ML20210F527

Forwards Copy of Revised NUMARC 9301,Chapter 11, Assessment of Risk Resulting from Performance of Maint Activities, for Placement in PDR
ML20210F527
Person / Time
Issue date: 07/28/1999
From: Scott W
NRC (Affiliation Not Assigned)
To: Quay T
NRC (Affiliation Not Assigned)
References
NUDOCS 9907300222


Text

July 28, 1999

NOTE TO: Theodore Quay, Chief
Quality Assurance, Vendor Inspection, Maintenance and Allegations Branch

THRU: Richard Correia, Chief
Reliability and Maintenance Section

FROM: Wayne Scott
Quality Assurance, Vendor Inspection, Maintenance and Allegations Branch

SUBJECT: REVISED NUMARC 9301, CHAPTER 11, "ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES"

On July 27, 1999, we received the subject document via e-mail from Mr. Biff Bradley of the Nuclear Energy Institute. I have attached a copy. This document should be placed in the PDR as soon as possible.

cc: PDR, NUDOCS


DRAFT

11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES

11.1 Reference

10 CFR 50.65(a)(4)

Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of structures, systems, and components (SSCs) to be included in the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and safety.

11.2 Background

Maintenance activities must be performed to provide the level of plant equipment reliability necessary for safety, and should be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability and availability.

The benefits of well managed maintenance conducted during power operations include increased system and unit availability, reduction of equipment and system deficiencies that could impact operations, more focused attention during periods when fewer activities are competing for specialized resources, and reduction of work scope during outages. In addition, many maintenance activities may be performed during power operation with a smaller net risk impact than during outage conditions, particularly for systems whose performance is most important during shutdown, or for which greater functional redundancy is available during power operations.

11.3 Guidance

This section provides guidance for the development of an approach to assess and manage the risk impact expected to result from performance of maintenance activities. Assessing the risk means using a risk-informed process to evaluate the overall contribution to risk of the planned maintenance activities. Managing the risk means providing plant personnel with proper awareness of the risk, and taking actions as appropriate to control the risk.

The assessment is required for maintenance activities performed during power operations or during shutdown. Performance of maintenance during power operations should be planned and scheduled to properly control out-of-service time of systems or equipment. Planning and scheduling of maintenance activities during shutdown should consider their impact on performance of key shutdown safety functions.

7/22/99 1

11.3.1 Assessment Process, Control, and Responsibilities

The process for conducting the assessment and using the result of the assessment in plant decisionmaking should be proceduralized. The procedures should denote responsibilities for conduct and use of the assessment, and should specify the plant functional organizations and personnel involved, including, as appropriate, operations, engineering, and risk assessment (PSA) personnel.

11.3.2 General Guidance for the Assessment - Power Operations and Shutdown

1. Power Operating conditions are defined as plant modes other than hot shutdown, cold shutdown, refueling, or defueled. Section 11.3.3 describes the scope of SSCs subject to the assessment during power operations. Section 11.3.5 describes the scope of SSCs subject to the assessment during shutdown.
2. The assessment method may use quantitative approaches, qualitative approaches, or blended methods. In general, the assessment should consider:

  • The degree of redundancy available for performance of the safety function(s) served by the out-of-service SSC
  • The duration of the out-of-service condition
  • The likelihood of an initiating event or accident that would require the performance of the affected safety function
  • The likelihood that the maintenance activity will increase the frequency of an initiating event
  • Component and system dependencies that are affected

3. The assessments may be predetermined or performed on an as-needed basis.

4. The degree of depth and rigor used in assessing and managing risk should be commensurate with the safety significance of the SSCs planned for maintenance, and the impact of the maintenance activity on the train or system function.

5. The assessment should take into account whether the out-of-service SSCs could be promptly restored to service if the need arose due to emergent conditions. The assessment should consider the time necessary for restoration with respect to the time at which performance of its safety function would be needed. Examples include:

  • An SSC out-of-service for monitoring or surveillance may be capable of prompt restoration of function, whereas an SSC out of service for extensive maintenance would typically not be promptly available.
  • An SSC placed in pull-to-lock (automatic feature disabled) would still be functional in that the system would start if switched to run.

6. Emergent conditions may arise which require action prior to conduct of the assessment, or which change the conditions of a previously performed assessment. Examples include plant configuration or mode changes, additional SSCs out of service due to failures, or significant changes in external conditions (weather, offsite power availability). The following guidance applies to this situation:

  • The safety assessment should be performed (or re-evaluated) to address the changed plant conditions on a reasonable schedule commensurate with the safety significance of the condition. Based on the results of the assessment, ongoing or planned maintenance activities may need to be suspended or rescheduled, and SSCs may need to be returned to service.
  • Performance (or re-evaluation) of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions.
  • If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted.

11.3.3 Scope of Assessment for Power Operating Conditions

The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment for power operating conditions is as follows:

1. Those SSCs included in the scope of the plant's level one, internal events probabilistic safety assessment (PSA), and
2. SSCs in addition to the above that have been determined to be high safety significant (risk significant) through the process described in Section 9.3 of this document.

Note 1: Appendix E provides information on PSA attributes.

Note 2: SSCs within the plant PSA scope may be eliminated from further consideration for the (a)(4) assessments if they are evaluated and shown to have minimal safety significance regardless of plant configuration.

Note 3: If the plant PSA includes level two considerations (containment performance, release frequency), the scope of the (a)(4) assessment may optionally include the scope of the level two PSA. Otherwise, inclusion within the assessment scope of SSCs important to containment performance may be covered by inclusion of high safety significant SSCs as discussed in item 2 of the above section. Section 9.3.1 of this document discusses the importance of containment performance as a consideration in identifying risk significant (high safety significant) SSCs, and is repeated below:

"Most of the methods described below identify risk significant SSCs with respect to core damage. It is equally important to identify as risk significant those SSCs that prevent containment failure or bypass that could result in an unacceptable release. Examples might include the containment spray system, containment cooling system, and valves that provide the boundary between the reactor coolant system and low pressure systems located outside containment."

11.3.4 Assessment Methods for Power Operating Conditions

The assessment for removal from service of a single SSC for a reasonable amount of time (e.g., the Technical Specifications allowed out-of-service time, or a commensurate time for a non-Technical Specification SSC), need only consider if unusual conditions are present or imminent (e.g., severe weather, offsite power instability).

Sections 11.3.4.1 and 11.3.4.2 provide guidance for the conduct of the assessment prior to planned maintenance activities that simultaneously affect more than one SSC.

As noted, the assessment may be performed using quantitative, qualitative, or blended methods. Additional guidance is provided below:

11.3.4.1 Quantitative Considerations

For maintenance resulting in simultaneous removal from service of multiple SSCs within the scope of the PSA, the assessment process may be informed by a tool or method that considers quantitative insights from the PSA. This can take the form of using the PSA model, or using a safety monitor, matrix, or list derived from the PSA insights. Appendix E provides information on PSA attributes.

If the PSA is modeled at a level that does not directly reflect the SSC to be removed from service (e.g., the RPS system, diesel generator, etc. has been modeled as a "single component" in the PSA), the assessment should include consideration of the impact of the out of service SSC on the safety function of the modeled component. SSCs are considered to support the safety function if the SSC is significant to the success path for function of the train or system (e.g., primary pump, or valve in primary flowpath). However, if the SSC removed from service does not contribute significantly to the train or system safety function (e.g., indicator light, alarm, drain valve), the SSC would not be considered to support the safety function.

11.3.4.2 Qualitative Considerations

1. The assessment may be performed by a qualitative approach, by addressing the impact of the maintenance activity upon key safety functions, as follows:

  • Identify key safety functions affected by the SSC planned for removal from service.
  • Consider the degree to which removing the SSC from service will impact the key safety functions.
  • Consider degree of redundancy, duration of out-of-service condition, and appropriate compensatory measures, contingencies, or protective actions that can be taken.

2. For power operation, key plant safety functions are those that ensure the integrity of the reactor coolant pressure boundary, ensure the capability to shut down and maintain the reactor in a safe shutdown condition, and ensure the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure comparable to 10 CFR Part 100.

Examples of these power operation key safety functions are:

  • Containment Integrity (Containment Isolation, Containment Pressure and Temperature Control);
  • Reactivity Control;
  • Reactor Coolant Heat Removal; and
  • Reactor Coolant Inventory Control.

3. The key safety functions are achieved by using systems or combinations of systems, that could include redundant subsystems or trains. For the purposes of the equipment out-of-service assessment, SSCs are considered to support a key safety function if they:

  • Have a significant impact on the performance of a key safety function; or
  • Have a significant potential to challenge a key safety function, such as SSCs whose failure would result in a scram or safety system actuation, or would significantly complicate recovery efforts.

4. The analysis should include the assessment of plant systems supporting the affected key safety functions, and trains supporting these plant systems. If the removal from service of an SSC results in the unavailability of one train of a multi-train system, the assessment should consider this impact, and should not assume that full function of the system is maintained.

6. Qualitative considerations may also be necessary to address external events, containment performance issues, and SSCs not in the scope of the level one, internal events PSA (e.g., included in the assessment scope because of expert panel considerations). In these cases, the assessment may need to include consideration of actions which could affect the ability of the containment to perform its function as a fission product barrier. With regard to containment performance, the assessment should consider:

  • Whether new containment bypass conditions are created, or the probability of containment bypass conditions is increased;
  • Whether new containment penetration failures that can lead to loss of containment isolation are created; and
  • If maintenance is performed on components of the containment heat removal system, whether redundant containment heat removal trains should be available.

7. External event considerations involve the potential impacts of weather and flooding conditions with regard to the proposed maintenance evolution. For the purposes of the assessment, weather and external flooding need to be considered if such conditions are imminent or have a high probability of occurring during the planned out-of-service duration. An example where these considerations are appropriate would be the long-term removal of exterior doors or floor plugs. Internal flood issues are associated with the potential for a condition to exist during a planned maintenance evolution when one maintenance activity poses an increased risk of flood and a second activity exposes to that flood hazard these SSCs needed to perform key safety functions.

11.3.5 Scope of Assessment for Shutdown Conditions

The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment for shutdown conditions are those SSCs necessary to support the following shutdown key safety functions (from Section 4 of NUMARC 91-06):

  • Inventory Control
  • Power Availability
  • Reactivity control
  • Containment (primary/secondary)

The shutdown key safety functions are achieved by using systems or combinations of systems, that may include redundant subsystems or trains. The shutdown assessment need not be performed for SSCs whose operability is not required by Technical Specifications during shutdown mode, unless these SSCs are considered for establishment of backup success paths or compensatory measures.

11.3.6 Assessment Methods for Shutdown Conditions

NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, Section 4.0, provides a complete discussion of shutdown safety considerations with respect to maintaining key shutdown safety functions, and should be considered in developing an assessment process that meets the requirements of 10 CFR 50.65(a)(4).

Performance of the safety assessment for shutdown conditions generally involves a qualitative assessment with regard to key safety functions, and follows the same general process described in Section 11.2.4.2.3 above. (Those plants that have performed shutdown PSAs can use these PSAs as the basis for their shutdown assessment methods.) However, there are some different considerations than the at-power assessment. These include:

  • The shutdown assessment is typically focused on SSCs "available to perform a function" versus SSCs "out of service" in the case of power operations. Due to decreased equipment redundancies during outage conditions, the outage planning and control process involves consideration of contingencies and backup methods to achieve the key safety functions, as well as on measures that can reduce both the likelihood and consequences of adverse events.
  • Assessments for shutdown maintenance activities need to take into account plant conditions and multiple plant configurations that impact the shutdown key safety functions. The shutdown assessment is a component of an effective outage planning and control process.
  • Maintenance activities that do not necessarily remove the SSC from service may still impact plant configuration and impact key safety functions. Examples include:
      • A valve manipulation that involves the potential for a single failure to create a draindown path affecting the inventory control key safety function.
      • A switchyard circuit breaker operation that involves the potential for a single failure to affect availability of AC power.

Because of the special considerations of shutdown assessments, additional guidance is provided below with respect to each key safety function:

11.3.6.1 Decay Heat Removal Capability

Assessments for maintenance activities affecting the DHR system should consider that other systems and components can be used to remove decay heat depending on a variety of factors, including the plant configuration, availability of other key safety systems and components, and the ability of operators to diagnose and respond properly to the event. For example, assessment of maintenance activities that impact the decay heat removal key safety function should consider:

  • initial magnitude of decay heat
  • time to boiling
  • time to core uncovery
  • time to containment closure
  • initial RCS water inventory condition (e.g., filled, reduced, mid-loop, refueling canal filled, reactor cavity flooded, etc.)
  • RCS configurations (e.g., open/closed, nozzle dams installed or loop isolation valves closed, steam generator manways on/off, vent paths available, temporary covers or thimble tube plugs installed, main steam line plugs installed, etc.)
  • natural circulation capability with heat transfer to steam generator shell side

If the fuel is offloaded to the spent fuel pool during the refueling outage, the decay heat removal function is shifted from the RCS to the spent fuel pool. Assessments for maintenance activities should reflect appropriate planning and contingencies to address loss of SFP cooling.

11.3.6.2 Inventory Control

Assessments for maintenance activities should address the potential for creating inventory loss flowpaths. For example,

  • For BWRs, maintenance activities associated with the main steam lines (e.g., safety/relief valve removal, automatic depressurization system testing, main steam isolation valve maintenance, etc.) can create a drain down path for the reactor cavity and fuel pool.
  • For BWRs, there are potential inventory loss paths through the DHR system to the suppression pool when DHR is aligned for shutdown cooling.
  • Assessments for maintenance activities during reduced inventory operations are especially important. Reduced inventory operation occurs when the water level in the reactor vessel is lower than 3 feet below the reactor vessel flange.
  • A special case of reduced inventory operation for PWRs is mid-loop operation, which occurs when the RCS water level is below the top of the hot legs at their junction with the reactor vessel. Similar conditions can exist when the reactor vessel is isolated from steam generators by closed loop isolation valves or nozzle dams with the reactor vessel head installed or prior to filling the reactor cavity. Upon loss of DHR under these conditions, coolant boiling and core uncovery can occur if decay heat removal is not restored or provided by some alternate means. In addition, during mid-loop operation, DHR can be lost by poor RCS level control or by an increase in DHR flow (either of which can ingest air into the DHR pump).

11.3.6.3 Power Availability

Assessments should consider the impact of maintenance activities on availability of electrical power. Electrical power is required during shutdown conditions to maintain cooling to the reactor core and spent fuel pool, to transfer decay heat to the heat sink, to achieve containment closure when needed, and to support other important functions.

  • Assessments for maintenance activities involving AC power sources and distribution systems should address providing defense in depth that is commensurate with the plant condition.
  • Assessments for maintenance activities involving the switchyard and transformer yard should consider the impact on offsite power availability.
  • AC and DC instrumentation and control power is required to support systems that provide key safety functions during shutdown. As such, maintenance activities affecting power sources, inverters, or distribution systems should consider their functionality as an important element in providing appropriate defense in depth.

11.3.6.4 Reactivity Control

The main aspect of this key safety function involves maintaining adequate shutdown margin in the RCS and the spent fuel pool. Maintenance activities involving addition of water to the RCS or the refueling water storage tank have the potential to result in boron dilution. During periods of cold weather, RCS temperatures can also decrease below the minimum value assumed in the shutdown margin calculation.

11.3.6.5 Containment - Primary (PWR)/Secondary (BWR)

Maintenance activities involving the need for open containment should include evaluation of the capability to achieve containment closure in sufficient time to mitigate potential fission product release. This time is dependent on a number of factors, including the decay heat level and the amount of RCS inventory available.

In addition to the guidance in NUMARC 91-06, for plants which obtain license amendments to utilize shutdown safety administrative controls in lieu of Technical Specification requirements on primary or secondary containment operability and ventilation system operability during fuel handling or core alterations, the following guidelines should be included in the assessment of systems removed from service:

  • During fuel handling/core alterations, ventilation system and radiation monitor availability (as defined in NUMARC 91-06) should be assessed, with respect to filtration and monitoring of releases from the fuel. Following shutdown, radioactivity in the RCS decays away fairly rapidly. The basis of the Technical Specification operability amendment is the reduction in doses due to such decay. The goal of maintaining ventilation system and radiation monitor availability is to reduce doses even further below that provided by the natural decay, and to avoid unmonitored releases.
  • A single normal or contingency method to promptly close primary or secondary containment penetrations should be developed. Such prompt methods need not completely block the penetration or be capable of resisting pressure. The purpose is to enable ventilation systems to draw the release from a postulated fuel handling accident in the proper direction such that it can be treated and monitored.

11.3.7 Managing Risk

The assessment provides insights relative to the risk-significance of maintenance activities. The process for managing risk related to maintenance activities involves using the result of the assessment in plant decisionmaking to control the risk increases. This is accomplished through prudent planning, scheduling, coordinating, monitoring, and adjusting maintenance activities to manage the risk impact. This process should include an understanding of the nature (e.g., affecting the key safety function, the core damage, or large early release frequency) and associated actions based on that understanding.

  • The risk impact of maintenance activities may be controlled by defining appropriate action levels. These actions can include operating shift personnel awareness, plant management approval, and establishment of compensatory actions, contingency plans, or alternate success paths.
  • The effective control of risk increases due to an unexpected failure of a risk-important SSC can be reasonably assured by planning for contingencies, or coordinating, scheduling, monitoring, and modifying the duration of planned maintenance activities.
  • For maintenance configurations involving higher risk for a short duration, the duration of the maintenance activity should be minimized through appropriate planning and preparation, such as briefings, training on mockups, and prestaging necessary materials and equipment. Appropriate site personnel should be at a heightened state of risk awareness while the plant is in the configuration.

11.3.7.1 Action Levels

The process for management of risk should include establishment of levels for actions as discussed above. The following factors should be considered in establishing the action levels:

  • The remaining mitigation capability, e.g., the degree of redundancy available for performance of the safety function served by the out-of-service SSC, including consideration of compensatory measures and contingencies. A greater degree of redundancy should result in a lower risk impact.
  • The duration of the out-of-service condition. A shorter duration should result in a smaller risk impact.
  • The expected frequency of the initiating event for which the performance of the safety function would be required. A lower frequency of initiators should result in a lower risk impact.

The matrices on the following page represent one method to determine action levels. These matrices are the same as those used in the NRC draft "Significance Determination Process" for inspection findings (reference). The first matrix provides a likelihood rating based on expected initiating event frequency and duration of the out-of-service condition. The event frequencies listed in the first table are approximate. Plant specific information (e.g., PSA insights) may be used to adjust the listed categories to more closely reflect the initiating event frequencies for a given plant. Further, if the proposed maintenance activity would increase the frequency of an initiating event, this may be taken into account by changing the affected initiating event frequency to reflect the increase (to the extent that it would move to a different category in the "frequency" column).

The likelihood rating is used in the second matrix (the risk significance estimation matrix) to establish a "color" indicative of risk significance, based on the remaining mitigation capability. This color is used as a basis for establishment of action levels.

The process would be applied for each SSC out of service, and for each event which the SSC mitigates (e.g., if three SSCs are out-of-service, each of which serve to mitigate two events, six colors would be determined). The intent of this approach is to remain in the green or white zones, taking into account any other SSCs out-of-service that would affect the remaining mitigation capability for the same event(s). If the evaluation indicates that the yellow zone would be entered, compensatory measures should be established to effectively return to the white zone. In general, the following action guidelines could be applied:

  Green - no action
  White - operating shift awareness
  Yellow - management approval, establishment of compensatory measures, briefings, prestaging, mockups
  Red - unacceptable condition

The above is an example only, and variations or additional actions could be established on the basis of this method.

Likelihood rating matrix (estimated likelihood rating, by duration of out-of-service condition)

| Approx. freq. | Example event type | > 30 days | 3 days - 30 days | < 3 days |
|---|---|---|---|---|
| 1-10 yr | reactor trip, loss of main feedwater, loss of condenser | A | B | C |
| 10-100 yr | LOOP, SGTR, stuck open SRV (BWR), MSLB (outside containment), loss of 1 SR bus, loss of instrument air, fire | B | C | D |
| 100-1,000 yr | small LOCA (PWR), stuck open PORV/SRV, MFLB, flood | C | D | E |
| 1,000-10,000 yr | med LOCA (PWR), small LOCA (BWR), MSLB inside containment, loss of all service water | D | E | F |
| 10,000-100,000 yr | large/medium LOCA (BWR) | E | F | G |
| Greater than 100,000 yr | large LOCA (PWR), ISLOCA, vessel rupture, severe earthquake | F | G | H |

Risk significance estimation matrix (by remaining mitigation capability)

| Scenario likelihood | ≥3 trains or 2 redundant systems | 1 redundant system + 1 train | 2 trains | 1 redundant system | 1 train | 0 |
|---|---|---|---|---|---|---|
| A | green | white | yellow | red | red | red |
| B | green | green | white | yellow | red | red |
| C | green | green | green | white | yellow | red |
| D | green | green | green | green | white | red |
| E | green | green | green | green | green | yellow |
| F | green | green | green | green | green | white |
| G | green | green | green | green | green | green |
| H | green | green | green | green | green | green |
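The two-matrix process of Section 11.3.7.1, worked through in Python as an added example (it is not part of the NEI draft or of the NRC process it cites). The matrix values are transcribed as read from this page; the `Entry` fields, the boundary handling (an interval of exactly 10, 100, ... years is placed in the more frequent row), the frequency multiplier and the sample plans are assumptions made for illustration.

```python
from typing import NamedTuple

# Upper edge, in years between events, of each frequency row of the
# likelihood rating matrix; the last row is "greater than 100,000 yr".
FREQ_ROW_UPPER_YEARS = (10, 100, 1_000, 10_000, 100_000, float("inf"))

# Remaining mitigation capability columns, most capability first.
CAPABILITY = (
    ">=3 trains or 2 redundant systems",
    "1 redundant system + 1 train",
    "2 trains",
    "1 redundant system",
    "1 train",
    "0",
)

# Risk significance estimation matrix: rating -> color per CAPABILITY column.
RISK_MATRIX = {
    "A": ("green", "white", "yellow", "red", "red", "red"),
    "B": ("green", "green", "white", "yellow", "red", "red"),
    "C": ("green", "green", "green", "white", "yellow", "red"),
    "D": ("green", "green", "green", "green", "white", "red"),
    "E": ("green", "green", "green", "green", "green", "yellow"),
    "F": ("green", "green", "green", "green", "green", "white"),
    "G": ("green",) * 6,
    "H": ("green",) * 6,
}

SEVERITY = ("green", "white", "yellow", "red")
ACTIONS = {
    "green": "no action",
    "white": "operating shift awareness",
    "yellow": "management approval, establishment of compensatory "
              "measures, briefings, prestaging, mockups",
    "red": "unacceptable condition",
}


class Entry(NamedTuple):
    """One (out-of-service SSC, mitigated event) pair (hypothetical record)."""
    ssc: str
    event: str
    years_between_events: float        # baseline initiating event frequency
    days_out_of_service: float
    capability: str                    # remaining capability, one of CAPABILITY
    frequency_multiplier: float = 1.0  # >1 if the work makes the event likelier


def likelihood_rating(years_between_events, days_out_of_service,
                      frequency_multiplier=1.0):
    """First matrix: frequency row plus duration column gives a letter A-H."""
    if frequency_multiplier <= 0:
        raise ValueError("frequency_multiplier must be positive")
    years = years_between_events / frequency_multiplier
    if years < 1:
        raise ValueError("event more frequent than the 1-10 yr row covers")
    row = next(i for i, upper in enumerate(FREQ_ROW_UPPER_YEARS)
               if years <= upper)
    if days_out_of_service > 30:
        col = 0
    elif days_out_of_service >= 3:
        col = 1
    else:
        col = 2
    # Each step down a row or right a column lowers the rating by one letter.
    return "ABCDEFGH"[row + col]


def color(entry):
    """Second matrix: rating and remaining capability give a color."""
    rating = likelihood_rating(entry.years_between_events,
                               entry.days_out_of_service,
                               entry.frequency_multiplier)
    return RISK_MATRIX[rating][CAPABILITY.index(entry.capability)]


def assess(entries):
    """Return per-pair colors, the governing (worst) color and its action."""
    colors = {(e.ssc, e.event): color(e) for e in entries}
    worst = max(colors.values(), key=SEVERITY.index, default="green")
    return colors, worst, ACTIONS[worst]


# Constructed sample plans; SSC names and numbers are illustrative only.
FEEDWATER = Entry("feedwater pump B", "loss of main feedwater", 5, 2, "2 trains")
PLAN = [Entry("diesel generator A", "LOOP", 30, 5, "1 train"), FEEDWATER]
# Same outage with a compensatory measure credited as extra capability.
WITH_COMPENSATION = [
    Entry("diesel generator A", "LOOP", 30, 5, "1 redundant system"), FEEDWATER]
# Same outage overlapping work assumed to make LOOP five times likelier.
WITH_SWITCHYARD_WORK = [
    Entry("diesel generator A", "LOOP", 30, 5, "1 train", 5.0), FEEDWATER]

if __name__ == "__main__":
    for name, plan in (("plan", PLAN), ("compensated", WITH_COMPENSATION),
                       ("switchyard work", WITH_SWITCHYARD_WORK)):
        colors, worst, action = assess(plan)
        print(f"{name}: {worst} -> {action}")
        for (ssc, event), c in colors.items():
            print(f"    {ssc} / {event}: {c}")
```

The three sample plans show the yellow zone being entered, a compensatory measure returning the configuration to white, and a frequency increase moving the event up one category in the "frequency" column.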

Other methods for establishing action levels may include use of quantitative insights from the PSA. A number of acceptable approaches exist, and may be used singularly or in combination.

  • The baseline risk level from which the risk increase is assessed may be the standard annual baseline risk level (incorporating the contribution to risk of equipment out-of-service due to maintenance).
  • The baseline risk level from which the risk increase is assessed may be the "zero maintenance" model, which corresponds to a condition where all equipment is in service and the only contribution to risk is the random failure rates for components and operators and random initiating event frequencies.
  • The action level may include consideration of a specific value of the CDF (or LERF, if calculated) that results from the maintenance activity. This value may be defined as an absolute risk level, or as a relative increase to one of the baseline levels discussed above.
  • The action level may include consideration of the incremental risk increases due to individual maintenance activities over a set time period. This approach involves consideration of the integrated risk incurred over a period of time a configuration or condition exists, and can be expressed as core damage probability (CDP) or large early release frequency probability (LERP).
  • The action level may include consideration of a cumulative risk value, based on computing the total cumulative risk due to maintenance activities over a specific interval.

Due to differences in plant type and design, there is acknowledged variability in baseline core damage frequency. Further, there is variability in containment performance that may impact the relationship between baseline core damage frequency and baseline large early release frequency for a given plant or class of plants. Therefore, determination of the appropriate method or combination of methods as discussed above, and the corresponding quantitative decision criteria, are plant-unique activities.

11.3.8 Documentation

The following are guidelines for documentation of the safety assessment:

1. The purpose of this section of the maintenance rule is to assess impacts on plant risk or key safety functions due to maintenance activities. This purpose should be effected through establishment of plant procedures that address process, responsibilities, and decision approach. It may also be appropriate to include a reference to the appropriate procedures that govern planning and scheduling of maintenance or outage activities. The process itself should be documented.

2. The normal work control process should suffice as a record that the assessment was performed. It is not necessary to document the basis of each assessment for removal of equipment from service as long as the process is followed. For evaluation of removal from service of multiple SSCs using a predetermined approach (such as a safety monitor, list, or matrix), no further documentation is necessary unless additional special considerations (such as compensatory measures, or consideration of issues beyond the scope of the assessment tool) are involved.

3. In special situations where the normal assessment tools may be unavailable or not applicable, it may be necessary to rely on operator judgment as the basis for the assessment. This situation should be addressed by the proceduralized process above.

NUMARC 93-01, R2, Appendix B Definitions

Current definition of Unavailability:

The numerical complement of availability. An SSC that cannot perform its intended function. An SSC that is required to be available for automatic operation must be available and respond without human action.

Proposed definition of Unavailability:

Unavailability = (planned unavailable hours + unplanned unavailable hours) / required hours

Availability: An SSC is available if it is capable of performing its intended function under realistic conditions. An SSC is still considered available if it can be restored to functional status within the timeframe associated with realistic conditions using proceduralized operator actions. Faulted exposure time should be accounted for using reliability - not be included as a term in unavailability.

(Realistic conditions are "best estimate" conditions assumed in establishing PSA success criteria which includes credible design basis accident conditions.)