicator and inspection data. This report details the results of the technical framework task group. The purpose of the technical framework group was to further develop details of the conceptual framework derived from the workshop, namely:

• the cornerstones of safety and the key attributes of performance within each cornerstone;
• the performance indicators that can be used to assess performance in certain areas;
• performance indicator thresholds intended to establish clear demarcation points for identifying fully acceptable, declining, and unacceptable levels of performance;
• aspects of risk informed inspections that should supplement and verify the validity of the performance indicator data.

During the development of the report, information was shared with the inspection and assessment process task groups for use in crafting the baseline inspection program and the overall NRC reactor assessment process. The charter and roster of the technical framework group is provided as Appendix J to this report.

As a starting point, the technical framework task group used the results of the Performance Assessment Public Workshop in which the framework concept was developed. The cornerstone framework is a hierarchical structure that begins with a focus on the NRC's overall safety mission and identifies strategic areas in which performance must be maintained in order for the overall safety mission to be achieved. Each strategic performance area, in turn, has a set of cornerstones or safety function areas that support the strategic performance area. The cornerstones provide the fundamental building blocks for the regulatory oversight process and, if their objectives are met, provide reasonable assurance that the NRC's overall safety mission is also met. A diagram showing the NRC's overall safety mission, strategic performance areas, and cornerstones of safety is provided in Figure 1.

[Figure 1 - Cornerstones of Safety. Labels recovered from the diagram: NRC's Overall Safety Mission (public health and safety as a result of civilian nuclear reactor operation); Strategic Performance Areas (reactor safety, radiation safety, safeguards); Cornerstones (initiating events, mitigation systems, barrier integrity, emergency preparedness, public, occupational); human performance; safety conscious work environment; problem identification and resolution; performance indicator; inspection; other information sources; decision thresholds.]

For the reactor safety area, the cornerstones are:

Initiating Events - The objective of this cornerstone is to limit the frequency of those events that upset plant stability and challenge critical safety functions, during shutdown as well as power operations. If not properly mitigated and multiple barriers are breached, a reactor accident could result which would compromise the public health and safety. Licensees can reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Such events include reactor trips due to turbine trips, loss of feedwater, loss of off-site power, and other reactor transients.

Mitigating Systems - The objective of this cornerstone is to ensure the availability, reliability, and capability of systems that mitigate initiating events to prevent reactor accidents. Licensees reduce the likelihood of reactor accidents by enhancing the availability and reliability of mitigating systems. Mitigating systems include those systems associated with safety injection, residual heat removal, and their support systems, such as emergency AC power. This cornerstone includes mitigating systems that respond to both operating and shutdown events.

Barrier Integrity - The objective of this cornerstone is to ensure that physical barriers protect the public from radionuclide releases caused by accidents. Licensees can reduce the effects of reactor accidents or events if they do occur by maintaining the integrity of the barriers. The barriers are the fuel cladding, reactor coolant system boundary, and the containment.

Emergency Preparedness - The objective of this cornerstone is to ensure that actions taken by the emergency plan would provide adequate protection of the public health and safety during a radiological emergency. Licensees can ensure that the emergency plan would be implemented correctly by drills and training. This would give reasonable assurance that the licensee can effectively protect the public health and safety in the event of a radiological emergency. This cornerstone does not include the off site actions, which are covered by FEMA.

For the reactor safety area to fail to meet the goal of adequate protection of public health and safety, an initiating event would have to occur, followed by failures in one or more mitigating systems, and ultimately failure of multiple barriers. At that stage, the emergency plan would be implemented as the last defense-in-depth of public protection.

For the radiation safety area, the cornerstones are:

Public Protection - The objective of this cornerstone is to ensure adequate protection of public health and safety from exposure to radioactive material released into the public domain as a result of routine civilian nuclear reactor operations. These releases include routine gaseous and liquid radioactive effluent discharges, the inadvertent release of solid contaminated materials, and the offsite transport of radioactive materials and wastes. Licensees can maintain public protection by meeting the applicable regulatory limits and ALARA guidelines.

Occupational Worker Protection - The objective of this cornerstone is to ensure adequate protection of worker health and safety from exposure to radiation from radioactive material during routine civilian nuclear reactor operation. This exposure could come from poorly controlled or uncontrolled radiation areas or radioactive material that unnecessarily exposes workers. Licensees can maintain occupational worker protection by meeting applicable regulatory limits and ALARA guidelines.

For safeguards, the cornerstone is:

Physical Protection - The objective of this cornerstone is to provide assurance that the physical protection system can protect against the design basis threat of radiological sabotage. The threat could come from either external or internal threats. Licensees can maintain adequate protection against threats of sabotage based on an effective security program that relies on a defense in depth approach.

Performance indicators, together with risk-informed baseline inspections, are intended to provide a broad sample of data to assess licensee performance in the risk significant areas of each cornerstone. They are not intended to provide complete coverage of every aspect of plant design and operation. It is recognized that licensees have the primary responsibility for ensuring the safety of the facility. Objective performance evaluation thresholds are intended to be used to help determine the level of regulatory engagement appropriate to licensee performance in each cornerstone area. Furthermore, based on past experience it is expected that a limited number of risk significant events will continue to occur with little or no prior performance indication. Reactive inspections will be conducted to ensure that the cause of the event is well understood and licensee corrective actions are adequate to prevent recurrence. The results of these follow-up inspections will be factored into the assessment process along with performance indicators and risk informed baseline inspections.

2. Framework Development Process

The Performance Assessment Workshop began the process of identifying the key attributes of performance within each cornerstone area, as well as potential performance indicators. The framework task group continued the process using a top-down approach to developing each cornerstone area. Included within the task group's efforts were:

• defining the objective and scope of the cornerstone;
• identifying the desired results for each cornerstone and the important licensee performance attributes necessary to achieve them;
• identifying what attributes of performance the NRC needs to assess to ensure that the cornerstone objectives are met;
• determining which of the attributes to be monitored can be measured adequately by performance indicators;
• determining whether inspection or other information sources are needed to supplement the performance indicators; and
• determining the thresholds of performance for each cornerstone, above which additional NRC actions would be taken.

A detailed analysis of each cornerstone is provided in Appendices A through G. Throughout the task group's efforts, a risk informed approach was used, meaning that probabilistic risk insights were balanced with operational experience and existing regulations. In general, generic versus site specific probabilistic risk assessment results were used in selecting the performance indicators, performance thresholds, and inspection areas. This generic use of risk information is consistent with previous NRC risk-informed applications such as guidance to the Maintenance Rule and Regulatory Guide 1.174, "Scope, Level of Detail and Quality of PRA."

Where possible, the task group sought to identify performance indicators as a means of measuring the performance of key attributes in each of the cornerstone areas. In selecting performance indicators, the task group tried to select indicators that: (1) were capable of being objectively measured; (2) allowed for the establishment of a risk-informed threshold to guide NRC and licensee actions; (3) provided a reasonable sample of performance in the area being measured; (4) represented a valid and verifiable indication of performance in the area being measured; (5) would encourage appropriate licensee and NRC actions; and (6) would provide sufficient time for the NRC and licensees to correct performance deficiencies before the deficiencies posed an undue risk to public health and safety. Where such a performance indicator could not be identified, the group proposed a "complementary" inspection activity. Where a performance indicator was identified but was not sufficiently comprehensive to cover all performance areas to be measured, the group proposed "supplementary" inspection activities. The task group also identified areas where "verification" type inspections should be performed to verify the accuracy and completeness of the reported performance indicator data.

In some instances, performance indicator thresholds could be directly tied to probabilistic risk assessment data, such as those for scrams and safety system performance indicators (SSPIs) (see Appendix H). A sample of plants with PRA models available was selected to cover a spectrum of "typical" designs. Normal performance ranges were identified and core damage frequency sensitivity analyses were performed to evaluate the effects of departures from normal performance. This information was used to set performance indicator threshold values that corresponded to the nominal (acceptable), declining (acceptable), and unacceptable performance bands described in section 3.

Other performance indicator thresholds could not be specifically tied to probabilistic risk data. In such cases, the performance indicator thresholds were tied to regulatory requirements or were based on the professional judgement of the NRC staff and industry. For example, under the barrier integrity cornerstone, reactor coolant system activity is a good measure of the integrity of the fuel cladding, but the performance thresholds chosen were based on technical specifications. Under the physical security cornerstone, the availability of physical protection systems provides a useful measure of the status of intrusion detection equipment, but its thresholds were chosen based on professional judgement of the NRC staff and industry representatives. It is expected that if a licensee was to exceed a performance indicator threshold, additional NRC actions, including inspection, would be taken in order to identify the cause and prevent any undue risk to public health and safety. The extent of NRC actions would be graded based upon the relative deviation from the performance indicator threshold and the number of thresholds exceeded.

The task group also identified aspects of licensee performance such as human performance, the establishment of a safety conscious work environment, common cause failure, and the effectiveness of licensee problem identification and corrective action programs, that are not identified as specific cornerstones, but are important to meeting the safety mission. The task group concluded that these items generally manifest themselves as the root causes of performance problems. Adequate licensee performance in these crosscutting areas will be assessed either explicitly in each cornerstone area or will be inferred through cornerstone performance results from both PIs and inspections. A more detailed discussion of cross-cutting issues and how they are specifically addressed is provided in section 6 of this report.

Lastly, the selected PIs were put through a benchmarking exercise that involved evaluation of an industry sponsored assessment and independent NRC staff analyses. This benchmarking was performed for a selection of plants with a history of poor, declining, average, and superior performance as determined by the NRC's senior management meetings. (See Appendix I)

3. Performance Thresholds Conceptual Framework

The concept for setting performance thresholds includes consideration of risk and regulatory response to different levels of licensee performance. The approach is intended to be consistent with other NRC risk-informed regulatory applications and policies as well as consistent with regulatory requirements and limits. The primary attributes of the concept are: (1) the scheme should include multiple levels with clearly defined thresholds to allow unambiguous observation and assessment of declining (or improving) performance; (2) the thresholds should be risk informed to the extent practical, but should accommodate defense in depth and indications based on existing regulatory requirements and safety analyses; (3) the risk implications and regulatory actions associated with each performance band and associated threshold should be consistent with other NRC risk applications, and based on existing criteria where possible (e.g. Regulatory Guide 1.174); (4) the scheme should provide for consistency of risk informed indications of performance with performance indications based on existing regulatory requirements and safety analyses to the extent practical; (5) the scheme should be capable of accounting for performance indicated by risk-informed inspection findings; (6) thresholds should provide sufficient differential to allow meaningful differentiation in performance and limit false positives (e.g. allow an order of magnitude in the risk differential between thresholds); (7) sufficient margin should exist between nominal performance bands to allow for licensee initiatives to correct performance problems before reaching escalated regulatory involvement thresholds, and sufficient margin should exist between thresholds that signify initial declining performance and unacceptable performance to allow for both NRC and licensee diagnostic and corrective actions to be effectuated; (8) each individual PI should have its own performance thresholds; (9) where appropriate, plant-specific design differences should be accommodated; and (10) there will be a performance threshold for unacceptable performance sufficiently above the point of unsafe plant operation that allows NRC sufficient opportunity to take appropriate action to preclude operation in this condition.

The conceptual model that was developed to incorporate the attributes listed above is shown in figure 2. It includes four performance bands as discussed below:

The licensee response band is characterized by acceptable performance in which cornerstone objectives are being met with performance attributes and risk indications

Figure 2 CONCEPTUAL MODEL - OVERALL LICENSEE PERFORMANCE / ACTION

- GREEN -

(ACCEPTABLE PERFORMANCE - Licensee Response Band)

- Cornerstone Objectives Met

- Nominal Risk / Nominal Performance

- WHITE -

(ACCEPTABLE PERFORMANCE - Increased Regulatory Response Band)

- Cornerstone Objectives Met

- Outside bounds of nominal performance

- Within Technical Specification Limits

- Changes in performance consistent with ΔCDF<E-5 (ΔLERF<E-6).

- YELLOW -

(ACCEPTABLE PERFORMANCE - Required Regulatory Response Band)

- Technical Specification limits reached or exceeded

- Changes in performance consistent with ΔCDF<E-4 (ΔLERF<E-5)

- RED -

(UNACCEPTABLE PERFORMANCE - Plants not normally permitted to operate within this band)

- Plant performance significantly outside design basis

- Loss of confidence in ability of plant to provide assurance of public health and safety with continued operation

- Unacceptable margin to safety

UNSAFE PERFORMANCE

in the normal range. This performance band is also designated as the green band. Performance problems would not be of sufficient significance that escalated NRC engagement would occur. Licensees would have maximum flexibility to "manage" corrective action initiatives. The threshold for this band would involve performance that would be outside the normal range of industry historical performance and risk.

The increased regulatory response band would be entered when licensee performance is outside the normal performance range, but would still represent an acceptable level of performance. This performance band is also designated as the white band. Performance is still considered to be within the objectives of the cornerstone and is within TS limits. Degradation in performance in this band is typified by changes in risk of up to Δ10⁻⁵ CDF or Δ10⁻⁶ LERF associated with either PIs or inspection findings.

The required regulatory response band involves more significant decline in performance but licensee performance is, in general, still considered acceptable, if marginal. Performance in this band is also designated as the yellow band. When TS limits are reached or exceeded, licensees would be required to take immediate and effective corrective actions to maintain performance in the band. Degradation in performance in this band is typified by changes in risk of up to Δ10⁻⁴ CDF or Δ10⁻⁵ LERF associated with either PIs or inspection findings.

The unacceptable performance band is entered when performance falls below the yellow band threshold. It is also designated the red band and is typified by changes in performance that are indicative of changes in risk greater than Δ10⁻⁴ CDF or Δ10⁻⁵ LERF associated with either PIs or inspection findings. Plant performance is considered to be significantly outside the design basis, with unacceptable margin(s) to safety, with an accompanied loss of confidence that public health and safety would be assured with continued operation. Further decline in performance would result in operation in a state inconsistent with the safety goals.

4. Performance Indicators

Twenty performance indicators were developed in support of the cornerstone approach to licensee performance assessment, with at least one PI established for each of the seven cornerstones. The Safety System Performance Indicator (SSPI) is actually four individual indicators to measure the availability of four different safety systems. Another PI, Occupational Exposure Effectiveness, is a composite indicator which sums occurrences in three areas to assess performance in the Occupational Radiation Safety cornerstone. Table 1 provides a listing of these PIs and includes a brief definition of the specific data that will be collected for each performance indicator along with the performance thresholds.

In a September 10, 1998, white paper, the NEI proposed eleven PIs to assess licensee safety performance. In general, all of these PIs are encompassed by the set of indicators established in the cornerstone framework. The current proposed set of PIs includes four PIs to evaluate licensee security and safeguards practices for the physical protection cornerstone, an area not initially considered by NEI.

Differences between the initial NEI PIs and the NRC PIs largely involve the scope of the areas monitored, as well as the thresholds for which regulatory response would commence. Licensees will

Table 1 - PERFORMANCE INDICATORS

| Cornerstone | Indicator | Increased Regulatory Response Band | Required Regulatory Response Band | Unacceptable Performance Band |
|---|---|---|---|---|
| Initiating Events | Unplanned scrams per 7000 critical hours (automatic and manual scrams) | >3 | >6 | >25 |
| | Risk-significant scrams per 3 years | >4 | >10 | >20 |
| | Transients per 7000 critical hours | >8 | N/A | N/A |
| Mitigation Systems | Safety System Performance Indicator Unavailability: HPCI and RCIC | >0.04 | >0.12 | >0.5 |
| | Safety System Performance Indicator Unavailability: HPCS | >0.015 | >0.04 | >0.2 |
| | Safety System Performance Indicator Unavailability: Emergency Power | >0.025 | >0.05 (>2EDG >0.1) | >0.1 (>2EDG >0.2) |
| | Safety System Performance Indicator Unavailability: RHR | >0.015 | >0.05 | TBD |
| | Safety System Performance Indicator Unavailability: AFW | >0.02 | >0.06 | >0.12 |
| | Safety System Performance Indicator Unavailability: HPSI | >0.015 | >0.05 | TBD |
| | Safety System Failures | >5 - prior 4 qtrs | N/A | N/A |
| Barriers - Fuel Cladding | Reactor coolant system (RCS) specific activity | >50% of TS limit | >100% of TS limit | N/A |
| Barriers - Reactor Coolant System | RCS leak rate | >50% of TS limit | >100% of TS limit | N/A |
| Barriers - Containment | Containment leakage | >100% La | N/A | N/A |
| Emergency Preparedness | Emergency Response Organization (ERO) drill/exercise performance | <75% - prior 6 months; <90% - prior 2 years | <55% - prior 6 months; <70% - prior 2 years | N/A |
| | ERO readiness (percentage of ERO shift crews that have participated in a drill or exercise in the past 24 months) | <80% - prior 2 years; <90% - prior 3 years | <60% - prior 2 years; <70% - prior 3 years | N/A |
| | Alert and Notification System performance (percentage of availability time) | <94% per year | <90% per year | N/A |
| Occupational Radiation Safety | Occupational exposure control effectiveness (the number of non-compliances with 10 CFR 20 requirements for (1) high (greater than 1000 mrem/hour) and (2) very high radiation areas, and uncontrolled personnel exposures exceeding 10% of the stochastic or 2% of the non-stochastic limits) | 6 or more occurrences in 3 years (rolling average); 3 or more in 1 year | 12 or more occurrences in 3 years (rolling average); 6 or more in 1 year | N/A |
| Public Radiation Safety | Offsite release performance (number of effluent events that are reportable per 10 CFR 20, 10 CFR 50 Appendix I, Offsite Dose Calculation Manual, or Technical Specifications) | 7 or more events in 3 years (rolling average); 4 or more events in 1 year | 14 or more events in 3 years (rolling average); 8 or more events in 1 year | N/A |
| Physical Protection | Protected Area security equipment performance (availability of systems to perform their intended functions) | <95% per year | <85% per year | N/A |
| | Vital Area security equipment performance (availability of systems to perform their intended functions) | <95% per year | <85% per year | N/A |
| | Personnel screening process performance (acceptable implementation of the access authorization program) | 3-5 reportable events | 6 or more reportable events | N/A |
| | Personnel reliability program performance (acceptable implementation of the fitness-for-duty & behavior observation programs) | 3-5 reportable events | 6 or more reportable events | N/A |

record most PI data on a monthly basis, and report the indicators on a quarterly basis. Data for some PIs (e.g. containment leakage) will be provided as soon after it becomes available as practical, but within one quarter. Reporting of PIs to the NRC will be established by a voluntary process, which is intended to enable the cornerstone performance assessment process to be implemented in the relatively near term.

Several additional PIs have been proposed, however further work is needed to determine whether these proposed PIs are viable and can provide meaningful licensee performance insights. Additional discussion of these proposed indicators is detailed in section 4 as well as the individual cornerstone appendices.

For two PIs (transients and safety system failures), no thresholds have been identified for the Required Regulatory Response Band or the Unacceptable Performance Band because the indicators could not be directly tied to risk data. These two indicators have provided good correlation with plant performance in the past and they are considered to be leading indicators of the more risk-significant indicators (scrams, risk-significant scrams, and SSPI). The barrier integrity cornerstone PIs (RCS activity, RCS leak rate, and containment leakage) do not have thresholds identified for the Unacceptable Performance Band because their lower thresholds are based on regulatory requirements (technical specifications). Individual plant technical specifications would require plant shutdown within a short time after the regulatory limits were exceeded. The emergency preparedness, radiation safety, and safeguards cornerstones do not have thresholds identified for the Unacceptable Performance Band. There is no risk basis for a determination that a certain degraded level of performance reflected by these indicators can be correlated into mandatory plant shutdown. It is expected that declining performance in the areas monitored by these indicators would be arrested by increased licensee corrective actions and by increased NRC attention up to and including the issuance of orders.

5. Risk Informed Inspection Areas

As stated previously, the performance indicators do not cover the complete spectrum of risk significant attributes necessary to assess performance in each cornerstone area. In some cases, such as with the SSPIs, the indicators provide data for only a subset of risk significant systems and components. In other areas, such as with design adequacy, the performance indicators provide little or no data.

Consequently, risk informed inspection is required to ensure that performance is adequate in certain areas. This inspection can be divided into three parts: (1) inspection required to supplement those areas where performance indicators do exist but are not sufficiently comprehensive; (2) complementary inspections required where indicators do not exist, and (3) verification type inspection activities designed to ensure the completeness and accuracy of the reported performance indicator data.

Table 2 provides the complete listing of recommended inspection elements tied to each cornerstone, key attribute, and inspection area. Based on expert panel review, these inspection elements were determined to have a direct relationship to meeting the desired performance goals in each cornerstone area. The Table does not contain recommendations regarding reactive inspections which may be performed in response to specific high risk events or in response to exceeding the thresholds associated with specific performance indicators.

Table 2 - Recommendations for Risk Informed Baseline Inspection

| Cornerstone | Key Attribute | Inspection Area | Inspection Element |
|---|---|---|---|
| Minimize Initiating Events | Minimize external events | Fire protection | Inspect for ignition sources and control of combustible material control |
| | | Loss of heat sink | Limited reviews for site specific high risk areas such as grass intrusion in service/circulating water, clogging of circ water with frazzle ice, etc. |
| | | Toxic hazards | Site specific inspection to verify control of on-site toxic hazards |
| | | Switchyard activities | Review of switchyard controls that could cause an initiating event |
| | Equipment performance | Protection of primary system barriers | Review licensee testing of steam generator tube, reactor coolant system piping integrity erosion/corrosion programs, and integrity of fuel cavity during fuel transfers |
| | Configuration control | Operating equipment line-ups | Review work control and licensee awareness of system status for high risk work on systems that could cause initiating events and also lead to a loss of mitigating function, particularly during on-line maintenance |
| Mitigation systems | Protection against external factors | Flooding | Plant specific risk informed inspection of design features |
| | | Weather | Plant specific risk informed inspection of design features |
| | | Toxic hazard | Plant specific risk informed inspection of design features |
| | | Fire | Plant specific risk informed inspection of passive and active fire protection features |
| | | Seismic | Plant specific risk informed inspection of modifications that could affect seismic capability |
| | | Loss of heat sink | Plant specific risk informed inspection of design features such as service water heat exchanger fouling |
| | Design | Design adequacy | Risk-informed inspection of those features of mitigation systems not subject to verification by start-up or periodic testing |
| | Design | Design modifications | Inspection of design modifications (temporary and permanent) with focus on design interfaces, configuration management, post modification testing, and those areas not validated by testing activities |
| | Configuration control | Equipment line-up during operation | For systems not covered by the SSPI's, inspection of implementation of the maintenance rule as necessary to verify licensees are controlling equipment configurations during operation |
| | Configuration control | Equipment line-up during shutdown | Inspection of licensee programs to manage shutdown risk |
| | Equipment performance | Availability of equipment | Inspection of implementation of the maintenance rule for equipment not covered by SSPI. Focus on licensee actions to ensure the availability of risk significant systems and components. |
| | | Reliability of equipment | Inspection of implementation of the maintenance rule. Focus on licensee actions to ensure reliability of safety systems and components. |
| | Procedure quality | Maintenance and test procedures | Inspection to identify that test procedures adequately test those design functions being verified (those design functions not verified by testing will be subject to risk informed inspection) |
| | | Emergency operating procedures and related off-normal procedures | Focused review of risk significant changes to EOPs. (could be performed as part of requal. examinations) |
| Maintain Barrier Integrity - Fuel Cladding | Configuration control | Reactivity control | Configuration of control rod alignments and reactivity control systems during risk significant evolutions |
| Barrier integrity - Reactor Coolant System integrity | Design | Design modifications | Risk informed inspection of permanent and temporary design modifications that could impact RCS integrity (focus on safety evals, post-modification testing, and design bases and risk analyses assumptions) |
| | Procedure quality | Emergency operating procedures and related off-normal procedures | Focused review of risk significant changes to EOPs. (could be performed as part of requal examination) |
| | Configuration control | System alignment | Periodic reviews during shutdown to confirm that the configuration of the RCS and connected systems is properly maintained as necessary to prevent intersystem LOCAs |
| | Equipment performance | Reactor coolant system leakage | Monitor the rate and cause for reactor coolant system leaks and assess adequacy of licensee corrective action |
| | | In service inspection results | Risk informed inspection of ISI programs with focus on use of industry operating experience |
| | | Active RCS component performance | Oversight of maintenance rule implementation as necessary to verify availability and reliability of active RCS components |
| Barrier Integrity - Containment integrity | Design | Operational Capability | Risk-informed inspection of those features of containment systems not subject to verification by start-up or periodic testing |
| | | Design modifications | Risk informed inspection of permanent and temporary design modifications that could impact containment integrity (focus on safety evals, post modification testing, and design bases and risk analyses assumptions) |
| | Procedure quality | Emergency operating procedures | Focused review of risk significant changes to EOPs |
| | | Maintenance and test procedures | Inspection to identify that test procedures adequately test those design functions being verified (those design functions not verified by testing will be subject to risk informed inspection of operational capability) |
| | Configuration control | Line-up of containment penetrations and safety systems and components important to minimizing the large early release frequency | Periodic reviews to ensure the containment is in the proper configuration and that open penetrations can be closed in a timely manner during risk significant evolutions |
| | Equipment performance | Reliability and availability of containment isolation systems | Maintenance rule verification as necessary to verify availability and reliability of containment systems |
| | | Reliability and availability of risk important support systems | Maintenance rule verification as necessary to verify availability and reliability of containment support systems |
| Emergency Preparedness | Emergency response organization readiness | Demonstration of timely augmentation of the emergency response organization | Observe licensee performance during tests of emergency response organization augmentation |
| | | Licensee assessment capability | Observe adequacy of licensee reviews required by 10 CFR 50.54(t) |
| | Facilities and equipment | Availability of equipment and facilities | Inspect adequacy of licensee assessments of equipment and facilities |
| | Procedure quality | EAL changes in accordance with 50.54 (q) | Inspect changes against 50.54 (q) and approve change as appropriate |
| | | SAMG implementation | Inspect adequacy of licensee assessments of implementation of SAMG drills |
| Occupational Exposure | Plant facilities, equipment, and instrumentation | Source term monitoring | Inspection of licensee programs for identifying and properly monitoring source terms resulting in high radiation areas. For transient high dose rate areas verify operability of select radiation area monitors |
| | | Source term reduction | Inspect licensee programs for source term control |
| | Programs and processes | Guidance and procedures | Assess performance for high radiation areas between 100 and 1000 mrem/hr |
| | | Exposure and contamination monitoring/control | Assess performance for high radiation areas between 100 and 1000 mrem/hr |
| | | ALARA planning | Inspection of ALARA program |
| | Human performance | Health physics technician | Inspection of proficiency of health physics technicians covering high dose rate and high collective dose tasks |
| | | Radiation worker training and performance | Evaluate proficiency of workers involved in high dose rate and high collective dose tasks |
| Public Exposure | Plant facilities, equipment, and instrumentation | Process radiation monitoring system, radiological monitoring program | Sample inspections of modifications to and calibrations of radioactive waste processing equipment and effluent monitoring instrumentation |
| | | RMS and counting room detector calibrations | Sample inspections to verify adequacy of calibration and performance parameters for process radiation monitoring system and chemistry laboratory instrumentation used for effluent monitoring activities |
| | | Meteorological monitoring | Sample inspections to verify operability of meteorological instrumentation |
| | | Transportation packaging configuration | Site specific reviews of transportation activities to ensure proper packaging of representative shipments |
| | Program and processes | Radwaste processing effluent monitor | Inspection to verify acceptability of licensee actions to compensate for out of service equipment and for evaluating potential abnormal release paths |
| | | Effluent measurement QC | Sample inspections to verify adequacy of sample analyses and acceptability of quality control results for effluent measurements |
| | | Transportation: DOT requirements | Assess adequacy of identification of radionuclides and quantities as applicable for all packaging |
| | Human performance | Technician / Operations qualifications | Verify adequacy of analysis of effluent samples |
| | | HazMat training | Verify completion of hazardous material training requirements for all personnel involved in processing and loading packages of radioactive materials for transportation |
| | | Proficiency | Verify proficiency of HP, chemistry, and operations staff in conducting processing and release activities |
| Physical Security | Physical protection system | Barriers, intrusion detection, and alarm assessment | Review of testing requirements for each system to ensure performance standards and testing periodicity are appropriate |
| | Access control | Search, identification and control | Inspection of effectiveness of licensee search and identification and control processes |
| | Access authorization system | Personnel screening, fitness for duty, and behavior observation | Verification of reporting thresholds for significant events |
| | Response to initiating events | Implementation of protective strategy | Inspection of licensee programs for responding to security related initiating events (i.e. training, protective strategy, drills, and demonstrations) |
| All - Cross Cutting issue | Problem identification and resolution programs | Problem identification | Inspect to ensure equipment, human performance, and programmatic issues are promptly identified and captured in corrective action system |
| | | Problem evaluation | Inspect to ensure that problem evaluations are prioritized based on their potential risk significance, that root cause analyses are performed for potentially risk significant issues, and that evaluations are thorough. |
| | | Corrective action | Inspect to ensure that corrective actions are implemented in a timely manner coincident with their risk significance |
| All - Cross Cutting issue | Human performance | Post-event human errors | Operator performance during requal. exams focusing on accident mitigation |
| All | PI data verification | Data completeness, reporting accuracy | Inspect to ensure that PI data is being appropriately captured and reported in accordance with PI definitions |

6. CROSS-CUTTING ISSUES

Certain aspects of licensee performance were seen as "cross-cutting" and potentially impacting more than one cornerstone. Issues identified during the Performance Assessment Workshop included: (1) human performance, (2) establishment of a safety conscious work environment, and (3) the effectiveness of problem identification and corrective action programs. Three other closely related issues were identified by the framework task group and are included in the discussion below: (1) maintenance rule implementation; (2) common cause failure; and (3) generic issues and risk significant events. During the group's efforts to assess the information needed to ensure adequate performance in each cornerstone area, the cross-cutting issues were considered and where possible, linked to either performance indicators or inspection areas. They are discussed below to characterize their significance and means by which they were addressed during the cornerstone development process.

Human Performance

By the nature of the design of NPPs and the role of plant personnel in maintenance, testing, and operation, human performance plays an important role in normal, off-normal, and emergency operations. Following the accident at Three Mile Island, Unit 2 (TMI-2), the NRC implemented a number of programs that significantly improved the reliability of personnel performance and the safety of NPPs by reducing the likelihood of core damage and containment failure. Detailed control room design reviews resulted in substantial improvements to the human engineering design of control rooms, as well as to control stations and panels outside the main control room. Emergency operating procedures were modified to include symptom-oriented mitigation strategies and were refined to be more useable, reducing errors in their implementation. Training programs for licensed operators, and later for other important plant personnel, were modified such that job-task analyses were performed which formed the basis for the development of learning objectives, training materials and approaches, objective-specific testing, and appropriate program improvements based on feedback from personnel performance in the field. Other policies and programs implemented by the NRC improved staffing, overtime controls, and fitness-for-duty of plant personnel. Still others improved security and safeguards operations, emergency planning and response, and health physics controls (both occupational and public). Broad-reaching verification and validation efforts were conducted to ensure the proper implementation of the programs.

Together, these programs have significantly improved human performance at NPPs.

Risk-informed, performance-based regulation will, at least in part, involve a shift in the NRC role from improving human reliability to one of monitoring human reliability. Past efforts were appropriately proactive (rather than performance based) because the accident at TMI-2 had clearly illustrated the serious deficiencies in programs to support effective and safe human performance at NPPs. The success of the human performance improvement programs allows the NRC to now take a more performance-based approach to regulatory oversight of human performance. Thus, if plant performance is acceptable (as monitored through risk-informed inspections and performance indicators), then the performance of plant personnel is assumed to be acceptable as well. That is, if risk-informed inspection (for example, maintenance rule verification inspections, configuration control inspections, and other inspections as described for each cornerstone) and plant performance indicators for each cornerstone (such as scrams and transients for the initiating events cornerstone and the SSPI for the mitigating systems cornerstone) together indicate that plant performance is meeting the cornerstone objectives, then those findings also provide an indication of the acceptability of the associated human activities. This relationship between plant and human performance is assumed to be especially strong with regard to the broad range of normal operations, including maintenance and testing activities during power and shutdown operations.

Supplemental verification inspections of problem identification and resolution programs will be conducted to ensure that human performance (and those factors such as training, procedures, and the like that influence human performance) is specifically and appropriately investigated through licensees' root cause analyses and corrective action programs, including the investigation of potential common cause failures caused by human actions.

Post-initiator operator actions are far less frequent than pre-initiator human activities that influence the latent capability of plant equipment. While initial and requalification examinations provide a predictive measure of operator performance during off-normal and emergency operations, follow-up inspections of risk-significant events will provide a more direct indication of the adequacy of post-initiator human performance. In addition, performance measures from emergency response exercises, and those associated with security and occupational exposure, will provide another means for the NRC to ensure that human reliability is being maintained appropriately.

Safety Conscious Work Environment

A safety conscious work environment (SCWE), also referred to as a "safety culture," can be characterized by a willingness on the part of a licensee staff to raise and document safety issues to resolve risk-significant equipment and process deficiencies promptly, adhere to written procedures, conduct effective training, make conservative decisions, and conduct probing self-assessments. In general, management commitment to safety will promote a safety conscious work environment.

Possible indications of an "unhealthy" safety culture include a high number of allegations, a weak employee concerns program, and a high corrective maintenance backlog.

The establishment of a safety conscious work environment is seen as a cross-cutting issue since a poor safety culture among licensee staff can affect performance in any of the cornerstone areas.

For example, a failure to reinforce high standards of procedure compliance or provide effective training can result in human-induced errors which cause transient events or render safety systems inoperable (initiating events and/or the mitigating systems cornerstone). A corrective action program with a high threshold for reporting conditions adverse to quality can result in a large number of deficiencies going unresolved, which could complicate plant response to a subsequent event (mitigating systems or barriers cornerstone).

The importance of a safety conscious work environment is similar to, if not integral with, the role of licensee problem identification and corrective action processes. As with the problem identification and corrective action cross-cutting issue, an assumption was made regarding the role of a safety conscious work environment in NRC assessments of licensee performance. Specifically, if a licensee had a poor safety conscious work environment, problems and events would continue to occur at that facility to the point where either they would result in exceeding thresholds for various performance indicators, or they would be surfaced during NRC baseline inspection activities, or both. Additionally, because inspection of licensee problem identification and corrective action programs will be included in the baseline inspection program, some indirect assurance will be gained as to the health of a licensee's safety culture. Lastly, the NRC's verification of the maintenance rule implementation, also to be included in the baseline inspection program, will provide assurance that risk-significant safety equipment deficiencies are being effectively resolved.

In short, no separate and distinct assessment of licensee safety culture is needed because it is subsumed by either the PI's or baseline inspection activities.

Problem Identification and Corrective Action Programs

Defining and implementing an effective problem identification and corrective action program is a key element underlying licensee performance in each cornerstone area. A fundamental goal of the NRC's reactor inspection and assessment process is to establish confidence that each licensee is detecting and correcting problems in a manner that limits the risk to members of the public. The NRC expects licensees to be technically and organizationally self-sufficient in this regard.

Ineffective problem identification and corrective action programs, including poor conduct of root cause analysis of self-identified or self-revealing issues, have been a common theme among problem plants in the past. The scope of problem identification and corrective action programs includes processes for self-assessment, root cause analysis, safety committees, operating experience feedback, and corrective action.

With regard to licensee problem identification and corrective action effectiveness, there are several areas that are not specifically evaluated by either the individual cornerstone performance indicators or the complementary risk-informed inspections. As such, additional focused inspection is needed to evaluate licensee performance as it relates to this cross-cutting issue. Specifically, baseline inspection of licensee corrective action programs is necessary for the NRC to:

(1) conduct reviews of precursors to events which occur relatively infrequently but have significant consequences;

(2) independently identify potentially "generic" concerns that a licensee may have missed, including specific problems involving safety equipment, procedure development, design control, etc.;

(3) assess the collective impact of all of the items in the corrective action backlog which may not have individual risk significance. The cornerstone framework does not otherwise include a means to accomplish this assessment. A good understanding of plant-specific risk vulnerabilities would be needed while conducting this review;

(4) have assurance that licensees adequately address potential "common cause" equipment failure concerns, identified either by internal events and issues or by receipt of operating experience feedback from other licensees, vendors, etc.;

(5) verify that licensees are appropriately identifying and capturing issues that could affect the unavailability of equipment tracked by the SSPIs and the maintenance rule.

In all cases, deficiencies identified in the problem identification and corrective action program should be risk informed and should be tied to the cornerstone areas.

Maintenance Rule Implementation

Assessment of the licensee's implementation of the maintenance rule is recommended as a baseline inspection item in order to ensure the availability, reliability, and capability of those safety systems and components (SSCs) not being monitored by the safety system performance indicators (SSPIs). The maintenance rule includes SSCs that influence performance in the initiating events, mitigation systems, and barrier integrity cornerstone areas. SSCs under the scope of the maintenance rule include both safety-related SSCs and non-safety-related SSCs. These SSCs are relied upon to mitigate accidents or transients and are used in plant emergency operating procedures (EOPs). Failure of the SSCs could also cause a reactor scram or actuate a safety-related system. The maintenance rule requires monitoring of the reliability and unavailability of risk significant SSCs, as well as the performance of on-line and shutdown safety assessments of equipment line-ups. These shutdown and on-line safety assessments are important in order to ensure that the defense-in-depth and safety margins features of the plant design are not unduly compromised.

This maintenance rule verification inspection activity should consist of two parts: (1) verification of the accuracy and completeness of the unreliability and unavailability data that provides input to individual performance indicators (PI); and (2) monitoring of the plant specific high risk SSCs that have demonstrated high unreliability and unavailability to ensure that appropriate corrective actions have been taken.

Common Cause Failure

A common cause failure (CCF) is an event or condition that results in the failure of redundant equipment to perform its safety function at approximately the same time as a result of a shared cause. Risk assessments have consistently shown that CCF is a significant contributor to risk.

This is due in large part to the multiple redundancies in commercial nuclear power plant design that make coincident independent failure of redundant systems and components relatively insignificant. Since common cause failures can impact the performance of systems in multiple cornerstones (or multiple systems within cornerstones), it is important for the performance indicators and risk-informed inspection activities to appropriately account for their impact.

Common cause failures in risk important systems tend to be relatively rare events that are not easily amenable to plant specific trending and monitoring. The rate of CCF events resulting in complete failure of redundant equipment has been steadily decreasing in recent years. The current rate is about one event at a plant every 5-6 years. The performance indicators and risk-informed inspections are designed to monitor performance of risk important systems, structures and components. Failures causing initiating events or the inability of a risk-significant mitigating system to perform its safety function would be captured under the existing process. Common cause failures, being a subset of all failures, would be captured by this process as well. However, since a common cause failure has a greater potential risk impact, additional activity beyond monitoring the impact of failures on performance indicators and other baseline inspections is warranted.

The NRC has developed a CCF database which catalogs both the complete and partial common cause failure events that have occurred between 1980 and 1996 as reported in the LERs and INPO's NPRDS database (NPRDS is being replaced by EPIX, which will provide input for future CCF event analyses). AEOD is currently performing a study of the nature of the causes, coupling factors, and barriers to common cause failures from the industry wide experience contained in the CCF database. Insights from this study and plant specific screening of the CCF data can be used to identify plant specific programmatic areas for inspection that will enable the NRC to assess whether the most important causes, coupling factors, and barriers to CCF are being addressed by licensees. With the existing coverage of failure events (including the CCF events) by the performance indicators and other risk-informed inspection activities, the addition of CCF insights to appropriate inspection activities can provide added assurance that licensees are adequately addressing factors important to limiting the occurrence of CCF events.

Generic Issues and Risk Significant Events

Generic issues are events or conditions affecting the safety performance of plant systems, structures, or components which have the potential to affect multiple plants. They may be identified as a result of an occurrence at a plant(s) or a review of one or more plants' design features. The NRC has a long standing program to identify generic issues, rank them according to their risk significance, and resolve them in accordance with their attendant costs and benefits. Generally, generic events deal with issues outside the existing licensing bases of the plants.

Another long standing and complementary program to the Generic Issue process is the evaluation of the risk significance of operational events in the Accident Sequence Precursor (ASP) Program. This program calculates the conditional probability of core damage based on actual events or conditions reported at nuclear power plants. It provides the ability to relatively rank the severity of operational events and can also provide generic insights into plant and industry performance. In addition, the analysis of ASP events provides insights into the characteristics of the most risk significant event occurrences as well as trending industry experience relating to these events. SECY 97-296, SECY 98-xxx, and NUREG/CR-4674, Volume 26 provide more detail on these findings including:

  • The rate of occurrence of precursors has been decreasing significantly

  • The most risk significant precursors (CCDP>1E-3) tend to occur about once every two years

  • The risk implication of the ASP events is generally consistent with estimates based on PRA/IPE analyses

  • Of the approximately 1000 events and conditions reportable to the NRC each year, about 1% have sufficient risk implications (CCDP>1E-6) to be precursors

  • The characteristics of about 15% of the precursors are different from those typically modeled in PRA/IPEs

Both the ASP insights provided above and the benchmarking of PIs against ASP events (see Appendix I) indicate that there will be limited leading indication for many of these events. However, as also noted in the ASP insights, the industry-wide occurrence rate of these events and conditions is generally consistent with estimates based on PRA and IPE results. While current PRAs, IPEs, and ASP analyses do not cover all possible contributors to risk, for the areas they do cover (primarily core damage events associated with "internal" initiators and some containment events), they indicate consistency with the quantitative health objectives of the Commission's Safety Goal Policy. Moreover, the current NRC Strategic Plan has a performance goal to "Maintain low frequency of events which could lead to severe accidents", which it further defines as an occurrence rate of not more than one per year of "events that could result in a 1/1000 (10^-3) or greater probability of occurrence of a severe accident."

As was also the case with CCF events, the risk importance of these events likely will be relatively higher than other events captured by the performance indicators or baseline inspections. The ASP analyses will continue to provide indication of the overall industry performance and the frequency at which these events are expected to occur, as well as perspective on the most risk significant events at individual plants. This program and related activities that provide risk based analysis of reactor operating experience will continue to provide the industry-wide context and assessment of events and issues that affect individual plants and have broader risk significant implications.

7. Future Development Activities

Several performance indicator development activities remain to complete and/or further enhance the reactor performance assessment framework. A brief summary of these activities follows.

Definitions

  • Detailed instructions for how to calculate each PI must be established and distributed.

  • A review of more optimal PI display options should be conducted, particularly for the SSPI and Barrier indicators.

Thresholds

The current assessment of PI thresholds is based on a relatively small number of sensitivity studies, using PRA models of differing levels of detail. They show significant differences in results.

The selected threshold values are somewhat conservative for most but not all plants. More effort is needed to understand these results, and to determine whether thresholds can or should be established for plant classes on a plant specific basis. In particular, the following activities should be performed:

- If made available, analyze the results of sensitivity studies performed/provided by NEI for a broader set of plants, conducted in accordance with the approach used by NRC staff.

- Separate the analysis of data on turbine driven pump and motor driven pump trains (contingent on receiving data from industry).

- Conduct analyses to support the establishment of thresholds for new/proposed PIs, or refinement of existing PIs, where current data is limited.

Proposed "Near-Term" PIs

  • Continued effort is needed to investigate the viability of several proposed PIs (see attached table). It is expected that these PIs could be developed and implemented by June 1999. Actions needed to complete the development of these PIs are noted in Table 3. Other PIs associated with emergency preparedness, radiation protection, and security still require refinement and further evaluation of thresholds. PI benchmarking would be part of this activity. Use of some or all of these PIs would eliminate related baseline inspection activities.

"Long-Term" PIs

  • The NRC is currently embarked on a long-term project to develop "Risk-Based" PIs (RBPI). The objective of this AEOD-sponsored program is to establish and implement a risk-based approach to PIs that is capable of evaluating trends in risk-significant performance at specific plants, and generically among groups of plants. RBPIs will use measures of reliability, availability, probability, and frequency to monitor the performance of risk-significant systems, structures, and components that contribute to core damage frequency. Quantitative data needed to support the RBPIs will come from various sources, including the industry's Equipment Performance and Information Exchange system and NRC's Reliability and Availability Data System (also under development). Industry-wide analyses of this data for common cause failures, initiating events, and system/component reliability will be used in conjunction with plant-specific analyses (Accident Sequence Precursor program and Simplified Plant Analysis Risk models) to form the basis for the RBPIs. The RBPIs may ultimately replace the indicators currently established for the Initiating Events and Mitigating System cornerstones, and should permit better, more focused use of inspection resources. This work is scheduled for completion in early 2001.

  • The viability of PIs related to licensee implementation of the maintenance rule should be pursued. For example: (1) a PI that indicates changes in cumulative core damage frequency based on the changes resulting from on-line and shutdown safety assessments (threshold values would be plant-specific); (2) a PI that indicates structures, systems, and components that either remain in "(a)(1)" status for long periods or that have entered into "(a)(1)" status on more than one occasion over relatively short periods (threshold values would be plant-specific). Use of maintenance rule PIs would eliminate some baseline inspection activities.


Table 3 - PROPOSED "NEAR TERM" PERFORMANCE INDICATORS

| Cornerstone | Indicator | Action |
|---|---|---|
| Initiating Events | Risk-Significant Scrams | NRC compiling data; need to evaluate data to determine whether a meaningful threshold can be established. |
| Initiating Events | Shutdown safety margin (number of unplanned reductions in the safety margin for (1) reactor coolant inventory, (2) reactor coolant temperature, and (3) reactivity while the plant is shut down) | NEI proposed this indicator in their white paper; more NEI development work is needed. |
| Mitigation Systems | Safety System Failures | This is an NRC-developed indicator currently in use. Work is needed to establish a performance threshold before it can be added to the cornerstone framework. |
| Mitigation Systems | Safety system reliability (reliability of four safety systems) | NRC development in progress; more effort needed to establish meaningful thresholds. |
| Mitigation Systems | Shutdown operations performance (percent of outage time that defense-in-depth was compromised) | NEI plans to propose this indicator and develop the details. NRC review will also be required. |
| Barriers - Reactor Coolant System | Reactor coolant system integrity (frequency of pressure boundary leaks as defined by technical specifications, excluding steam generator tubes) | NRC plans to develop this indicator. Need to determine whether data is available, and evaluate results of benchmarking. |
| Barriers - Reactor Coolant System | Reactor coolant system integrity (percentage of inservice inspections which identify the need for repairs to be performed pursuant to technical specifications) | NRC plans to develop this indicator. Need to determine whether data is available, and evaluate results of benchmarking. |

The cornerstone approach to licensee assessment relies on objective indicators of plant performance to make inferences about human reliability. However, more direct measures of pre-initiator human performance could provide a leading indication of changing plant performance. For example, errors during maintenance, testing, and operations affecting plant configurations will eventually, if not corrected, be evidenced through degraded equipment availability and reliability and increased frequency of transients and scrams.

Therefore, future research may be conducted to study the utility and feasibility of developing a performance indicator(s) for pre-initiator human performance that is risk-informed and plant-performance based. In the interim, plant-level PIs, complemented by risk-informed reviews of licensee corrective action program data, will be performed.

Additionally, studies of operator error probabilities (and their contribution to plant risk) are underway. This effort is being conducted largely because this information is an essential input to the Risk-Based PIs described above.

Review additional benchmarking data to determine if the use of dual level thresholds in the Emergency Preparedness, Public Radiation Safety, and Occupational Radiation Safety could be eliminated through consolidation.


Appendix A

Initiating Events Cornerstone

General Description

The objective of this cornerstone is to limit the frequency of those events that upset plant stability and challenge critical safety functions, during shutdown as well as power operations. When such an event occurs in conjunction with equipment and human failures, a reactor accident may occur. Licensees can therefore reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Such events include reactor trips due to turbine trip, loss of feedwater, loss of offsite power, and other reactor transients. There are a few key attributes of licensee performance that determine the frequency of initiating events at a plant.

Key Attributes of Licensee Performance That Contribute to Event Frequency

Those attributes of licensee performance that affect the frequency of initiating events are shown in Figure 1. They include three that were identified at the NRC's Performance Assessment Public Workshop of September 28 through October 1, 1998 (configuration control, procedure quality, and human performance), plus three additional ones (protection against external events, equipment performance, and design). Common-cause failure, which was also identified at the Workshop, has been addressed elsewhere as a cross-cutting issue. The soundness of a licensee's performance in these attributes will affect its ability (1) to maintain a low frequency of initiating events that are under the licensee's control and (2) to limit the number of initiating events caused by external factors. In the first case, the licensee can control the frequency of initiating events by ensuring adequate human performance, procedure quality, equipment performance, plant design, and configuration control. In the second case, the licensee can limit the plant's vulnerability to factors that are outside its direct control by providing adequate protection against those external factors.

Protection Against External Events

External events can cause initiating events and have been shown in some PRAs to be significant contributors to plant risk. Such events include those that are due to weather, floods, fires, accidents involving toxic substances, activities in the switchyard, grid instability, and loss of access to the ultimate heat sink. While licensees cannot prevent most of these events from occurring, they can install protective systems, such as freeze protection and lightning arresters, and implement procedures, such as shutting down prior to the arrival of a hurricane, to reduce their impact on the plant. These actions help to limit the number of plant upsets due to external events. Because external events are so rare, the lack of an initiating event due to an external event does not provide assurance that protection against such events is adequate. This attribute will be monitored by inspection of protective features.

Human Performance

Human errors can cause initiating events, especially during activities associated with plant operations, maintenance, calibration, and testing. Human-induced initiating events are relatively more frequent during shutdowns than during power operations. The nature of the work being performed while the plant is shut down is quite different from that of power operations, with more frequent, direct interactions between plant personnel and plant equipment; likewise, work scheduling is more complex because of the higher number of concurrent work activities. Hence there are more human-induced initiating events while shut down because there are more opportunities for such events. Effective planning and control of work is crucial to limiting the occurrence of human-induced initiating events, both while the plant is operating as well as when it is shut down. Human errors that cause initiating events during both shutdown and power operations will be captured by performance indicators.

Figure 1 (graphic not recoverable)

Procedure Quality

Inadequate procedures can cause initiating events by inducing plant personnel to take inappropriate actions during plant operations, maintenance, calibration, or testing. This can occur for reasons such as a missing step, ambiguous or confusing language or organization, or a typographical error. Procedural inadequacies that cause initiating events will be monitored by the PIs.

Equipment Performance

Equipment failure or degradation can cause initiating events such as reactor scrams during power operations and losses of decay heat removal during shutdowns. These are expected to originate primarily in balance-of-plant (BOP) equipment while at power and in safety-related equipment during shutdowns. To limit challenges to safety functions due to equipment problems, licensees should have programs in place to achieve high availability and reliability of equipment that can cause initiating events. Strong preventive and corrective maintenance programs would be an integral part of those programs. Initiating events caused by equipment performance will be captured by PIs. In addition, licensees are required by the Maintenance Rule to establish performance criteria and goals for equipment that can cause initiating events and to monitor performance against those criteria and goals and to implement effective maintenance programs.

Barrier-related initiating events (steam generator tube rupture, loss-of-coolant-accident [LOCA], interfacing system LOCA, and fuel handling error) were judged to be unsuitable for monitoring by an indicator due to their low frequency and possible high risk. Risk-informed inspections will be performed to verify that the barriers have not degraded, particularly in those areas where the safety margins are smallest.

Design

Inadequacies in either the design, the as-built configuration, or the post-installation testing of plant modifications can cause initiating events. Also, as plants age, their design bases may be misunderstood or forgotten such that an important design feature may be inadvertently removed or disabled during a plant modification. Design errors that result in initiating events will be revealed by PIs. Design errors that do not cause an initiating event are not relevant to this cornerstone.

Configuration Control

Loss of configuration control of risk significant safety equipment (primarily support systems) can initiate a reactor transient and simultaneously compromise mitigation capability (common-cause initiators). During power operations, PIs are not viable as indicators of risk-significant configuration control problems because such events are rare and, with the extensive redundancy that exists, they would not lead immediately to a plant trip.

During shutdowns, however, when equipment is out of service for maintenance or testing, or when off-normal lineups or infrequent tests and evolutions are being conducted, configuration control problems are more likely to result in initiating events. These events will be captured by PIs (in the future) but, because of the high risk of shutdown events, PIs alone are insufficient. Risk-informed inspection of configuration control will be used to supplement the PIs during plant shutdowns.

Performance Indicators

This section defines the PIs and describes the calculational methods used to monitor licensee performance in limiting initiating events. PRAs have shown that risk is often determined by initiating events of low frequency, rather than those that occur with a relatively higher frequency. Such low-frequency, high-risk events have been considered in selecting the PIs for this cornerstone. All of the PIs used in this cornerstone are counts of either initiating events, or transients that could lead to initiating events (see Table 1). They have face validity for their intended use because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. The PIs by themselves are not necessarily related to risk. They are, however, the first step in a sequence which could, in conjunction with equipment failures, human errors, and off-normal plant configurations, result in a nuclear reactor accident. They also provide indication of problems that, if uncorrected, increase the risk of an accident. In most cases, where PIs are suitable for identifying problems, they are sufficient as well, since problems that are not severe enough to cause an initiating event (and therefore result in a PI count) are of low risk significance. In those cases, no baseline inspection is required (the exception is shutdown configuration control, for which supplemental baseline inspection is necessary).

Not all aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by PIs will be assessed through inspection. Figure 1 identifies the type of monitoring (e.g., PIs or inspection) to be used for the elements of each attribute. (NEI proposed, and the Performance Assessment Workshop recommended, a PI based on the NRC's Safety System Actuations [SSA] indicator; it would only include those SSAs that occur when a plant parameter actually exceeds its set point. The Framework team is continuing to look into the use of risk-significant scrams and/or Safety System Failures (SSFs) to account for potentially high-risk initiators. Both the risk-significant scrams and the SSFs can be more closely related to risk and are therefore preferred over SSAs.)

Performance Indicators for Power Operations

1. Scrams - unplanned automatic and manual scrams while critical per 7,000 Critical Hours¹ and risk-important scrams.

This measure is a count of events that upset plant stability and challenge safety functions. The indicator includes all scrams while the reactor is critical that are not directed by a normal operating or test procedure. It also includes scrams that occur during the execution of procedures in which there is a high probability of a scram but the scram was not planned. Examples of the types of scrams included are those that result from unplanned transients, equipment failures, spurious signals, human error, or those directed by abnormal, emergency, or annunciator response procedures. This is the same as the WANO indicator that is used by all U.S. plants, except that it also counts manual scrams because, from a risk perspective, they are just as important as automatic scrams. Also, a separate count is made of risk-important scrams over a 12 quarter moving sum to differentiate these scrams from the scrams without any complications. Risk-Significant Scrams = Scrams with LOCA, SGTR, LOOP, Total Loss of Heat Sink, Total Loss of Feedwater; or Scrams with a failure of one or more trains of the SSPI systems. The SSPI systems are: BWRs - Emergency AC Power; High Pressure Coolant Injection Systems (HPCI, HPCS, FWCI); High Pressure Heat Removal Systems (RCIC, IC); and RHR for the suppression pool and shutdown cooling functions. PWRs - Emergency AC Power, HPSI, AFW, and RHR for the post-accident recirculation and shutdown cooling functions.

Calculational Method - The number of scrams in the last four quarters are summed, divided by the number of critical hours in the last four quarters, then multiplied by 7,000. This will ensure that shutdown periods are treated consistently in the PI. For risk-important scrams, the number of those scrams are added for the last 12 calendar quarters.

Thresholds - Thresholds were determined using risk sensitivity studies as discussed in Appendix H.

Scrams: GW - 3, WY - 6, YR - 25

Risk-important Scrams: GW - 4, WY - 10, YR - 20

Verification Inspection - On a sample basis, verify that the number of scrams and the critical hours are being reported accurately.

2. Transients - unplanned changes in reactor power of greater than 20% per 7,000 Critical Hours.

This indicator counts unplanned events (excluding scrams) that could, in certain plant conditions, challenge safety functions. It may be a leading indicator of risk significant events. The PI includes all changes in reactor power of greater than 20% that are not planned. It includes uncontrolled excursions in reactor power as well as unplanned controlled power reductions and shutdowns. Unplanned power reductions and shutdowns are those that are initiated before the end of the weekend following the discovery of an off-normal condition. Examples of the types of transients included are runbacks, power oscillations, power reductions conducted in response to equipment failures or personnel errors, and unplanned power reductions to perform maintenance. It does not include manual or automatic scrams or load following power changes. This is similar to the information that is included by all licensees in their monthly operating reports.

¹ One year of operation with an availability factor of 0.80 is equivalent to 7,000 critical hours. Rate indicators are susceptible to false positives when the denominator is small, as when a plant has been in an extended outage.

Calculational Method - The number of transients in the last four quarters are summed, divided by the number of critical hours in the last four quarters, then multiplied by 7,000. This will ensure that shutdown periods are treated consistently in the PI.

Thresholds - The threshold was determined using the industry mean plus one standard deviation based on data from July 1, 1995, through June 30, 1997. This is consistent with the methodology used by Arthur Andersen to develop the Performance Trending Tool currently being used to support the Senior Management Meeting process. Benchmarking is discussed in Appendix I.

GW - 8; others - none, not a direct measure of risk.

Verification Inspection - On a sample basis, verify that the number of transients and the critical hours are being reported accurately.
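The calculational method for the scram and transient indicators, worked through as an added example (not part of the NRC document). The sample quarters, the `MIN_CRITICAL_HOURS` cut-off and the reading of a threshold as "crossed" when the rate is strictly greater than it are assumptions; the 7,000-hour normalization and the threshold values are the ones quoted above.

```python
"""Four-quarter rate indicators per 7,000 critical hours (added illustration)."""
from dataclasses import dataclass

NORMALIZATION_HOURS = 7000  # page: one year at 0.80 availability

# Threshold values quoted on the page, keyed by the page's own labels.
THRESHOLDS = {
    "scrams": [("GW", 3), ("WY", 6), ("YR", 25)],
    "risk_important_scrams": [("GW", 4), ("WY", 10), ("YR", 20)],
    "transients": [("GW", 8)],  # page: "others - none"
}

# Assumption (not from the page): below this many critical hours in the
# window, the rate is flagged as unreliable (small-denominator caveat).
MIN_CRITICAL_HOURS = 2400


@dataclass(frozen=True)
class Quarter:
    label: str
    critical_hours: float
    events: int


def rolling_rate(quarters, window=4):
    """Events in the last `window` quarters per 7,000 critical hours."""
    recent = quarters[-window:]
    if len(recent) < window:
        raise ValueError(f"need at least {window} quarters of data")
    hours = sum(q.critical_hours for q in recent)
    if hours <= 0:
        return None  # no critical hours: the rate is undefined
    events = sum(q.events for q in recent)
    return events * NORMALIZATION_HOURS / hours


def moving_sum(counts, window=12):
    """Plain count over the last `window` quarters (risk-important scrams)."""
    return sum(counts[-window:])


def thresholds_crossed(indicator, value):
    """Labels of every threshold the value exceeds (strictly greater)."""
    return [name for name, limit in THRESHOLDS[indicator] if value > limit]


def assess(indicator, quarters, window=4):
    """Rate, thresholds crossed, and a small-denominator warning flag."""
    rate = rolling_rate(quarters, window)
    hours = sum(q.critical_hours for q in quarters[-window:])
    return {
        "rate": rate,
        "critical_hours": hours,
        "crossed": [] if rate is None else thresholds_crossed(indicator, rate),
        "low_confidence": hours < MIN_CRITICAL_HOURS,
    }


# Constructed sample data, not taken from any plant.
STEADY = [
    Quarter("Q1", 2100, 1),
    Quarter("Q2", 2100, 0),
    Quarter("Q3", 2100, 1),
    Quarter("Q4", 2100, 0),
]
# Extended outage: one scram over only 700 critical hours.
OUTAGE = [
    Quarter("Q1", 0, 0),
    Quarter("Q2", 0, 0),
    Quarter("Q3", 300, 0),
    Quarter("Q4", 400, 1),
]

if __name__ == "__main__":
    for name, data in (("steady", STEADY), ("outage", OUTAGE)):
        print(name, assess("scrams", data))
```

The outage case shows the false-positive risk the footnote describes: a single scram over 700 critical hours normalizes to 10 per 7,000 hours, so a verification sample should check the critical-hours denominator as carefully as the event count.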

Performance Indicators for Shutdown Operations

3. Shutdown Margin (future) - the number of unplanned decreases in the safety margins of reactor coolant level, reactor coolant temperature, and reactivity during reactor shutdown.

This indicator counts the events that jeopardize the capability to remove decay heat from the reactor while shut down or could lead to unplanned criticality. Experience has shown that plant activities while shut down with safety equipment out of service can, under certain circumstances, have serious consequences. It is important that reactor coolant level and temperature be controlled to maintain the heat removal capability and to prevent inadvertent criticality.

Calculational Method - TBD

Thresholds - Regulatory: TBD Safety: TBD

Verification Testing - TBD

Inspection Areas

The accuracy of the PI data reported by licensees will be verified through baseline inspections. In addition, for those elements of licensee performance that are important to risk, maintenance of defense in depth, and maintenance of safety margins and are not amenable to monitoring through PIs, licensee performance will be assessed through inspection. Table 2 identifies the type of regulatory monitoring (PIs or inspection) that will be used for the elements of each key attribute of licensee performance associated with initiating events.

Table 1 Performance Indicators for the Initiating Event Cornerstone

PI: Scrams
Measured Areas: Human Error, Procedure Quality, Design, and Equipment Performance
Definition: Counts unplanned automatic and manual scrams while critical; calculated per 7,000 critical hours to remove shut down periods from the indicator. Also counts risk important scrams for a 12 quarter moving sum.
Thresholds: Scrams: GW - 3; WY - 6; YR - 25. Risk important scrams: GW - 4, WY - 10, YR - 20

PI: Transients
Measured Areas: Human Error, Procedure Quality, Design, and Equipment Performance
Definition: Counts unplanned power excursions or controlled power reductions not included in total scrams that result in a change in reactor power of greater than 20 percent; calculated per 7,000 critical hours
Thresholds: GW - 8 (No others)

PI: Shutdown Margin (future)
Measured Areas: Human Error, Procedure Quality, Design, Equipment Performance and Equipment Lineup
Definition: Counts the number of unplanned decreases in the safety margins of reactor coolant level, reactor coolant temperature, and reactivity during reactor shutdown
Thresholds: TBD

Table 2 Initiating Events Key Attributes and Means to Measure

Key Attribute: Protection Against External Factors
Areas to Measure: All areas below
Means to Measure: See below
Discussion: Initiating events due to external factors, such as earthquakes, fires, and floods, are sufficiently rare that the absence of initiating events is no test for these protective features. Therefore, no PIs address these concerns. Risk-informed inspection will cover this area. Each area will have its own risk-informed items that are to be inspected.

Areas to Measure: Flood Hazard
Means to Measure: Risk-informed Inspection
Discussion: site-specific

Areas to Measure: Weather
Means to Measure: Not Applicable
Discussion: The licensee can only take mitigating actions to reduce the effects of weather related initiating events. Therefore, this area is covered in the mitigating systems cornerstone.

Areas to Measure: Fire
Means to Measure: Risk-informed Inspection
Discussion: Risk significant fires would be counted in the scrams and the operating transients indicators. As stated above, the number of those events has been small enough to preclude the use of a fire performance indicator that could provide an opportunity for early intervention. Areas for inspection for fire initiators would include review of certain important areas (control room, cable-spreading room, emergency switchgear rooms, cable vaults and tunnels etc.) for transient combustibles and elimination of ignition sources.

Areas to Measure: Loss of Heat Sink
Means to Measure: Risk-informed Inspection
Discussion: A loss of heat sink occurs when the main condenser can no longer condense steam from the power conversion system. This includes loss of heat sink not related to equipment failure, which is covered under Equipment Performance. An example would be clogging of circulating water strainers due to foreign material. An infrequent site-specific review would be conducted to verify that the potential causes of loss of heat sink that could also cause a loss of mitigating or support systems are addressed.

Areas to Measure: Toxic Hazard
Means to Measure: Risk-informed Inspection
Discussion: site-specific

Areas to Measure: Switchyard Activities
Means to Measure: Risk-informed Inspection
Discussion: This area was isolated from the other areas of licensee performance since these activities are typically low frequency but can have risk impact since they may result in a loss of offsite power. A review of switchyard controls would be done infrequently, focusing on those areas most likely to cause an initiating event.

Areas to Measure: Grid Stability
Discussion: Grid stability is normally excellent, but under certain conditions, such as severe weather or extended plant shutdowns, grid instability can cause initiating events at nuclear plants. The NRC is aware when such conditions exist and will follow up as required during event followup inspections. Neither PIs nor baseline inspections will monitor this area.

Key Attribute: Human Performance
Areas to Measure: Human Error
Means to Measure: Scrams, Transients, SD Margin (future)
Discussion: Human induced initiating events that contribute to the indicators are direct measures of initiating events for scrams and the shutdown margin. The Transient indicator measures events that may lead to initiating events. Since the transient indicator link to safety is more indirect, there will be no safety threshold for that indicator.

Key Attribute: Procedure Quality
Areas to Measure: Procedure Adequacy (Maint., Test, ys)
Means to Measure: Scrams, Transients, SD Margin (future)
Discussion: This factor only addresses those procedures that, if deficient, could result in an initiating event. If those procedures are inadequate such that initiating events increase, that decline in performance would be detected by the indicators since the Scram and S/D indicator are direct measures of initiating events.

Key Attribute: Equipment Performance
Areas to Measure: Availability, Reliability, and Maintenance
Means to Measure: Scrams, Transients, SD Margin (future), MR V&V
Discussion: Any decrease in licensee performance in this area will be manifested in increased events due to equipment performance. Like procedure quality, this is a direct measure of initiating events. This area is also monitored via the maintenance rule verification.

Areas to Measure: Barrier Integrity
Means to Measure: Risk-informed Inspection
Discussion: Barrier-related initiating events (S/G tube rupture, LOCA, ISLOCA, & fuel handling events) were judged to be not suitable for monitoring by an indicator due to the low frequency and possible high risk of those events. Inspections would be performed to verify that the barriers have not degraded, particularly in those areas where the safety margins are the smallest. This would include S/G tube ISI, risk-informed ISI reviews, and integrity of the fuel cavity used during fuel transfer.

Key Attribute: Design
Areas to Measure: Initial Design
Means to Measure: Scrams, Transients, SD Margin (future)
Discussion: Any problems with the initial design that cause initiating events will be picked up by the indicators.

Areas to Measure: Modifications
Means to Measure: Scrams, Transients, SD Margin (future)
Discussion: Addresses permanent and temporary modifications. Modification errors that cause initiating events would be captured by PIs.

Key Attribute: Configuration Control
Areas to Measure: Shutdown Equipment Line-up
Means to Measure: SD Margin (future), RII
Discussion: Configuration control problems include incorrect equipment lineup, often due to frequently changing or off normal configurations. The indicator would monitor events that cause degradation of critical safety functions during shutdown due to system configuration. Until the PI is finalized, risk informed inspection will be performed to verify equipment line-ups, particularly during special tests or evolutions.

Areas to Measure: Operating Equipment Line-ups
Means to Measure: Risk-informed inspection
Discussion: Configuration control problems can cause a trip and the simultaneous loss of a mitigating system or function (common-cause initiating events). A PI is not viable because such events are rare and, with extensive redundancy during operation, they would not lead immediately to a plant trip. Inspection would also be focused on emergent work items where less time was available for the licensee to plan the work.

Appendix B

Mitigating Systems Cornerstone

General Description

The objective of this cornerstone is to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). When such an event occurs in conjunction with equipment and human failures, a reactor accident may result. Licensees therefore reduce the likelihood of reactor accidents by enhancing the availability and reliability of mitigating systems. Mitigating systems include those systems associated with safety injection, residual heat removal, and emergency AC power. This cornerstone includes mitigating systems that respond to both operating and shutdown events. There are several key attributes of licensee performance that ensure adequate mitigating system performance at nuclear power plants.

Key Attributes of Licensee Performance That Contribute to Mitigating Systems Performance

Those attributes of licensee performance that are important to mitigating system performance at a plant are: protection against external events, design, configuration control, equipment performance, procedure quality, and human performance. These attributes embrace and refine the key attributes described in a report entitled, "Results of the NRC's Performance Assessment Public Workshop," (LANL, October 25, 1998) and are shown in Figure 1. The quality of these attributes will affect the licensee's ability to optimize the availability and reliability of the mitigating system function. The licensee can ensure mitigating system performance by supporting effective human performance, procedure quality, equipment performance, plant design, and configuration control.

For each of these attributes, specific elements have been identified. For example, the particular aspects of configuration control to ensure adequate mitigating system performance include equipment lineup during operating and shutdown modes, control of temporary modifications and operator work-arounds, and risk informed equipment maintenance scheduling. As another example, the types of procedures that are relevant to mitigating system performance include maintenance, test, and operating procedures. The discussions that follow summarize the relationship between the key attributes and mitigating system performance.

Protection Against External Events

External events can prevent mitigating systems from performing their intended functions by reducing their capability or rendering the systems inoperable. Most of these factors are site-specific, related to weather, loss of heat sink, toxic and flood hazards, and seismic hazards. Fire can also prevent mitigating systems from functioning, and was included in this area because fire is typically analyzed in the IPEEE.

Due to the rare but possibly risk-important nature of these events, no PI was judged suitable to monitor licensee performance in this area. Risk-informed inspection will be performed in these areas.

Figure 1

Design

Inadequacies in the initial design or in the control of plant modifications can affect the capability of mitigating systems to perform their intended function as well as their availability and reliability. As plants age, their design bases may be lost such that an important design feature may be inadvertently altered or disabled. It is expected that PIs can be used to provide partial information regarding the adequacy of the initial design and the control of design modifications insofar as they monitor the availability and reliability of equipment. Many aspects of the original plant design have been adequately addressed by initial design reviews, start-up testing, 50.54(f) reviews, and periodic surveillance programs. Inspection in this area should be limited to those risk significant design features and design assumptions, if any, not adequately addressed in previous programs. In addition, periodic design basis reviews using plant modifications as a window into the original design, can help maintain confidence that mitigating systems will respond to events as intended. The modifications reviewed should be only those modifications that could alter the functionality of mitigating systems used during risk-significant accident sequences. Also, risk-informed inspection of those areas that could affect the functionality of mitigating systems is warranted to ensure that the design and design basis was not inadvertently altered.

PIs are not expected to address the understanding and control of conditions outside the design basis.

Configuration Control

Loss of configuration control of risk-significant safety equipment (primarily support systems) can compromise mitigation capability. When safety systems are not available or system redundancy is degraded due to misaligned valves or switches, that unplanned unavailability will be captured by the PIs for selected systems. For other systems not covered by the PIs, risk-informed verification of systems and components in a standby status is planned for both the operating and shutdown conditions. Also, the maintenance rule and the associated verification will monitor operating performance in this area.

Equipment Performance

Adequate availability and reliability of equipment important to effective performance of mitigating systems is critical to mitigating the impact of initiating events on plant safety. The performance of certain mitigating systems are measured by the PIs to the extent that testing is adequate to measure functional availability and reliability. In addition, the performance of all structures, systems, and components (SSCs) important to the performance of mitigating systems will be monitored as part of licensees' implementation of the maintenance rule. Consequently, performance indicator data will be supplemented by verification of maintenance rule implementation.

Procedure Quality

To ensure proper functioning of mitigating systems, the procedures which control their maintenance and testing operation must be correct. Maintenance and testing procedures influence the capability of mitigating systems to respond to initiating events. The quality of such procedures is indirectly confirmed by the performance of mitigating systems as monitored by the PIs and verification inspection of maintenance rule implementation. Test procedures will be reviewed to identify what post accident mission-related aspects of the design are not tested. This would be an input to the design inspection.

Emergency and abnormal operating procedures are also essential for mitigating system performance.

Initial and requalification testing of operators provides an indication of the quality of operating procedures, including abnormal operating procedures, standard operating procedures, and emergency operating procedures.

Human Performance

Human performance in day-to-day, pre-initiator plant activities influences the performance of mitigating systems through the conduct of maintenance and test activities. Therefore, the licensee's problem identification and resolution program is expected to identify and correct human errors that lead to degraded plant performance which is measured by other plant performance indicators for mitigating systems, including those associated with design, configuration control, and equipment performance.

Also, human errors that degrade equipment will be monitored through maintenance rule implementation.

Human actions are also clearly important in plant response to initiating events. Further, human performance is critical to mitigation in multiple-failure accident sequences. Examples of human actions that are important to the performance of mitigating systems are those associated with depressurization and cool down and actions involved in aligning and recovering backup cooling water systems. While few data are available to directly measure post-initiator human performance, operator performance during initial and requalification examinations provides an indirect indication of expected post-initiator operator performance.

Performance Indicators

This section defines the PIs used to monitor licensee performance in mitigating the effects of initiating events, describes their calculational methods and thresholds, and identifies the inspections necessary to verify their accuracy (see Table 1). While safety systems and components are generally thought of as those that are designed for design-basis accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk is often influenced not only by front-line mitigating systems, but also by support systems and equipment. Such systems and equipment, both safety- and nonsafety-related, have been considered in selecting the PIs for this cornerstone. The PIs are all direct counts of either mitigating system availability or reliability or surrogates of mitigating system performance. They have face validity for their intended use because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. Not all aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by PIs will be assessed through inspection. Figure 1 identifies the type of monitoring (i.e., PIs or inspection) to be used for the elements of each attribute.

Performance Indicators for Power Operations

1. Safety System Performance Indicator (SSPI) - the INPO indicator of the performance of four of the most risk-significant safety systems. This indicator monitors several generic risk-significant safety systems. The SSPI systems for BWRs include high-pressure injection systems (high-pressure coolant injection or high-pressure core spray or feedwater coolant injection), high pressure heat removal systems (reactor core isolation cooling or isolation condenser), residual heat removal systems, and emergency AC power systems. For PWRs, the systems monitored include high-pressure safety injection systems, auxiliary feedwater systems, residual heat removal systems, and emergency AC power systems.

The SSPI indicator provides a limited but useful sample of safety system performance information associated with equipment important to risk. Limitations in scope of the SSPI are augmented by review of implementation of the maintenance rule on those systems not covered by the SSPI, with focus on issues that cross cornerstones such as common cause failure and human performance.

a. SSPI Unavailability. This indicator measures the in-service unavailability of four generic risk-significant safety systems. The SSPI for each monitored system is the average of the unavailability of the individual trains that comprise the system.

Calculation Method - The SSPI for each monitored system is the average of the unavailabilities of the individual trains that comprise the system. Each train unavailability is the ratio of its unavailable hours to the hours the system was required to be operable. The train unavailable hours is the sum of the planned, unplanned, and fault exposure unavailable hours. Detailed definitions of these terms are contained in INPO 96-003.

Thresholds - The following thresholds were determined following a sensitivity analysis of risk information as discussed in Appendix H.

HPCI: GW - 0.04; WY - 0.12; YR - 0.5

RCIC: GW - 0.04; WY - 0.12; YR - 0.5

HPCS: GW - 0.015; WY - 0.04; YR - 0.2

Emergency Power System: GW - 0.025; WY - 0.05 (0.1 >2 EDG); YR - 0.1 (0.2 >2 EDG) (see footnote 2)

BWR RHR: GW - 0.015; WY - 0.05; YR - TBD

AFW: GW - 0.02; WY - 0.06; YR - 0.12

PWR Hi Pressure injection: GW - 0.015; WY - 0.05; YR - TBD

Verification Inspection - Selected review of a sample of the SSPI systems to verify that unavailability data are reported accurately.

Footnote 2: Oconee thresholds are TBD since they do not have emergency diesel generators.

b. SSPI Unreliability (future) - This indicator measures the demand unreliability of the above described generic risk significant safety systems to start and/or operate for the prescribed period of time to perform a safety function. The SSPI for each monitored system is the average of the unreliability of the individual trains that comprise the system. Each train unreliability is the ratio of the number of start or run failures to the number of demands or run hours respectively. Current data showed wide fluctuations and needs further review to establish as a PI. Detailed definitions of these terms and prescriptions for combining failures are contained in INPO 96-003.

Calculation Method - TBD

Thresholds - TBD

Verification Inspection - Selected review of a sample of the SSPI systems to verify that demand and failure data are reported accurately.

2. Safety Systems Failures - events or conditions that could prevent the fulfillment of the safety function of structures, systems, or components.

This measure is a count of the number of events or conditions that did prevent, or could have prevented, the fulfillment of the safety function of any of 26 safety-related structures, systems, and components. For systems consisting of multiple redundant trains, failure of all trains is necessary for a safety system failure. The indicator also counts failures that cause at least one independent train or channel to become inoperable in multiple systems. This is the same indicator used in the NRC Performance Indicator program. We recognize that this indicator measures more than mitigating systems. However, this indicator was still added in mitigating systems since the SSPI reliability indicator could not be used without further analysis.

Calculational Method - The number of safety system failures in the last four quarters are summed (a four-quarter moving sum).

Thresholds - The threshold was determined using the industry mean plus one standard deviation based on data from July 1, 1995, through June 30, 1997. This is consistent with the methodology used by Arthur Andersen to develop the Performance Trending Tool currently being used to support the Senior Management Meeting process. Benchmarking is discussed in Appendix I.

GW: 5 Others: None

Verification Inspection - On a sample basis, verify that the number of safety system failures are being reported accurately.

Performance Indicator for Shutdown Operations

3. PI for Shutdown Operations (future) - mitigating system availability during shutdown. Most licensees manage shutdown risk in accordance with NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management." They manage defense in depth, through configuration control, for key safety functions (decay heat removal, inventory control, electrical power availability, reactivity control and containment). This PI will measure the percent of outage time that each key safety function lacked defense in depth, either from installed equipment or contingency actions. Since defense in depth for each area would need to be defined and further additional work is needed, this PI will be developed in the future.

Calculation Method - TBD

Thresholds - TBD

Verification Inspection - TBD

Inspection Areas for Mitigating Systems

The accuracy of the PI information reported by licensees will be verified through baseline inspections. In addition, for those elements of licensee performance that are important to risk, maintenance of defense in depth, and maintenance of safety margins and are not amenable to monitoring through PIs, licensee performance will be assessed through inspection. Table 2 identifies the type of regulatory monitoring (i.e., PIs or inspection) which will be used for the elements of each key attribute of licensee performance associated with mitigating systems.

Table 1. Performance Indicators for the Mitigating Systems Cornerstone

PI: SSPI Availability
Measured Area: availability of specified risk-important mitigating systems
Definition: For each monitored system, counts the average of the unavailabilities of the individual trains that comprise the system. Each train unavailability is the ratio of its unavailable hours to the hours the system was required to be available. The train unavailable hours is the sum of the planned, unplanned, and fault exposure unavailable hours.
Thresholds:
HPCI & RCIC: GW - 0.04; WY - 0.12; YR - 0.5
HPCS: GW - 0.015; WY - 0.04; YR - 0.2
EDGs: GW - 0.025; WY - 0.05 (0.1 >2 EDG); YR - 0.1 (0.2 >2 EDG) (see footnote)
BWR RHR: GW - 0.015; WY - 0.05; YR - TBD
AFW: GW - 0.02; WY - 0.06; YR - 0.12
PWR Hi Pressure injection: GW - 0.015; WY - 0.05; YR - TBD

PI: SSPI Reliability (future)
Measured Area: reliability of mitigating systems
Definition: For each of four monitored systems, calculates the demand unreliability to start and/or operate for the prescribed period of time to perform their safety functions.
Thresholds: TBD

PI: Safety System Failures
Measured Area: reliability of mitigating systems
Definition: For each of 26 safety-related structures, systems, and components, counts the number of events or conditions that did prevent, or could have prevented, the fulfillment of the safety function as a four quarter moving sum.
Thresholds: GW - 5; others - none.

PI: Mitigating system availability during shutdown (future)
Measured Area: availability of mitigating systems to limit shutdown risk.
Definition: Plan to calculate the outage time that each key safety function lacked defense in depth, either from installed equipment or contingency actions. Since defense in depth for each area would need to be defined, this PI will be developed in the future.
Thresholds: TBD

Footnote: Oconee thresholds are TBD since they do not have emergency diesel generators.

l Appendix B Table 2. Mitigating Systems Key Attributes and Means to Measure Key Areas to Means to Attributes Measure Measure Comment Protection All external Risk-informed External factors ca: prevent mitigating systems from responding against factors listed (R-1) if called upon. Since the systems that mitigate external events are external below.

, inspection called upon so rarely, inspection (as warranted) of mitigating frctors systems and design modifications will verify that the systems remain in place and are functional. Inspections of this key attribute will be very plant specific. Some plant features that are important to risk are discussed below.

1 1

Flood R-1 inspection Protection against the effects of floods is afforded in a variety of ways that includes drains, encasing equipment in splash proof barriers, and providing barriers, such as flood doors between redundant trains of systems. These protection systems are site-specific and should be subjected to an inspection that is commensurate with the risk importance of the feature and system.

1 Weather R-I inspection In general, most safety systems are well protected against the j

effects of weather by being enclosed in protective structures.

{

t However, there are certain portions of systems that are susceptible to effects of weather for which protection is provided by design. Examples include: fluid lines outside buildings that could freeze may be protected by lagging or trace heating, ventilation intakes and roof drains that could become blocked are protected by covers or grilles. The inspection will review those desip features used to protect multiple mitigating systems from the efYects of weather, including potential common cause effects on mitigating systems.

l Toxic hazard R-1 inspection Plant-specific.

Fire R-I inspection System functions are typically protected against fires by providing protection by fire barriers with or without detection and i

suppression, and by establishing barriers between different trains j

of redundant systems. The status of passive and active fire protection measures should be inspected in a risk-informed way.

The first areas for inspection would include the functionality of detection and suppression systems (including the fire brigade) located in important areas (e.g., control room, cable-spreading room, emergency switchgear rooms, cable vaults and tunnels).

Less frequently, inspection would be performed to verify that if the fire was not extinguished (i.e., defense in depth is ineffective),

the fire would not spread (i.e., fire barriers are intact for those areas) and imponant alternate actions and stations are available to safely shutdown the plant.

i e

i l

B-8

Appendix B Key Areas to Means to Attributes Measure Measure Comment Seismic R-1 inspection Safety-signincant equipment is designed for seismic events by being seismically qualified and having appropriate anchorage.

Since this is unlikely to change and has been reviewed industry-wide (A-46, masonry walls, anchor bolts, pipe supports), the focus of the inspection would be to ensure that plant modifications (e.g., installation of scaffolding or removal of snubbers) have not compromised the capability of mitigating systems during seismic events and that the qualification of equipment was maintained to prevent the introduction of a new

{

common cause failure.

| Key Attributes | Areas to Measure | Means to Measure | Comment |
|---|---|---|---|
| | Loss of heat sink | R-I inspection | The ultimate heat sink for systems that provide cooling for the front-line and support systems is typically the same source as the circulating water, although in some plants there is a dedicated supply. In either case, they are susceptible to the same external effects as circulating water, such as clogging of strainers due to foreign material. Site-specific inspection will assess whether the required features to prevent loss of supply are not degraded. This inspection ought to focus on the potential common-cause failures of the heat sink, most notably service water heat exchanger fouling. |
| Design | Initial design | None | PIs would only indicate problems with the initial design after the mitigating systems are called upon to act, which would be too late. Initial design reviews have been extensive the last several years, particularly in response to the 50.54(f) letters. Further inspection of initial design would be performed in those areas where plant modifications have been made. In addition, risk-informed inspection will review those aspects of the design not subject to periodic testing, to assure that those features are still functional. |
| | Design modifications | R-I inspection of design modifications | As above, PIs would not provide timely indication of faulty plant modifications. The focus of inspection in this area is to ensure that risk-significant mitigating systems remain functional after modifications, both intentional and inadvertent. That inspection ought to focus on the design interfaces, configuration management, post-modification testing, and those areas not readily verified by testing (EQ, seismic, etc.) that are risk significant. |
| Configuration Control | Equipment Line-up (at power) | SSPI, MRV | For those systems monitored, SSPI will provide some information on the adequacy of configuration control, especially on licensee programs and practices to maintain critical safety functions with adequate margins. Inspections will monitor plant configurations that affect mitigating system performance, especially for system restoration, as part of maintenance rule verification [i.e., A(4)]. |
| | Equipment Line-up (shutdown) | R-I inspection | A future PI may measure events that cause degradation of critical safety function during plant shutdown based on mitigating system configuration. In the interim, inspection will be conducted of the licensee's program to manage shutdown risk. |
| Equipment Performance | Availability | SSPI, MRV | The SSPI will monitor the unavailability of certain important systems and licensees also monitor the availability of the SSCs of mitigating systems as part of Maintenance Rule implementation. |
| | Reliability | SSFs, MRV | Licensees monitor the reliability of the SSCs of mitigating systems as part of Maintenance Rule implementation. SSFs are an interim indicator until the SSPI Reliability indicator is developed. The MR review could be eliminated for those monitored systems when the SSPI Reliability indicator is ready. |
| Procedure Quality | Pre-event maintenance & test procedures | SSPI, R-I inspection | Equipment performance (e.g., as monitored through maintenance rule implementation) and the SSPI will indirectly confirm the quality of maintenance and test procedures. Test procedures will be reviewed to identify what post-accident mission-related aspects of the design are not tested. This would be an input to the design inspection. |
| | Post-event operating procedures | Initial operator exams & requalification program inspections | These procedures are not used until after an event occurs, thus a PI is not suitable to measure the quality of these procedures. Review of emergency and abnormal operating procedures, most likely during initial and requalification testing of operators, provides some confirmation of the quality of mitigating system operating procedures on a sample basis. Inspection, as part of the review of design modifications, may also identify procedure inadequacy. |
| Human Performance | Pre-event human errors | SSPI | Pre-event errors will be monitored by the SSPI since errors in operating and maintaining the equipment will be reflected in system unavailability. Also, when mitigating system equipment performance is degraded, then the role of human performance is expected to be assessed by the licensee as part of its problem identification and resolution program. |
| | Post-event human errors | Initial operator exams & requalification program inspections | Current PIs will not provide indication of post-event human performance. Operator performance during initial and requalification examinations provides an indication of post-event operator performance. |

Appendix C Barrier Integrity Cornerstone

C.1 General Description

The purpose of this cornerstone is to provide reasonable assurance that the physical design barriers (fuel cladding, reactor coolant system, and containment) protect the public from radionuclide releases caused by accidents or events. These barriers play an important role in supporting the NRC Strategic Plan goal for nuclear reactor safety, "Prevent radiation-related deaths or illnesses due to civilian nuclear reactors."

The defense in depth provided by the physical design barriers which comprise this cornerstone allows achievement of the reactor safety goal.

The first barrier is the fuel cladding. Maintaining the integrity of this barrier prevents the release of radioactive fission products to the reactor coolant system, the second barrier. Maintaining the integrity of the reactor coolant system reduces the likelihood of loss of coolant accident initiating events and prevents the release of radioactive fission products to the containment atmosphere in transients and other events.

Even if significant quantities of radionuclides are released into the containment atmosphere, maintaining the integrity of the third barrier, the containment, will limit radioactive releases to the environment and limit the threat to the public health and safety. Therefore, there are three desired results associated with the barrier integrity cornerstone. These are to maintain the functionality of the fuel cladding, the reactor coolant system, and the containment.

For this discussion, the scope of the fuel cladding barrier includes the fuel cladding during operations, shutdown, and refueling, both inside containment and in the spent fuel pool. The scope of the reactor coolant system barrier includes piping and pressure retaining components such as valves, pumps, seals, and gaskets. It also includes portions of connected systems when the plant configuration is such that these connected systems form a part of the reactor coolant system pressure barrier. Although steam generator tubes are a part of the barrier, they are being addressed under the initiating events cornerstone. The scope of the structures, systems, and components related to the containment barrier includes the primary and secondary containment buildings (including personnel airlocks and equipment hatches), primary containment penetrations and associated isolation systems, and risk significant systems and components necessary for containment heat removal, pressure control, and degraded core hydrogen control.

C.2 Key Attributes of Licensee Performance that Contribute to Barrier Integrity

The concept of the cornerstone approach, including the barrier integrity cornerstone, was discussed in the Performance Assessment Workshop held in Bethesda, MD, on September 28 through October 1, 1998.

During a breakout session for further development of the barrier integrity cornerstone, the working group expanded its specific focus from containment systems to barriers. After extended consideration, the workshop attendees determined the barriers should be subdivided into three categories: fuel cladding, reactor coolant system, and containment. In order to achieve the desired results, the group then determined that the key attributes of these three elements should be: (1) Design Control, (2) Human Performance, (3) Procedure Quality, (4) Configuration Control, and (5) Equipment / Barrier Performance.

The NRC staff determined that these were the appropriate key attributes for further development.

Specific areas to measure were identified for each of the noted key attributes. The means to measure performance in each of these specific areas were also identified. These means include the use of performance indicators, risk informed inspection activities, and licensee corrective action programs. The following sections discuss each of the key attributes, the areas to measure, and the recommended performance indicators and risk-informed inspections and oversight activities needed to support each of the three barriers comprising the overall barrier integrity cornerstone. Diagrams depicting the barrier integrity cornerstone, along with the key attributes and the areas and means of measurement, are shown in Figures C1, C2, and C3. Table C1 is a summary of the proposed performance indicators associated with the barrier integrity cornerstone. Table C2 is a summary table for the barrier integrity cornerstone which provides further information on the means of measurement.

C.3 Key Attributes Affecting Fuel Cladding

C.3.1 Design Control

Licensees are responsible for the oversight of nuclear fuel vendors regarding their design and manufacturing quality of the actual fuel pins. Vendor quality assurance programs and oversight should detect errors with regard to manufacturing, packaging, shipping, etc. Because of this, reactor licensees need not be individually inspected or assessed with regard to nuclear fuel design quality. Undetected fuel pin or assembly manufacturing errors should be revealed during startup physics testing. If significant problems were detected, shutdown would be accomplished and corrective actions taken, avoiding significant risk.

Proper reactor core design is essential to assuring that subsequent power operation can be conducted without challenging the integrity of the fuel cladding. The core design analysis, including the core operating limits report and the reload analysis, establishes the operational limitations for core power operation, with sufficient margin to ensure that thermal limits are not exceeded during anticipated transients. Core design analyses must be completed with sufficient rigor and quality to demonstrate that, in the proposed core configuration, the nuclear fuel cladding will maintain its integrity.

The conduct of physics testing during startup following refueling activities in part provides a verification that the reactor core exhibits the characteristics predicted by the design analysis. This testing is conducted prior to any significant power operation so that errors during testing would not be likely to cause any fuel cladding degradation. The proper completion of physics testing is essential to ensure that the core design will adequately support subsequent high power reactor operation without challenging the established thermal limits and ultimately the nuclear fuel cladding.

The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute.

C.3.2 Human Performance

Nuclear fuel cladding integrity can be challenged by inappropriate human actions, including improperly performed reactivity manipulations, inadequate chemistry control practices, improper implementation of foreign material exclusion programs, and inappropriately positioned fuel assemblies during refueling, as examples. The introduction of foreign material into the reactor vessel or connected systems could lead to degraded fuel barrier performance by limiting coolant flow past fuel pins or assemblies or by damaging fuel cladding as a result of direct impact on fuel cladding surfaces. Foreign material could also cause mitigating systems such as control rods to fail or be degraded.

The RCS activity performance indicator may be used as a measure of performance in this key attribute.

Licensee problem identification and corrective action programs should provide adequate assurance that adverse trends in human performance, particularly as they relate to the barrier integrity cornerstone, are promptly identified and corrected.

[Figure C1]

[Figure C2]

[Figure C3]

C.3.3 Procedure Quality

Procedures that direct activities which have the potential to affect fuel cladding integrity must be adequately established and maintained. Procedures included in this area involve reactivity control, foreign material exclusion, chemistry control, refueling activities, fuel handling, reactor vessel assembly, and physics testing. Inadequate procedures could cause problems which lead to degradation of fuel cladding integrity.

The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute. To the extent that there are procedure deficiencies associated with the above noted activities, they should be identified as root causes of problems in other areas, including the configuration control key attribute. Additionally, adverse trends involving procedure deficiencies should be resolved by effective implementation of individual licensee corrective action programs.

C.3.4 Configuration Control

Fuel cladding degradation can result from either inadequate human or equipment performance. With regard to human performance, refueling operators must ensure that new and previously-used nuclear fuel assemblies are properly handled and stored, properly positioned, and correctly oriented in the specified core locations. Control rod positions (patterns) during plant operation must be properly established and maintained. Plant operators must conduct reactivity manipulations in a well-controlled and deliberate manner. With regard to equipment performance, reactivity control systems (including control rod drives) must be properly configured and maintained. Some baseline inspection is warranted in this area because of the risk to fuel cladding integrity associated with either inadequate human or equipment performance in the above described areas.

Maintaining proper water chemistry in the reactor coolant system (RCS) is also essential to the long term reliability of both the nuclear fuel and the RCS pressure boundary. A failure to maintain the proper chemistry conditions has the potential to result in degradation (and ultimately failure) of the nuclear fuel cladding. The reactor coolant system activity performance indicator may be used as a means of measuring performance in this key attribute. Additionally, adverse trends involving configuration control should be resolved by effective implementation of individual licensee corrective action programs.

C.3.5 Equipment / Barrier Performance

Though it would be preferable to assess the extent of fuel cladding degradation rather than monitor actual cladding failures, a practical means of conducting such an assessment is not available. As a result, a means of monitoring fuel cladding failures must be established. Since perforation of nuclear fuel cladding results in the release of fission products to the RCS, increases in RCS radioactivity level can be directly correlated to the integrity of the fuel cladding barrier. A performance indicator which trends RCS radioactivity level provides an objective means of assessing the overall performance of the nuclear fuel cladding. In boiling water reactors, fuel cladding failures will also be detected by main steam line or condenser offgas radiation monitors.

Loose parts in the reactor coolant system, most importantly in the reactor vessel, can lead to various problems, including damage to the nuclear fuel cladding, either by direct impact on the fuel pins or by limiting RCS fluid flow past individual pins or assemblies. Minimizing the number or frequency of loose parts in the reactor vessel is partly controlled by licensee foreign material exclusion (FME) programs, however loose parts can also be introduced by degradation or failures of components which are internal to the reactor coolant or connected systems. Monitoring and limiting the frequency of reactor vessel loose part events should reduce the potential for fuel cladding failures.

C.4 Key Attributes Affecting Reactor Coolant System

C.4.1 Design Control

Maintaining confidence in loss of coolant accident frequency estimates requires assuring the quality of design modification activities which can potentially impact the RCS strength margins and therefore the likelihood of an RCS pressure boundary rupture. This assumes that the original design of the RCS was adequate and has been proven through hydrostatic testing. The quality of RCS design modification implementation will be measured in a risk informed manner through specific requirements in the baseline inspection program. No performance indicator has been developed to measure the design control attribute.

C.4.2 Human Performance

Human performance can affect RCS integrity through routine operation and emergency operation and through maintenance and surveillance activities. Proper performance of these activities helps maintain assurance that LOCA frequency does not increase significantly.

Operator errors which cause RCS heatup or cooldown or pressure / temperature limits to be exceeded provide a leading indication of the potential for future pressure boundary leaks. Such events can cause existing microscopic cracks in passive RCS pressure boundary components to grow. Verification that the results of licensee engineering analysis following an event of either excessive heatup or cooldown, or operation outside of allowable pressure / temperature limits, are satisfactory and that related human factors have been corrected will be performed on a reactive basis as needed and will not be a part of the baseline inspection program.

Most human performance deficiencies related to routine maintenance and surveillance testing of the RCS have not been shown to be particularly risk significant and will be monitored by licensee corrective action programs. The area of configuration control will be included in the baseline inspection program as noted below and will assess human performance as well as other causes of configuration control deficiencies.

Licensed operator training program implementation in the area of mitigation of the potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off normal conditions will be examined in a risk-informed manner through specific requirements in the baseline inspection program.

Severe Accident Management Guidelines (SAMGs) may include strategies for dealing with issues that could impact RCS integrity. They are considered under the emergency preparedness cornerstone.

C.4.3 Procedure Quality

Adequate procedures for routine operations, maintenance, surveillance testing, and emergency operations conditions are necessary to maintain assurance that LOCA frequency estimates remain relatively low.

The adequacy of routine operations and maintenance procedures that could affect the engineered strength margins of the RCS pressure boundary could appear as causal factors of deficiencies in other key attributes such as modification work quality, configuration control, and equipment and barrier performance. Thus, no specific measurement of routine procedure quality is warranted. This area will be monitored by licensee corrective action programs.

Changes to emergency operating procedures (EOPs) and to off-normal procedures invoked by EOPs in the area of mitigation of the potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off-normal conditions will be examined in a risk-informed manner through specific requirements in the baseline inspection program.

C.4.4 Configuration Control

Proper configuration control is necessary to maintain assurance that LOCA frequency estimates remain relatively low. Configuration control refers to maintaining operational control over physical conditions which, if such control is degraded, may result in a loss of RCS integrity. Inspection activities related to maintenance and operational realignments of the RCS during shutdown conditions will be performed in a risk-informed manner through specific requirements in the baseline inspection program.

Configuration control also includes maintaining operational control over RCS chemistry conditions (and possibly secondary chemistry conditions for PWRs) that could impact the engineered strength margin of RCS components. This area will be monitored by licensee corrective action programs.

C.4.5 Barrier and Equipment Performance

RCS leakage is the most direct measure of RCS barrier performance. All other key attributes under RCS integrity are aimed at measuring or inspecting areas that are known to contribute to the increased probability that RCS integrity could fail. An actual RCS leak is, by definition, a breach of RCS integrity and a direct indicator of the performance of the RCS pressure boundary. Research sponsored by the industry and NRC has determined that the RCS pressure boundary passive components have a high probability of experiencing a leak prior to a rupture (i.e., "leak-before-break" analysis). Therefore, two performance indicators have been identified that can offer an objective perspective on the probability of more catastrophic failure potential: the rate of occurrence and magnitude of small RCS pressure boundary leaks.

The condition of passive RCS pressure boundary components such as piping, welds, and valves is monitored by the licensee to maintain confidence in LOCA frequency estimates as degradation can potentially impact the RCS strength margins and the likelihood of an RCS pressure boundary rupture. A performance indicator has been proposed for this area (i.e., Inservice Inspection Results). In addition to this performance indicator or until the indicator is fully developed, the baseline inspection program will assess the effectiveness of the inservice inspection program in a risk-informed manner.

Active RCS pressure boundary components are defined here to include safety relief valves, power operated relief valves, and reactor coolant pump or recirculation pump seals and associated seal cooling equipment. Failure of active components can have a direct impact on RCS integrity. A high availability and reliability of the active components is expected through the licensee's implementation of the maintenance rule. Any problems related to these components will be identified through NRC verification of the licensee's implementation of the maintenance rule.

C.5 Key Attributes Affecting Containment

C.5.1 Design

The margins of safety in the containment design result in a containment ultimate pressure capacity substantially higher than design, and provide an inherent capability to withstand the extreme pressure loads associated with severe accident phenomena. The safety margins could be reduced if inadequate plant modifications are implemented. Therefore, it is important to assure that the containment structures and systems are maintained consistent with the original design. Design control issues stemming from deficient modifications will be identified by inspection of risk-significant plant modification packages and post-modification testing.

The structural integrity of the containment building and the operational capability of SSCs important to maintaining containment functionality were established through the original design and licensing review and confirmed through the pre-operational test and inspection program. This included conducting baseline integrated leak rate tests and system level tests to confirm containment structural integrity, containment heat removal capabilities, and containment isolation capabilities. Periodic leak rate testing in accordance with Appendix J provides assurance that containment structures and components remain capable of resisting postulated design loads and preventing leakage in excess of technical specification limits (for design basis accident conditions). Continued operational capability will be reviewed through risk informed inspection of design features of containment systems not subject to periodic testing.

C.5.2 Human Performance

Human errors during routine operations and maintenance activities (e.g., errors affecting configuration control or equipment / barrier availability or reliability) can affect the functionality of the containment and potentially increase risk. The effectiveness of the control room operators and technical support center staff in maintaining containment integrity during response to an event will also impact risk. Issues related to human performance during routine operations and maintenance activities are expected to be identified and resolved by the licensee's corrective action program. Where significant problems in these areas are identified by the licensee corrective program or by other means, inspection followup of associated causal human performance deficiencies might be warranted and could be assessed in a reactive inspection.

Issues related to performance under accident conditions will be identified through NRC observation of licensed operator training programs and through NRC's oversight of licensee emergency preparedness capabilities.

C.5.3 Procedure Quality

Inadequate procedures can complicate plant response by causing plant personnel to take inappropriate actions during plant operations, maintenance, testing, and emergency response. This can occur for reasons such as a missing step, ambiguous or confusing language or organization, or errors in the procedure stemming from inadequate supporting technical analyses.

The adequacy of routine operations and maintenance procedures that could affect containment functionality should be evident in activities under other key attributes such as modification work quality, configuration control, and equipment / barrier performance. Inspection will review the adequacy of test procedures to test those design functions being verified. No other specific measurement of routine procedure quality is needed. However, this area could be a root cause of inadequate performance in configuration control or equipment / barrier availability / reliability. Where significant problems in these areas are identified by the licensee corrective program or by other means, inspection of associated causal procedure quality deficiencies might be warranted and could be assessed in a reactive inspection.

The quality of EOPs and other off-normal procedures invoked by the EOPs is central to assuring that appropriate actions will be taken by the operator to protect and preserve containment integrity under accident conditions. Procedures which could significantly impact containment functionality and offsite risk include those related to depressurizing the RCS; controlling containment pressure, temperature, and hydrogen concentrations using engineered safety features; flooding containment; and venting containment. Problems related to procedure quality will be identified through risk-informed inspection of licensee EOP modification packages.

C.5.4 Configuration Control

Inadequate control of the lineup of containment penetrations and containment-related SSCs could decrease or directly compromise containment functionality. Examples of configuration control problems include mispositioning containment isolation valves, leaving containment penetrations open or unable to be rapidly closed during shutdown when needed, or inadvertently isolating containment heat removal systems. Performance indicators would not be expected to be useful for trending significant configuration control problems because such problems occur rarely. Problems related to maintaining the risk-significant containment SSCs in their proper condition will be identified by the licensee's corrective action program, and by inspection of containment configuration during risk significant evolutions.

It is also important that the plant be operated within containment design limits, such that the containment is in a condition ready to accommodate a design basis accident or severe accident. Significant deviations from design limits are not expected since the plant is equipped with various design features (e.g., alarms and interlocks) to protect key systems / functions and is operated in accordance with technical specifications. Also, the design of the containment structure contains substantial margins such that modest deviations from design limits will not impact containment functionality. However, extreme deviations of certain containment parameters (such as low suppression pool level and loss of an inerted environment) could threaten containment integrity. Inspection is not required because compliance with technical specification requirements for containment parameters is adequate. Noncompliance would generally be indicated by control room indications and alarms and would require reporting and prompt action to address.

C.5.5 Barrier and Equipment Performance

Containment integrity can be inferred if all of the following conditions are met for the risk-significant penetrations: (1) all normally closed containment isolation valves and hatches are in the appropriate position, (2) isolation valves and penetrations which are permitted to be open during power or shutdown can be closed in a timely manner, and (3) the total leak rate is within acceptable limits. Failure to close containment penetrations or excessive leakage through large containment penetrations could result in a loss of containment functionality and a risk-significant release to the environment. A high availability and reliability of the containment isolation function (and associated containment isolation valves and penetrations) is expected through implementation of the licensee's maintenance program. Any problems related to containment isolation should be identified through NRC verification of the licensee's implementation of the maintenance rule. Finally, the leak rate for containment will be trended by a performance indicator.

Given that containment isolation is achieved, certain SSCs are required to assure that containment functional integrity will be maintained during design basis and severe accidents (e.g., containment sprays and hydrogen control). Failure of these SSCs could lead to containment over-pressure or other containment release modes. A high availability and reliability of the containment-related SSCs is expected through the licensee's implementation of the maintenance rule. Any problems related to containment-related SSCs will be identified through NRC verification of the licensee's implementation of the maintenance rule.

C.6 Performance Indicators - Barrier Integrity

Reactor Coolant System (RCS) Activity Level

This performance indicator provides an objective means of measuring fuel cladding integrity in the equipment / barrier performance key attribute area. It also provides a measure of performance of certain aspects of the other key attribute areas. An increase in RCS radioactivity level can be directly correlated to the performance (integrity) of the fuel cladding barrier since perforation of the cladding will result in the release of fission products to the RCS. Monitoring RCS activity is important from a risk-informed perspective since a failure of fuel cladding is by definition a breach of one of the three barriers to fission product release in the "defense-in-depth" protection scheme. This performance indicator is the maximum calculated reactor coolant system specific activity per month. The data required to develop this performance indicator is already being generated frequently at each reactor facility through analysis of RCS samples as required by technical specifications. The thresholds for this indicator have a regulatory basis which is only indirectly linked to a risk basis. They will be set at 50 percent and 100 percent of the technical specification limit based on an expert panel process using the NEI proposal as an input. Additional NRC attention is warranted to determine the cause of increased RCS activity at a level of 50% of the technical specification limit (Increased Regulatory Response Band). Individual plant technical specifications would require plant shutdown within a short time after RCS activity exceeds the technical specification limit (Required Regulatory Response Band).

One limitation of this performance indicator is that it will only indicate when fuel cladding has actually failed, and will not indicate a slow degradation in cladding condition prior to penetration. In spite of this limitation, this type of monitoring is sufficient to indicate the overall "health" of the nuclear fuel cladding.

If unacceptably high radioactivity levels are indicated in the RCS, individual licensee technical specifications would require that appropriate remedial actions be implemented before an unacceptable degree of fuel cladding degradation occurred.

Verification activities associated with this performance indicator could be conducted by performing periodic observations of primary water chemistry sampling and analysis to ensure that licensee personnel are accurately collecting and recording the necessary data.

RCS Leakage

Two performance indicators are proposed to be used to measure equipment and barrier performance for the RCS. The first direct measure is "RCS leak rate." This performance indicator is the maximum calculated reactor coolant system leak rate per month. The data required to develop this performance indicator is already being generated frequently at each reactor facility through RCS leakage determination as required by technical specifications. This indicator relies upon existing technical specification definitions (identified leakage plus unidentified leakage) and therefore needs no new definition of terms or verification strategy. The thresholds for this indicator have a regulatory basis as opposed to a direct risk basis. They will be set at 50 percent and 100 percent of the technical specification limit based on an expert panel process using the NEI proposal as an input. Additional NRC attention is warranted to determine the cause of elevated RCS leakage at a level of 50% of the technical specification limit (Increased Regulatory Response Band). Individual plant technical specifications would require plant shutdown within a short time after the RCS leak rate exceeds the technical specification limit (Required Regulatory Response Band).

The second direct measure of RCS barrier integrity could be defined as, "Occurrence rate of individual RCS pressure boundary (as defined by technical specifications) leaks, measured on a per fuel cycle basis, that contribute to identified RCS leakage, that are not primary-to-secondary leakage, and that exist when RCS integrity is required by technical specifications." This performance indicator requires further development.

RCS Inservice Inspection Results

A potential performance indicator to monitor the degree of degradation of the RCS barrier could be "the percentage of individual inservice inspection tests performed within [TBD] that require disposition against ASME acceptance standards" (steam generator tube inspections are treated separately under the initiating events cornerstone). Such an indicator can be objectively derived and a threshold set that is related to historically good industry performance. By using a percentage indicator, instead of an absolute number indicator, it is less likely to influence the assessment of non-destructive examination (NDE) examiners as the number count of flaw indications increases. Verification and validation of this performance indicator should include ensuring that industry operating experience is being applied to the selection of areas for NDE. This performance indicator requires further development.

Containment Leakage

The estimated "as-found" integrated leak rate for the containment provides a reasonable indication of what actually existed during operation, and provides an indication of the leak-tight integrity of the containment barrier. Measurement data would be based on the last integrated leak rate test result, modified by the results of subsequent local leak rate tests. The data would be reported as a fraction of the design basis leak rate (La). Licensees currently collect this data as required by 10 CFR Part 50 Appendix J. Data would be reported quarterly although, in some quarters, no new data would be collected at a particular site. The threshold for increased regulatory oversight (Increased Regulatory Response Band) would have a regulatory basis and would be set at a leak rate corresponding to the plant's technical specification limit for allowable containment leakage. Use of the technical specification value provides considerable margin since offsite risk is not significantly increased until the containment leak rate approaches 100 percent per day (i.e., several orders of magnitude greater than La). Leakage at the technical specification limit is not risk significant, so this threshold provides an element of defense in depth. A threshold for the Required Regulatory Response Band is not proposed since licensees are expected to make repairs to the containment and to reduce the leak rate below La in a short time or shut down in accordance with technical specification requirements.

Two limitations with this performance indicator should be noted:

(1) "As-found" leak rate data is not collected in a consistent manner at all plants. Specifically, some plants perform the Type C tests at the end rather than at the beginning of the refueling outage. The leak rate data for those plants may not reflect the actual leak rate that existed during power operation, particularly if the isolation valves are cycled during the outage. Some changes to licensee practices may be needed to achieve consistency.

(2) The data obtained from integrated and local leak rate tests is gathered relatively infrequently. In accordance with Appendix J, licensees are required to perform integrated leak tests (Type A tests) on a frequency of 3 tests every 10 years, and to leak test Type B and Type C components during each reactor shutdown for refueling, but in no case at intervals greater than 2 years. Licensees adopting Option B of Appendix J can extend the integrated leak test frequency to one test every 10 years, and extend the test interval up to 60 months for Type B penetrations (except personnel airlocks) and Type C components (except main steam and feedwater isolation valves in BWRs, and containment purge and vent valves in PWRs and BWRs). The extended test interval for those excepted components would be limited to 30 months. Thus, depending on the licensee's test program, updates to the performance indicator would occur on an infrequent basis.

C.7 Inspection Areas - Barrier Integrity

C.7.1 Inspection Areas - Fuel Cladding Integrity

Configuration Control

In order to provide confidence in the defense in depth element provided by the fuel cladding barrier, certain inspections are needed to supplement the performance indicator. Fuel cladding degradation can result from both inadequate human and equipment performance. Control rod configurations (patterns) must be properly established and maintained to ensure that abnormal alignments do not result in challenges to core thermal limits and ultimately fuel cladding integrity. Reactivity manipulations must be conducted in a well-controlled and deliberate manner to provide assurance that reactor power operation will remain within the limits established by technical specifications. Reactivity control systems must also be properly configured to prevent and/or mitigate adverse reactivity transients and neutron flux distributions. Performance based inspection activities to address these issues include:

1. Periodic observations of licensed operators during the conduct of reactivity manipulations (e.g. to ensure adherence to vendor-provided fuel preconditioning limits). Inspection in this area should be conducted during significant reactivity manipulations (e.g. >20% in the power range), and during plant startups and shutdowns.
2. Evaluations of maintenance activities associated with reactivity control systems (e.g. control rod drives, rod block monitors, rod worth minimizers, etc.) to ensure that they remain capable of performing their functions following the work. Periodic observation of instrument channel calibrations and functional tests of reactivity control equipment should also be included. Control rod drive mechanism work, including hydraulic control units for BWRs, should also be periodically assessed.
3. Verifications of nuclear instrument performance to ensure that they are properly calibrated and provide protection signals at the proper set points.
4. Reviews of computer-generated thermal limit reports to verify that defined safety limits and operating margins are preserved.

Corrective Action Program

In addition, deficiencies associated with certain other activities which could affect fuel cladding integrity and reduce confidence in the measure of defense in depth which it provides should be monitored during the planned baseline inspection of licensee corrective action programs. Possible focus areas include errors associated with:

• Core design analysis
• Start up physics testing
• Human performance (e.g. procedure adherence, etc.)
• Procedure quality
• Primary water chemistry control
• Refueling
• Loose parts monitoring and foreign material exclusion

C.7.2 Inspection Areas - Reactor Coolant System

Design Control

Maintaining continued confidence in LOCA frequency estimates will include measuring the quality of design modification or temporary modification activities that could increase the probability of an RCS pressure boundary rupture. The definition of RCS pressure boundary used here, for inspection purposes, extends beyond the passive pressure retaining piping, valves, and other components covered by ASME code requirements. It also includes active components such as reactor coolant pump or recirculation pump seals and safety relief valves.

As a measure of the quality of design control as it is related to the RCS barrier, an inspection should review a sample of proposed risk-significant modification packages that affect the RCS pressure boundary, including active components. These will include those which could simultaneously impact both RCS integrity and mitigation system reliability or performance. As opportunities occur to observe the quality of work in progress in this area, including post-modification testing, inspectors should assess the ability of the licensee to maintain the design pressure retention capability of the RCS pressure boundary, which forms the basis for assurance that LOCA frequency estimates remain low. Because of their potential importance to risk during station blackout (SBO) conditions, for plants having relatively significant contributions to core damage frequency from SBO, reactor coolant pump or recirculation pump seal replacement or modification should receive high priority, particularly for those seals whose design has not been enhanced for high temperature service (e.g., Westinghouse high temperature RCP seals). In addition, because the presence of pressure relief valves (e.g., code safety valves and power operated relief valves) increases the opportunity for LOCAs due to failures to reseat following lifting, replacement or modification of these components should also receive high priority. The inspection procedure for this area should provide historical insights of causes for pressure boundary failures so as to alert the inspector to the most likely problem areas. For example, for passive components attention should be paid to modifications that might increase mechanical fatigue (e.g., small diameter piping attached to much larger diameter piping), or thermal fatigue (e.g., stratification of liquids or turbulent mixing of hot and cold fluids), or use of material compositions that could increase corrosion susceptibility (e.g., IGSCC, PWSCC), or that might increase the probability of water hammer*. Similar historical insights should be collected for pump seals and relief valves and used as inspection guidance.

* Welding Research Council Bulletin #382, June 1993, "Nuclear Piping Criteria for Advanced Light-Water Reactors, Volume 1 Failure Mechanisms and Corrective Actions," ISSN 0043-2326, provides an excellent overview of historical insights for piping degradation mechanisms.

Human Performance

As a measure of post accident or event human performance, the inspection program should include licensed operator requalification program implementation with emphasis on simulator observation in the areas of mitigation of potential for pressurized thermal shock (PWRs), water hammer within the RCS, and maintaining reactor coolant pump or recirculation pump seal cooling during off-normal conditions.

Emergency Operating Procedures

LOCAs can occur as a consequence of certain other accident sequences. The contribution to core damage frequency from these consequential LOCAs can vary dramatically between plants. Usually an implicit assumption is that emergency operating procedures (EOPs) are relatively effective in preventing serious degradation of the RCS pressure boundary during such sequences. These operator actions include those that mitigate the impact to passive components (e.g., piping) from pressurized thermal shock and mechanical shock due to water hammer, and to active components such as operator actions to restore cooling to reactor coolant or recirculation pump seals following a station blackout.

To measure the quality of emergency operating procedures as they relate to the RCS barrier, inspection should sample modification packages for emergency operating procedures (and off-normal procedures which are referenced) that could affect the RCS pressure boundary, including active components. Although this review should focus on the modification, it should also include a broad review of the underlying EOP strategy in the area affected by the modification to ensure that the strategy remains sound and in accordance with its intended objectives as described in licensee EOP basis documents.

Configuration Control

Configuration control refers to maintaining system alignment control over active components of the RCS pressure boundary (e.g., isolation valves, PORVs, pump seals) which, if such control is degraded, may result in a loss of RCS integrity. This is not generally modeled in risk assessments of at-power conditions. However, inter-system LOCAs (ISLOCAs) are often modeled as catastrophic failures of normally closed valves whose function is to prevent high pressure RCS coolant from over-pressurizing low pressure components such as those associated with decay heat removal systems. Although such events have a very low estimated occurrence frequency, the resulting coolant loss is not recoverable in the containment and therefore not available for long term core and containment heat removal. This makes ISLOCA contribution to risk very sensitive to the valve failure frequency estimate. However, spontaneous catastrophic failure of a valve is not nearly as likely as an operator mis-positioning event. Such operator-induced events would be more likely during shutdown plant conditions when maintenance and system re-alignments are in progress. Therefore, the risk significance of ISLOCA events is increased during periods of operator manipulation of active pressure boundary components and in particular where an ISLOCA could degrade mitigation equipment capability.

The baseline inspection program should assess configuration control as it relates to RCS barrier integrity during shutdown operations. This should include RCS and associated/attached systems (e.g., Low Temperature Overpressure Relief Valves) configuration and manipulations to assure that RCS integrity is maintained and controlled.

Barrier and Equipment Performance

The rate at which RCS pressure boundary leaks (ASME definition) occur is a proposed performance indicator, which in combination with an RCS leak rate performance indicator gives a complete picture of the RCS barrier performance. However, until the "rate of leaks" indicator is fully developed, inspection is warranted to monitor the rate and cause (if known) of such leaks and to assess the adequacy of licensee corrective actions.

Similarly, until the inservice inspection performance indicator is fully developed, inspection is warranted to assess the adequacy of the inservice inspection program scope, including the use of plant-specific risk insights and industry operating experience.

As another aspect of equipment performance, reactor coolant pump or recirculation pump seals and associated cooling equipment and RCS pressure relief valves should be inspected through verification inspections of the licensee's implementation of the maintenance rule. The focus of these inspections should be on performance that may indicate an increasing probability of RCS pressure boundary failure (e.g., pump seal failure, stuck open relief valve).

Corrective Action Program

In addition, deficiencies associated with certain other activities which could affect the RCS integrity and reduce confidence in the measure of defense in depth which it provides should be monitored during the planned baseline inspection of licensee corrective action programs. Possible focus areas include errors associated with:

• Human performance deficiencies related to routine maintenance and surveillance testing of the RCS
• Adequacy of routine operations and maintenance procedures that could affect the engineered strength margins of the RCS pressure boundary
• RCS chemistry conditions

C.7.3 Inspection Areas - Containment

Design Control

As a measure of how design control affects the containment barrier and in order to ensure that the design basis and PRA assumptions remain valid, inspectors should perform a design review of a sample of risk-significant modifications or temporary modifications. In addition, for this limited set of modifications, inspectors should conduct a performance-based inspection of the post-modification testing.

Priority should be given to review of modifications that may:

• adversely impact the functionality of systems important to long term containment pressure control and degraded core hydrogen control (e.g., sprays, Mark I hardened vent, isolation condenser, igniters)
• increase the likelihood or magnitude of steam/fission products bypassing the suppression pool or ice condenser (e.g., vacuum breakers, ice condenser components)
• reduce the availability/reliability of isolating large diameter containment penetrations (> 2 inches) which connect to the containment airspace (e.g., purge/vent valves, vacuum breakers, actuation system)
• extend the time required to achieve containment closure during shutdown
• reduce the containment ultimate pressure capacity or introduce new containment failure modes (temporary containment equipment hatches)

The inspector should consult the plant-specific risk study to identify the most risk-significant containment-related SSCs for a particular plant, and to establish a basis for selecting the design changes to be reviewed. Continued operational capability will be reviewed through risk informed inspection of design features of containment systems not subject to periodic testing.

Human Performance

As a measure of how human performance in an accident or event situation affects the containment barrier, the NRC should continue to conduct inspections of licensed operator training to confirm that risk-significant human actions are addressed within the training program, and that control room crews are able to effectively carry out the risk-significant human actions during simulated accidents involving these actions. The NRC should also confirm the adequacy of the licensee's self-assessment of its severe accident management (SAM) capabilities as part of NRC's oversight of licensee emergency preparedness programs.

Test Procedures

Inspection is needed to confirm that test procedures adequately test those system design features being verified. Those design features not verified by routine testing will be subject to risk informed inspection.

Emergency Operating Procedures

Inspection is needed to confirm the quality of EOPs which affect the containment boundary. The quality of the plant-specific EOPs was verified through the NRC's EOP inspection program conducted in 1988-1991. Using the current EOPs as a baseline, information is needed only on risk-significant changes to the procedures. The inspector should sample EOP modification packages that could affect containment integrity, isolation capabilities or SSCs important to LERF (such as ATWS response, containment venting, and manual depressurization). Although this review should focus on the modification, it should also include a broad review of the underlying EOP strategy in the area affected by the modification to ensure that the strategy remains sound and in accordance with its intended objectives as described in licensee EOP basis documents.

Configuration Control

Inspection is recommended to confirm the adequacy of configuration control as it affects the containment boundary and SSCs important to LERF. The risk-significant penetrations would be identified based on the plant specific risk study, and are expected to comprise a small fraction of the total containment penetrations. The inspector should verify proper containment configuration during risk-significant evolutions (e.g. PWR mid-loop operation, BWR cavity drain downs, etc.). This should include a review of the licensee's provisions for achieving containment closure in a timely manner (i.e., prior to RCS steaming) during periods when the containment is permitted to be open. Inspections in this area are important because of the high safety significance of these activities.

Barrier and Equipment Performance

Inspection is needed as a measure of equipment performance related to the containment barrier. Reliability and availability data for containment penetrations which constitute the major pathways for release to the environment provides an indicator of the reliability of the containment isolation function. As part of the baseline inspection program for maintenance rule oversight, the inspector should perform a periodic review of the availability and reliability information for those penetrations important to LERF. These penetrations would be identified based on the plant-specific risk study, and are expected to comprise a small fraction of the total containment penetrations. The penetrations are expected to include the large diameter piping penetrations through which the containment air space or reactor coolant system could communicate with the outside environment (e.g., purge/vent penetrations and MSIVs), personnel airlocks, and equipment hatches.

The inspector should also review the information from the licensee's maintenance program for each SSC judged to be important for controlling the LERF. The risk-significant SSCs are containment- and plant-specific and should be selected on the basis of their importance to large release frequency in the plant-specific risk study. The SSCs which should be considered for monitoring include those critical for:

• short and long term pressure control (e.g., containment spray and fan coolers in PWRs; suppression pool cooling, isolation condenser, drywell/wetwell sprays, and drywell/wetwell vents in BWRs), and
• degraded core hydrogen control (i.e., hydrogen igniters for ice condenser and Mark III containments and inerting in Mark I and II containments).

The necessary reliability and availability data for the major containment isolation components and SSCs important to LERF are expected to be available from the licensee's implementation of the maintenance rule. During the maintenance rule baseline inspection, the inspector should verify that the licensee accurately collects and assesses the needed data.

Corrective Action Program

In addition, deficiencies associated with certain other activities which could affect containment functionality and reduce confidence in the measure of defense in depth which it provides should be monitored during the planned baseline inspection of licensee corrective action and self assessment programs. Possible focus areas include licensee follow-up of:

• Instances in which measured leakage is found to exceed La
• Human errors impacting containment integrity that are identified as root causes of problems in other areas
• Procedure deficiencies impacting containment performance that are identified as root causes of problems in other areas
• Failures to maintain the proper status of risk-significant containment isolation valves and penetrations
• Failures to maintain containment parameters within design limits

TABLE C1 - SUMMARY OF PROPOSED INDICATORS FOR THE BARRIER INTEGRITY CORNERSTONE

| Measure | Purpose | Indicator | Thresholds |
|---|---|---|---|
| RCS Activity | To provide indication of fuel barrier integrity and occurrence of cladding failure | Maximum calculated activity level (microCuries per gram dose equivalent Iodine-131) per month | 50% of TS Limit; 100% of TS Limit |
| RCS Leak Rate | To provide indication of the potential for a breach of the RCS | Maximum calculated leakage rate (gallons per minute) per month (identified plus unidentified) | 50% of TS Limit; 100% of TS Limit |
| RCS Leak Occurrence Rate (Future) | To provide a measure of the frequency of RCS leaks | Occurrence rate of individual RCS pressure boundary leaks (as defined by technical specifications), measured on a per fuel cycle basis, that contribute to identified RCS leakage, that are not primary-to-secondary leakage, and that exist when RCS integrity is required by technical specifications | TBD |
| RCS Inservice Inspection Results (Future) | To provide indication of the potential for RCS failure | The percentage of individual inservice inspection tests performed within [TBD] that require disposition against ASME acceptance standards | TBD |
| Containment Leakage | To provide indication that containment leakage will remain below levels corresponding to a large radiological release, given that containment closure is achieved | Total leakage (fraction of the design basis leak rate, La) from containment as determined from the last integrated leak rate test, updated by the "as found" results of subsequent local leak rate tests required by 10 CFR 50, Appendix J | 100% of TS Limit with respect to La |

Appendix C TABLE C2 - BARRIER INTEGRITY KEY ATTRIBUTES AND MEANS TO MEASURE Barrier - Key Areas to Means to Maastre Discussion Attributes Measure Fuel Cladding Core Design Performance Design errors could lead to cladding defects or integrity -

Analysis indicator (RCS failures, the effect of which would be seen in Activity) the performance indicator. Gap release is Design Control assumed in certain design basis accidents.

Design errors would not be expected to cause a risk significant increase in the gap release.

Errors in the core design analysis should be 4

detected during start up physics testing and t

data review Physics Corrective Physics testing is conducted while low in power; Testing Action Program where design errors are not likely to challenge cladding integrity. Should significant problems be identified, shutdown and corrective actions would be accomplished.

Fuel Cladding Procedure Performance Failure to adhere to procedures, assuming that integrity -

Adherence Indicator (RCS it results in adverse consequences, would be Activity),

seen in the RCS activity performance indicator Human Corrective or should be identified as a root cause of Performance Action Program problems measured in other key attribute areas (see Fuel Cladding integrity - Configuration Control)

Foreign Performance The corrective action program would be expected Materials Indicator (RCS to identify and correct FME problems. In some Exclusion Activity),

cases, FME problems could lead to cladding (FME)

Corrective defects which would be identified by the RCS Action Program activity performance indicator.

Fuel Cladding Quality of Performance in the worst case, inadequate procedures could integrity -

Procedures indicator (RCS result in fuel cladding damage, which would be Which Could Activity),

reflected in the RCS activity performance Procedure impact Corrective indicator. Less significant procedure Quality Cladding Action Program deficiencies should be captured as root causes of problems measured in other key attribute areas C-19

Appendix C I

Barrier - Key Areas to Means to Measure Discussion Attributes Measure Fuel Cladding Reactivity inspection Monitor those activities which could lead to Integrity -

Control fuel cladding degradation. Abnormal control rod alignments or reactivity manipulations 1

Configuration during plant operation can result in reduction Control in margins to core thermal limits and even challenge thermal limits during transients, leading to cladding degradation or failure.

Misconfigured or malfunctioning reactivity control systems may fail to prevent or mitigate l

areas of unacceptably high neutron flux in the core which could lead to fuel cladding damage.

l Cladding perforation is by definition a breach l

of the fuel barrier and a reduction in the defense-in-depth for prevention of fission product release to the environment.

Primary Corrective Problems resulting from inadequate water l

Chemistry Action Program, chemistry controls tend to develop owly and l

Control Performance should be adequately identified and resolved by l

Indicator (RCS effective implementation of licensee self-l Activity) assessment and corrective action programs. The

.RCS activity performance indicator would provide l

a back-up.

Core Loading Corrective Fuel loading errors committed during the Action Program, refueling process should be detected while very Performance low in power during start up physics testing.

Indicator (RCS Improperly placed or oriented fuel assemblies Activity) can lead to localized areas of high neutron flux with adverse consequences. Fuel assembly mispositioning errors should be identified l

l during independent verification of the core configuration prior to vessel head re-i installation. The licensee's corrective action l

program is expected to identify and resolve this l

type of problem, as well as problems involving cladding damage during handling. The RCS activity performance indicator would provide a back-up.

l l

4

)

C-20 i

l l

| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| Fuel Cladding Integrity - Equipment/Barrier Performance | Reactor Coolant System (RCS) Activity | Performance Indicator (RCS Activity) | RCS radioactivity level measurements provide a reliable means of indicating when nuclear fuel cladding has been compromised, resulting in a direct and objective measure of the integrity of the fuel cladding barrier. This PI is important from a risk-informed perspective since a failure of fuel cladding is by definition a breach of one of the three barriers to fission product release in the "defense-in-depth" fission product release protection scheme. |
| | Loose Parts | Performance Indicator (RCS Activity) | Besides FME issues (described in the "Fuel Cladding Integrity - Human Performance" key attribute above), loose parts can be introduced into the reactor vessel by poor maintenance practices or failures of internal structural components. In some cases, loose parts could lead to cladding defects which would be identified by the RCS activity performance indicator. |
| Reactor Coolant System Integrity - Design Control | Modifications | Inspection | Review proposed permanent or temporary modification packages for risk-significant SSCs, including the associated 10 CFR 50.59 safety evaluations. This effort should ensure that design bases and risk analyses assumptions are preserved. Inspection should also focus on post-modification testing to verify that "as-left" equipment or barrier performance is satisfactory. The scope of this effort should focus on the most risk-significant modifications, for example those which could simultaneously impact both RCS integrity as well as mitigation system performance or reliability. |
| Reactor Coolant System Integrity - Human Performance | Routine Performance | Corrective Action Program | Errors (including failures to adhere to established procedures) should be captured as root causes of problems measured in other key attributes. |


| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | Post Accident or Event Performance | Initial Operator Exams and Requalification Program Inspections | Observe licensed operator initial and requalification examinations with focus on actions which are designed to protect the integrity of the RCS barrier. These actions include those that mitigate the impact to passive components (e.g. piping) from direct thermal impacts (e.g. pressurized thermal shock) and mechanical shocks (e.g. water hammer), and actions to restore cooling to reactor coolant/recirculation pump seals during conditions affecting the adequacy of cooling to these seals. |
| Reactor Coolant System Integrity - Procedure Quality | Routine procedures | Corrective Action Program | Operations, maintenance and surveillance procedure deficiencies should be captured as root causes of problems measured in other key attributes. |
| | Emergency Operating Procedures (EOP) and Related Off-Normal Procedures | Inspection | Focused review of proposed risk significant changes to EOPs. The quality of EOPs and other off normal procedures go hand-in-hand with effective human performance to provide adequate assurance that RCS pressure boundary components will be protected during accidents or events involving these procedures. The quality of these procedures is equally risk significant as that noted for the human performance area discussed above. During the review of proposed EOP changes, consider the conduct of a broader review of the subject EOP to ensure that the overall accident mitigation strategy is still valid. |
| Reactor Coolant System Integrity - Configuration Control | System Alignment | Inspection | Periodically verify during plant shutdown periods (when operator manipulation of RCS pressure boundary components like isolation valves is most frequent) that the configuration of the RCS and connected systems is properly maintained. The consequences of mis-positioned RCS boundary valves resulting in a LOCA can be high when the resulting coolant loss is not recoverable in the containment and therefore not available for long term core and containment heat removal. |


| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | Primary and Secondary Chemistry Control | Corrective Action Program | Problems resulting from inadequate water chemistry controls tend to develop slowly and should be identified and resolved by internal licensee processes. |
| Reactor Coolant System Integrity - Equipment/Barrier Performance | Reactor Coolant System Leakage | Performance Indicator (RCS Leak Rate) | Monitor the extent of RCS leakage. An actual RCS leak is, by definition, a breach of RCS integrity and a reduction in the defense-in-depth for protection against fission product release. RCS leakage is a direct indicator of the performance of the RCS pressure boundary. Research has determined that the RCS pressure boundary has a high probability of experiencing a leak prior to a rupture (i.e. "leak-before-break"). Therefore, the extent of such leaks offers an objective perspective on the probability of a more catastrophic failure. |
| | | Performance Indicator (RCS Leak Occurrence Rate) (Potential) | Monitor the rate of occurrence of RCS pressure boundary leaks. RCS pressure boundary leaks, by definition, are breaches of RCS integrity and reduce defense-in-depth for protection against fission product release. Research has determined that the RCS pressure boundary has a high probability of experiencing a leak prior to a rupture (i.e. "leak-before-break"). Therefore, the rate of occurrence of such leaks offers an objective perspective on the probability of a more catastrophic failure. |
| | | Inspection | Until the above potential performance indicator is available for rate of occurrence of RCS pressure boundary leaks, the baseline inspection program will monitor the rate and cause (if known) of such leaks and assess the adequacy of licensee corrective actions. |
| | Inservice Inspection (ISI) Results | Inspection | ISI programs, when effectively implemented, provide a proactive means to assess the overall integrity of the RCS. Emphasis will be placed on the use of industry operating experience to assess the adequacy of the inservice inspection program scope, including the use of plant-specific risk insights. |


| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | | Performance Indicator (RCS ISI Results) (Potential) | Monitor the number of RCS defects identified during licensee ISI. Implicit in the generally low LOCA frequency estimates resulting from plant risk assessment studies is the expectation that effective quality assurance activities (such as ISI) will monitor and maintain the engineered strength margins of the reactor coolant pressure boundary. A relatively large number of identified defects resulting from ISI would indicate either a robust ISI program, deficient RCS design or construction, or poor RCS pressure boundary maintenance. |
| | Active RCS Component Performance | Maintenance Rule Verification | Inspection should provide oversight of the licensee's implementation of the maintenance rule, which includes monitoring the performance of reactor coolant or recirculation pump seals, safety/relief valves, etc. Poor performance associated with the active RCS components could invalidate the assumptions made in risk assessment studies and increase the potential for LOCAs. |
| Containment Integrity - Design Control | Structural Integrity | Performance Indicator (Containment Leakage) | Established during the initial licensing and pre-operational testing and inspection process; continuing adequacy in this area is assessed through inspection of related modifications (see below) and is monitored by leak rate testing (the performance indicator is described below). |
| | Operational Capability | Inspection | Established during the initial licensing and pre-operational testing and inspection process. Continuing adequacy in this area is assessed through inspection of related modifications (see below) and inspection of design features of containment systems not subject to periodic testing (see test procedures below). |


| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | Modifications | Inspection | Review proposed permanent or temporary modification packages for risk-significant SSCs, including associated 10 CFR 50.59 safety evaluations, to ensure that design bases and risk analyses assumptions are preserved. Inspection should also focus on post-modification testing to verify that "as-left" equipment or barrier performance is satisfactory. |
| Containment Integrity - Human Performance | Routine Performance | Corrective Action Program | Human performance errors during routine operations, maintenance, and surveillance (including failures to adhere to established procedures) should be captured as root causes of problems measured in other key attributes. |
| | Post-Accident or Event Performance | Initial Operator Exams and Requalification Program Inspections | Continue to assess licensed operator training, with focus on actions designed to protect containment integrity. Risk studies indicate that certain operator actions can have a significant impact on plant risk. In BWRs these include actions to inhibit the automatic depressurization system and subsequently depressurize the RCS manually, align suppression pool cooling, control reactor level during an ATWS, and vent the containment. For PWRs these include actions to switch over from the injection to the recirculation phase of core cooling, feed and bleed using HPI and PORVs, and recover normal and emergency power. |
| Containment Integrity - Procedure Quality | Routine Operations, Maintenance and Surveillance Procedures | Inspection | Procedure deficiencies should be captured as root causes of problems measured in other key attributes. Inspection will confirm whether test procedures adequately test those system design features being verified. Important design functions not verified by testing will be subject to risk informed inspection (see design - operational capability, above). |


| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | Emergency Operating Procedures | Inspection | Focused review of proposed risk-significant changes to emergency operating procedures. During this review of proposed EOP changes, consider the conduct of a broader review of the subject EOP to ensure that the overall accident mitigation strategy is still valid. |
| Containment Integrity - Configuration Control | Lineup of Containment Penetrations and SSCs important to LERF | Corrective Action Program | Errors in maintaining the proper status of risk-significant containment penetrations and SSCs should be infrequent and identified via control room alarms and indications and routine surveillances. |
| | | Inspection | Verify that the containment is in the proper configuration and that open penetrations can be closed in a timely manner during risk-significant evolutions (e.g. "mid-loop" operation with fuel in the vessel at a PWR). Since defense-in-depth protection against a fission product release is already reduced in these circumstances, added assurance of the viability of timely and effective containment isolation is needed. |
| | Containment Design Parameters Maintained | Corrective Action Program | Errors in maintaining the proper containment design parameters, many established by technical specifications (e.g. torus level in BWR), should be infrequent and easily identified (i.e. via control room alarms and indications). |
| Containment Integrity - Equipment/Barrier Performance | Steam Generator Tube Integrity and ISLOCA Prevention | - | Covered under equipment performance attribute of the Initiating Events Cornerstone and configuration control attribute of RCS barrier. |

| Barrier - Key Attributes | Areas to Measure | Means to Measure | Discussion |
|---|---|---|---|
| | Containment Isolation Systems Reliability and Availability | Performance Indicator (Containment Leakage) | Monitor the "as-found" containment leak rate data. "As-found" data is important because it provides an objective and reasonable indication of what actually existed during previous plant operation. The PI would be reported as the combined total leak rate of all the penetrations, as a fraction of the site specific La. |
| | | Maintenance Rule Verification | Inspection should provide oversight of the licensee's implementation of the maintenance rule, which includes monitoring the performance of containment isolation SSCs which constitute major release pathways to the environment (i.e. important to LERF). |
| | Risk-important Support Systems Availability and Reliability | Maintenance Rule Verification | Inspection should provide oversight of the licensee's implementation of the maintenance rule, which includes monitoring the performance of containment support systems which could adversely impact the functionality of the containment. For example, these systems could include containment spray and hydrogen ignitors. |


Appendix D

Emergency Preparedness Cornerstone

GENERAL DESCRIPTION

Emergency Preparedness (EP) is the final barrier in the defense in depth approach to safety that NRC regulations provide for ensuring the adequate protection of the public health and safety. Emergency Preparedness is a fundamental cornerstone of the Reactor Safety Strategic Performance Area. 10 CFR Part 50.47 and Appendix E to Part 50 define the requirements of an EP program, and the licensee commits to implementation of these requirements through an Emergency Plan (the Plan).

Statement of Objective

Ensure that the licensee is capable of implementing adequate measures to protect the public health and safety in the event of a radiological emergency.

Desired Result / Performance Expectation

Demonstration that reasonable assurance exists that the licensee can effectively implement its emergency plan to adequately protect the public health and safety in the event of a radiological emergency.

KEY ATTRIBUTES OF LICENSEE PERFORMANCE THAT CONTRIBUTE TO EMERGENCY PREPAREDNESS

Measures taken to protect the public from the effects of a radiological emergency must necessarily involve action by both licensee and State and local governmental authorities in the vicinity of the reactor. The facets of the EP program that involve actions by licensee staff are generally referred to as onsite EP. The EP program, procedures and systems maintained to implement governmental actions are referred to as offsite EP. The licensee is responsible for developing and implementing the onsite EP program and provides support to the offsite program as required. The NRC is responsible for assessing the adequacy of the overall program, but relies on the Federal Emergency Management Agency (FEMA) to assess the offsite program. The development and collection of performance indicators (PIs) for offsite EP by licensees is not considered necessary or appropriate at this time, because FEMA performs regular assessments of offsite EP programs.

The key attributes of an EP program are those program elements that are critical to achievement of the performance expectation. These key attributes are depicted in Figure 1 and are: ERO performance as demonstrated during simulated and actual events, Emergency Response Organization (ERO) readiness to implement the Plan, the readiness of the facilities and equipment that support the ERO, the quality of procedures that support EP, and Offsite EP.

[Figure 1]

ERO Performance

The implementation of the Plan is dependent on the performance of the ERO in their EP assignments. The technical aspects of these assignments generally align with the expertise of the individual, but also include duties unique to EP. The opportunity to demonstrate proficiency is provided during drills, exercises and events that require implementation of the Plan. There are many areas important to Plan implementation, but the most risk significant areas of ERO performance are:

Timely and accurate classification of events; including the recognition of events as potentially exceeding emergency action levels (EALs) and any assessment actions necessary to support classification; this is measured by a PI.

Timely and accurate notification of offsite governmental authorities; including adequate performance of notifications as specified in the Plan; this is measured by a PI.

Timely and accurate development and communication of protective action recommendations to offsite authorities; including providing appropriate protective action recommendations (PARs) to governmental authorities, the decision making process to develop PARs and accident assessment as necessary to support PAR development; this is measured by a PI.

ERO Readiness

Implementation of the Plan is dependent on the readiness of the ERO to respond to emergencies. Licensee training programs provide the ERO knowledge base, but drills and exercises provide opportunities to gain proficiency in individual duties and team functions in the integrated organization. Self assessment of performance during drills and exercises identifies successful performance and areas for improvement. Self assessment and corrective action resolution is critical to ERO proficiency. In this way, the drill program ensures a high level of ERO proficiency. In addition, timely ERO augmentation of on shift personnel is critical to overall performance. The most risk significant areas of ERO readiness are:

ERO Drill Participation; including participation in drills and other appropriate opportunities for proficiency development (and supplemented by self assessment of performance and corrective action - see below); this is measured by a PI.

ERO Performance Assessment; including self assessment of performance and identification of deficiencies in ERO performance, conduct of reviews required by 10 CFR 50.54 (t), identification of trends in deficiencies and the efficacy of the corrective action program; this is measured by inspection.

Timely ERO Augmentation; including the functioning of notification systems, adequacy of ERO response and adequacy of the duty roster to provide 24 hour staffing; this is measured by inspection.

Facilities and Equipment

Facilities and equipment required to implement licensee emergency response are specified in the Plan. The readiness of facilities and equipment to support ERO operations is a risk significant area:

Availability of the Alert and Notification System; including the ability of the systems to perform their design function; this is measured by a PI.

Availability of facilities and equipment; including surveillance of communications channels, facilities and equipment; this is measured by inspection.

Procedure Quality

Emergency Plan Implementing Procedures (EPIPs) are used by the ERO to implement the Plan. The response is tested regularly in drills and exercises and the quality of EPIPs is generally improved through assessment of performance. The emergency action levels (EALs) are delineated in the Plan and implemented through the use of an EPIP. Changes in EALs may be made by the licensee in accordance with 10 CFR 50.54 (q), but must be approved by NRC. Other procedures, such as severe accident management guides (SAMG), are also important to emergency response. The risk significant areas of procedure quality are:

Classification of events; this is measured by a PI.

Notification of offsite governmental authorities; this is measured by a PI.

Development and communication of protective action recommendations to offsite authorities; this is measured by a PI.

Configuration of the EALs; this is measured by inspection.

Implementation of SAMG; this is measured by inspection.

Offsite EP

State and local governmental authorities are responsible for maintaining the offsite EP programs and implementing protective actions to protect the public health and safety. While the licensee must supply appropriate information to governmental authorities to allow the timely implementation of protective actions, only governmental authorities are authorized to implement these actions. Implementation of offsite Plans is assessed in regular FEMA evaluations.

PERFORMANCE INDICATORS

Compliance of EP programs with regulation is assessed through observation of response to simulated emergencies and through routine inspection of onsite programs. Demonstration exercises involving onsite and offsite programs form the key observational tool used to support, on a continuing basis, the reasonable assurance finding that adequate protective measures can and will be taken in the event of a radiological emergency. This is especially true for the most risk significant facets of the EP program. This being the case, the PIs proposed for onsite EP draw significantly from performance during simulated emergencies and actual declared emergencies, but are supplemented by direct NRC inspection and inspection of licensee self assessment. NRC assessment of the adequacy of offsite EP will rely (as it does currently) on regular FEMA evaluations.

1.0 Drill, Exercise and Actual Event Performance (DEP); data collected quarterly, for use in a six month trend and a two year rolling average.

This PI consists of: The fraction, numerator and denominator, of successful performance actions over all opportunities for:

Classification of Emergencies

Notification

Protective Action Recommendation

Basis:

Recognition and subsequent classification of events is a risk significant activity. Classification leads to augmentation of the ERO, as appropriate to the emergency class, and notification of governmental authorities.

Timely and accurate notification of offsite authorities is a risk significant activity. Notification leads to mobilization of governmental authorities, as appropriate.

The timely and accurate development and communication of PARs is a risk significant activity. It requires that several supporting activities be performed including: assessment of plant conditions, quantification of radiological release magnitude, projection of the potential dose to the public and communication to government authorities. Communication of PARs leads to actions by governmental authorities to protect the public health and safety.

If the ERO consistently performs these activities in a timely and accurate manner, it indicates that the EP program is operating at or above the threshold of licensee safety performance above which the NRC can allow licensees to address weaknesses with NRC oversight through a risk informed baseline inspection program.

Requirements:

Only activities that the licensee formally assesses for the timely and accurate performance of classification, notification and PAR development and communication may be included in this statistic. Simulated emergency events that are identified in advance as performance opportunities for this PI shall be included in the statistics, i.e., a candidate opportunity cannot be removed from the data set due to poor performance. Opportunities shall include actual emergency declarations and the biennial exercise and may include other drills of appropriate scope and operating shift simulator evaluations conducted by the licensee training organization.

A drill may be considered of appropriate scope if it provides a proficiency development opportunity for the ERO that involves, or reasonably simulates the interaction as appropriate, of the control room, TSC, OSC, EOF, field monitoring teams, damage control teams and offsite governmental authorities, e.g., a field monitoring team may only interact with the EOF, the control room may only interact with the TSC, but the TSC may interact with the EOF, control room, OSC and government.

Operating shift simulator evaluations may be included only when the scope requires classification (if it were a real event) and notifications are performed at least to the point of filling out the appropriate forms and demonstrating sufficient knowledge to perform the actual notification.

However, there is no intent to disrupt ongoing operator qualification programs. Appropriate operator training evolutions should be included in the statistics only when EP aspects are consistent with training goals.

There is no requirement to include any given drill or training evolution and no minimum is set for these observational opportunities. However, analyses performed on the data will recognize that a PI value generated by a greater number of opportunities more accurately represents licensee performance. Statistical opportunities should include multiple events during a single drill, evolution, etc., if supported by the scenario as follows:

each expected recognition and classification opportunity should be included,

notification opportunities should include notifications made to the state/local governmental authorities for initial emergency classification, upgrade of emergency class, initial PARs and changes in PARs (periodic follow up notifications/briefings provided when classification or PARs have not changed are not included), and

PAR opportunities should include the initial PAR and any appropriate PAR change.


Data Reporting Frequency

Data would be reported every 3 months.

PI Threshold

The threshold for the white zone is two fold:

< 75% for the previous six months

< 90% for the previous two years

The first threshold, also referred to as the "short-term performance threshold", is designed to trigger NRC action if the licensee's performance declines over the past 6 months. The second threshold, also referred to as the "long-term performance threshold", is designed to trigger NRC action if the licensee's performance declines over the past 24 months. This dichotomy between "short-term" and "long-term" thresholds was deemed necessary to balance the significance of short-term and long-term performance indications (a decline in performance over a long period of time may be more significant than a sharp decline noted in a shorter period).

Basis for the 24-months Threshold

The long-term performance threshold of 90% has been determined based on an analysis of emergency preparedness inspection findings from 1994 to 1997. The findings were extracted from inspection reports of NRC evaluated biennial exercises. A systematic assessment of each finding related to the risk-significant areas (classification, notification, PARs) was performed to determine successful performance and the number of opportunities. Successful performance was rolled up for each 24 month period and the corresponding average and standard deviation calculated. The following results were found:

| 24 months period | Number of Failures | Estimated Number of Opportunities (*) | Average of Successes | Standard Deviation |
|---|---|---|---|---|
| 1996-1997 | 24 | 680 | 96% | 9% |
| 1994-1995 | 27 | 730 | 96% | 7% |

(*) 4 opportunities per exercise for Classification and 4 opportunities for Notification; 2 opportunities per exercise for PARs.

Examining inspection reports was found to be a timely and convenient method to access past performance data similar to that which will be used for the DEP PI. However, inspection reports only address the opportunities associated with NRC evaluated exercises, which are a small part of the opportunities that licensees have to measure Drill/Exercise performance. Other licensee opportunities to measure performance stem from non-NRC evaluated drills, shift simulator evaluations, and actual emergency events. Data regarding those opportunities were not available for analysis to determine the DEP Threshold. However, the data extracted from NRC evaluated exercises is believed to represent a sample of typical licensee performance. In any given 24 month period, about 70 exercise inspections are performed by the NRC (68 were performed in the period 1996-1997 and 73 in the period 1994-1995), representing about 700 opportunities for classification, notification and PARs for the whole industry. On a plant-specific basis however, this corresponds to approximately 10 opportunities per 24 months. In the future, it is expected that licensees will collect and report annually 60 or more Drill/Exercise performance opportunities.

Based on the analysis of inspection findings, an emergency preparedness expert panel composed of NRC and industry representatives came to agreement on the value for the long-term threshold. The panel developed the threshold by taking the past 4 year average, diminishing it by one standard deviation, and rounding it up. The panel reached consensus with a 90% long-term threshold.

Basis for the 6-months Threshold

Like the long-term threshold (24 months), the short-term threshold (6 months) has been selected based on the inspection findings analysis. The short-term threshold is less stringent than the long-term threshold to allow licensees to correct problems and yet indicate trends. An emergency preparedness expert panel composed of NRC and industry representatives came to agreement on fixing this threshold at 75%.

Discussion of past individual plant performance against the thresholds

Analyses of individual plant performance against the 24 month threshold were performed for the period 1994-1997. Had PIs been in use in this period, they would have shown the following:

| Period | Number of Plants not Meeting the Threshold | Total Number of Plants | Percent of Plants Meeting the Threshold |
|---|---|---|---|
| 1994 | 1 (1) | 70 | 98.5% |
| 1995 | 3 (2) | 70 | 96% |
| 1996-1997 | 7 (3) | 70 | 90% |

(1) Cooper

(2) Cooper, Palo Verde, Wolf Creek

(3) Haddam Neck, Three Mile Island, Prairie Island, Quad Cities, Palo Verde, River Bend, Washington Nuclear 2

This analysis confirms the reasonableness of the value chosen for the long-term threshold.

Threshold Limitations

In 1998, the NRC identified Clinton as a plant with a large number of concerns in emergency preparedness. However, the DEP PI for Clinton for the past 4 years indicates outstanding performance. Therefore, the indicator would not have identified Clinton weaknesses. In contrast, the DEP PI for Three Mile Island appropriately shows the decline in performance that was identified in 1997 during NRC inspections.

Tests of individual plant performance against the 6 month threshold have not been performed due to the lack of sufficient plant-specific data in any 6 month interval. It is believed that sufficient data will be available in the future to validate the short-term threshold. The 6 month threshold could be validated after a year of implementation. This will also give an opportunity to revisit the 24 month threshold.

Yellow Zone Thresholds

The threshold for the yellow zone is two fold:

< 55% for the previous six months

< 70% for the previous two years

Threshold Basis

An emergency preparedness expert panel composed of NRC and industry representatives came to agreement to utilize the 55% and 70% thresholds for the yellow zone of the DEP PI. There is some basis in the statistics for the 70% value in that 3σ below the industry average is about 73%. This was rounded down due to the severity of the Yellow Zone threshold. These values will be revisited after two years of implementation.
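The DEP thresholds described above can be applied to a licensee's quarterly reports as follows. This is an added example, not part of the NRC memorandum: the `Quarter` class, the function names and the sample data are hypothetical, and it assumes that each window value is the pooled fraction of successes over opportunities and that falling below either threshold of a pair places the indicator in that zone.

```python
"""DEP performance-indicator zoning (added illustration, not NRC code)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional, Sequence, Tuple

SHORT_QUARTERS = 2   # "previous six months" of quarterly reports
LONG_QUARTERS = 8    # "previous two years" of quarterly reports
# (short-term threshold, long-term threshold) as stated on the page
WHITE = (Fraction(75, 100), Fraction(90, 100))
YELLOW = (Fraction(55, 100), Fraction(70, 100))


@dataclass(frozen=True)
class Quarter:
    """One quarterly report: successful actions over all opportunities
    (classification, notification and PAR opportunities combined)."""
    label: str
    successes: int
    opportunities: int

    def __post_init__(self):
        if not 0 <= self.successes <= self.opportunities:
            raise ValueError(f"{self.label}: successes must lie in 0..opportunities")


def pooled_fraction(quarters: Sequence[Quarter]) -> Optional[Fraction]:
    """Successes over opportunities across a window, or None when the window
    holds no opportunities (the page sets no minimum number of them)."""
    opportunities = sum(q.opportunities for q in quarters)
    if opportunities == 0:
        return None
    return Fraction(sum(q.successes for q in quarters), opportunities)


def dep_zone(history: Sequence[Quarter]) -> Tuple[str, Optional[Fraction], Optional[Fraction]]:
    """Return (zone, six_month_value, two_year_value) as of the latest quarter.

    The two-year value is computed only once eight quarters exist, following
    the page's proposal not to use the long-term threshold before 24 months
    of data have been gathered.
    """
    short = None
    long_term = None
    if len(history) >= SHORT_QUARTERS:
        short = pooled_fraction(history[-SHORT_QUARTERS:])
    if len(history) >= LONG_QUARTERS:
        long_term = pooled_fraction(history[-LONG_QUARTERS:])
    if short is None and long_term is None:
        return "insufficient data", short, long_term

    def below(pair) -> bool:
        # Assumption: either threshold of the pair is enough to enter the zone.
        return ((short is not None and short < pair[0])
                or (long_term is not None and long_term < pair[1]))

    if below(YELLOW):
        zone = "yellow"
    elif below(WHITE):
        zone = "white"
    else:
        zone = "green"
    return zone, short, long_term


# Constructed sample: eight quarters, ten opportunities each, with a
# decline in the two most recent quarters.
SAMPLE = [
    Quarter("Q1", 10, 10), Quarter("Q2", 10, 10), Quarter("Q3", 9, 10),
    Quarter("Q4", 10, 10), Quarter("Q5", 10, 10), Quarter("Q6", 9, 10),
    Quarter("Q7", 7, 10), Quarter("Q8", 7, 10),
]

if __name__ == "__main__":
    zone, short, long_term = dep_zone(SAMPLE)
    print(zone, float(short), float(long_term))
```

In the sample the two-year value sits exactly at 90% and does not trip the long-term threshold, while the six-month value of 70% does trip the short-term one, which is the kind of recent decline the short-term threshold is described as catching.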

Implementation Proposals

For the sake of first-time implementation, the long-term threshold tandem of 90/70% (green / red zone) should not be used until sufficient data have been gathered (24 months of data). In contrast, the short-term threshold tandem of 75/55% could be used after 6 months of data. If necessary for implementation, it could be assumed that in the 3 months prior to implementation, all licensees demonstrated 96% successful performance, which corresponds to the past four years average. This may not be necessary if the PI based assessment program is not implemented until sufficient data is accumulated.

Verification

There are three aspects of PI data verification critical to this PI:

The licensee self assessment program must accurately judge successful performance of classification, notification and PAR development and communication. This requires that the self assessment program be inspected to ensure veracity of data collection.

Performance opportunities should be verified to be of sufficient depth to simulate ERO activation.

The statistics of data collected from drills and other training evolutions should be verified periodically.

2.0 Emergency Response Organization Drill Participation (ERO)

This PI consists of: Percentage of ERO and operating shift crews that have participated in a drill, exercise or an actual event in the past 24 months and 36 months.

Basis:

EP programs ensure the readiness of ERO personnel, facilities and equipment to support response to emergencies and protect the public health and safety. The licensee self assessment program is critical to ensuring readiness and does so through identification and correction of deficiencies. Drills and exercises tax the ERO, EPIPs and supporting facilities and equipment, and self assessment of these events is a critical element of ensuring readiness.

The previous PI, DEP, measures the performance of segments of the ERO in risk significant activities during simulated and actual emergencies. However, the breadth and scope of the ERO activities include several important supporting areas not fully measured by DEP, such as accident assessment, dose projection, damage control, worker protection, and the ability to work as an integrated team under (simulated) emergency conditions. ERO measures opportunities that the total ERO has been given to gain proficiency as an integrated organization. It is expected that the licensee will assess these training opportunities to identify areas for improvement and that the corrective action program will ensure improvements are carried out. It is expected that these proficiency development opportunities will contribute to overall ERO readiness. In this way ERO indicates the proficiency of the ERO. ERO indirectly measures facilities and equipment readiness, training program efficacy and procedure quality because the licensee self assessment program can be expected to improve deficiencies in these areas uncovered in drills and exercises.

If a licensee consistently ensures that the ERO is proficient, it indicates that the EP program is operating at or above the threshold of licensee safety performance above which the NRC can allow licensees to address weaknesses with NRC oversight through a risk informed baseline inspection program.

\\

Requirements:

The ERO participation is intended to include the minimum positions committed to in the Plan and operating shift crews. This would include positions required for the functioning of the control room, TSC, OSC and EOF during Plan implementation. Plant workers, security personnel and others that are on shift or may be called in to support the emergency but do not fill positions on EP duty rosters or are not part of the operating shift crews, are not required to be included in this PI. However, positions that are formally on the EP duty roster, but not committed to in the Emergency Plan and others important to emergency response may be included.

Participation may be as a participant, mentor, coach, evaluator or controller (but not as an observer). Only participation in the drills, exercises and evolutions that are used to provide input to the DEP PI may be used in the statistics for this PI. Multiple assignees to a given ERO position could take credit for the same drill if their participation is a meaningful and thorough opportunity to gain proficiency in the assigned position.

Evaluated simulator evolutions that contribute to the DEP PI statistics could be considered for operation shift crew participation. However, there is no intent to disrupt ongoing operator qualification programs. Appropriate operator training evolutions should be included in the statistics only when EP aspects are consistent with training goals. If all crews have participated in more than one evaluated simulator evolution during the measurement period, it may only be counted as 100% and not more.

Data Reporting Frequency

Data would be provided every 3 months.

PI Threshold

The threshold for the white zone is two fold:

< 80% for the previous two years

< 90% for the previous three years

Threshold Basis

No past data was readily available to help set the threshold value. An emergency preparedness expert panel composed of NRC and industry representatives came to an agreement to utilize the 80% and 90% thresholds for ERO readiness. These values will be revisited after a year of implementation.

Yellow Zone Thresholds

The thresholds for the yellow zone are:

< 60% for the previous two years

< 70% for the previous three years

Threshold Basis

These thresholds were agreed upon between an NRC and industry representative emergency preparedness expert panel.

Implementation Proposals

The ERO readiness performance indicator and corresponding thresholds can be implemented immediately if the licensee has supporting data, otherwise at least two years of data would have to be collected before implementation.

Verification

Verification of the statistics used to generate the PI value is critical to this PI.

3.0 Alert and Notification System Availability (ANSA)

This PI consists of: Percent availability of Alert and Notification System

Basis:

The Alert and Notification System (ANS) is a critical link for alerting and notifying the public of the need to take protective actions. Generally, the licensee maintains the ANS and state and/or local governmental authorities are responsible for activating it when necessary. Assurance that the system has a high rate of availability increases the assurance that the licensee can protect the public health and safety during an emergency.

If an EP program consistently ensures that the ANS is in a high state of readiness it indicates that the program is operating at or above the threshold of licensee safety performance above which the NRC can allow licensees to address weaknesses with NRC oversight through a risk informed inspection program.

Requirements:

Statistical information gathered in support of system availability reports given to FEMA would form the basis of this PI. It is proposed that the following rules be applied to gathering of this data:

Failure of a siren is indicated by failure of any portion of the system that would have prevented it from performing its safety function, i.e., creating its design sound level and pattern.

The period assumed for the failure would be in accordance with FEMA direction on gathering statistics.

Periodic testing is in accordance with FEMA guidance and actually tests the ability of the siren to perform its intended safety function.

Data Reporting Frequency

Data would be provided every 3 months.

PI Threshold

The threshold for the white zone is:

< 94% for the previous year

Threshold Basis

The threshold of 94% has been determined based on an analysis of yearly sirens availability for 1995, 1996 and 1997 for approximately 20 plants. The two lowest values found were 91.1% and 95.1%, the rest of the values were all above 96%. The sirens availability average for the 20 plants was 97.9%. An emergency preparedness expert panel composed of NRC and industry representatives came to an agreement to utilize a 94% threshold for sirens availability. This value will be revisited after a year of implementation.

Yellow Zone Threshold

The threshold for the yellow zone is:

< 90% for the previous year

Threshold Basis

This threshold is based on the FEMA acceptance criteria for sirens availability. It has been agreed upon by an emergency preparedness expert panel composed of NRC and industry representatives. However, it should be noted that the FEMA acceptance criteria is based on a calendar year, while this PI is a rolling average.

Implementation Proposals

For sake of first-time implementation of the Alert and Notification System performance indicator and thresholds, it could be assumed that 6 months prior to implementation, all licensees demonstrated 97.9% of sirens availability performance, which corresponds to the calculated past four years average for the plants sampled. Alternately, the PI may not be implemented until adequate data is available.

Verification

Verification of the statistics used to generate the PI value is critical to this PI.

INSPECTION AREAS

The inspection areas discussed below are necessary to ensure the licensee EP program is operating at or above the threshold of licensee safety performance above which the NRC can allow licensees to address weaknesses with NRC oversight through a risk informed baseline inspection program. These inspection elements represent the risk significant areas that are necessary to complement the proposed PI program for an EP program operating in the green zone.

Verify the collection of PI statistics and that data gathering is in compliance with the guidelines described for PIs.

Verify by observation of drills and the biennial exercise, the capability of the licensee self assessment program to assess performance during drills, exercises, actual declared events and operator simulator evaluations and provide an accurate assessment of successes and failures during performance opportunities.

Verify that Alert and Notification System availability testing is in compliance with guidance.

Inspect licensee ERO augmentation tests.

Inspect and approve EAL changes as required by 10 CFR 50.54(q).

Review the adequacy of the self assessment and corrective action program to correct areas requiring improvement to ensure the cornerstone objective continues to be met including:

ERO proficiency in general,

ERO ability to diagnose plant accident conditions, formulate mitigating actions and implement them under accident conditions,

readiness and quality of EP equipment and facilities,

direct interface with offsite authorities during exercises and drills, e.g., in the area of PAR communication and technical support,

adequacy of communication channel testing and timely correction of communication channel deficiencies,

audits conducted under 10 CFR Part 50.54 (t)

implementation of severe accident management guidance during drills, and

adequacy of worker protection during exercises and drills.

Table 1

EMERGENCY PREPAREDNESS KEY ATTRIBUTES AND MEANS TO MEASURE

Key Attribute: ERO Performance

Area to Measure: Timely and accurate classification of events
Means to Measure: PI
Comments: Recognition and subsequent classification of events is a risk significant activity. Classification should lead to activation of the ERO as appropriate to the emergency class and notification of governmental authorities.

Area to Measure: Timely and accurate notification of offsite governmental authorities
Means to Measure: PI
Comments: Timely and accurate notification of offsite authorities is a risk significant activity. Notification should lead to mobilization of governmental authorities, as appropriate.

Area to Measure: Timely and accurate development and communication of protective action recommendations to offsite authorities
Means to Measure: PI
Comments: The timely and accurate development and communication of PARs is a risk significant activity. It requires that several supporting activities be performed in a timely manner to develop the PAR. Communication of PARs should lead to actions by governmental authorities to protect the public health and safety.

Key Attribute: ERO Readiness

Area to Measure: ERO Drill Participation
Means to Measure: PI
Comments: ERO measures opportunities that the total ERO has been given to gain proficiency as an integrated organization. It is expected that the licensee will assess these training opportunities to identify areas for improvement and that the corrective action program will ensure improvements are carried out. It is expected that these proficiency development opportunities will contribute to overall ERO readiness. In this way ERO indicates the proficiency of the ERO.

Area to Measure: Demonstration of timely augmentation of the ERO
Means to Measure: Inspection
Comments: Augmentation of on shift personnel with the ERO is critical to implementing the Plan in a timely manner during emergencies. This is a risk significant area of EP.

Area to Measure: Licensee self assessment
Means to Measure: Inspection
Comments: Self assessment of ERO performance and identification of deficiencies is critical to maintaining an adequate level of ERO performance to give reasonable assurance. Conduct of reviews required by 10 CFR 50.54 (t) and the efficacy of the corrective action program to correct identified deficiencies and identify trends in deficiencies would be inspected.

Key Attribute: Facilities and Equipment

Area to Measure: Availability of the Alert and Notification System
Means to Measure: PI
Comments: The Alert and Notification System (ANS) is a critical link for alerting and notifying the public of the need to take protective actions. Generally, the licensee maintains the ANS and state and/or local governmental authorities are responsible for activating it when necessary. Assurance that the system has a high rate of availability increases the assurance that the licensee can protect the public health and safety during an emergency.

Area to Measure: Availability of equipment and facilities
Means to Measure: Inspection
Comments: Facilities, communications channels and equipment that are critical to the functioning of the ERO during emergencies must be maintained. The licensee self assessment program will address these areas and the inspection would evaluate this self assessment.

Key Attribute: Procedure Quality

Area to Measure: Classification of events
Means to Measure: PI
Comments: EPIPs are used to classify events. The quality of the EPIPs will be reflected in the DEP PI as integral to the measured success rate.

Area to Measure: Notification of offsite governmental authorities
Means to Measure: PI
Comments: EPIPs are used to notify governmental authorities. The quality of the EPIPs will be reflected in the DEP PI as integral to the measured success rate.

Area to Measure: Development and communication of protective action recommendations to offsite authorities
Means to Measure: PI
Comments: EPIPs are used to develop and communicate PARs. The quality of the EPIPs will be reflected in the DEP PI as integral to the measured success rate.

Area to Measure: EAL changes are in accordance with 50.54 (q)
Means to Measure: Inspection
Comments: Licensees may change the EAL set, but NRC must approve the change. This inspection element will review any changes against the requirements of 50.54 (q) and approve the change as appropriate.

Area to Measure: SAMG implementation
Means to Measure: Inspection
Comments: SAMG drills are generally implemented by the ERO. Licensees will assess the effectiveness of that implementation and this inspection element will evaluate the self assessment.

Key Attribute: Offsite EP

Area to Measure: Implementation of State and local emergency plans
Means to Measure: FEMA Evaluation
Comments: State / local governmental authorities are responsible for implementing emergency plans that include protective actions to protect the public health and safety. FEMA evaluates the effectiveness of implementation.

Table 2

Performance Indicators

PI Name: Drill / Exercise Performance (DEP)
Measurement Area:
Timely and accurate classification of events
Timely and accurate notification of offsite governmental authorities
Timely and accurate development and communication of protective action recommendations to offsite authorities
Definition: Fraction, (numerator and denominator,) of successful performance events over all opportunities for:
Classification of Emergencies
Notification
Protective Action Recommendation
Threshold:
The threshold for the white zone is two fold:
75% for the previous six months
90% for the previous two years
The threshold for the yellow zone is two fold:
55% for the previous six months
70% for the previous two years

PI Name: Emergency Response Organization Drill Participation (ERO)
Measurement Area: Emergency Response Organization readiness
Definition: Percentage of ERO and operating shift crews that have participated in a drill or exercise in the past 24 and 36 months.
Threshold:
The threshold for the white zone is:
80% for the previous two years
90% for the previous three years
The threshold for the yellow zone is:
60% for the previous two years
70% for the previous three years

PI Name: Alert and Notification System Availability (ANSA)
Measurement Area: Availability of the Alert and Notification System
Definition: Percent availability of Alert and Notification System
Threshold:
The threshold for the white zone is:
94% for the previous year
The threshold for the yellow zone is:
90% for the previous year

Appendix E

Occupational Exposure Cornerstone

General Description

This cornerstone includes the attributes and the bases for adequately protecting the health and safety of workers involved with exposure to radiation from licensed and unlicensed radioactive material during routine operations at civilian nuclear reactors. The desired result is the adequate protection of worker health and safety from this exposure. The cornerstone uses as its bases the occupational dose limits specified in 10 CFR 20 Subpart C and the operating principle of maintaining worker exposure "as low as reasonably achievable (ALARA)" in accordance with 10 CFR 20.1101. These radiation protection criteria are based upon the assumptions that a linear relationship, without threshold, exists between dose and the probability of stochastic health effects (radiological risk); the severity of each type of stochastic health effect is independent of dose; and nonstochastic radiation-induced health effects can be prevented by limiting exposures below thresholds for their induction. Thus, 10 CFR Part 20 requires occupational doses to be maintained ALARA with the exposure limits defined in 10 CFR 20 Subpart C constituting the maximum allowable radiological risk. Industry experience has shown that the occurrences of uncontrolled occupational exposure which potentially could result in an individual exceeding a dose limit have been low frequency events. These potential overexposure incidents are associated with radiation fields exceeding 1000 millirem per hour (mrem/hr) and have involved the loss of one or more radiation protection controls (barriers) established to manage and control worker exposure. The probability of undesirable health effects to workers can be maintained within acceptable levels by controlling occupational exposures to radiation and radioactive materials to prevent regulatory overexposures and by implementing an aggressive and effective ALARA program to monitor, control and minimize worker dose.

Occupational Exposure Key Attributes

Those attributes which affect worker exposure at an operating facility are shown in Figure 1. These attributes affect the licensee's ability to control individual worker exposures and, furthermore, to maintain occupational exposures ALARA. The control of occupational exposure can be maintained at an acceptable level by minimizing human performance errors, implementing quality programs and processes, and assuring the proper design and use of plant equipment and instrumentation for radiation protection activities. Acceptable performance within these key attributes would result in a low frequency of significant occupational exposure events which could result in a regulatory limit being exceeded or in the ineffective implementation of ALARA program resulting in unnecessary occupational exposure.

[Figure 1: occupational exposure cornerstone key attributes]

Within each occupational exposure cornerstone attribute, specific areas for measurements either by performance indicators or by inspection activities have been identified for assessment.

Facilities, Equipment, Instrumentation

Inoperable monitoring instrumentation and inadequate source term control can result in significant unplanned exposures. For selected facility areas, e.g., Boiling Water Reactor (BWR) Transverse Incore Probe (TIP) drive room, reliable and accurate area radiation monitors (ARMs) can remotely identify transient high dose rate fields to reduce the potential for uncontrolled exposure. In addition, the use of chemical decontamination processes and the proper design and installation of shielding associated with equipment and systems having elevated source terms can be used to effectively reduce the potential for uncontrolled or unnecessary occupational exposures. The effectiveness of this key area in meeting the cornerstone objective is dependent upon acceptable radiation protection procedures for source term evaluation and reduction and for maintenance and calibration of radiation protection systems and equipment. These measurement areas are considered to be site specific and more appropriately assessed through the baseline inspection process.

Program / Processes

The technical adequacy of radiation protection procedures and proper implementation of program processes contribute to the control and minimization of occupational exposures. Improper radiological surveillances have resulted in significant uncontrolled occupational exposure from direct exposure to radiation sources or from intakes of radioactive material. The establishment of administrative and physical radiation protection controls serve as additional mechanisms (barriers) preventing uncontrolled worker access to high radiation, significantly contaminated and airborne areas. The development of aggressive dose expenditure goals, combined with detailed work planning, accurate assessment of associated radiological conditions and establishment of adequate controls are necessary to implement an effective ALARA program. In particular, these planning, monitoring and control activities increase in importance during outages when interfaces between personnel and high radiation and contaminated systems increase. Within this cornerstone attribute, the PI can monitor the performance in a limited number of measurement areas with the majority of assessment requiring direct baseline inspection effort.

Human Performance

Human performance can significantly affect occupational worker exposures during work activities conducted in elevated dose rate and contaminated areas. Inadequate performance by health physics technicians (HPTs) or workers can result in a loss of the multiple radiation protection barriers established to prevent uncontrolled exposures. In addition, adherence to proper radiation protection practices is necessary to implement an effective ALARA program. A combination of PI information and inspection is proposed to properly assess this area.

Performance Indicators

A combined performance indicator (PI) is proposed to assess licensee performance in controlling worker doses during work activities associated with high radiation fields or elevated airborne radioactivity areas. The PI was selected based upon its ability to provide an objective measure of an uncontrolled measurable worker exposure or a loss of access controls for areas having radiation fields exceeding 1000 millirem per hour (mrem/hr). The data for the PI are currently being collected by most licensees in their corrective action programs. The PI either directly measures the occurrence of unanticipated and uncontrolled dose exceeding a percentage of the regulatory limits or identifies the failure of barriers established to prevent unauthorized entry into those areas having dose rates exceeding 1000 mrem/hr. The indicator may identify declining performance in procedural guidance, training, radiological monitoring, and in exposure and contamination control prior to exceeding a regulatory dose limit (Table 1). The effectiveness of the licensee's assessment and corrective action program is considered a cross-cutting issue and is addressed elsewhere. The three components of the occupational radiological occurrence (ORO) PI are defined as follows:

Occupational Radiological Occurrence

Ia. Technical Specification High Radiation Area (TS HRA) Occurrence: A single nonconformance with TS controls or comparable 10 CFR Part 20 requirements applied to high-radiation areas (HRAs) with dose rates greater than or equal to (≥) 1000 millirem per hour (mrem/hr). Where licensee TSs do not address controls for HRAs ≥1000 mrem/hr, nonconformance with comparable provisions in licensee procedures will define an occurrence.

Ib. Very High Radiation Area (VHRA) Occurrence: A single nonconformance with 10 CFR Part 20 and/or licensee procedural requirements regarding radiation protection controls, i.e., postings, area surveys, personnel monitoring, administrative controls and physical barriers associated with VHRAs, areas having radiation fields ≥ 500 rad/hr at one meter.

Ic. Uncontrolled Exposure Occurrence: A single occurrence resulting in one or more uncontrolled occupational exposures equal to or exceeding (≥) 10 percent (%) of the 10 CFR Part 20 non-stochastic and/or 2% of the stochastic limits specified in 10 CFR Part 20. For minors and declared pregnant women, an uncontrolled exposure occurrence will be defined as doses >20% of the stochastic limits detailed in 10 CFR 20.1207 and 10 CFR 20.1208. For skin exposure from "hot particles," an occurrence will be defined as exposures ≥100% of the current established limit.

Calculational Method: Rolling sum of PI components Ia through Ic based on either the previous 36 month (long-term) or previous 12 month (short term) interval. Data to be collected quarterly (every three months).

Thresholds

Increased Regulatory Oversight (Green-White): Six or more occupational radiological occurrences, summation of Ia through Ic, within a rolling three-year interval or three or more occurrences within a rolling twelve-month interval.

The preliminary short and long-term thresholds are based on a review and analysis of quarterly occupational radiological occurrence data provided by 28 licensee sites for the period January 1996 through September 1998 (i.e., 11 quarters or 2.75 years). From analysis of the data provided, a long-term average of approximately 1.3 occurrences per site within the three-year interval was calculated. Based on the mean and the associated standard deviation, approximately 95 percent of the sites were expected to have five OROs within a three year interval. An expert panel composed of NRC and industry representatives agreed to utilize six or more occurrences within a three year interval for the preliminary long-term threshold. The short-term threshold was established at 50 percent of the long-term threshold, i.e., three (3) or more occurrences within a year.

Sites exceeding either the long or short-term PI thresholds were compared against those sites with performance in occupational radiation protection activities identified by NRC regional staff as not meeting or declining from industry standards. For the 12 identified sites, data were not available for five sites, three sites exceeded either the short or long-term thresholds, two sites trended above the long-term average of 1.3 OROs per three-year interval, and two sites did not exceed the threshold and were not above the average ORO three-year average. Although, two sites not identified by the NRC staff as not meeting or having declining performance exceeded the PI thresholds; the identified OROs transpired early in the three-year interval and prior to the current SALP cycle. Excluding one site, all the facilities exceeding the preliminary thresholds were rated as SALP Category 2 or 3 in the plant support area. For the one plant support SALP Category 1 site which exceeded the threshold, the identified occupational radiological occurrences were prior to the current SALP cycle. None of the other sites ranked by NRC staff as meeting the industry norm or as a SALP Category 1 in plant support exceeded the preliminary threshold data. The alignment of NRC staff and plant support SALP ratings with the performance indicator thresholds advances their initial use in assessing licensee performance.

Additional data are being collected to enhance the analysis and verification of the ORO performance indicator.

(White - Yellow) Twelve or more occupational radiological occurrences, summation of Ia through Ic, within a rolling three-year interval or six or more OROs within a rolling twelve-month interval.

An occupation exposure expert panel agreed to establish a preliminary threshold for the white-yellow zone as double both the short- and long-term threshold criteria. As expected, no sites which provided the initial ORO data exceeded the established threshold. These values will be reviewed subsequent to accumulation of additional data and a year of program implementation.

Inspection Areas

The purpose of the PI is to allow the inference to be made that, if the PI is below the threshold, then performance within that key attribute is appropriately monitored and controlled by the licensee. From an analysis of the industry experience, the proposed PI alone will not reflect licensee performance within each of the key attributes. Licensee performance in radiologically risk-important areas not covered by the PI will be assessed through a baseline inspection program. Table 2 details areas where PI and inspection are required for proper assessment of the cornerstone.

Facilities, Equipment, Instrumentation

Licensee performance associated with the identified measurement areas in this key attribute are site specific and should be evaluated as a component of baseline inspections. For example, area radiation monitors used to identify potentially significant transient high dose rate areas vary among licensee sites, and the availability and operability of those monitors should be assessed through baseline inspection. Source reduction methods, e.g., shut-down chemistry and the use of shielding to reduce potential high dose fields during outage operations, are also site specific and should be reviewed as part of the base-line inspection activities.

Program / Processes

The proposed PI is expected to measure licensee performance only in controlling areas with dose rates exceeding 1000 mrem/hr or where a significant uncontrolled dose to an individual results from either external radiation sources or from internally deposited radioactive material.

Assessment of source term monitoring and reduction are site specific and highly dependent upon previous operational history, current work scope, and worker experience. Assessment of the ALARA activities will require direct inspection to evaluate licensee performance by comparing established goals to actual dose expenditures, with the established goals benchmarked to previous performance by the licensee.

Human Performance

The PI may not identify all instances of degraded performance in this area. For example, a recent failure of a health physics technician to assess radiological conditions and implement proper radiation protection controls for workers resulted from an improper evaluation of an alarm from a worker's electronic dosimeter. Direct inspection was necessary to determine the root cause of the degraded performance. Baseline inspection will assess the proficiency of health physics technicians in covering high dose rate (but less than 1000 mrem/hr) and high collective dose tasks and the proficiency of workers involved in such tasks.

TABLE 1: OCCUPATIONAL EXPOSURE PERFORMANCE INDICATORS

PI: Uncontrolled Exposure Occurrence ≥100 mrem
Measurement Area: Procedures; Exposure and contamination monitoring and control; Training
Definition: A single occurrence resulting in one or more uncontrolled occupational exposures in excess of 10% of the non-stochastic and/or 2% of the stochastic limits specified in 10 CFR Part 20 (see note).

or

PI: Technical Specification High Radiation Area (TS HRA) Nonconformance
Measurement Area: Procedures; Exposure and contamination monitoring and control; Training
Definition: A single TS or 10 CFR Part 20 nonconformance for HRAs with dose rates ≥ 1000 mrem/hr. Where licensee TSs do not address HRA controls, procedural nonconformance will define the PI.

or

PI: Very High Radiation Area (VHRA) Nonconformance
Measurement Area: Procedures; Exposure and contamination monitoring and control; Training
Definition: A single nonconformance with 10 CFR Part 20 and/or licensee procedural requirements regarding VHRA controls.

Thresholds:
(Green - White) Increased Regulatory Oversight: Six or more occupational radiological occurrences within a rolling three-year interval or three or more occurrences within a rolling twelve-month interval.
(White - Yellow) Twelve or more occupational radiological occurrences within a rolling three-year interval or six or more occurrences within a rolling twelve-month interval.
White-Red: None Proposed

Note: For minors and declared pregnant women, an uncontrolled exposure occurrence will be defined as doses equal to or exceeding (≥) 20% of the stochastic limits detailed in 10 CFR 20.1207 and 10 CFR 20.1208. For skin exposure from "hot particles," an occurrence will be defined as doses ≥100% of the current established limit.


TABLE 2: OCCUPATIONAL EXPOSURE KEY ATTRIBUTES AND MEANS TO MEASURE

Key Attribute: Plant Facilities / Equipment / Instrumentation
Area to Measure: Source Term Monitoring
Means to Measure: Baseline Inspection
Comments: Review licensee programs for identifying and properly monitoring source terms resulting in high radiation areas (HRAs). For transient high dose rate areas, e.g., resin transfer operations, incore drive manipulation, and primary coolant leakage, verify operability of select area radiation monitors (ARMs). Source term monitoring would be site specific and would be assessed by baseline inspection.

Area to Measure: Source Term Reduction
Means to Measure: Baseline Inspection
Comments: Review licensee programs for source term control. Include plant modifications, shielding, and chemical decontamination activities. Program activities are site specific and would be assessed by baseline inspection.

Area to Measure: Procedures
Means to Measure: Performance Indicator (PI); Baseline Inspection
Comments: Review licensee procedures for identifying and reducing elevated radiation field source terms. Evaluate the adequacy of procedures for maintaining and calibrating area radiation monitors.

Key Attribute: Program / Process
Area to Measure: Guidance / Procedures
Means to Measure: PI; Baseline Inspection
Comments: The PI assesses performance in HRAs with dose rates > 1000 mrem per hour (mrem/hr) and in VHRAs. For HRAs between 100 - 1000 mrem/hr baseline inspection would assess performance.

Area to Measure: Exposure & Contamination Monitoring / Control
Means to Measure: PI; Baseline Inspection
Comments: The PI assesses performance in HRAs ≥ 1000 mrem/hr and VHRAs. For HRAs between 100 - 1000 mrem/hr baseline inspection would assess performance.

Area to Measure: ALARA Planning
Means to Measure: Baseline Inspection
Comments: Inspection of ALARA program performance is site specific and will be assessed through baseline inspection. Assessment should be benchmarked against previous history.

Key Attribute: Human Performance
Area to Measure: HPT Qualifications & Performance
Means to Measure: Inspection & PI
Comments: Baseline inspection to assess proficiency of HPTs covering high dose rate and high collective dose tasks. The PI may indicate degraded performance in HRAs ≥ 1000 mrem/hr and VHRAs.

Area to Measure: Radiation Worker Training / Performance
Means to Measure: Inspection & PI
Comments: Baseline inspection to evaluate proficiency of workers involved in high dose rate and high collective dose tasks. The PI may assess degraded performance in HRAs > 1000 mrem/hr and VHRAs.


Appendix F

Public Exposure Cornerstone

General Description

This cornerstone includes the attributes and the bases for adequately protecting public health and safety from exposure to radioactive material released into the public domain as a result of routine civilian nuclear reactor operations. The desired result is the adequate protection of public health and safety from this exposure. These releases include routine gaseous and liquid radioactive effluent discharges, the inadvertent release of solid contaminated materials, and the offsite transport of radioactive materials and wastes. The cornerstone uses as its bases the dose limits for individual members of the public specified in 10 CFR 20, Subpart D; design objectives detailed in Appendix I to 10 CFR Part 50, which defines what doses to members of the public from effluent releases are "as low as reasonably achievable" (ALARA); and the exposure and contamination limits for transportation activities detailed in 10 CFR Part 71 and associated Department of Transportation (DOT) regulations. These radiation protection standards require doses to the public be maintained ALARA with the regulatory limits constituting the maximum allowable radiological risk based on the linear relationship between dose received and the probability of adverse health effects.

Public Exposure Key Attributes

Licensee performance attributes that affect public exposure resulting from routine operations at a licensed facility are shown in Figure 1. The attributes affect a licensee's ability to accurately monitor and effectively control doses to members of the public from either direct exposure or release of radioactive materials into the public domain. Licensees can control and accurately measure or estimate doses to members of the public by sustaining acceptable human performance; ensuring the quality of established programs and processes; and optimizing reliability and accuracy of radioactive effluent processing and monitoring equipment.

Acceptable performance within these key areas is part of a defense-in-depth strategy corroborating that doses to members of the public from routine civilian nuclear reactor operations are within established limits and are maintained ALARA. The performance indicator (PI) selected for this cornerstone assesses the licensee's ability to effectively control and minimize, and accurately monitor, radiation exposure to members of the public from routine operations.

Within each attribute of the public exposure cornerstone, both performance indicator information and baseline inspection are required to assess licensee performance.


[Figure 1: key attributes of the public exposure cornerstone]

Facilities, Equipment and Instrumentation

Improper installation or modification, inaccurate calibration and reduced availability of meteorological systems, process radiation monitoring system (RMS) detectors and sampling systems, and associated counting room equipment adversely affect licensee performance in achieving and demonstrating compliance with effluent regulatory limits and design objectives.

Similar issues affect the effectiveness of the radiological environmental monitoring program (REMP) equipment. The performance of radioactive waste (radwaste) processing, effluent sampling and monitoring equipment and instrumentation can be assessed, in part, by projected and measured offsite doses, and by RMS operability and availability. For transportation activities, shipping packages not prepared in accordance with their applicable design requirements, e.g., with the appropriate Certificate of Compliance (CoC) specifications for Type B shipments, increase the potential for unexpected exposure or loss of radioactive material which could result in uncontrolled and unnecessary exposures to members of the general public.

The unconditional release of materials from protected areas requires the use of sensitive radiation survey equipment properly set up and calibrated to demonstrate the absence of significant contamination which could result in unnecessary dose to members of the public. Technically adequate procedures must be available for the meteorological and radiation systems design, modification, and calibration, for transport package preparation, and for counting room instrumentation setup and calibration.

Program / Process

Procedures must be technically adequate and implemented appropriately to conduct proper radiological effluent processing, and effective control and accurate monitoring of subsequent liquid and gaseous releases. Adequate procedures for routine system operation are required to ensure acceptable performance of meteorological instrumentation, radwaste processing, and process RMS equipment. For transportation activities, procedural guidance is necessary for proper evaluation of radwaste and material radionuclide quantities and types, for the subsequent selection and preparation of shipping packages and for conducting surveys to ensure that package radiological doses and contamination levels are within regulatory limits. The performance of radiological surveys for the unconditional release of potentially contaminated materials from licensee protected areas requires appropriate policy and technical guidance for handling and processing a wide variety of potentially contaminated materials. The PI will allow assessment, in part, of procedures and guidance for radwaste processing, effluent RMS operation, and for the survey and release of potentially contaminated materials outside of licensee's protected areas.

Human Performance

Human performance can directly affect radwaste processing, effluent monitoring, and transportation activities. Human errors have contributed to incorrect release of radwaste tanks, inaccurate determination of RMS set points, and to abnormal and unmonitored effluent releases to the surrounding environs. In addition, health physics technician errors in conducting radiation surveys have contributed to shipping container dose rates or contamination levels exceeding regulatory limits or to the improper unconditional release of contaminated solid materials into the public domain. The identified PI will be combined with baseline inspection activities to assess human performance.

Performance Indicators

One PI for the radioactive effluent release program has been initially developed to monitor for inaccurate or increasing projected offsite doses (Table 1). The effluent radiological occurrence (ERO) PI does not evaluate performance of the radiological environmental monitoring program (REMP) which will be assessed through the routine baseline inspection. For transportation activities, the infrequent occurrences of elevated radiation or contamination limits in the public domain from this measurement area precluded identification of a corresponding indicator. A second PI has been proposed for future use to monitor the inadvertent release of potentially contaminated materials which could result in a measurable dose to a member of the public. These indicators will provide partial assessments of licensee radioactive effluent monitoring and offsite material release activities and were selected to identify decreasing performance prior to exceeding public regulatory dose limits.

Public Radiation Exposure Performance Indicators

1. Process Effluent Radiological Occurrences: Nonconformance with Radiological Effluent Technical Specifications (RETS) pursuant to radiological effluent releases; and excluding abnormal releases and out of service monitors, radioactive effluent release attributes reportable to the NRC in accordance with 10 CFR Part 20, Appendix I to 10 CFR Part 50, and Offsite Dose Calculation Manual (ODCM). For licensees having RETS removed from the Technical Specifications, nonconformance with comparable ODCM provisions.

Calculational Method: Rolling sum of process effluent radiological occurrences (EROs) based on either the previous 36 month (long-term) or previous 12 month (short-term) interval. Data are to be collected quarterly (every three months).

Thresholds:

(Green-White Threshold) Increased Regulatory Oversight: Seven or more EROs within a rolling three-year interval or four or more EROs within a rolling twelve-month interval.

The preliminary short- and long-term thresholds were based on a review and graphical analysis of Licensee Event Report (LER) data associated with process RMS activities provided by all sites for the period from January 1995 through December 1997, i.e. three years. Based on a graphical plot of the plant LER frequency data, approximately five percent of the sites had seven or more LERs during the period reviewed. An expert panel composed of NRC and industry representatives agreed to utilize seven or more occurrences within a three-year interval for the preliminary long-term threshold. The short-term threshold was proposed as four or more occurrences within a rolling 12 month interval.

Sites exceeding either the short- or long-term PI threshold were compared against those sites with performance in effluent measurements activities identified by NRC regional staff as not meeting or declining from industry standards. Of 12 sites identified by regional staff as performing below industry standards, four facilities exceeded either the short- or long-term ERO PI thresholds. From subsequent review and discussion of the effluent monitoring LERs, the expert panel verified that not all events reportable to the NRC in accordance with the ODCM or RETS were included in the data submitted for benchmarking. Following receipt of additional reportable data from semiannual effluent reports these threshold values will be reviewed further.

(White - Yellow Threshold) Fourteen or more EROs within a rolling three-year interval or eight or more occurrences within a rolling twelve-month interval.

A public exposure expert panel agreed to establish a preliminary threshold for the white-yellow zone as double both the short- and long-term threshold criteria. As expected, no sites which provided the initial ERO data exceeded the established threshold. These values will be reviewed subsequent to accumulation of additional data and a year of program implementation.
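The rolling-sum calculation and the green-white and white-yellow ERO thresholds described above can be worked through as follows. This is an added example, not part of the NRC document; the quarterly counts are constructed, and treating the 36-month and 12-month intervals as the last 12 and 4 quarterly reports (with partial sums until a full window of history exists) is an assumption.

```python
from collections import deque
from dataclasses import dataclass

# Data are collected quarterly, so the rolling intervals are expressed in
# quarters (assumption: windows are aligned to quarterly reports).
LONG_QUARTERS = 12   # previous 36 months (long-term interval)
SHORT_QUARTERS = 4   # previous 12 months (short-term interval)


@dataclass(frozen=True)
class Threshold:
    band: str        # band entered when either count is met or exceeded
    long_term: int   # EROs within the rolling three-year interval
    short_term: int  # EROs within the rolling twelve-month interval


# Ordered most severe first. The document proposes no yellow-red threshold,
# so "yellow" is the highest band this indicator can report.
THRESHOLDS = (
    Threshold("yellow", long_term=14, short_term=8),
    Threshold("white", long_term=7, short_term=4),
)


def classify(long_sum, short_sum):
    """Return the band for one pair of rolling sums."""
    for t in THRESHOLDS:
        if long_sum >= t.long_term or short_sum >= t.short_term:
            return t.band
    return "green"


def rolling_ero_bands(quarterly_counts):
    """Evaluate the ERO PI after each quarterly report.

    quarterly_counts: iterable of (quarter_label, ero_count) in time order.
    Returns a list of (quarter_label, short_sum, long_sum, band).
    """
    window = deque(maxlen=LONG_QUARTERS)  # oldest quarter drops off automatically
    results = []
    for label, count in quarterly_counts:
        if count < 0:
            raise ValueError(f"negative ERO count for {label}")
        window.append(count)
        long_sum = sum(window)
        short_sum = sum(list(window)[-SHORT_QUARTERS:])
        results.append((label, short_sum, long_sum, classify(long_sum, short_sum)))
    return results


# Constructed sample data for a single hypothetical site.
SAMPLE_QUARTERLY_EROS = [
    ("1995Q1", 0), ("1995Q2", 1), ("1995Q3", 0), ("1995Q4", 1),
    ("1996Q1", 0), ("1996Q2", 0), ("1996Q3", 2), ("1996Q4", 1),
    ("1997Q1", 1), ("1997Q2", 2), ("1997Q3", 0), ("1997Q4", 0),
    ("1998Q1", 0), ("1998Q2", 0), ("1998Q3", 0), ("1998Q4", 3),
]

if __name__ == "__main__":
    for label, short_sum, long_sum, band in rolling_ero_bands(SAMPLE_QUARTERLY_EROS):
        print(f"{label}: 12-month={short_sum:2d}  36-month={long_sum:2d}  {band}")
```

In the sample, the site first crosses into white on the short-term count (four EROs in 1997Q1) and then stays white through 1998 on the long-term count alone, even after the twelve-month sum has fallen to zero.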

(Yellow - Red Threshold) None Proposed

2. Unauthorized Radioactive Material Release: Release of radioactive material(s) from licensee control which could reasonably result in public exposure in excess of 1 millirem per year (mrem/yr) total effective dose equivalent (TEDE).

This PI is proposed for future use to assess licensee performance in effectively monitoring and preventing measurable dose to members of the public from the unconditional release of solid materials from the licensee protected area. The PI will be implemented subsequent to development of dose assessment methodology.

Calculational Method: To Be Determined (TBD)

Thresholds: TBD

Inspection Areas

For cornerstone measurement areas assuring and maintaining a defense-in-depth strategy regarding public health and safety which are not amenable to monitoring by the proposed PI, performance will be assessed through baseline inspection. For example, improper process RMS equipment designs and calibrations may not be identified by the currently proposed PI and would be reviewed as part of baseline inspection. For transportation and REMP activities, assessments will be conducted through the baseline inspection program. Cornerstone attribute measurement areas and their relationship to assessment by baseline inspection or PI are detailed in Table 2.

All inspections are to be risk-informed or based on assessments of systems or processes necessary to maintain a defense-in-depth strategy regarding unexpected or unnecessary radiation levels or radioactive contamination within the public domain.

Facilities, Equipment and Instrumentation

The PI monitors performance in processing and monitoring radioactive effluents discharged into unrestricted areas. However, the proposed PI can only monitor acceptable performance assuming the systems and equipment (meteorological and RMS detectors and samplers) used in the radioactive effluent release and offsite dose assessments are installed, maintained and calibrated accurately, and the associated programs are implemented effectively. Baseline inspections are necessary to determine the adequacy of design modifications and calibrations of radioactive waste processing equipment and effluent monitoring instrumentation.

For transportation and REMP measurement areas, performance will be assessed through baseline inspection. In the transportation area, packaging for Type B radwaste or radioactive material shipments in accordance with the applicable certificate of compliance should be verified. For the REMP measurement area, inspection will include verification of sampling equipment location and operability.

Program / Process

The effectiveness of the radioactive waste processing and effluent monitoring, and transportation activities is dependent on the technical adequacy and proper implementation of procedures. Inadequate procedures have resulted in improper effluent release setpoints and/or incorrect determination of effluent radionuclide concentrations. Within the transportation area, the determination of radionuclide types and quantities is dependent on technically adequate site specific procedures. Also, monitoring for the unconditional release of potentially contaminated materials from the protected area is dependent on consistent policy and technically adequate procedures. The PI does not evaluate situations where monitors were out-of-service or evaluation of abnormal releases. Inspection activities should verify acceptability of licensee action for these situations. Inspection should verify completion of QC sample analyses and acceptability of results for effluent measurements. In addition, inspection should verify the licensee program and methods for identifying radionuclides and quantities in shipments and for preparing marking, labeling and placarding for all packaging.

Human Performance

Human errors can significantly affect performance within the public exposure cornerstone. Inadequate performance of radiological surveys has contributed to instances of the unintentional release of licensed radioactive material or to transportation package dose and contamination levels exceeding regulatory limits. Human performance errors also have resulted in the release of radioactive waste from incorrect waste tanks, missed compensatory samples for out-of-service monitors and improperly calibrated detectors. These measurement areas will be assessed through baseline inspection to verify completion of applicable Hazardous Material Training requirements for all personnel involved in processing and loading packages of radioactive materials for transportation. Baseline inspection will also verify qualifications, training, and proficiency of health physics and chemistry technicians and radwaste operations staff involved in effluent processing.


TABLE 1: PUBLIC EXPOSURE PERFORMANCE INDICATOR

PI: Process Effluent Radiological Occurrence
Measurement Area: Offsite Dose; Process Radiation Monitor
Definition: Nonconformance with Radiological Effluent Technical Specifications (RETS) pursuant to radiological effluent releases; and excluding abnormal releases and out of service monitors, radioactive effluent release attributes reportable to the NRC in accordance with 10 CFR Part 20, Appendix I to 10 CFR Part 50, and Offsite Dose Calculation Manual (ODCM). For licensees having RETS removed from the Technical Specifications, nonconformance with comparable ODCM provisions.
Thresholds:
(Green-White Threshold) Increased Regulatory Oversight: Seven or more effluent radiological occurrences (EROs) within a rolling three-year interval or four or more occurrences within a rolling twelve-month interval.
(White - Yellow Threshold) Fourteen or more EROs within a rolling three-year interval or eight or more occurrences within a rolling twelve-month interval.
(Yellow-Red Threshold) None

PI: Unauthorized Radioactive Material Release Occurrence (Proposed - To Be Developed)
Measurement Area: Radioactive Exposure / Material Controls
Definition: Unauthorized release of radioactive material from the protected area which could reasonably result in a member of the public exceeding 1 mrem/yr TEDE
Thresholds: (TBD)

TABLE 2: PUBLIC EXPOSURE KEY ATTRIBUTES AND MEANS TO MEASURE

Key Attribute: Plant Facilities, Equipment & Instrumentation
Areas to Measure: Process Radiation Monitoring System (RMS); Radiological Environmental Monitoring Program (REMP); Configuration Controls: Design & Installation
Means to Measure: Baseline (BL) Inspection; Performance Indicator (PI)
Comments: The PI monitors performance in processing and monitoring radioactive effluents discharged into unrestricted areas. Regulatory Guide 1.109 defines those significant release pathways to be monitored. The proposed PI monitors acceptable performance assuming correct system installation or modifications. Baseline inspection to be conducted on modifications of radioactive waste processing equipment and effluent monitoring instrumentation.

Areas to Measure: RMS and Counting Room Detector Calibrations
Means to Measure: Baseline Inspection
Comments: Baseline inspection to be conducted of calibration of process RMS detectors and counting room laboratory instrumentation associated with effluent monitoring activities.

Areas to Measure: Meteorological Monitoring
Means to Measure: Baseline Inspection
Comments: Baseline inspection verifies operability of meteorological instrumentation.

Areas to Measure: Transportation Packaging Configuration
Means to Measure: Baseline Inspection
Comments: Site specific review of transportation activities required. Inspection to verify proper packaging for representative shipments. For Type B Shipments, verify implementation of Certificate of Compliance requirements.

Areas to Measure: Procedures
Means to Measure: PI; Baseline Inspection
Comments: Review licensee procedures for maintaining, modifying, and calibrating meteorological and RMS equipment. Evaluate procedures for setup and evaluation of counting room equipment and for preparation of transport packages.

Key Attribute: Program / Process
Areas to Measure: Projected Dose
Means to Measure: PI
Comments: Verifies that radwaste processing and subsequent releases meet regulatory limits and are ALARA.

Areas to Measure: Radwaste Processing, Effluent Monitor Operations
Means to Measure: PI; Baseline Inspection
Comments: For normal operations, PI establishes that releases are acceptable. The PI does not evaluate situations where monitors were out of service or evaluation of abnormal releases. Inspection activities should verify acceptability of licensee action for these situations.

Areas to Measure: Radioactive Material Control: Inadvertent Release
Means to Measure: PI
Comments: The PI assesses licensee ability to monitor and control releases of radioactive material and contamination which could result in a measurable dose to a member of the public.

Areas to Measure: Effluent Measurement Quality Control
Means to Measure: Baseline Inspection
Comments: Inspection verifies completion of QC sample analyses and acceptability of results for effluent measurements.

Areas to Measure: Transportation: DOT requirements
Means to Measure: Baseline Inspection
Comments: Verify licensee program and methods for identifying radionuclides and quantities in shipments and for preparing marking, labeling and placarding for all packaging.

Key Attribute: Human Performance
Areas to Measure: Technician / Operations Qualifications
Means to Measure: Baseline Inspection
Comments: Verify qualifications and training of health physics or chemistry technicians involved in effluent processing. Verify training of radwaste operations staff. Effluent release occurrence PI may indicate degraded performance in this measurement area.

Areas to Measure: HazMat Training
Means to Measure: Baseline Inspection
Comments: Verify completion of applicable Hazardous Material Training requirements for all personnel, i.e., HP, Chem, Operations and Maintenance, involved in processing and loading packages of radioactive materials for transportation.

Areas to Measure: Proficiency
Means to Measure: Baseline Inspection
Comments: Observe HP, Chem and Operations staff proficiency in conducting radioactive processing and release activities.

Appendix G

Physical Security Cornerstone

General Description

This cornerstone addresses the attributes and establishes the basis to provide assurance that the physical protection system can protect against the design basis threat of radiological sabotage as defined in 10 CFR 73.1(a). The key attributes in this cornerstone are based on the defense-in-depth concept and are intended to provide protection against both external and internal threats.

To date, there have been no attempted assaults with the intent to commit radiological sabotage and, although there has been no PRA work done in the area of safeguards, it is assumed that there exists a small probability of an attempt to commit radiological sabotage. Although radiological sabotage is assumed to be a small probability, it is also assumed to be risk significant since a successful sabotage attempt could result in initiating an event with the potential for disabling of the safety systems necessary to mitigate the consequences of the event with substantial consequence to public health and safety. An effective security program decreases the risk to public health and safety associated with an attempt to commit radiological sabotage.

Statement of Objective

To protect against the design basis threat of radiological sabotage

Desired Result / Performance Expectation

Provide high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety. The physical protection program shall be designed to protect against the design basis threat of radiological sabotage.

I. Physical Security Key Attributes

The attributes that provide protection against the threat of radiological sabotage are shown in Figure 1. Those attributes provide the licensees the ability to provide defense in depth against both an external and an internal threat. Acceptable performance in the areas to be measured in the key attributes will provide assurance of the licensees' ability to protect against the threat of radiological sabotage.

Within each key attribute of the physical security cornerstone, specific areas for measurement either by performance indicators or by inspection activities have been identified for assessment.


[Figure 1: physical security key attributes]

A. Physical Protection System

Within this key attribute, the areas to measure are barriers (protected and vital areas), Intrusion Detection System, and Alarm Assessment System. Operability of this system is necessary to detect and assess safeguards events and to provide the first line of defense in the defense-in-depth concept for protection against radiological sabotage. In the event of a malevolent act, the intrusion detection system identifies the existence of the threat, the barriers provide a delay to the person(s) posing the threat and the alarm assessment system is used to determine the scope of the threat. Data for the Physical Protection System are used to evaluate the scope of, and to initiate a response to, the threat. Within this cornerstone attribute, PIs will be used to monitor the capability and availability of these systems to perform their intended function.

B. Access Authorization System

Within this key attribute, the areas to measure are the Personnel Screening process, the Fitness-for-Duty (FFD) program, and the Behavior Observation program. The personnel screening process is the process used to verify the trustworthiness of personnel prior to granting unescorted access to the protected area. The process includes psychological testing, a criminal history check, a background check, and reference checks with previous employers. The FFD program includes pre-employment, random, and for-cause testing for alcohol and illicit drugs. The Behavioral Observation program is conducted by supervisors and management personnel and is designed to detect behavior changes which, if left unattended, could lead to acts detrimental to the public health and safety. Within this area, data currently collected can be used for PIs to monitor the effectiveness of the implementation of the programs.

C. Access Control

Within this key attribute, the areas to measure are the effectiveness of the search function (personnel, package, and vehicle) and the Identification and Authorization process. The search function is to prevent the introduction of contraband (firearms, explosives, incendiary devices) that could be used to attempt to commit radiological sabotage. The search function also screens for prohibited articles, such as alcohol and illegal drugs. The Identification and Authorization process is to assure that, once personnel have been screened to verify their trustworthiness, those persons have a need for access and to confirm that only those persons who have been screened and have a need are granted access to the plant. During discussions between NEI, industry, and the NRC, it was concluded that meaningful tracking data on the performance of those processes was not practical since much of the performance is dependent on the quality of the implementation of the tasks. Assessment in this area will be through the baseline inspection process.

D. Response to Contingency Events

Within this key attribute, the areas to measure are the Protective Strategy and the implementation of the Protective Strategy. The protective strategy includes pre-identified target sets of vital safety equipment that must be protected to assure safe shutdown of the plant, and a plan to get properly trained response personnel with the appropriate armament in place within pre-determined time lines in order to protect the plant against the design basis threat. The implementation of the protective strategy includes demonstrating that the strategy works and can successfully protect against the design basis threat through drills and exercises. Licensees conduct drills/exercises periodically but may not do so on a periodicity that provides a minimum number of valid data points during the course of the year that are considered necessary for a PI. Until there is a consistent approach that would provide these data points, assessment in this area will be through the baseline inspection process.

II. Performance Indicators

The following PIs are proposed to assess licensee performance in the Physical Protection and Access Authorization Systems. The PIs were selected based on their ability to provide objective measures of performance.

A. Physical Protection System The performance for this system will be measured by the percent of the time all components (barriers, alarms and assessment aids) in the systems are available and capable of performing their intended function. When systems are not available and capable ofperforming their intended function, compensatory measures must be implemented. Compensatory measures are considered acceptable pending equipment being retumed to service, but historically have been found to degrade over time. The degradation ofcompensatory measures over time, along with the additional costs associated with implementation of compensMory measures provides the incentive for timely maintenance /I&C support to retum equipment to service. The percent of time equipment is available and capable of performing its intended function will provide data on the effectiveness of the maintenance process and also provide a method ofmonitoring equipment degradation as a result of ageing that could adversely impact on reliability. The reporting of equipment percent availability will be accompanied by the reporting ofcompensatory hours for equipment out of service due to equipment failure, the compensatory hours expended for equipment out of service due to extreme environmental conditions (severe storms, heavy fog, heavy snowfall, sun glare that renders the assessment system temporally inoperative, etc.) and for planned maintenance and modifications. The extreme environmental and planned maintenance and modifications compensatory hours will not be considered as equipment unavailability as part of the PI but are part of the total compensatory hours and will provide information on events that are contributing to equipment unavailability.

The tracking of equipment availability will provide an indication of the effectiveness of maintenance of the systems. Compensatory hours expended are currently tracked by the licensees, however they are not in all cases sorted by the categories proposed to be reported.

Reporting this data should result in minimal additional burden. The data in this area will be reported as two PIs, one as the percent availability for the protected area system and one for the vital area system.

The thresholds for an acceptable percent availability for the systems have been developed based on the professional judgment of the NRC, NEI, and industry peer working group on what is the appropriate level of performance. Industry historical data was collected in an attempt to benchmark the thresholds. However, because of the lack of consistency in past data collection and categorization processes, obtaining a valid basis for the thresholds was not possible. The collegial decision on the thresholds by the industry group will be subject to review after data has been gathered for a period of time and some history is established. The thresholds that are proposed are: 95-100% availability will be in the green band, 85-94% will be in the white band, and below 85% will be in the yellow band. The thresholds should be reviewed after a 2 year period to evaluate their validity and make adjustments if necessary.

B. Access Authorization System

The performance indicator for this system will be the number of reportable events that reflect program degradations. This data is currently available and there are regulatory requirements to report significant events in the areas of Personnel Screening and FFD. The Behavior Observation significant events are captured in the FFD reporting requirements.

The thresholds for determining acceptable implementation of these programs were developed based on the professional judgement of the NRC, NEI, and industry peer working group. An attempt was made to benchmark the thresholds to validate the collegial decisions of the peer group. The benchmarking data generally confirmed the perception that overall these programs were working as intended and did identify several programs with known weaknesses. However, because of a lack of consistency in the criteria used for reporting the data, complete confidence in the benchmarking process was not possible. Standardization of the data reporting will be addressed during the V&V process. There will be 2 PIs for this area, one for access control and one for FFD. The thresholds that are proposed are: 0-2 reportable events per year in either area will put the area in the green band, 3-5 reportable events per year will put the area in the white band, and 6 or more per year will be in the yellow band. The thresholds should be reviewed after a 2 year period to evaluate their validity and to make adjustments if necessary.
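The two physical security PIs described above (system availability and reportable access authorization events) can be computed as in the following added example, which is not part of the NRC document. The record layout, category names and sample outages are constructed, and the formula is an assumption: availability is taken as 100 x (1 - equipment-failure outage time / period time), with overlapping failure outages counted once.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Cause categories named in the text. Only equipment failure counts against the PI;
# environmental and planned hours are reported but excluded from unavailability.
CATEGORIES = ("equipment_failure", "environmental", "planned")
COUNTS_AGAINST_PI = {"equipment_failure"}


def _hours(start, end):
    return (end - start).total_seconds() / 3600.0


def merged_hours(intervals):
    """Length in hours of the union of (start, end) intervals, so that two
    components failed at the same time are not double counted."""
    total, cur_s, cur_e = 0.0, None, None
    for s, e in sorted(intervals):
        if cur_e is None or s > cur_e:
            if cur_e is not None:
                total += _hours(cur_s, cur_e)
            cur_s, cur_e = s, e
        else:
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += _hours(cur_s, cur_e)
    return total


def availability_band(pct):
    """Bands from the text: 95-100% green, 85-94% white, below 85% yellow."""
    if pct >= 95:
        return "green"
    if pct >= 85:
        return "white"
    return "yellow"


def reportable_events_band(events_per_year):
    """Bands from the text: 0-2 green, 3-5 white, 6 or more yellow."""
    if events_per_year <= 2:
        return "green"
    if events_per_year <= 5:
        return "white"
    return "yellow"


def security_pi(records, system, period_start, period_end):
    """Availability PI and compensatory hours by category for one system."""
    ps = datetime.strptime(period_start, FMT)
    pe = datetime.strptime(period_end, FMT)
    comp = {c: 0.0 for c in CATEGORIES}
    failures = []
    for r in records:
        if r["system"] != system:
            continue
        if r["cause"] not in comp:
            raise ValueError("unknown cause category: " + r["cause"])
        # Clip each outage to the reporting period.
        s = max(datetime.strptime(r["start"], FMT), ps)
        e = min(datetime.strptime(r["end"], FMT), pe)
        if e <= s:
            continue
        comp[r["cause"]] += _hours(s, e)
        if r["cause"] in COUNTS_AGAINST_PI:
            failures.append((s, e))
    pct = 100.0 * (1.0 - merged_hours(failures) / _hours(ps, pe))
    pct = round(pct, 2)
    return {"availability_pct": pct, "band": availability_band(pct),
            "compensatory_hours": comp}


# Constructed sample data: a 30-day (720 hour) reporting period.
PERIOD_START, PERIOD_END = "1998-01-01 00:00", "1998-01-31 00:00"
SAMPLE_RECORDS = [
    {"system": "protected_area", "cause": "equipment_failure",
     "start": "1998-01-05 00:00", "end": "1998-01-06 12:00"},
    {"system": "protected_area", "cause": "equipment_failure",
     "start": "1998-01-06 00:00", "end": "1998-01-07 00:00"},  # overlaps the first
    {"system": "protected_area", "cause": "environmental",
     "start": "1998-01-10 06:00", "end": "1998-01-10 18:00"},
    {"system": "protected_area", "cause": "planned",
     "start": "1998-01-15 08:00", "end": "1998-01-15 16:00"},
    {"system": "vital_area", "cause": "planned",
     "start": "1998-01-20 00:00", "end": "1998-01-22 00:00"},
]

if __name__ == "__main__":
    for system in ("protected_area", "vital_area"):
        print(system, security_pi(SAMPLE_RECORDS, system, PERIOD_START, PERIOD_END))
    print("3 reportable events:", reportable_events_band(3))
```

The vital area stays green despite 48 planned compensatory hours because planned work is excluded from the PI, while the same hours classified as equipment failure would move it to the white band, which is why consistent categorization of compensatory hours matters for the indicator.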

III. Inspection Areas

A. Physical Protection Areas

This area will be assessed by a PI after the initial V&V inspection is done to review the testing requirements for each system to assure performance standards and testing periodicity are appropriate to provide valid data for the PI.

B. Access Authorization System

This area will be assessed by a PI after the initial V&V inspection is done to confirm implementation is acceptable and that reporting thresholds for significant events meet regulatory expectations. The initial V&V inspection will serve to ensure valid data is used for the PIs.

C. Access Control

The areas of Search and Identification and Authorization will be inspected as part of the baseline inspection program. The inspection will consist of procedure reviews, self assessment reviews, and observation by the inspector. These are areas where the effectiveness of performing the task determines the effectiveness of the processes and also areas where the tasks are performed by numerous personnel in the security organization. Failure to properly perform the tasks could result in the introduction of contraband or unauthorized personnel into the protected area.

D. Response to Contingency Events

The areas of Protective Strategy and Implementation of Protective Strategy will be inspected as part of the baseline inspection process. The inspection will consist of review of training and qualification records, the protective strategy, drill and exercise scenarios, drill critiques, and the results of a requested demonstration of the ability to defend against the design basis threat in order to prevent an act of radiological sabotage. This is the last line of defense in the physical security defense in depth process.

Table 1 Physical Security Key Attributes and Means to Measure

| Key Attribute | Areas to Measure | Means to Measure | Comments |
|---|---|---|---|
| Physical Protection System | Barriers; Intrusion Detection; Alarm Assessment | PI; V&V | Data on system availability and capability to detect and assess safeguards events. |
| Access Control | Search; Identification and Authorization | Inspection | The inspection will consist of procedure reviews, self assessment reviews, and observation by the inspector. Tasks in this area are performed by numerous personnel and the effectiveness of the process is dependent on the proper performance of the task to prevent the introduction of contraband or unauthorized persons into the protected area. |
| Access Authorization | Personnel Screening; Fitness-for-Duty; Behavior Observation | PI; V&V | Data on process implementation is available to assess the performance in this area. |
| Response to contingency events | Protective Strategy; Implementation of Protective Strategy | Inspection | The inspection will consist of review of training and qualification records, the protective strategy, drill and exercise scenarios, drill critiques, and the results of a requested demonstration of the ability to defend against the design basis threat in order to prevent an act of radiological sabotage. This is the last line of defense in the security defense in depth process. |

Table 2 Physical Security Performance Indicators

| PI | Measurement Area | Definition | Thresholds |
|---|---|---|---|
| 1 - Availability of protected area systems to perform their intended functions | Physical Protection Area: Barriers; Intrusion Detection; Alarm Assessment | Each PI is a percent of time the systems are available and capable of performing their intended function to detect and assess safeguards events | 95-100% availability - green band; 85-94% availability - white band; 84% or less availability - yellow band |
| 2 - Availability of vital area systems to perform their intended functions | As for PI 1 | As for PI 1 | As for PI 1 |
| 3 - Acceptable implementation of the access authorization programs | Access Authorization System: Personnel Screening; Fitness-for-Duty; Behavior Observation | Each PI is the number of reportable events that reflect problems in the implementation of the programs. These processes should be able to verify persons granted unescorted access to the protected area are trustworthy and reliable and not under the influence of any substance that adversely affects their ability to safely and completely perform their duties, and to provide reasonable measures for the early detection of any change in trustworthiness and reliability. | 0-2 reportable events - green band; 3-5 reportable events - white band; 6 or more reportable events - yellow band |
| 4 - Acceptable implementation of the FFD & behavior observation programs | As for PI 3 | As for PI 3 | As for PI 3 |

Appendix H

Supporting Analysis for Performance Thresholds for the Initiating Event and Mitigating Systems Cornerstone PIs

H.1 Introduction

The purpose of this appendix is to provide the results of analyses performed in support of the establishment of risk-informed performance thresholds. Section H.2 defines the scope of the analyses and PIs addressed. Section H.3 describes the analysis approach and the process by which the thresholds were established. The results are provided in Section H.4, and work still to be performed is discussed in Section H.5.

H.2 Scope

The analyses described in this appendix were performed to support the establishment of thresholds for those PIs for which PRA models could be used to provide a risk perspective, and for which industry-wide data were available. As will be discussed in Section H.3, in establishing the thresholds an important input was information on the range of values exhibited by the PIs across the plants. Not all the data required to achieve this was readily available and therefore thresholds were not developed for all the PIs that could, in principle, be addressed using PRA models. Data was provided by NEI on unplanned scrams and on the SSPIs, with the following exceptions: a) unavailability SSPI data was not provided for the PWR decay heat removal system, and while the raw data is available to the NRC, it was not possible to analyze it in the time available to complete this document, and b) data for the SSPI reliability indicators were not provided. Data on the occurrences of risk significant scrams were obtained from the draft report INEEL/EXT-98-00401, Rates of Initiating Events at U.S. Commercial Nuclear Power Plants, 1987 through 1995, April 1998. Thus the PIs for which analyses are reported in this appendix are:

Initiating Event PIs

  • Reactor Trips
  • Risk Significant Scrams

Mitigating Systems PIs - SSPI availability indicators for:

  • PWRs: Emergency Diesel Generators, Auxiliary Feedwater System (AFW), High Pressure Injection System (HPSI), Decay Heat Removal System (RHR)*.
  • BWRs: Emergency Diesel Generators, High Pressure Coolant Injection System (HPCI, HPCS), High Pressure Decay Heat Removal System (RCIC, IC), Decay Heat Removal System (RHR).

* Because of the unavailability of data for the PWR RHR system, the thresholds were established indirectly, by making use of those established for the BWR RHR system.

H.3 Approach to Establishing Thresholds

H.3.1 Overview

Three thresholds were established in accordance with Figure 2 of the main report. The green-white threshold corresponds to declining performance, the white-yellow threshold to substantially declining performance, and the yellow-red threshold to unacceptable performance.

When establishing the thresholds it was taken as guiding principles that they should not result in a large number of false positives (resource concern), and that thresholds should be set to capture meaningful changes.

PRA models were used to provide a risk perspective on the thresholds. This was done by performing sensitivity studies to investigate how the core damage frequency (CDF) of the plants varies as the values of the PIs change. The analyses were performed by NRC staff or their contractors with the SAPHIRE code, using seven NRC-developed simplified models (SPAR models) and six licensee PRA models that were available at the INEEL. In addition, results from twelve licensee PRA models were provided by NEI. While, for most cases, the PRA results were able to provide information relevant to establishing the white-yellow and yellow-red thresholds, in some cases, the CDF results are insensitive to large changes in the parameters corresponding to the PIs. For these cases, an alternate approach to choosing thresholds was required.

H.3.2 Technical Issues

There are some technical issues related to the nature of PIs and PRAs that affect the way the PI data and the PRA results are used:

  • The nature of the PIs for the initiating event and mitigating systems cornerstones is such that they are based on either the number of events, or the magnitude of events, or both, and therefore, each PI at a particular plant is subject to fluctuations with time.
  • PRA models evaluate risk as a time-averaged quantity, based on the mean value of the parameters associated with the PIs. The statistical fluctuations discussed above are not accounted for even in an uncertainty analysis, which typically would address an epistemic (state of knowledge) uncertainty in the mean value, rather than the aleatory (statistical) variation.
  • SSPIs are calculated using both unavailability associated with the planned removal from service for testing, preventive and corrective maintenance and the estimated unavailability due to failure that occurred at some unknown time prior to being revealed. These SSPI values are not directly comparable to the parameters used for PRA basic events which model the planned unavailability and the failure contributions separately. In addition, the failure contributions are accounted for differently, using simple binomial or standby failure rate models for failures on demand and constant failure rate models for failures to run. The impact of this on the use of the PRA results is discussed in Section H.4.2.

Thus there are two sources of variation to take into account when creating a decision model based on PRA input: the change in the (time-averaged) quantity provided by the PRA, and the statistical fluctuations. Therefore, to establish meaningful thresholds for the proposed indicators what is needed is:

  • a characterization of the range of values of the PI that denote acceptable performance, taking into account how those values fluctuate over different reporting periods.
  • the establishment of a relationship between the PIs and PRA model parameters that allows an assessment of how big a change in PI values is required to result in a risk-significant increase in CDF.

For the PI to be a sensitive indicator of change, the change in the PI corresponding to a risk significant threshold has to be greater than the expected statistical fluctuations.

H.3.3 Approach

The following approach has been adopted.

The green-white threshold

To determine the green-white threshold, it is necessary to define what is acceptable performance. The green-white threshold for the PI was chosen to be commensurate with a generically achievable level of performance and takes into consideration the statistical variability arising from the random nature of the contributing events as seen across the entire population of plants.

1 Data for the unavailability PIs was provided by NEI for all except the RHR system for PWRs.

For the purpose of establishing the green-white threshold, histograms were provided of the maximum value recorded for each PI for all the plants (Figures H.1 through H.6). The threshold was determined by the simple approach of choosing a value to no more than two significant figures that is such that about 95% of the plants have observed data values that would be in the green zone, and is therefore established on a generic basis. This method depends only on the number of plants with less than acceptable performance, but not on determining by how much their performance exceeds the norm. Alternative approaches, such as using the mean plus two standard deviations of the PI values to set the threshold, put more weight on the actual values of the PIs, and could be biased by the poor performers in a non-conservative direction. This threshold value may be higher or lower than the value of the corresponding parameter used in licensee's PRAs. That the threshold is reasonable from a risk standpoint was demonstrated by the fact that use of the threshold in the sample of PRA models used for the sensitivity studies would have resulted in an increase in CDF of less than 1E-05/reactor year.
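The difference between the two ways of setting the green-white threshold can be seen in the following added example, which is not part of the NRC document. The plant population is constructed, the function names are hypothetical, and two details are assumptions: a higher PI value is worse, and "about 95%" is implemented as the 95th-percentile order statistic rounded up to two significant figures.

```python
import math
import statistics


def round_sig(x, sig=2):
    """Round x to `sig` significant figures (nearest)."""
    if x == 0:
        return 0.0
    return round(x, sig - 1 - math.floor(math.log10(abs(x))))


def round_up_sig(x, sig=2):
    """Round x up to `sig` significant figures, so the result is never below x."""
    if x <= 0:
        return 0.0
    factor = 10 ** (sig - 1 - math.floor(math.log10(x)))
    # round() first so that floating-point noise does not push ceil() up a step
    return math.ceil(round(x * factor, 9)) / factor


def percentile_threshold(max_values, green_pct=95, sig=2):
    """Counting method from the text: a value, to no more than two significant
    figures, such that about 95% of plants fall in the green zone."""
    if not max_values:
        raise ValueError("no plant data")
    ordered = sorted(max_values)
    k = math.ceil(len(ordered) * green_pct / 100)  # plants that must be green
    return round_up_sig(ordered[k - 1], sig)


def mean_plus_2sd_threshold(max_values, sig=2):
    """Alternative mentioned in the text: mean plus two standard deviations."""
    m = statistics.mean(max_values)
    s = statistics.stdev(max_values)
    return round_sig(m + 2 * s, sig)


def green_fraction(max_values, threshold):
    """Fraction of plants at or below the threshold (higher PI value is worse)."""
    return sum(v <= threshold for v in max_values) / len(max_values)


# Constructed population of 100 plants: maximum recorded unavailability per plant.
TYPICAL = [0.005 + 0.00035 * i for i in range(95)]   # 0.005 .. 0.0379
POOR = [0.06, 0.09, 0.15, 0.25, 0.37]                # five poor performers
PLANTS = TYPICAL + POOR

if __name__ == "__main__":
    pct = percentile_threshold(PLANTS)
    m2s = mean_plus_2sd_threshold(PLANTS)
    print("95% counting threshold:", pct, "green:", green_fraction(PLANTS, pct))
    print("mean + 2 sd threshold: ", m2s, "green:", green_fraction(PLANTS, m2s))
```

On this constructed population the counting method gives 0.038, while the mean plus two standard deviations gives 0.12 because the five outliers inflate both the mean and the spread; two of the poor performers would then sit in the green band.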

The white-yellow threshold

There is no clear regulatory definition of unacceptable risk in numerical terms that can be used to calibrate declining or unacceptable performance. However, in RG 1.174, the NRC has established acceptance guidelines for allowing changes to the licensing basis that relate to changes in CDF and LERF. Specifically, for CDF, an increase in the range of 1E-06 to 1E-05/reactor year would be acceptable, under certain conditions and with staff review and approval, while changes resulting in an increase greater than 1E-05/reactor year would not be acceptable.

While these acceptance guidelines are intended for permanent changes to the licensing basis, it would be consistent to also apply these to changes resulting from operating practices, using the argument that if the degradation in performance were uncorrected, it would lead to a permanent increase in CDF. Furthermore, a change in CDF of 1E-05/reactor year is used in the staff's regulatory analyses as one element in determining the requirement for a backfit. Thus, it was decided that the white-yellow threshold should be determined on the basis of sensitivity analyses to identify that mean value of the PRA parameter associated with the PI that would increase CDF by an amount that corresponds to a substantially declining performance, which has been chosen as 1E-05/reactor year. For the PI to be a meaningful indicator, this increase must be significant compared with the expected statistical variation captured by the setting of the green-white threshold. In comparison with the way the green-white threshold is determined, this approach is somewhat conservative in that it does not increase the value to compensate for the expected statistical variation. However, since this is only an indicator of performance rather than a criterion for regulatory action, this is considered appropriate.

The yellow-red threshold

A truly unacceptable performance would likely correspond to a change in CDF well in excess of 1E-05/reactor year, and is chosen as corresponding to a change in CDF of 1E-04/reactor year. The yellow-red thresholds were determined by identifying the PI values that would correspond to increases in CDF of 1E-04.

H.3.4 General Discussion of Approach

The results of the sensitivity analyses indicated variability that could be associated to some extent with design differences although there is also variability due to PRA modeling differences. Therefore, while it is suggested that different values may be appropriate for the thresholds for some SSPIs depending on the degree of redundancy of the associated system, or depending on the plant or system design features, the sample of studies performed in support of this activity is too small to be definitive, and further work is needed as described in Section H.5.

While no data were provided with which to investigate the reliability green-white thresholds, sensitivity studies were performed for the reliability parameters of PRAs. As discussed in Section H.4.2, because of the way in which the unavailability SSPIs are evaluated, these studies were used in the determination of thresholds for the unavailability SSPIs for redundant systems.

Because the models used for the sensitivity studies did not provide an easy way to calculate LERF, they do not provide a complete risk perspective. However, the PIs addressed here are associated with the initiating event and mitigating system cornerstones only. The containment issues are addressed in the barrier cornerstone.

In addition to the sensitivity studies performed to establish the thresholds, a limited number of studies were performed to investigate the risk impact of more than one of the PIs increasing simultaneously, and are discussed in Section H.4.4.

H.4 Results

H.4.1 Initiating Events

Two PIs are proposed: the number of unplanned scrams in 7000 critical hours, and the number of risk-significant scrams in a three year period.

H.4.1.1 Number of Unplanned Scrams

There is a direct relationship between this PI and a parameter in the PRA models, namely the frequency of initiating events. However, in performing the sensitivity studies, a simple scaling of all initiating event frequencies by the same factor would result in a proportionate increase in CDF. Bearing in mind that the purpose of this indicator is to determine when it is appropriate for NRC to initiate a response, and that initiating events are not all equal in their risk significance, it was considered more meaningful to perform sensitivity studies by increasing the frequencies only of those initiating events that are expected to occur. Therefore the frequencies of those rare, but potentially risk significant initiating events such as LOCAs, SGTR, LOSP, and failure of a support system were not increased when performing the sensitivity studies. If any of these potentially risk significant scrams were to occur, it is highly likely that a reactive inspection would be initiated.

The data obtained from NEI (Figure H.1) for the number of unplanned scrams indicates that, for the vast majority of plants, the frequency of unplanned scrams has consistently been less than 3 per year, for the last three years. Furthermore, the data in the draft AEOD study on initiating events (INEEL/EXT-98-00401, April 1998) indicates that the average number of scrams is 2.1/reactor year. These two pieces of evidence argue for setting the green-white threshold at 3. (Even though there may be minor differences in the evaluation of the denominators of these estimates, this will not make a significant difference to the conclusions drawn here.)

Since the average value for scram frequency used in the IPEs is 7.4/year based on the AEOD report, a generic value of 3 for the threshold will not constitute a concern about the level of risk.

The results in Table 1 indicate that the number of scrams that would lead to a change in CDF greater than 1E-05/reactor year is somewhere in the range of 5 to greater than 10. The numbers in parentheses for the Palo Verde, Brunswick, and Comanche Peak IPE models reflect the results of using a smaller set of initiating events that correspond to those relatively uncomplicated scrams, such as reactor trips, that are expected to occur more frequently. Based on the results in Table 1, the white-yellow threshold is proposed to be set at 6, with the caveat that, if a scram results from an event that is caused by a loss of a critical function (heat removal, pressure boundary) or loss of a support system, it will be subject to a reactive inspection. One of the NEI plant studies resulted in a frequency of only 4.5, but these studies were performed by increasing the frequency of all scrams (including LOSP) by the same factor, thus distorting the picture with respect to the more common reactor trips.

The studies indicate that the yellow-red threshold is at such a high value that it is realistically unachievable.

H.4.1.2 Number of Risk-Significant Scrams

Data from the INEEL draft report INEEL/EXT-98-00401 on the number of scrams which involved more than simply a reactor trip suggest that an appropriate value for the green-white threshold is 4 events in three years, or 1.33 per reactor year.

The sensitivity studies were performed by increasing the frequency of a selected number of the initiating events used in the PRA models, namely those representing loss of the power conversion system. The Loss of Offsite Power and losses of support systems were not included since they have a disproportionate impact on CDF and furthermore are relatively more rare, and would in any case initiate a more significant regulatory response. The results of these studies are given in Table 2.

The results for Palo Verde are considerably lower than those for the other plants, and this is largely due to the design of the plant, which does not allow feed and bleed as an alternate method of decay heat removal, relying entirely on the auxiliary feedwater systems. Based on these results, the white-yellow threshold is set at 10 per three years for all plants except those for which feed and bleed is not an option. These plants will be treated in a design specific way. The yellow-red threshold is again significantly higher and is realistically unachievable.

H.4.2 Unavailability

The SSPI unavailability indicator does not have a one-to-one correspondence with a parameter in the PRAs. In PRAs, the unavailability parameter typically only represents the ratio of the time the train was out of service (tagged out) to the time required to be available. The SSPI includes a contribution from the so-called fault exposure time, which is an estimate of the time the train was unavailable due to a failure before that failure became revealed. Thus it contains some of the impact of the failures which would be included in the failure to start and run events in the PRA.

Thus in performing the sensitivity analyses for redundant systems the correct way is intermediate between the two approaches below:

a) increase the unavailability basic event. This is somewhat of an underestimate because typically multiple unavailability cutsets are deleted as being disallowed by tech specs.

b) increase the failure to start and run contribution (including the CCF term if necessary). This is conservative because it is expected that a significant contribution to the SSPI is from the out-of-service unavailability that would not occur simultaneously in multiple trains as it is limited by technical specifications.

For the single train systems such as HPCI, HPCS, and RCIC, the two are equivalent in their impact on CDF.

H.4.2.1 BWR High Pressure Injection Systems (HPCI, HPCS) and High Pressure Core Cooling System (RCIC)

The SSPI data provided by NEI suggests a suitable value for the green-white boundary is .04 (Figure H.2). This is on the same order as the value used for the total unavailability on demand of a HPCI or RCIC train used in PRAs (failure to start and run and unavailability due to maintenance). It is also on the same order as typical values used for the HPCS system including the HPCS diesel generator system.

Table 1 Sensitivity to Number of Scrams

| Plant | Model type | Base Case frequency | Frequency giving increase in CDF of >1E-05/yr | Frequency giving increase in CDF of >1E-04/yr |
|---|---|---|---|---|
| Perry | SPAR | 2 63 | 9 | >50 |
| Brunswick | SPAR | 2.8 | 73 | >50 |
| Crystal River | SPAR | 2.28 | >10 | >100 |
| SONGS | SPAR | 2 49 | 64 | -50 |
| Kewaunee | SPAR | 2.25 | >10 | -35 |
| North Anna | SPAR | 2.52 | >10 | -45 |
| Seabrook | SPAR | 2.26 | >10 | >100 |
| Surry | IPE | 2.75 | >10 | >100 |
| River Bend | IPE | 4.42 | >10 | >100 |
| Crystal River | IPE | | | |
| Palo Verde' | IPE | 33 (285) | 5 (6) | <30 |
| Brunswick' | IPE | 2 4 (2.27) | 86 (1135) | >100 |
| Comanche Peak' | IPE | 43 (2.9) | 5-6 (8.2) | |
| Plant 1 (PWR) | NEI | 3 | 10 | |
| Plant 2 (PWR) | NEI | !4 | 4.5 | |
| Plant 3 (PWR) | NEI | 5 | 34 | |
| Plant 4 (PWR) | NEI | 7 | 27 | |
| Plant 5 (PWR) | NEI | 2 75 | 70 | |
| Plant 6 (PWR) | NEI | I 95 | 103 | |
| Plant 7 (PWR) | NEI | 1.1 | 9.1 | |
| Plant 8 (PWR) | NEI | 1.04 | 4.66 | |
| Plant 9 (BWR) | NEI | 4 | 10 | |
| Plant 10 (BWR) | NEI | 623 | 18.8 | |
| Plant 11 (BWR) | NEI | 1.5 | 22 | |
| Plant 12 (BWR) | NEI | .71 | 9.12 | |

* NEI plant studies include all trips (not LOCAs). Results were not provided for changes in CDF of 1E-04.

' The numbers in parentheses result from using the subset of uncomplicated scrams (see text).

Table 2 Results of Sensitivity Studies for Risk-Significant Scrams

| Plant | Base Case Frequency | Frequency giving an increase in CDF >1E-05/year | Frequency giving an increase in CDF >1E-04/year |
|---|---|---|---|
| Brunswick | .77 | 5.2 | 46 |
| River Bend | 2.76 | -70 | >100 |
| Palo Verde | .46 | 1.15 | 7 |
| Surry | .15 | 3.6 | 34 |
| Comanche Peak | 1.41 | 3.5 | 21 |

Note: The IPE model for Crystal River had no general transient category contribution.

The sensitivity studies result in a range of values for the white-yellow boundary, with the lowest value being at about the .04 value (see Table 3). This value, for the Perry plant, was, however, specifically for the HPCS pump excluding the diesel generator. Since the HPCS pumps typically demonstrate a lower unavailability than do the steam-driven HPCI pumps, this suggests that the indicators should be treated separately. The results show that, for all the other plants, there is significant margin between the value associated with the white-yellow threshold and either the PRA values assumed or the white-green threshold value, and on the basis of these results, a white-yellow threshold of .12 is proposed, with a yellow-red threshold of .5 for HPCI. For HPCS, when the diesel generator is excluded, the threshold should be lower. The white-yellow threshold is proposed as .04, with the yellow-red threshold set at .2.

The data provided by NEI averaged the data between the HPCI/HPCS and RCIC/IC systems. Therefore, the thresholds for RCIC are the same as those for HPCI.

H.4.2.2 Diesel Generator Unavailability

The SSPI data provided by NEI suggests establishing the green-white boundary at .025 (Figure H.3).

The results of the sensitivity studies performed in support of establishing thresholds are given in Table 4. As discussed above, there is no direct correspondence between the SSPI indicators and the parameters used in PRA models. Therefore, to explore the risk implications of variation in the indicator values two sets of sensitivity studies were performed using the IPE models: 1) the sensitivity studies designated as "unavailability" were performed by changing the basic events in the PRA models that represented unavailability due to test and maintenance. The PRA models delete cutsets that represent two or more trains out of service at the same time. 2) the sensitivity studies designated as "unreliability" were performed by changing basic events representing failure to start, failure to run, and common cause failure by the same factor. These studies indicate that for the unavailability parameter, the four train plant (Brunswick) and three train (Surry) allow a larger increase over the base case than the two train plants. For the unreliability studies, this difference is not as marked, although for the four diesel plants the factor increase over the base case is generally higher than for the two diesel plants (3 and higher versus 2). For the four diesel plants the common cause failure models play a more significant role and the increase in CDF is more linear with the increase factor than for the two diesel plants.

The SPAR models are not well suited for performing these studies as there is only one term representing the sum of failure to start and run and unavailability. Furthermore, the modeling of common cause failures is fairly conservative compared to licensee-generated PRA models. The NEI studies were performed by increasing the values for one train at a time and therefore, with the exception of plant 1, the results for unavailability and unreliability were comparable. The conclusions here are based on the studies performed with the IPE models. Previous studies performed in NUREG 1032 demonstrated that the impact of increasing the unreliability of a single train has a bigger effect on two train versus three or four train systems, even taking into account the effect of common cause failures. Basically the reason is that for the two train systems the contributors to system failure probability from the independent failures ($p^2$) are comparable to those from the CCF term ($\beta p$), whereas for the higher redundant systems the dominant term is the CCF term ($\gamma\beta\delta p$ for a four train system using a multiple Greek letter parameterization of CCF probability), and the p' terms are much less significant. The impact increases with unreliability. Because of this, and guided by the sensitivity studies performed, it is recognized that there probably ought to be a different threshold for the plants with higher redundancy. The sensitivity studies performed suggest that, for the interim, for two train plants, a white-yellow threshold of .05 and a yellow-red threshold of .1 be used, and, for plants with three or more trains, the white-yellow threshold is set at .1, with the yellow-red at .2. Because this is based on a sample of only one for the four train plants, this should be confirmed by performing sensitivity studies for more plants.

If a reliability PI is developed, it would then be appropriate to redefine the unavailability PI to reflect the " tagged" out-of-service contribution, and this would allow a significant distinction between the new unavailability indicators for higher redundancy plants.

Appendix H

Table 3 Sensitivity of CDF to BWR HPI unavailability

Columns: Plant; Model type; System; Base Case parameter value; parameter value for ΔCDF >1E-05; Ratio Column 5 to threshold value; Ratio Column 5 to column 4; parameter value for ΔCDF >1E-04; Ratio Column 8 to column 4

Perry SPAR HPCS 3.7E43 3.942 -1 >to >.2 5
Perry SPAR RCIC 32E-02 J 7.5 -10 l 33
Brunswick IPE HPCI .0126 >.13 3.25 >10 >J 40
Brunswick IPE RCIC .0106 .5 12.5 50 >.5 >50
River Bend IPE HPCS' .04 >.4 to >10 >.75 >15
River Bend IPE RCIC .058 .4 10 7 -1
Plant 9 NEI HPCI A18 .13 3.25
Plant 9 NEI RCIC .022 .23 5 75
Plant 10 NEI HPCI .026 .48 12
Plant 10 NEI RCIC .025 .58 14 5
Plant 11 NEI HPCI .0126 .48 12 38
Plant 11 NEI RCIC .01 .43 11 43
Plant 12 NEI HPCI .0075 3 123 66
Plant 12 NEI RCIC .0045 .48 12 >100

Notes:

    • For NEI plants, only the change in unavailability giving ΔCDF = 1E-05 was provided

' The results for this sensitivity study include the HPCS diesel generator, and from the point of view of unreliability correspond more closely to the HPCI system.

Table 4 Sensitivity Studies for Diesel Generators

Columns: Plant; Model type; Parameter type; Base Case Parameter value; Parameter value for ΔCDF >1E-05; Ratio column 5: threshold value; Ratio column 5: column 4; Parameter value for ΔCDF >1E-04; Ratio column 8: column 4

Perry SPAR Unavailability .038 .12 4.8 1
Perry SPAR Reliability .038 .08 3.2 2 .19 5
Brunswick SPAR Unavailability .037 .14 5.8 1
Brunswick SPAR Unreliability .037 .05 2 135 .1
Brunswick IPE Unavailability .038 38 15.3 10 1
Brunswick IPE Unreliability .04 .12 5 3 >.25
River Bend IPE Unavailability .028 .06 2.4 2.15 I
River Bend IPE Unreliability .12 .2 8 1.7 .7 6
Surry IPE Unavailability .01 .06 24 6 .5
Surry IPE Unreliability .024 .048 2 2 5
Palo Verde IPE Unavailability .0105 .04 1.6 4 .2
Palo Verde IPE Unreliability .017 .043 1.7 -2.5 .17 10
Comanche Peak IPE Unavailability .015 .045 1.8 3 .3 -20
Comanche Peak IPE Unreliability .096 .18 7.2 2 .5 5
Crystal River IPE Unavailability .0063 .16 64 -10 >.5
Crystal River IPE Unreliability .0214 .06 2.4 3 .6 10
Plant 1 NEI Unavailability .019 .022
Plant 2 NEI Unavailability .012 .103
Plant 3 NEI Unavailability .018 .67
Plant 4 NEI Unavailability .014 .26
Plant 9 NEI Unavailability .006 I
Plant 10 NEI Unavailability .03 1

H.4.2.3 BWR Residual Heat Removal System:

The SSPI data provided by NEI suggest a green-white threshold of .015 (Figure H.4). This, however, is higher than unavailabilities typically used in PRAs, which are in the range .003 - .01.

The PRA evaluations from both IPE and SPAR models showed that the CDF was insensitive to the unavailability values, largely because common cause effects and the assessment of the failure of the operators to initiate RHR dominate. While the SPAR models showed some sensitivity to the reliability values, the IPE models did not. PRA models are not likely to give much insight into the setting of the thresholds, because of the way the function is typically modeled as being backed up by containment venting, and because of the long time available for taking action.

Therefore, alternate approaches are required to set the thresholds. One approach is to set the white-yellow threshold using the AOTs. The threshold is therefore set at .05, which corresponds to about two occurrences of unavailability corresponding to an AOT of 7 days in any one year.

H.4.2.4 PWR Auxiliary Feedwater Systems:

NEI provided data that represented an average train unavailability, which in many cases included a mixture of motor driven and turbine driven pump trains. Data collected on turbine driven and motor driven pumps indicate that both the reliability and unavailability are different by as much as an order of magnitude. Furthermore, PRA results have shown that the turbine driven train is important to cope with medium term station blackout scenarios. Because of this, it is proposed that the indicators should be provided separately for turbine driven and motor driven trains.

The current averaged data suggests a green-white threshold of .02 (Figure H.5), although it should perhaps be less for the motor driven trains. The value of .02 is on the order of the failure probabilities (unavailability + unreliability) used for motor driven pump trains in PRA models whereas experience data suggests a lower value (see NUREG/CR 5500, Vol. 1). The failure probabilities used in IPEs for turbine driven trains are about a factor of 5 higher. The experience captured in NUREG/CR 5500 shows a bigger difference with the failure probability of the motor driven trains being lower and that of the turbine driven trains being higher than assumed in PRAs. Therefore, perhaps the threshold for the turbine driven train on its own should be higher.

Table 5 summarizes the results of sensitivity studies performed on AFW model parameters. Since, for all the models used, there is only one turbine driven train, only the unavailability sensitivity is reported. For the motor driven trains, when there is more than one train, both unreliability and unavailability results are presented. The data are difficult to interpret, partly because of differences in the way the systems are modeled, and the assumptions made about the turbine driven train running failure rates. However, the table indicates that there is a margin between the values used in PRAs and those values that would give an increase of 1E-05 to the CDF of at least a factor of three. Thus, as interim values, the white-yellow threshold is set at .06. The yellow-red threshold could be considerably higher, but for now it is proposed to be set at .12.

Note that, because of its design features that do not allow feed and bleed as a means of decay heat removal, the threshold for the Palo Verde plant must be established differently, and considerably lower.

H.4.2.5 PWR High Pressure Injection Systems:

The data supplied by NEI suggest a green-white threshold of.015 (Figure H.6). Very few of the sensitivity studies showed any significant impact on CDF, and therefore, the PRA models are not useful for setting the thresholds. The reason varies, and could be a function of the modeling, or of the fact that the HPSI pumps are in some plants backed up by charging pumps, or in other plants they double up as charging pumps, which eliminates the failure to start as a failure mode for one of the redundancies.

In any case, the same approach is taken to set the white-yellow threshold as in the case of the BWR RHR system.

H.4.2.6 PWR RHR Unavailability

In the absence of data on the SSPI, the green-white threshold was chosen to be the same as that for the BWR RHR system, i.e., .015.

The results of the sensitivity studies performed using the PRA unavailability term showed very little sensitivity of CDF to significant changes in the parameter. This was also the case for the sensitivity studies performed using the reliability parameters for those sensitivity studies performed by NEI. This was to be expected as these studies are performed changing the parameters for only one train. Sensitivity studies performed using the licensees' PRA/IPE models again showed that the unreliability parameters could be increased by a significant amount before changing CDF significantly. The SPAR models showed a greater effect. This appears to be due to the higher CCF probabilities used in those models compared to those used in the PRA models. Lower values than those used in the SPAR models are supported by the AEOD CCF data base. There is probably a case to be made for differentiating between those plants that require RHR pumps for high pressure recirculation and those that do not. However, it has to be borne in mind that in many cases PRAs model the success path for small LOCAs as sump recirculation rather than initiation of RHR. The impact of this needs to be explored before setting thresholds.

For the interim, it is suggested that the thresholds be the same as those for the BWR RHR system.

Table 5 AFW sensitivity Studies

Columns: Plant; model type; Pump driver; Parameter; Base case; Value that gives ΔCDF = 1E-05; Value that gives ΔCDF = 1E-04

Crystal River SPAR Turbine 3.2E-02 .15
Crystal River SPAR Motor 3 9E.03 no change no change
San Onofre SPAR Turbine 3.7E-02 7E-02 .1 l
San Onofre SPAR Motor Unavailability 4.5E-03 .I >.5
San Onofre SPAR Motor Unreliability x 1.5
Kewaunee SPAR Turbine 3.2E 02 no change no change
Kewaunee SPAR Motor Unavailability 3.9E-03 no change no change
Kewaunee SPAR Motor Unreliability > x10
North Anna SPAR Turbine 3.5E 02 4 ?
North Anna SPAR Motor Unavailability 38E-03 no change no change
North Anna SPAR Motor Unreliability > x10
Seabrook SPAR Turbine 3.3E-02 .15 1
Seabrook SPAR Motor Unavailability 1.0E-2 >.5 I
Seabrook SPAR Motor Unreliability - x4
Comanche Peak IPE Turbine 2.7E 02 6E-02 l
Comanche Peak IPE Motor Unavailability 3.7E 03 .I ?
Comanche Peak IPE Motor Unreliability 2.5E-2 -7.5E 02
Palo Verde' IPE Turbine 4E 03 4E42 >.2
Palo Verde' IPE Motor Unavailability 7.5E 3 7E 2
Palo Verde' IPE Motor Unreliability 2.543 7.5-03 >x10
Surry IPE Turbine 1.93E-02 1.9E-1 1
Surry IPE Motor Unavailability 2.7E 03 4E 02 >.2
Surry IPE Motor Unreliability 7.5E 03 >7.5E 02
Crystal River IPE Turbine / Motor, Unavailability / Unreliability: No data

Notes to table 5: for the SPAR models, the unreliability calculations were performed multiplying all trains by the same factor. The parameter values are the same as those given for the turbine driven and motor driven trains.

' Note that the unreliability required to produce a change in CDF of 1E-05 is considerably lower than that for the other PWRs again because of the design features of the Palo Verde plant.

H.4.3 Summary

The results of the threshold evaluations are summarized in Table 6.

Table 6 Summary of Thresholds

| Performance Indicator | Green-White threshold | White-Yellow threshold | Yellow-Red threshold |
|---|---|---|---|
| Number of Unplanned scrams per 7000 critical hours | 3 | 6 | >25 |
| Number of Risk-significant scrams per three year period | 4 | 10 | >20 |
| SSPI BWR HPCI unavailability (also used for RCIC), or HPCS (diesel generator included) | .04 | .12 | .5 |
| SSPI BWR HPCS unavailability (diesel generator excluded) | .015 (based on RHR/HPSI) | .04 | .2 |
| SSPI EDG unavailability | .025 | .05 (2 EDGs); .1 (>2 EDGs) | .1 (2 EDGs); .2 (>2 EDGs) |
| SSPI BWR RHR unavailability / SSPI PWR RHR unavailability | .015 | .05 | TBD |
| SSPI PWR AFW unavailability | .02 | .06 | .12 |
| SSPI PWR HPSI unavailability | .015 | .05 | TBD |

Note: Numbers in parentheses for EDG unavailability refer to plants with three or more diesel generators

H.4.4 Sensitivity to Multiple Changes

Several sensitivity studies were performed to investigate the impact of an increase in more than one of the PIs simultaneously. The effect of two PIs being increased by the same factor is not surprisingly greater than either of the two taken individually. However, the result is not multiplicative but more nearly additive. However, the sensitivity analyses also demonstrated that the white-yellow threshold for all PIs was not determined by the same plant. Sensitivity analyses were performed for two of the plant models, Surry and Brunswick, to demonstrate the following: first, that setting all the PIs at the green-white threshold does not imply the risk will be increased significantly; and second, that setting all the PIs at the white-yellow thresholds can result in a significant increase in CDF. The results are tabulated in Table 7.

These results deserve some comment. The fact that the increase for Surry is not in excess of 1E-05 even when all the PIs are taken to their white-yellow threshold is a result of the fact that the Surry model was not limiting in determining any of the thresholds. However, as the Brunswick results indicate, the impact can be significant. This can be taken as a demonstration that two or more PIs in the white band should be treated as being more significant than only one being in the white band.

Table 7 Results of changing all PI parameters

| Plant | Increase in CDF with all PIs at the green-white threshold | Increase in CDF with all PIs at the white-yellow threshold |
|---|---|---|
| Brunswick | 8.56E-07 | 1.4E-05 (using 2 EDG threshold); 2.14E-05 (using the >2 EDG threshold) |
| Surry | 2.51E-07 | 9.91E-06 |

H.5 Further Work

The current assessment of PI thresholds is based on a relatively small number of sensitivity studies, using PRA models of differing levels of detail. They show significant differences in results. It is desirable to broaden the range of sensitivity studies to include a greater number of plants. More effort is needed to understand these results, and to determine whether it is reasonable and meaningful to establish different thresholds for classes of plants that are identified by specific design differences such as the degree of redundancy, or even whether it would be more desirable to make them plant-specific. In addition, the reliability characteristics of turbine driven pumps appear to be sufficiently different from those of motor driven pumps that it makes sense to look at them separately. The following specific activities are proposed:

    • (contingent) analysis of the results of sensitivity studies provided by NEI, performed in accordance with the approach used by NRC staff, and in particular to determine the feasibility of establishing more firmly different thresholds for plants with different degrees of redundancy, and with different design features.

    • separate analysis of data on turbine driven pump and motor driven pump trains (again contingent on receiving data from industry). In addition, for those plants that do not have feed and bleed capability, different thresholds need to be established.

    • analysis of PWR DHR data to establish thresholds.

    • analyses to support the establishment of thresholds for new PIs, or refinement of PIs.


APPENDIX I BENCHMARKING THE PERFORMANCE INDICATORS

INTRODUCTION

Benchmarking is one method used for validating the PIs. It involves collecting and analyzing PI data for plants that NRC senior managers have previously identified as watch list plants, declining performers, and superior performers. The purpose of benchmarking is to determine if the PIs can (1) differentiate between plants perceived as superior, average, declining, and poor performers, and (2) identify declining performance in a timely manner so that increased regulatory attention can be applied before performance becomes unacceptable. Performance differences between plants would be reflected in the number and magnitude of PIs in the Regulatory Response (white) and Required Regulatory Response (yellow) bands for each plant. Timely response would be evidenced by declining trends prior to the occurrence of risk-significant events; the goal is that the PIs go through the white band before reaching the yellow band, with only a few instances of a PI going directly from green to yellow, and that PIs will very rarely go directly from green to red. The validity of this benchmarking process is based on the assumption that the Senior Management Meeting (SMM) process identified the right plants at the right time.
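The timely-response criterion described above can be checked mechanically once each PI value is mapped to a band. The following Python code is an added example, not part of the NRC document: the thresholds are those listed in Table 6 of Appendix H, the quarterly series is constructed sample data, and the function and key names are hypothetical.

```python
"""Added illustration: banding a performance indicator (PI) history and
checking whether a PI passed through white before reaching yellow.
Thresholds are copied from Table 6 of Appendix H; the series is constructed."""

BANDS = ("green", "white", "yellow", "red")

# (green-white, white-yellow, yellow-red); None stands for "TBD" in Table 6
THRESHOLDS = {
    "unplanned_scrams": (3, 6, 25),
    "edg_unavailability_2_edgs": (0.025, 0.05, 0.1),
    "pwr_afw_unavailability": (0.02, 0.06, 0.12),
    "pwr_rhr_unavailability": (0.015, 0.05, None),
}


def band(pi, value):
    """Map a PI value to its band. A value must exceed a threshold to leave
    the lower band (Table 3 of this appendix shows 3 scrams as green and
    4 as white). With a TBD yellow-red threshold the PI cannot be rated red."""
    level = 0
    for limit in THRESHOLDS[pi]:
        if limit is None or value <= limit:
            break
        level += 1
    return BANDS[level]


def band_history(pi, series):
    """Band for each reporting period in chronological order."""
    return [band(pi, value) for value in series]


def skipped_band_jumps(pi, series):
    """Return (index, from_band, to_band) for every period-to-period decline
    that skips at least one band, e.g. green straight to yellow."""
    history = band_history(pi, series)
    jumps = []
    for i in range(1, len(history)):
        step = BANDS.index(history[i]) - BANDS.index(history[i - 1])
        if step > 1:
            jumps.append((i, history[i - 1], history[i]))
    return jumps


def had_earlier_warning(pi, series, index):
    """True if the PI was outside green in any period before `index`."""
    return any(b != "green" for b in band_history(pi, series[:index]))


def count_outside_green(latest):
    """Number of PIs outside the green band in a single period; Appendix H
    argues that two or more PIs in white deserve more weight than one."""
    return sum(1 for pi, value in latest.items() if band(pi, value) != "green")


# Constructed quarterly unavailability values: white, then green, then yellow
EAC_SERIES = [0.030, 0.031, 0.028, 0.022, 0.020, 0.021, 0.051]

if __name__ == "__main__":
    pi = "edg_unavailability_2_edgs"
    print(band_history(pi, EAC_SERIES))
    for index, before, after in skipped_band_jumps(pi, EAC_SERIES):
        warned = had_earlier_warning(pi, EAC_SERIES, index)
        print(f"period {index}: {before} -> {after}, earlier warning: {warned}")
```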

INITIATING EVENTS, MITIGATING SYSTEMS, AND BARRIERS CORNERSTONES

Background

NEI performed a benchmarking analysis on a set of eight plants that they categorized as excellent, average, or declining performers, plus eight NRC watch list plants, as shown in Table 1. (Quad Cities Units 1 and 2 were never on the NRC's watch list but they did receive several trending letters, the latest in early 1998.) The indicators they used are the ones originally proposed in their draft white paper, A New Regulatory Oversight Process, dated July 27, 1998, (RCS Activity, RCS Leakage, Containment Leakage, Unplanned Scrams, Safety System Actuations [SSAs], and Transients) except the Reliability and Availability of Risk-Significant systems, structures, and components and Shutdown Operating Margin. Since NEI did not have unavailability data at the time, they used Safety System Failures (SSFs) from the NRC PI program as a surrogate. They used monthly or quarterly data from July 1995 through June 1998 for RCS activity, RCS leakage, and containment leakage provided by the plants. NEI also used annual data from 1990 to 1997 on Scrams, Safety System Actuations, and Safety System Failures (SSFs) from AEOD annual reports, and data from 1990 to 1995 on Transients from an NUS database of licensee monthly reports. All of this data had been plotted by NEI and provided to the NRC. (NEI subsequently received and plotted SSPI data from the third quarter of 1995 through the second quarter of 1998.) NEI documented insights they had gleaned from their analysis of these data, including typical PI characteristics for each plant performance category which showed a correlation between the PIs and performance. These insights were obtained primarily from the SSF and Transients indicators. They concluded that the set of indicators provides an overall perspective of safety performance, and that the indicators do distinguish between levels of performance in enough of the indicators simultaneously to be a viable assessment tool.

Table 1. NEI Benchmark Plants

Excellent: Summer, Turkey Point 3&4
Average: Calvert Cliffs 1&2
Declining: Fort Calhoun, St. Lucie 1&2
Watch List: Dresden 2&3, LaSalle 1&2, Quad Cities 1&2, Salem 1&2

Scope

The staff reviewed the NEI benchmarking analysis and performed its own independent analyses to answer the following questions:

1. Do the PIs as a set differentiate between superior, average, declining trend, and watch list plants as designated by the SMM process?
2. How effective are individual PIs at differentiating between plants with different levels of performance as designated by the SMM process?
3. Do the PIs demonstrate timely response (i.e., do not go directly from green to red)?
4. Do the PIs show declining trends for plants in SMM designated performance categories prior to SMM actions? If so, which ones are most effective? If not, would they be expected to show a declining trend?
5. Do the PIs show declining trends prior to ASP events? If so, which ones are most effective?
6. How well does the set of PIs conform to those selected by Arthur Andersen for use in the trending methodology currently being used in the SMM process?
7. Do small decreases in the green-white thresholds capture more of the watch list and declining trend plants (sensitivity analyses)?

To perform its analyses, the staff selected a set of 17 plants, including five plants identified by the NRC as superior performers, four average plants, four plants that have received trending letters from the NRC, and eight watch list plants (see Table 2).

Table 2. NRC Benchmark Plants

Superior: Callaway, Turkey Point 3&4, Vogtle 1&2
Average: Davis Besse, Point Beach 1&2, TMI 1
Trending: Cooper, D.C. Cook 1&2, Hope Creek
Watch List: Crystal River 1, Indian Point 3, LaSalle 1&2

While NEI used the PIs they originally proposed, the workshop and public meetings that have been held since then have resulted in agreement on the set of indicators described herein. There were a number of changes in both PI definitions and calculational methods. Also, NEI in their analysis used annual rather than quarterly values. In addition, there are some inconsistencies in the data from plant to plant and from year to year. However, the staff believes that these PIs are close enough to the proposed set of indicators to be useful for this benchmarking effort. Additional analysis and refinement of the PIs will be performed during the pilot program.

Barrier PI (RCS Activity, RCS Leakage, and Containment Leakage) data are not readily available to the staff since they are not required to be reported. In addition, our schedule did not allow much time for data compilation, calculation, and plotting. Therefore the staff used the data NEI provided to us for our analyses.

The SSPI data provided to both NEI and NRC were for 1995 through mid-1998; however the SSPI data are averaged over a three year period, so the 1995 data includes data from 1992. Because the NEI Transient data ended in 1995, the staff supplemented it with transient data from NRC databases for 1995 through 1997. SSPI, Scram, Safety System Actuation, and Safety System Failure data from NRC databases were used to check the accuracy of the NEI data, and there were no significant problems. However, while NEI and NRC SSPI data were consistent with each other, there appear to be inconsistencies in the SSPI data from plant to plant. This concern was discussed with INPO but has not yet been resolved.

Although data back to 1990 were available, industry performance improved substantially between then and 1993, and we found that the earlier data dominated the results and masked more recent plant performance. Therefore the staff used data from 1993 on. For its analyses, the staff selected plants whose SMM designations had changed between 1994 and 1993, to see if declining or improving trends could be identified before and/or after a plant's status changed. This included plants added to the list of superior performers (Callaway, Turkey Point, Vogtle), plants that received trending letters (D.C. Cook) and then corrected the adverse trend (Cooper, Hope Creek), and plants added to (Crystal River, LaSalle, Maine Yankee, Millstone) or removed from (Indian Point 3) the watch list. We used the annual values of the PIs from 1993 through 1997, except for the SSPI data which comprised quarterly values of 3 year moving averages from 1995 through mid-1998.

Method

The staff analyzed the data for the set of plants selected by NEI and the set selected by the staff, and developed Table 3 to help find answers to the seven questions. The table shows the lowest performance band and the highest value for each PI for which data were available throughout the 5 year period from 1993 to 1997 (mid-1998 for SSPI). These values did not necessarily occur in the same year. The staff also looked at the minutes of the SMM discussions and talked to the appropriate program managers to understand why the selected plants were discussed, sent trending letters, or placed on the watch list. There were of course a number of reasons, some of which we would have expected the PIs to identify and others that would only be found by inspection. In Table 3, under the Method of Problem Identification, we have listed the one that we concluded was more likely to have identified the problems, although both PIs and inspection would have been involved. We also looked at each plant's PIs the year before the SMM action to see if they provided a leading indication. Table 3 was useful in analyzing the effectiveness of the PIs as a set and individually, in performing sensitivity analyses of the thresholds, and in identifying plants in the yellow band to assess the timeliness of the PIs.

The staff looked at the PIs year by year for the watch list and declining trend plants, and those plants that had an ASP event of >10⁻⁵ conditional core damage probability (CCDP) between 1995 and 1997. We also reviewed the correlation analyses performed by Arthur Andersen in developing the trending methodology currently used in the SMM process to determine if the proposed PIs are among those that would be expected to identify SMM discussion plants.

Results

The staff's analyses resulted in the following findings with regard to the seven questions addressed in this study:

1. Do the PIs as a set differentiate between superior, average, declining trend, and watch list plants?

The set of PIs do differentiate between watch list and other plants in both the number and magnitude of the PIs. Watch list plants typically have two or three PIs well into the white band. Superior performers have at most one PI in the white band, and average or declining plants have two PIs relatively low in the white band. It is difficult, however, to differentiate between St. Lucie (NEI declining trend plant) and some of the watch list plants on the basis of the PIs alone.

2. How effective are individual PIs at differentiating between plants with different levels of performance?

The most effective PIs for differentiating between SMM designated plant performance levels are SSFs and Transients, largely because they have the most non-zero data points and are considered to be more leading indicators to SSPIs and reactor scram indicators, respectively. In the Arthur Andersen statistical analysis of the existing NRC PIs, SSFs correlated highly with the discussion plant list. It is the most consistent of the proposed PIs in identifying the watch list plants. SSFs provided additional information not available in the other PIs. All of the watch list plants (14) and four of the seven (57%) declining trend plants were in the white band, while only two average plants (33%) and no superior plants were in the white. In the case of Transients, six watch list plants (43%), two declining trend plants (29%), one average plant (17%), and one superior plant (17%) were in the white. The barrier PIs were not available for all plants. Of those plants with data, one of four (25%) superior plants was in the white band, along with two of three (67%) average plants, two of three (67%) declining trend plants, and one of eight (12.5%) watch list plants. The Scram PI was in the white band for no superior plants, one of six (17%) average plants, three of seven (43%) declining trend plants, and five of fourteen (36%) watch list plants. The SSA PI was in the green band for all plants except one declining trend plant that was in the white band; that plant was also in white band in Scrams, Transients, and the high-pressure injection SSPI.

The SSPI was out of the green band for none of the superior plants, five of six (83%) average plants (including two plants in the yellow band), two of seven (29%) declining trend plants, and four of the thirteen (31%) watch list plants for which the data were available.

3. Do the Pls demonstrate timely response (i.e., do not go directly from green to red)?

Only two of the plants we benchmarked, Point Beach Units 1 and 2, went into the yellow band between 1993 and 1997. This occurred in just one indicator, the Emergency AC (EAC)

Pl. The indicator was in the white band from the first quarter of 1993 (when the SSPI started) through the second quarter of 1996. It was in the green band from the third quarter of 1996 through the first quarter of 1997, then went into the yellow band in the second quarter of 1997. Although the Pl went directly from the green band to the yellow, the NRC would have had substantial opportunity to engage the licensee on this issue in prior periods I-4

Table 3 Benchmarking Summary Safety System Peebrmance Indicator Method of Performa RCS RCS Contaln-Transient (Unavaltabinty)

Problem nee Plant Activity' Leessge' ment Screme' SSAe' SSFe*

e > 20%*

Identifiestle Category Leekage' EAC' HPF AFW RNR*

n Escenen T..-

G G

G G(1)

G (1)

G(1)

G(2)

G (0 011)

G (0 012)

G (0 007)

NA NA t (net)

Turkey P13 G

G G

G (1)

G (1)

G (3)

G (7)

G (0 007)

G (0 009)

G (0 018)

NA NA Superto r (MRC)

Turkey Pt 4 G

G G

G p)

G (1)

G (2)

W(12)

G (0 007)

G (0 011)

G (0 013)

NA NA Canaway W(10)

G G

G p)

G (0)

G (3)

G (5)

G (0 021)

G (0 012)

G (0 013)

NA NA Vogfie 1 No Data No Data No Data G p)

G p)

G (3)

G (3)

G (0 006)

G (0 004)

G (0 002)

NA NA Vogtie 2 No Data No Data No Data G p)

G (1)

G p)

G (3)

G (0 006)

G (0 003)

G (0 006)

NA NA Average Ca vert 1 G

G W(10)

G (3)

G 0)

G (3)

G (6)

W(0 027)

G (0 013)

G.o 012)

NA NA e

(NEI)

Calvert 2 C

G W(10)

W (4)

G 0)

G p)

W (9)

W(0 027)

G (0 008)

W(0 024)

NA NA Average Davts-Besse No Data No Data No Data G (1)

G (0)

G (2)

G (5)

G (0 004)

G (0 008)

G (0 005)

NA NA (NRC)

Pt Beach 1 No Data No Data No Data G p)

G (1)

W(12)

G (3)

Y (0 051)

G (0 003)

G (0 013)

NA NA

| Performance Category | Plant | RCS Activity | RCS Leakage | Containment Leakage | Scrams | SSAs | SSFs | Transients >20% | SSPI Unavailability: EAC | SSPI Unavailability: HPI | SSPI Unavailability: AFW | SSPI Unavailability: RHR | Method of Problem Identification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | Pt Beach 2 | No data | No data | No data | G (1) | G (2) | W (10) | G p) | Y (0.051) | G (0.003) | G (0.011) | NA | NA |
| | Tut 1 | G | G | G | G (1) | G (1) | G (2) | G (4) | G (0.021) | W (0.018) | G (0.004) | NA | NA |
| Declining (NEI) | St Lucie 1 | G | G | G | W (5) | W (4) | G (3) | W (14) | G (0.016) | W (0.027) | G (0.010) | NA | NA |
| | St Lucie 2 | G | W (10) | G | G (2) | G (1) | G (1) | W (22) | G (0.010) | G (0.010) | G (0.019) | NA | NA |
| | Ft Calhoun | W (50) | W (10) | G | G (3) | G (2) | G (3) | G (4) | G (0.012) | G (0.001) | G (0.003) | NA | NA |
| Declining (NRC) | D C Cook 1 | No data | No data | No data | G (2) | G (1) | W (6) | G (2) | G (0.014) | G (0.007) | G (0.010) | NA | INS |
| | D C Cook 2 | No data | No data | No data | W (4) | G (0) | W (6) | G (1) | G (0.014) | G (0.006) | G (0.008) | NA | INS |
| | Cooper | No data | No data | No data | G (1) | G (1) | W (11) | G p) | G (0.011) | G (0.029) | NA | G (0.014) | PI |
| | Hope Creek | G | G | No data | W (5) | G (2) | W (7) | G (7) | G (0.018) | W (0.042) | NA | G (0.006) | PI |
| Watch List (NEI) | Dresden 2 | No data | G | G | G (1) | G (2) | W (9) | G (9) | G (0.019) | G (0.015) | NA | W (0.017) | PI |
| | Dresden 3 | No data | G | G | W (4) | G (2) | W (9) | G (7) | G (0.019) | G (0.018) | NA | G (0.011) | PI |
| | Salem 1 | G | G | G | W (5) | G (3) | W (11) | W (26) | G (0.014) | G (0.009) | G (0.009) | NA | INS |
| | Salem 2 | G | G | G | G (2) | G (2) | W (11) | W (23) | G (0.014) | G (0.010) | G (0.005) | NA | INS |
| | Quad Cities 1 | G | W (10) | No data | G (1) | G (0) | W (8) | W (13) | W (0.026) | W (0.07f) | NA | G (0.000) | PI |
| | Quad Cities 2 | G | G | No data | W (5) | G (1) | W (13) | W (14) | W (0.026) | G (0.037) | NA | G (0.001) | PI |
| | LaSalle 1 | G | G | G | G (3) | G (3) | W (0) | G (7) | G (0.012) | G (0.021) | NA | G (0.009) | PI |
| | LaSalle 2 | G | G | G | W (4) | G (3) | W (6) | G (4) | G (0.012) | G (0.029) | NA | G (0.000) | PI |
| Watch List (NRC) | Millstone 1 | No data | No data | No data | G (1) | G (1) | W (21) | G (7) | G (0.018) | G (0.012) | NA | G (0.005) | INS |
| | Millstone 2 | No data | No data | No data | W (5) | G (2) | W (17) | G (7) | G (0.013) | G (0.007) | G (0.010) | NA | INS |
| | Millstone 3 | No data | No data | No data | G (1) | G (1) | W (21) | G (5) | G (0.016) | G (0.013) | G (0.020) | NA | INS |
| | Maine Yankee | No data | No data | No data | G (2) | G (0) | W (6) | W (12) | No data | No data | No data | No data | INS |
| | Indian Pt. 3 | G | G | No data | G (2) | G (2) | W (14) | W (9) | W (0.026) | G (0.003) | G (0.006) | NA | INS |
| | Crystal River 3 | No data | No data | No data | G (1) | G (2) | W (9) | G (8) | G (0.009) | G (0.012) | G (0.007) | NA | PI |

1 7.be indicator has entered the white or W band, the r_.e or quarters .. those E wh es ir@cated

2 Values in ( ) are the maximum number of events within a calendar year over the period 1993 to 1997; performance assessed using thresholds of 3 (g-w), 6 (w-y), and 25 (y-r)

3 Values in ( ) are the maximum number of events within a calendar year over the period 1993 to 1997; performance assessed using a threshold of 5

4 Values in ( ) are the maximum number of events within a calendar year over the period 1993 to 1997; performance assessed using a threshold of 8

5 Performance assessed using thresholds of 0.025 (g-w), 0.050 (w-y), and 0.10 (y-r)

6 Performance assessed using thresholds of 0.015 for PWRs and 0.04 for BWRs (g-w), 0.050 for PWRs and 0.12 for BWRs (w-y), and TBD for PWRs and 0.50 for BWRs (y-r)

7 Performance assessed using thresholds of 0.02 (g-w), 0.08 (w-y), and 0.12 (y-r)

8 Performance assessed using thresholds of 0.015 (g-w), 0.05 (w-y), and TBD (y-r)

when the PI showed early declining trends (i.e., dropped into the white band). There were no instances in which a PI was in the red band for any of the plants analyzed.

4. Do the PIs show declining trends for plants in SMM designated performance categories prior to SMM actions? If so, which ones are most effective? If not, would they be expected to show a declining trend?

The staff looked at the PIs for each of the selected watch list plants in the year prior to its going on the watch list. The only PIs that entered the white band in that year were SSFs for 6 of the 14 plants (43%), and Transients for 3 plants (21%). A sensitivity analysis, in which the threshold was adjusted up and down by 1 or 2, produced the results shown in Table 4.

Table 4. Watch List Plant Sensitivity Analysis

| | -2 | -1 | 0 | +1 | +2 |
|---|---|---|---|---|---|
| SSFs | 12 | 8 | 6 | 5 | 4 |
| Transients | 4 | 3 | 3 | 3 | 2 |

Moving the threshold down (lowering it) would be expected to capture additional plants, while moving it up (raising it) would be expected to capture fewer plants. The table shows the total number of plants captured as the thresholds are changed. Of the 14 watch list plants selected for this analysis, 7 of them had problems that should be identified by PIs: Dresden 2 and 3, Quad Cities 1 and 2, LaSalle 1 and 2, and Crystal River 3. In the year before going on the watch list, the SSF indicator went into the white band for Dresden 3 and Crystal River 3, and the Transients indicator went into the white band for Dresden 2 and 3. By lowering the SSF threshold from 5 to 4, Quad Cities 1 and LaSalle 2 would be captured. Lowering the SSF threshold to 3 would pick up Dresden 2 and LaSalle 1. Changing the Transients threshold would not capture any additional watch list plants. Salem 1 and 2 and Millstone 1 and 2 went into the white band for SSFs, although we would not have expected their problems to be identified by PIs. Maine Yankee was in the white band for Transients, although we did not expect the problems there to be identified by PIs.

5. Do the PIs show declining trends prior to ASP events? If so, which ones are most effective?

There were 11 significant (>10^-5 CCDP) ASP events in 1995 through 1997 affecting 13 units. For each affected plant, the staff looked at the PIs in the year prior to the event. The ASP event at Comanche Peak was a reactor trip with AFW unavailable, and the Unplanned Scrams (4) and Transients (11) at Unit 2 were in the white band. This would have provided the NRC with an opportunity to look into the licensee's performance prior to the ASP event. However, the AFW SSPI was near the middle of the green band. There were three other ASP events where any of the PIs were in the white band the year prior, and in each case it was the Transients indicator only. Two of the events involved EDG failure or unavailability, with the EAC SSPI well into the green band. The third event was an HPI line leak. In the two other ASP events involving reactor trips, each licensee had just one scram the year prior and no other PIs in the white band. In the four other events in which one train of AFW was unavailable, the AFW SSPI at each plant was in the green band and no other PIs were in the white band. The other ASP events included two LOOPs with no PIs in the white band.

6. How well does the set of PIs conform to those selected by Arthur Andersen for use in the trending methodology currently being used in the SMM process?

The staff looked at the correlations of the current PIs to the SMM discussion plants that was performed by Arthur Andersen. Those indicators that had a high correlation included scrams, SSFs, forced outage rate (FOR), equipment forced outages per 1000 critical hours (EFO), and several of the cause codes. The proposed PI set includes indicators that are similar to those. Scrams per 7,000 critical hours is similar to the current scrams except that it includes manual scrams as well as automatic scrams and is calculated as a rate. The Transients indicator captures FOR and EFO information. The SSF indicator is the same as the one used in the current PI program. The cause codes measure programmatic causes of events. If those programmatic weaknesses manifest themselves as degradations in performance that affect cornerstone objectives, they should result in events that are captured in the proposed PIs or risk-informed inspections.

7. Do small decreases in the green-white thresholds capture more of the watch list and declining trend plants (sensitivity analyses)?

A sensitivity analysis, in which the green-white threshold was adjusted up and down, produced the results shown in Table 5. The Number of Plants column indicates the number of plants for which data were available for that PI. The table shows the total number of plants captured as the threshold is changed. This analysis shows that Unplanned Scrams are sensitive to small increases and decreases in the threshold, and that Transients are sensitive to small decreases in the threshold. The SSPI and Barriers indicators are essentially insensitive to small changes, with the exception of the AFW SSPI.

Conclusions

As a result of this benchmarking effort, the following conclusions were reached:

1. The SSF indicator is the most effective at identifying watch list and declining trend plants identified in the SMM process. All of the watch list plants and four of the seven declining trend plants entered the white band in SSFs some time between 1993 and 1997. NEI used SSFs as a surrogate for the SSPI. Our analysis showed that it was not particularly useful for that purpose. This may have been due to the limited number of SSPI systems, inconsistent reporting of the SSPI data from plant to plant, or limitations in our ability to use the reliability portion of the indicator. However, the SSF indicator provided information not found in the other PIs. Therefore the SSF indicator was added to the set of proposed indicators. The next most effective indicator with respect to identifying watch list plants is Transients. By their nature, SSFs and Transients are considered to be leading indicators of the more risk-important indicators, Scrams, Risk-Significant Scrams, and the SSPI. They have no Required Regulatory Response threshold because they themselves are not risk-significant. They do, however, provide the best correlation with plant performance, as defined by the SMM process, for those plants analyzed.

Table 5. Performance Indicator Sensitivity Analysis

| PI (Number Change) | Number of Plants | -2 | -1 | 0 | +1 | +2 |
|---|---|---|---|---|---|---|
| Scrams | 33 | 22 | 13 | 9 | 5 | 0 |
| SSAs | 33 | 16 | 6 | 1 | 0 | 0 |
| SSFs | 33 | 21 | 21 | 20 | 16 | 15 |
| Transients | 33 | 18 | 12 | 10 | 8 | 8 |

| PI (% Change) | Number of Plants | -20 | -10 | 0 | +10 | +20 |
|---|---|---|---|---|---|---|
| EAC SSPI | 32 | 9 | 7 | 7 | 2 | 2 |
| HPI SSPI | 32 | 7 | 5 | 4 | 3 | 2 |
| AFW SSPI | 23 | 5 | 3 | 1 | 1 | 0 |
| RHR SSPI | 9 | 2 | 2 | 1 | 1 | 0 |

| PI (% Change) | Number of Plants | -20 | -10 | 0 | +10 | +20 |
|---|---|---|---|---|---|---|
| RCS Act | 18 | 2 | 2* | 2 | 2 | 2 |
| RCS Leak | 20 | 5 | 3 | 3 | 2 | 1 |
| Ctmnt Leak | 16 | 2 | 2 | 2 | 2 | 2 |

* A 10 percent decrease in the white-yellow threshold would put both plants in the yellow band.

2. The barrier PIs provided minimal differentiation between plant performance categories as identified by the SMM process. Few plants crossed into the white zone between 1993 and 1997, and those that did included one or two in each performance category. These results were rather insensitive to the thresholds. The plants typically spiked well into the white band and returned to the green band the next quarter. The barrier PIs appear useful for specific, normally short duration problems.

3. The SSA indicator proposed by NEI did not differentiate between plants or add any new information. Only one plant, a declining trend plant, was in the white band, and it was also in the white band for Transients. Lowering the threshold by one would capture two average plants and three watch list plants, all of which were identified by other PIs. In addition, the SSA indicator did not show a strong correlation to the discussion plants in Arthur Andersen's analysis. For these reasons, we do not include SSAs in our proposed set of indicators.

4. The Scrams indicator did a pretty good job of differentiating between the performance categories, but it only identified about one-third of the watch list plants.

5. Most of the SSPIs did not show declining performance consistent with the outcomes of the SMM process. The percentage of plants categorized as average that were out of the green band was much higher than any other performance category. The only yellow bands in our set of plants occurred in the Emergency AC SSPI indicator for Point Beach 1 and 2, classified as average performers. There may be inconsistencies in the reporting of the data; this will need to be investigated further.

6. The set of PIs did identify watch list plants prior to going on the watch list to some extent (i.e., several PIs dipped into the white band). This analysis indicates that adjusting the thresholds would be necessary to better match the outcomes of the SMM process.

7. As a result of the benchmarking analyses and detailed qualitative evaluation of the PIs in each cornerstone area, the staff is confident that the overall set of PIs provides a reasonably accurate depiction of plant performance in those areas that the PIs monitor. We believe it is useful for determining when NRC inspection is warranted in those areas, and for allocating inspection resources to areas not covered by the PIs.

EMERGENCY PREPAREDNESS CORNERSTONE

Background

There are three performance indicators for this cornerstone that measure the performance of the Emergency Response Organization (ERO) drill/exercise performance (DEP), the readiness of the ERO, and the Alert and Notification System availability (ANSA). Both long-term and short-term thresholds have been established for each of these PIs for both the white and yellow bands; there are no red bands for these indicators. Each of the PIs is measured in percentages.

Scope

This analysis evaluated the DEP and ANSA PIs, since data for the ERO Readiness PI were not readily available. To perform the DEP analysis, data were collected from 70 plants from 1994 through 1997. The data were compared to the 24 month threshold because data were not available in six month increments. For the ANSA analysis, siren data were obtained from 20 plants from 1995 through 1997.

Method

The PI data were analyzed to identify the lowest ERO and ANSA performance during the study period. This value was compared to the thresholds to identify the worst-case performance band.

Results

The performance of the DEP went into the white band for 9 of the 70 plants analyzed in the 4 year period. Those plants are shown in Table 6, along with the lowest value of the PI during the period. Of the 20 plants analyzed for the ANSA, only Turkey Point was in the white band, with a value of 91.1%.

Table 6. Emergency Preparedness Benchmarking Summary

| | Cooper | Haddam Neck | Palo Verde | Prairie Island | Quad Cities | River Bend | TMI | WNP 2 | Wolf Creek |
|---|---|---|---|---|---|---|---|---|---|
| DEP | 70% | 80% | 70% | 80% | 80% | 80% | 80% | 80% | 85% |

Conclusions

In 1998 the NRC identified Clinton as a plant with a large number of concerns in emergency preparedness. The DEP PI for Clinton for the past 4 years does not indicate any decline in performance. Therefore, the indicator would not have identified Clinton's weaknesses. In contrast, the DEP PI for Three Mile Island appropriately shows the decline in performance that was identified in 1997 during NRC inspections. Cooper was also identified as a plant with performance problems and the PI shows this status. In general, the plants identified by this analysis were consistent with those identified as having a deteriorating trend in EP performance.

Tests of individual plant performance against the 6 month threshold have not been performed due to the lack of sufficient plant-specific data in any 6 month interval. It is believed that sufficient data will be available in the future to validate the short-term threshold. The 6 month threshold could be validated after a year of implementation. This will also give an opportunity to revisit the 24 month threshold.

Evaluation of availability data for ANS systems shows the historical high reliability of these systems. Very few plants experience ANS availability below the threshold value and none experienced availability below the regulatory value of 90%. One plant did show availability below the threshold and this performance clearly represents an unusually low ANS system performance.

OCCUPATIONAL EXPOSURE CORNERSTONE

Background

There is one performance indicator for this cornerstone that comprises the sum of three measures of licensee performance in controlling worker doses during work activities in elevated radiation fields or airborne radioactivity areas. The white band for the PI is either more than five occupational radiological occurrences in a rolling 3 year interval or more than two occurrences in a rolling 12 month interval. The yellow band is more than 11 occurrences in a rolling 3 year interval or more than five occurrences in a rolling 12 month interval. There is no red band for this PI.

Scope

The staff and NEI both identified sites whose performance in occupational radiation protection activities was considered to be below or declining from industry standards. The combined list totaled 14 sites. The staff also identified 12 sites considered to be good performers in occupational radiation protection activities. NEI provided data from 1996 through 1998 on 9 of the 14 poor performers and 7 of the 12 good performers. The plants were identified by numbers and not by plant names. The staff also collected the SALP categories in Plant Support for these plants, since plants with a 2 or 3 in that functional area normally have poor radiation protection programs.

Method

The PI data for the 16 plants was analyzed by the staff to compare the highest PI values (both 3 year and 1 year totals) to the thresholds and to identify the corresponding performance band.

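Results

The results are shown in Table 7. The table indicates the plant number, the highest PI value during the study period, the performance band corresponding to that total, and the Plant Support SALP category at the time of the highest PI value. The PI values shown are the greatest 12 month total; only plant 8 exceeded the 3 year threshold (6 occurrences), and it was also identified by the 12 month threshold.

Table 7. Occupational Exposure Benchmarking Summary

| Group | Plant | SALP Score | PI | Total |
|---|---|---|---|---|
| Poor Performers | 1 | 3 | W | (4) |
| Poor Performers | 4 | 2 | G | (0) |
| Poor Performers | 5 | 2 | G | (1) |
| Poor Performers | 6 | 2 | G | (0) |
| Poor Performers | 7 | 2 | W | (3) |
| Poor Performers | 8 | 2 | W | (5) |
| Poor Performers | 9 | 2 | G | (2) |
| Poor Performers | 10 | 2 | W | (3) |
| Poor Performers | 11 | 2 | W | (3) |
| Good Performers | 16 | 1 | G | (0) |
| Good Performers | 19 | 1 | G | (1) |
| Good Performers | 20 | 1 | G | (0) |
| Good Performers | 22 | 1 | G | (1) |
| Good Performers | 23 | 1 | G | (0) |
| Good Performers | 24 | 1 | G | (2) |
| Good Performers | 25 | 1 | G | (1) |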

Conclusions

The benchmarking analysis showed reasonable agreement with the perceived performance of the plants. The plants considered to be good performers had Plant Support SALP 1s and generally low PI values; five of the nine plants considered to be poor performers had PIs in the white band and all had SALP categories of 2 or 3. (Plants number 7 and 11 were identified as poor performers by NEI but not by the NRC.) The alignment of NRC staff and Plant Support SALP categories with the performance indicator thresholds supports their initial use in assessing licensee performance.

PUBLIC EXPOSURE CORNERSTONE

Background

There is one performance indicator for this cornerstone which measures the number of occurrences of offsite reportable events. The white band for this PI is either more than six events in a rolling 3 year interval or more than three events in a rolling 12 month interval. The yellow band is either more than 13 events in a rolling 3 year interval or more than 7 events in a rolling 12 month interval.

Scope

The staff and NEI both identified sites whose performance in effluent monitoring and offsite releases was considered to be below or declining from industry standards. The combined list totaled 15 sites. The staff also identified 12 sites considered to be good performers. NEI provided data from 1995 through 1997 on 11 of the 15 poor performers and 6 of the 12 good performers. The plants were identified by numbers and not by plant names.

Method

The PI data for the 17 plants was analyzed by the staff to compare the highest PI values (both 3 year and 1 year totals) to the thresholds and to identify the corresponding performance band.

Results

The results are shown in Table 8. The table indicates the plant number, the highest PI value during the study period, and the performance band corresponding to that total. The PI values shown are the greatest 12 month total; plants 2 and 5 exceeded the 3 year threshold (7 occurrences each), and were also identified by the 12 month threshold.

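Table 8. Public Exposure Benchmarking Summary

| Group | Plant | PI | Total |
|---|---|---|---|
| Poor Performers | 2 | W | (5) |
| Poor Performers | 3 | G | (2) |
| Poor Performers | 4 | W | (4) |
| Poor Performers | 5 | W | (4) |
| Poor Performers | 6 | G | (0) |
| Poor Performers | 7 | G | (0) |
| Poor Performers | 8 | G | (0) |
| Poor Performers | 9 | W | (4) |
| Poor Performers | 13 | G | (3) |
| Poor Performers | 14 | G | (0) |
| Poor Performers | 15 | G | (0) |
| Good Performers | 16 | G | (1) |
| Good Performers | 17 | G | (1) |
| Good Performers | 18 | G | (2) |
| Good Performers | 25 | G | (0) |
| Good Performers | 26 | G | (2) |
| Good Performers | 27 | GQ | |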

Conclusions

The benchmarking analysis showed some agreement with the perceived performance of the plants. The plants considered to be good performers had generally low PIs and none of them entered the white band; 4 of the 11 plants considered to be poor performers had PIs in the white band. From subsequent review and discussion of the effluent monitoring LERs, the expert panel verified that not all events reportable to the NRC in accordance with the ODCM or RETS were included in the data submitted for benchmarking. Following receipt of additional reportable data from semiannual effluent reports these threshold values will be reviewed further.

PHYSICAL SECURITY CORNERSTONE

Background

There are four performance indicators proposed for this cornerstone, two to measure the effectiveness of the Physical Protection System and two to measure the effectiveness of the Access Authorization System. The two measures of the Physical Protection System are the percent availability of security equipment for the protected area and for the vital area respectively. The thresholds have been developed based on the professional judgment of the NRC, NEI, and industry peer working group on what is the appropriate level of performance. The thresholds that are proposed are 95 to 100% availability for the green band, 85 to 94% for the white band, and below 85% for the yellow band. The two measures of the Access Authorization System are the number of reportable events involving access control and fitness for duty. The thresholds for determining acceptable implementation of these programs were developed based on the professional judgment of the NRC, NEI, and industry peer working group. The thresholds that are proposed are 0 to 2 reportable events per year in either area for the green band, 3 to 5 reportable events per year for the white band, and 6 or more per year for the yellow band.

Scope

Industry historical data was collected in an attempt to benchmark the Physical Protection System PIs. However, because of the lack of consistency in past data collection and categorization processes, valid benchmarking was not possible. An attempt was made to benchmark the Access Authorization System PIs using data from 1996 and 1997. Data for the access control PI were available but fitness for duty reportable events could not easily be separated.

Method

Access control reportable events during 1996 and 1997 were collected for nine plants that were categorized by the peer group as either poor or good performers. The worst performance band for each plant during the 2 year period was then identified.

Results

The results of the benchmarking analysis are shown in Table 9. The table indicates the worst performance band and the corresponding number of annual events during the study period.

Table 9. Physical Security Benchmarking Summary (Good Performers, then Poor Performers)

| | Dresden | Harris | Palo Verde | Perry | San Onofre | Wolf Creek | River Bend | St. Lucie | Waterford |
|---|---|---|---|---|---|---|---|---|---|
| Access Control | G (1) | G (2) | G (2) | G (1) | G (1) | G (1) | G (2) | G (2) | W (4) |

Conclusions

The access control data generally confirmed the perception that overall these programs were working as intended and did identify one program with known weaknesses. However, because of a lack of consistency in the criteria used for reporting the data, complete confidence in the benchmarking process was not possible. Standardization of the data reporting will be addressed during the verification and validation process.

The collegial decision on the thresholds by the industry group will be subject to review after data has been gathered for a period of time and some history is established. The thresholds should be reviewed after a 2 year period to evaluate their validity and to make adjustments if necessary.


Appendix J Team Charter

PURPOSE

The purpose of the taskforce is to develop details of the framework for a more objective, risk-informed, performance-based approach to licensee performance assessment and related bases for inspection activities. Information developed as part of the task will be used in the development of risk-informed baseline inspection and performance assessment tasks.

SCOPE

This activity includes: articulation of the principles, bases, and logic of the framework; identification and evaluation of performance indicators (PIs) and associated performance thresholds for initial implementation of the framework; and determining the limitations of PIs used for performance assessment and developing inspection bases for rebaselining the inspection program. The work of the taskforce will follow and build on the defining principles and cornerstone development effort that was begun at the Performance Assessment Workshop held September 28, 1998 through October 1, 1998. It is recognized that this program will evolve and be refined over a period of years. Therefore, the intent of the taskforce is to develop sufficient detail to allow the Commission to make a decision on the efficacy and direction of this new approach to licensee oversight and, if approved, lay the groundwork for initial implementation.

PRODUCT

By November 25, 1998, the taskforce will provide to the Director, Division of Inspection and Support Programs, NRR and the Director of NRR, documents describing the overall framework, performance indicators and thresholds, and related bases for the inspection program. These documents will contain the principles, bases, logic, and supporting technical information and will be in the form of appendices to a Commission Paper.
