ML20217B230
| ML20217B230 | |
| Person / Time | |
|---|---|
| Issue date: | 10/06/1999 |
| From: | Birmingham J NRC (Affiliation Not Assigned) |
| To: | Carpenter C NRC (Affiliation Not Assigned) |
| References | |
| PROJECT-689, TASK-*****, TASK-RE NUDOCS 9910120186 | |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 6, 1999

MEMORANDUM TO: Cynthia A. Carpenter, Chief, Generic Issues, Environmental, Financial and Rulemaking Branch, Division of Regulatory Improvement Programs, NRR

FROM: Joseph L. Birmingham, Project Manager, Generic Issues, Environmental, Financial and Rulemaking Branch, Division of Regulatory Improvement Programs

SUBJECT: SUMMARY OF SEPTEMBER 21, 1999, MEETING BETWEEN THE NUCLEAR REGULATORY COMMISSION (NRC) AND THE NUCLEAR ENERGY INSTITUTE (NEI) REGARDING CHANGES TO GUIDANCE DOCUMENTS USED TO IMPLEMENT 10 CFR 50.65(a)(4)

On September 21, 1999, the NRC staff held a public meeting in One White Flint North with representatives from the Nuclear Energy Institute (NEI) to provide feedback on NEI's proposed changes to the final draft NUMARC 93-01, Section 11, "Assessment of Risk Resulting from Performance of Maintenance Activities" (Attachment 1). This was the third public meeting held to discuss the proposed industry guidance developed to implement 10 CFR 50.65(a)(4). Two previous meetings were held on June 19 and July 9, 1999, to discuss the same topic.

During the meeting, the NRC staff focused on several issues that need to be clarified before the staff would pursue endorsement of the final draft Section 11 to NUMARC 93-01. The meeting agenda topics included:

- Low Safety-Significant Systems/Trains in Scope of (a)(4) Assessments
- Assess and Manage Maintenance Configurations
- Screening Methods
- When Different Screening Methods are Used
- Limitations in Screening Methods
- Credit for Management Actions / Compensatory Measures
- Risk Thresholds
- Definition of Unavailability

A copy of the public meeting agenda is provided in Attachment 2 to this memorandum. The NRC staff provided NEI with their position on the scope of systems, structures, and components (SSCs) included in the industry pre-maintenance safety assessment program described in Draft Guide (DG) 1082, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." The NRC stated that the scope should include those SSCs modeled in probabilistic risk assessments (PRAs) plus all other SSCs considered to be risk significant (high safety significant (HSS)) by the licensees' maintenance rule expert panels. In addition, licensees should include low safety significant (LSS) SSCs that meet the following conditions for inclusion in pre-maintenance safety assessment programs:

(1) the SSC is a support system for a HSS SSC,
(2) the SSC has dependencies with another low safety significant SSC,
(3) the SSC failure could increase any initiating event frequency, or
(4) the SSC is in a relatively low frequency cutset that becomes a significant contributor to the plant core damage frequency (or large early release frequency) when multiple SSCs are out of service.

NEI's final draft version of NUMARC 93-01, Section 11.3.3, Scope of the Assessments for Power Operating Conditions, does not clearly define the 4 types of SSCs listed above for SSC systems and trains within the scope of the Paragraph (a)(4) assessments. NEI stated that they will evaluate whether all the criteria noted above should be added to their guidance document.

The NRC also discussed methods licensees should use to assess and manage increases in risk due to planned maintenance activities. The final draft NUMARC 93-01, Section 11, uses methods that mimic the NRC's significance determination process (SDP) as an initial screening tool for evaluating the risk significance of relatively simple maintenance configurations. The NRC staff stated that the SDP process was established for NRC inspectors to evaluate the risk significance of events and inspection findings. It is not appropriate for use in assessing the risk significance of planned maintenance activities. Because of the complexity of maintenance configurations (i.e., more than 2 risk significant systems or trains out of service (OOS) for maintenance), the NRC also stated that the initial screening tools in Section 11 lack sufficient detail to adequately assess risk. In Section 11, the Likelihood Rating Matrix table would have to be revised with site specific probabilistic risk assessment (PRA) insights of a particular plant type (e.g., Combustion Engineering PWR plant and/or General Electric BWR plant). The matrix could also be similar to a plant specific two dimensional risk-informed matrix for it to be useful as a risk-informed assessment screening tool of preplanned maintenance configurations. The risk screening assessment tool should also be based on the configuration specific core damage probability (CDP) and not an average annual risk assessment of core damage frequency (CDF), which is the metric used in the SDP.

During the maintenance rule baseline inspections, the NRC determined that for more complex configurations, most licensees use their site specific PRA insights in a risk-informed safety assessment procedure or the licensee's risk analyst re-quantified the actual risk using the site specific PRA models and/or a risk monitor (e.g., equipment out of service (EOOS) monitor). Based on this information, the final draft Section 11 guidance should clearly state when Section 11 screening tools do not have sufficient detail and a more complex assessment tool should be completed using site specific PRA information.

The NRC also stated that the draft final Section 11 did not contain sufficient details on licensee management actions and compensatory measures. These could be used to allow licensees to take credit for management actions and other compensatory measures to reduce the risk significance of a particular configuration and keep the plant at a lower risk level.

DG 1082 proposes initial screening thresholds of delta CDP and delta LERP of SE-7 and SE-8 respectively for risk significant maintenance configurations. A copy of the SDP performance thresholds (i.e., delta CDF and delta large early release frequency (LERF)) is provided in to this memorandum. The NRC staff continues to assess whether the SDP thresholds should be consistent with screening thresholds used for other regulatory applications and industry initiatives (e.g., Regulatory Guide 1.174, EPRI PSA Applications Guide, EPRI Temporary Design Change). A table entitled "Use of Risk Information in the NRC and Industry Programs," also contains delta CDF and delta LERF thresholds and is provided in Attachment 4 to this memorandum.

The NRC also discussed their views on an appropriate definition for unavailability. The NRC believes that one definition should be used consistent with NRC regulatory programs and industry initiatives for tracking system unavailability (e.g., NRC Performance Indicators in the Inspection and Oversight Process, Institute of Nuclear Power Operations (INPO) Equipment Performance and Information Exchange (EPIX) database definition). This will assure consistent and uniform application between different regulatory programs and industry initiatives and should reduce licensees' burden since one definition will result in less effort to track unavailability time. The INPO EPIX database definition for unavailability is provided in to this memorandum.

The attendance list for this meeting is provided in Attachment 6.

Project No. 689

Attachments: As stated

cc w/att: See next page

DISTRIBUTION (Hard Copy / EMail): PUBLIC, SCollins, RZimmerman, GTracy (EDO), JBirmingham, RGEB R/F, BSheron, WKane, DMatthews, SNewberry, OGC, BBoger, FGillespie, CCarpenter, FAkstulewicz, ACRS, TQuay, RCorreia, FTalbot, PWen

G:\RGEB\NEI\msum0921.wpd

OFFICE: RGEB; SC:RGEB
NAME: JBirmingham; FAkstulewicz
DATE: 10/ /99; 10/ /99

Nuclear Energy Institute
Project No. 689

cc:

- Mr. Ralph Beedle, Senior Vice President and Chief Nuclear Officer, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Ms. Lynnette Hendricks, Director, Plant Support, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Mr. Alex Marion, Director, Programs, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Mr. Charles B. Brinkman, Director, Washington Operations, ABB-Combustion Engineering, Inc., 12300 Twinbrook Parkway, Suite 330, Rockville, Maryland 20852
- Mr. David Modeen, Director, Engineering, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Mr. Robert R. Campbell, President, Nuclear HVAC Utilities Group, Tennessee Valley Authority, 1101 Market Street, LP4J-C, Chattanooga, TN 37402-2801
- Mr. Anthony Pietrangelo, Director, Licensing, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Mr. Dennis Adams, Nuclear HVAC Utilities Group, ComEd, 1400 Opus Place, Downers Grove, IL 60515
- Mr. Jim Davis, Director, Operations, Nuclear Energy Institute, Suite 400, 1776 I Street, NW, Washington, DC 20006-3708
- Mr. H. A. Sepp, Manager, Regulatory and Licensing Engineering, Westinghouse Electric Company, P.O. Box 355, Pittsburgh, Pennsylvania 15230-0355

NUCLEAR ENERGY INSTITUTE
NUCLEAR GENERATION DIVISION

September 2, 1999

Mr. Bruce A. Boger
Director
Division of Inspection Program Management
Office of Nuclear Regulatory Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

SUBJECT: Final Draft Revisions to NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, to Address Final Rulemaking to 10 CFR 50.65

Dear Mr. Boger:

Enclosed for NRC's review and endorsement are final draft revisions to NUMARC 93-01. These revisions were developed to serve as implementation guidance for the final rulemaking to the plant configuration assessment provision of the maintenance rule as published in the Federal Register on July 19, 1999, and reflect discussions conducted in a series of meetings with NRC staff. This document has been subjected to review and comment by the full industry.

NRC's July 13, 1999 memorandum from the EDO to the Commissioners discussed the overall plan and schedule for development of the guidance. We request NRC endorsement of the guidance, following a public comment period, through issuance of Revision 3 to NRC Regulatory Guide 1.160.

If you or your staff have any questions, please contact me at (202) 739-8081 or Biff Bradley at (202) 739-8083.

Sincerely,
Anthony R. Pietrangelo

REB/ARP/ngs
Enclosure
c: Mr. Theodore R. Quay, NRC/NRR
   Mr. Richard P. Correia, NRC/NRR

FINAL DRAFT

11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES

11.1 Reference

Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of structures, systems, and components (SSCs) to be included in the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and safety.

11.2 Background

Maintenance activities must be performed to provide the level of plant equipment reliability necessary for safety, and should be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability and availability.

The benefits of well managed maintenance conducted during power operations include increased system and unit availability, reduction of equipment and system deficiencies that could impact operations, more focused attention during periods when fewer activities are competing for specialized resources, and reduction of work scope during outages. In addition, many maintenance activities may be performed during power operation with a smaller net risk impact than during outage conditions, particularly for systems whose performance is most important during shutdown, or for which greater functional redundancy is available during power operations.

11.3 Guidance

This section provides guidance for the development of an approach to assess and manage the risk impact expected to result from performance of maintenance activities. Assessing the risk means using a risk-informed process to evaluate the overall contribution to risk of the planned maintenance activities. Managing the risk means providing plant personnel with proper awareness of the risk, and taking actions as appropriate to control the risk.

The assessment is required for maintenance activities performed during power operations or during shutdown. Performance of maintenance during power operations should be planned and scheduled to properly control out-of-service time of systems or equipment. Planning and scheduling of maintenance activities during shutdown should consider their impact on performance of key shutdown safety functions.

11.3.1 Assessment Process, Control, and Responsibilities

The process for conducting the assessment and using the result of the assessment in plant decisionmaking should be proceduralized. The procedures should denote responsibilities for conduct and use of the assessment, and should specify the plant functional organizations and personnel involved, including, as appropriate, operations, engineering, and risk assessment (PSA) personnel.

In special situations where the normal assessment tools may be unavailable or not applicable, it may be necessary to rely on operator judgment as the basis for the assessment. This situation should be addressed by the proceduralized process above.

11.3.2 General Guidance for the Assessment - Power Operations and Shutdown

1. Power Operating conditions are defined as plant modes other than hot shutdown, cold shutdown, refueling, or defueled. Section 11.3.3 describes the scope of SSCs subject to the assessment during power operations. Section 11.3.5 describes the scope of SSCs subject to the assessment during shutdown.

2. The assessment method may use quantitative approaches, qualitative approaches, or blended methods. In general, the assessment should consider:

- The degree of redundancy available for performance of the safety function(s) served by the out-of-service SSC
- The duration of the out-of-service condition
- The likelihood of an initiating event or accident that would require the performance of the affected safety function
- The likelihood that the maintenance activity will increase the frequency of an initiating event to an extent that is significant to safety
- Component and system dependencies that are affected

3. The assessments may be predetermined or performed on an as-needed basis.

4. The degree of depth and rigor used in assessing and managing risk should be commensurate with the safety significance of the SSCs planned for maintenance, and the impact of the maintenance activity on the train or system function.

5. The assessment should take into account whether the out-of-service SSCs could be promptly restored to service if the need arose due to emergent conditions. The assessment should consider the time necessary for restoration with respect to the time at which performance of its safety function would be needed.

Appendix B contains a specific definition of "unavailability" for the purposes of monitoring and goal setting as discussed in Section 9.0. The "unavailability" definition is more restrictive than the provisions of item 5 above, which are based on realistic conditions and assumptions. The "unavailability" definition is not required for use during performance of the plant configuration assessment.

The following examples illustrate the distinction between the "unavailability" definition and the assessment process approach:

- An SSC out-of-service for monitoring, surveillance, or simple maintenance, and which would require more than one simple operator action to recover its function, would be considered "unavailable" for monitoring purposes, but could still be considered functional for the configuration assessment, as long as its function could realistically be recovered prior to its need during the accident sequence.
- An SSC undergoing surveillance, and with its automatic actuation disabled, but recoverable through a single proceduralized action in the control room (or remotely, by a dedicated stationed operator), would be considered "available" for monitoring purposes, as well as functional for the configuration assessment.

6. Emergent conditions may result in the need for action prior to conduct of the assessment, or could change the conditions of a previously performed assessment. Examples include plant configuration or mode changes, additional SSCs out of service due to failures, or significant changes in external conditions (weather, offsite power availability). The following guidance applies to this situation:

- The safety assessment should be performed (or re-evaluated) to address the changed plant conditions on a reasonable schedule commensurate with the safety significance of the condition. Based on the results of the assessment, ongoing or planned maintenance activities may need to be suspended or rescheduled, and SSCs may need to be returned to service.
- Performance (or re-evaluation) of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions.
- If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted.

11.3.3 Scope of Assessment for Power Operating Conditions

10 CFR 50.65(a)(4) states "The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and safety". Thus, the scope of SSCs subject to the (a)(4) assessment provision will not include all SSCs that meet the section (b)(1) and (b)(2) maintenance rule scoping criteria.

The intent of the assessment scope is to include SSCs of high safety significance, as well as SSCs that may not in themselves be of high safety significance, but could, in combination with other SSCs, have a significant impact on overall plant risk. The (a)(4) assessment scope may be limited to the following scope of SSCs:

1. Those SSCs included in the scope of the plant's level one, internal events probabilistic safety assessment (PSA) (1)(2)(3), and;

2. SSCs in addition to the above that have been determined to be high safety significant (risk significant) through the process described in Section 9.3 of this document.

(1) Appendix E provides information on PSA attributes.

(2) SSCs within the plant PSA scope may be eliminated from further consideration for the (a)(4) assessments if they are evaluated and shown to have minimal safety significance regardless of plant configuration. The expert panel may be used to facilitate these determinations.

(3) If the plant PSA includes level two considerations (containment performance, release frequency), the scope of the (a)(4) assessment may optionally include the scope of the level two PSA. Otherwise, inclusion within the assessment scope of SSCs important to containment performance may be covered by inclusion of high safety significant SSCs as discussed in item 2 of the above section. Section 9.3.1 of this document discusses the importance of containment performance as a consideration in identifying risk significant (high safety significant) SSCs, and is repeated below:

"Most of the methods described below identify risk significant SSCs with respect to core damage. It is equally important to identify as risk significant those SSCs that prevent containment failure or bypass that could result in an unacceptable release. Examples might include the containment spray system, containment cooling system, and valves that provide the boundary between the reactor coolant system and low pressure systems located outside containment."

11.3.4 Assessment Methods for Power Operating Conditions

Removal from service of a single structure, system (when not composed of redundant trains) or component is adequately covered by existing Technical Specifications requirements, including the treatment of dependent components. Thus, the assessment for removal from service of a single SSC for a reasonable amount of time (e.g., the Technical Specifications allowed out-of-service time, or a commensurate time for a non-Technical Specification SSC), need only consider if unusual external conditions are present or imminent (e.g., severe weather, offsite power instability).

Simultaneous removal from service of multiple SSCs requires that an assessment be performed using quantitative, qualitative, or blended methods. Sections 11.3.4.1 and 11.3.4.2 provide guidance regarding quantitative and qualitative considerations, respectively.

11.3.4.1 Quantitative Considerations

1. The assessment process may be performed by a tool or method that considers quantitative insights from the PSA. This can take the form of using the PSA model, or using a safety monitor, matrix, or list derived from the PSA insights. In order to properly support the conduct of the assessment, the PSA must have certain attributes, and it must reasonably reflect the plant configuration. Appendix E provides information on PSA attributes. Section 11.3.7.1 provides guidance on various approaches for using the output of a quantitative assessment to manage risk.

2. If the PSA is modeled at a level that does not directly reflect the SSC to be removed from service (e.g., the RPS system, diesel generator, etc. has been modeled as a "single component" in the PSA), the assessment should include consideration of the impact of the out of service SSC on the safety function of the modeled component. SSCs are considered to support the safety function if the SSC is significant to the success path for function of the train or system (e.g., primary pump, or valve in primary flowpath). However, if the SSC removed from service does not contribute significantly to the train or system safety function (e.g., indicator light, alarm, drain valve), the SSC would not be considered to support the safety function.

11.3.4.2 Qualitative Considerations

1. The assessment may be performed by a qualitative approach, by addressing the impact of the maintenance activity upon key safety functions, as follows:

- Identify key safety functions affected by the SSC planned for removal from service.
- Consider the degree to which removing the SSC from service will impact the key safety functions.
- Consider degree of redundancy, duration of out-of-service condition, and appropriate compensatory measures, contingencies, or protective actions that could be taken if appropriate for the activity under consideration.

2. For power operation, key plant safety functions are those that ensure the integrity of the reactor coolant pressure boundary, ensure the capability to shut down and maintain the reactor in a safe shutdown condition, and ensure the capability to prevent or mitigate the consequences of accidents that could result in potentially significant offsite exposures.

Examples of these power operation key safety functions are:

- Containment Integrity (Containment Isolation, Containment Pressure and Temperature Control);
- Reactivity Control;
- Reactor Coolant Heat Removal; and
- Reactor Coolant Inventory Control.

3. The key safety functions are achieved by using systems or combinations of systems. The configuration assessment should consider whether the maintenance activity would:

- Have a significant impact on the performance of a key safety function, considering the remaining degree of redundancy for trains or systems supporting the key safety function, and considering the likelihood of an initiating event
- Involve a significant potential to cause a scram or safety system actuation
- Result in significant complications to recovery efforts.

4. The assessment should consider plant systems supporting the affected key safety functions, and trains supporting these plant systems.

5. Qualitative considerations may also be necessary to address external events, containment performance issues, and SSCs not in the scope of the level one, internal events PSA (e.g., included in the assessment scope because of expert panel considerations). In these cases, the assessment may need to include consideration of actions which could affect the ability of the containment to perform its function as a fission product barrier. With regard to containment performance, the assessment should consider:

- Whether new containment bypass conditions are created, or the probability of containment bypass conditions is increased;
- Whether new containment penetration failures that can lead to loss of containment isolation are created; and
- If maintenance is performed on SSCs of the containment heat removal system (or SSCs upon which this function is dependent), whether redundant containment heat removal trains should be available.

6. External event considerations involve the potential impacts of weather or other external conditions relative to the proposed maintenance evolution. For the purposes of the assessment, weather, external flooding, and other external impacts need to be considered if such conditions are imminent or have a high probability of occurring during the planned out-of-service duration. An example where these considerations are appropriate would be the long-term removal of exterior doors or floor plugs.

7. Internal flooding considerations should be addressed if pertinent. The assessment should consider the potential for maintenance activities to cause internal flood hazards, and for maintenance activities to expose SSCs to flood hazards in a manner that degrades their capability to perform key safety functions.

11.3.5 Scope of Assessment for Shutdown Conditions

The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment for shutdown conditions are those SSCs necessary to support the following shutdown key safety functions (from Section 4 of NUMARC 91-06):

- Decay heat removal capability
- Inventory Control
- Power Availability
- Reactivity control
- Containment (primary / secondary)

The shutdown key safety functions are achieved by using systems or combinations of systems. The shutdown assessment need not be performed for SSCs whose operability is not required by Technical Specifications during shutdown mode, unless these SSCs are considered for establishment of backup success paths or compensatory measures.

11.3.6 Assessment Methods for Shutdown Conditions

NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, Section 4.0, provides a complete discussion of shutdown safety considerations with respect to maintaining key shutdown safety functions, and should be considered in developing an assessment process that meets the requirements of 10 CFR 50.65(a)(4).

Performance of the safety assessment for shutdown conditions generally involves a qualitative assessment with regard to key safety functions, and follows the same general process described in Section 11.3.4.2 above. (Those plants that have performed shutdown PSAs can use these PSAs as an input to their shutdown assessment methods.) However, there are some different considerations than the at-power assessment. These include:

1. The shutdown assessment is typically focused on SSCs "available to perform a function" versus SSCs "out of service" in the case of power operations. Due to decreased equipment redundancies during outage conditions, the outage planning and control process may involve consideration of contingencies and backup methods to achieve the key safety functions, as well as on measures that can reduce both the likelihood and consequences of adverse events.

2. Assessments for shutdown maintenance activities need to take into account plant conditions and multiple plant configurations that impact the shutdown key safety functions. The shutdown assessment is a component of an effective outage planning and control process.

3. Maintenance activities that do not necessarily remove the SSC from service may still impact plant configuration and impact key safety functions. Examples could include:

- A valve manipulation that involves the potential for a single failure to create a draindown path affecting the inventory control key safety function
- A switchyard circuit breaker operation that involves the potential for a single failure to affect availability of AC power.

Because of the special considerations of shutdown assessments, additional guidance is provided below with respect to each key safety function:

11.3.6.1 Decay Heat Removal Capability

Assessments for maintenance activities affecting the DHR system should consider that other systems and components can be used to remove decay heat depending on a variety of factors, including the plant configuration, availability of other key safety systems and components, and the ability of operators to diagnose and respond properly to the event.

For example, assessment of maintenance activities that impact the decay heat removal key safety function should consider:

- initial magnitude of decay heat
- time to boiling
- time to core uncovery
- time to containment closure (PWR)
- initial RCS water inventory condition (e.g., filled, reduced, mid-loop, refueling canal filled, reactor cavity flooded, etc.)
- RCS configurations (e.g., open/closed, nozzle dams installed or loop isolation valves closed, steam generator manways on/off, vent paths available, temporary covers or thimble tube plugs installed, main steam line plugs installed, etc.)
- natural circulation capability with heat transfer to steam generator shell side (PWR)

If the fuel is offloaded to the spent fuel pool during the refueling outage, the decay heat removal function is shifted from the RCS to the spent fuel pool. Assessments for maintenance activities should reflect appropriate planning and contingencies to address loss of SFP cooling.

11.3.6.2 Inventory Control

Assessments for maintenance activities should address the potential for creating inventory loss flowpaths. For example,

- For BWRs, maintenance activities associated with the main steam lines (e.g., safety/relief valve removal, automatic depressurization system testing, main steam isolation valve maintenance, etc.) can create a drain down path for the reactor cavity and fuel pool. This potential is significantly mitigated through the use of main steam plugs.
- For BWRs, there are potential inventory loss paths through the DHR system to the suppression pool when DHR is aligned for shutdown cooling.
- For PWRs, assessments for maintenance activities during reduced inventory operations are especially important. Reduced inventory operation occurs when the water level in the reactor vessel is lower than 3 feet below the reactor vessel flange.

A special case of reduced inventory operation for PWRs is mid-loop operation, which occurs when the RCS water level is below the top of the hot legs at their junction with the reactor vessel. Similar conditions can exist when the reactor vessel is isolated from steam generators by closed loop isolation valves or nozzle dams with the reactor vessel head installed or prior to filling the reactor cavity. Upon loss of DHR under these conditions, coolant boiling and core uncovery can occur if decay heat removal is not restored or provided by some alternate means. In addition, during mid-loop operation, DHR can be lost by poor RCS level control or by an increase in DHR flow (either of which can ingest air into the DHR pump).

11.3.6.3 Power Availability
Assessments should consider the impact of maintenance activities on availability of electrical power. Electrical power is required during shutdown conditions to maintain cooling to the reactor core and spent fuel pool, to transfer decay heat to the heat sink, to achieve containment closure when needed, and to support other important functions.
- Assessments for maintenance activities involving AC power sources and distribution systems should address providing defense in depth that is commensurate with the plant condition.
- Assessments for maintenance activities involving the switchyard and transformer yard should consider the impact on offsite power availability.
AC and DC instrumentation and control power is required to support systems that provide key safety functions during shutdown. As such, maintenance activities affecting power sources, inverters, or distribution systems should consider their functionality as an important element in providing appropriate defense in depth.
11.3.6.4 Reactivity Control
The main aspect of this key safety function involves maintaining adequate shutdown margin in the RCS and the spent fuel pool. For PWRs, maintenance activities involving addition of water to the RCS or the refueling water storage tank have the potential to result in boron dilution. During periods of cold weather, RCS temperatures can also decrease below the minimum value assumed in the shutdown margin calculation.
11.3.6.5 Containment - Primary (PWR)/Secondary (BWR)
Maintenance activities involving the need for open containment should include evaluation of the capability to achieve containment closure in sufficient time to mitigate potential fission product release. This time is dependent on a number of factors, including the decay heat level and the amount of RCS inventory available.
For BWRs, technical specifications may require secondary containment to be closed under certain conditions, such as during fuel handling and operations with a potential to drain the vessel.
In addition to the guidance in NUMARC 91-06, for plants which obtain license amendments to utilize shutdown safety administrative controls in lieu of Technical Specification requirements on primary or secondary containment operability and ventilation system operability during fuel handling or core alterations, the following guidelines should be included in the assessment of systems removed from service:
- During fuel handling/core alterations, ventilation system and radiation monitor availability (as defined in NUMARC 91-06) should be assessed, with respect to filtration and monitoring of releases from the fuel. Following shutdown, radioactivity in the RCS decays away fairly rapidly. The basis of the Technical Specification operability amendment is the reduction in doses due to such decay. The goal of maintaining ventilation system and radiation monitor availability is to reduce doses even further below that provided by the natural decay, and to avoid unmonitored releases.
- A single normal or contingency method to promptly close primary or secondary containment penetrations should be developed. Such prompt methods need not completely block the penetration or be capable of resisting pressure. The purpose is to enable ventilation systems to draw the release from a postulated fuel handling accident in the proper direction such that it can be treated and monitored.
11.3.7 Managing Risk
The assessment provides insights regarding the risk significance of maintenance activities. The process for managing risk involves using the result of the assessment in plant decisionmaking to control the overall risk impact. This is accomplished through prudent planning, scheduling, coordinating, monitoring, and adjusting maintenance activities. The following guidance is applicable:
- The risk impact of maintenance activities may be controlled by defining appropriate action levels that are based on the result of the configuration assessment. Action levels describe, for a maintenance activity or group of activities, what plant actions beyond routine scheduling should be undertaken to ensure awareness and control of risk. For example, a plant could designate four action levels, ranging from "no additional actions necessary" to "operating shift awareness" to "management pre-approvals and compensatory measures" to "unacceptable condition." Section 11.3.11 discusses factors that should be considered in establishing the action levels.
- For maintenance configurations involving higher risk for a short duration, the duration of the maintenance activity may be minimized through appropriate planning and preparation, such as briefings, training on mockups, and prestaging necessary materials and equipment. Appropriate site personnel should be at a heightened state of risk awareness while the plant is in the configuration.
- For maintenance activities involving potentially higher risk, consideration may also be given to reducing the level of risk by enhancing the ability to restore the equipment to service in the event it is needed, even if this could result in a longer duration for the overall maintenance activity (e.g., performing activities in sequence rather than in parallel).
- The effective control of risk increases due to an unexpected failure of a risk-important SSC can be reasonably assured by planning for contingencies, or coordinating, scheduling, monitoring, and modifying the duration of planned maintenance activities.
11.3.7.1 Action Levels
The process for management of risk should include establishment of levels for actions as discussed above. Action levels may be determined qualitatively or quantitatively, or in combination, and should address power operating conditions and shutdown conditions. The following factors should be considered in establishing action levels:
- The remaining mitigation capability, e.g., the degree of redundancy available for performance of the safety function served by the out-of-service SSC, including consideration of compensatory measures and contingencies. A greater degree of redundancy should result in a lower risk impact.
- The duration of the out-of-service condition. A shorter duration should result in a smaller risk impact, if other factors are equal.
- The expected frequency of the initiating event for which the performance of the safety function would be required. A lower frequency of initiators should result in a lower risk impact.
One process for determining action levels could be modeled on the NRC "Significance Determination Process" (SECY-99-007). This process provides a mechanism for factoring into the action level determination both the likelihood of a potential initiating event (such as a loss of offsite power) and the amount of redundancy present for the safety function which is affected. This method would be applicable for SSCs addressed in the PSA, as well as those SSCs in the configuration assessment scope that are not addressed in the PSA. Though it was developed for on-line conditions, a variation of this method could be used for shutdown conditions as well.
The matrices on the following page depict the use of this process. The first matrix provides a likelihood rating based on expected initiating event frequency and duration of the out-of-service condition. The event frequencies listed in the first table are approximate. Plant specific information (e.g., PSA insights) may be used to adjust the listed categories to more closely reflect the initiating event frequencies for a given plant.
Further, if the proposed maintenance activity would increase the frequency of an initiating event, this may be taken into account by changing the affected initiating event frequency to reflect the increase (to the extent that it would move to a different category in the "frequency" column).
The likelihood rating is used in the second matrix (the risk significance estimation matrix) to establish a "color" indicative of risk significance, based on the remaining mitigation capability. This color is used as a basis for establishment of action levels.
The process would be applied for each SSC out of service, and for each event which the SSC mitigates, (e.g., if three SSCs are out-of-service, each of which serve to mitigate two events, six colors would be determined). The intent of this approach is to remain in the green or white zones, taking into account any other SSCs out-of-service that would affect the remaining mitigation capability for the same event(s). If the evaluation indicates that the yellow zone would be entered, compensatory measures should be established to effectively return to the white zone. In general, the following action guidelines could be applied:
- Green - no action
- White - operating shift awareness
- Yellow - management approval, establishment of compensatory measures, briefings, prestaging, mockups
- Red - unacceptable condition
The above is an example only, and variations or additional actions could be established on the basis of this method.
Likelihood rating matrix
| Approx. freq. | Example event type | Duration of out-of-service condition: > 30 days | 3 days - 30 days | < 3 days |
|---|---|---|---|---|
| 1E-1 to 1E-2 per year | LOOP, SGTR, stuck open SRV (BWR), MSLB (outside containment), loss of 1 SR bus, loss of instrument air, fire | B | C | D |
| 1E-2 to 1E-3 per year | small LOCA (PWR), stuck open PORV/SRV, MFLB, flood | C | D | E |
| 1E-3 to 1E-4 per year | med LOCA (PWR), small LOCA (BWR), MSLB inside containment, loss of all service water | D | E | F |
| 1E-4 to 1E-5 per year | large/medium LOCA (BWR) | E | F | G |
| 1E-5 per year or less | large LOCA (PWR), ISLOCA, vessel rupture, severe earthquake | F | G | H |
Risk significance estimation matrix
| Duration of Condition Factor from above | Remaining mitigation capability: ≥3 trains or 2 redundant systems | 1 redundant system + 1 train | 2 trains | 1 redundant system | 1 train | 0 |
|---|---|---|---|---|---|---|
| A | green | white | yellow | red | red | red |
| B | green | green | white | yellow | red | red |
| C | green | green | green | white | yellow | red |
| D | green | green | green | green | white | red |
| E | green | green | green | green | green | yellow |
| F | green | green | green | green | green | white |
| G | green | green | green | green | green | green |
| H | green | green | green | green | green | green |
Other methods for establishing action levels may include the use of quantitative insights from the PSA (these may need to be coupled with qualitative considerations for maintenance involving risk-significant systems which are not modeled in the PSA). A number of acceptable approaches exist, and may be used singularly or in combination. Considerations are as follows:
- The baseline risk level from which the risk increase is assessed may be the standard annual baseline risk level (incorporating the contribution to risk of equipment out-of-service due to maintenance), or the "zero maintenance" model, which corresponds to a condition where all equipment is in service and the only contribution to risk is the random failure rates for components and operators and random initiating event frequencies.
- The action level may include consideration of a specific value of the CDF (or LERF, if calculated) that results from the maintenance activity. This value may be defined as an absolute risk level, or as a relative increase to one of the baseline levels discussed above.
- The action level may include consideration of the incremental risk increases due to individual maintenance activities over a set time period. This approach involves consideration of the integrated risk incurred over a period of time a configuration or condition exists, and can be expressed as core damage probability (CDP) or large early release frequency probability (LERP).
- The action level may include consideration of a cumulative risk value, based on computing the total cumulative risk due to maintenance activities over a specific interval.
Due to differences in plant type and design, there is acknowledged variability in baseline core damage frequency. Further, there is variability in containment performance that may impact the relationship between baseline core damage frequency and baseline large early release frequency for a given plant or class of plants. Therefore, determination of the appropriate method or combination of methods as discussed above, and the corresponding quantitative decision criteria, are plant unique activities.
11.3.8 Documentation
The following are guidelines for documentation of the safety assessment:
- 1. The purpose of this section of the maintenance rule is to assess impacts on plant risk or key safety functions due to maintenance activities. This purpose should be effected through establishment of plant procedures that address process, responsibilities, and decision approach. It may also be appropriate to include a reference to the appropriate procedures that govern planning and scheduling of maintenance or outage activities. The process itself should be documented.
- 2. The normal work control process suffices as a record that the assessment was performed. It is not necessary to document the basis of each assessment for removal of equipment from service as long as the process is followed. For evaluation of removal from service of multiple SSCs using a predetermined approach (such as a safety monitor, list, or matrix), no further documentation is necessary unless additional special considerations (such as compensatory measures, or consideration of issues beyond the scope of the assessment tool) are involved.
Appendix B
Definitions
Current definition of Unavailability:
The numerical complement of availability. An SSC that cannot perform its intended function. An SSC that is required to be available for automatic operation must be available and respond without human action.
Proposed definition of Unavailability
Equipment out of service (e.g. tagged out) for corrective or preventive maintenance is considered unavailable. Support system unavailability may be counted against either the support system, or the front line systems served by the support system. The treatment of support system unavailability for the maintenance rule should be consistent with its treatment in the plant PSA. Performance criteria should be established consistent with whichever treatment is chosen.
Unavailability is calculated as follows:
$$\text{Unavailability} = \frac{\text{planned unavailable hours} + \text{unplanned unavailable hours}}{\text{required hours}}$$
(1) SSCs out of service for surveillance testing are considered unavailable, unless the test configuration is automatically overridden by a valid starting signal, or the function can be immediately restored either by an operator in the control room or by a dedicated operator stationed locally for that purpose. Restoration actions must be contained in a written procedure, must be uncomplicated (generally, a single action), and must not require diagnosis or repair. Credit for a dedicated local operator can be taken only if (s)he is positioned at the proper location throughout the duration of the test for the purpose of restoration of the train should a valid demand occur.
APPENDIX E
PSA attributes:
The PSA performs two functions for the (a)(4) assessment:
- 1. Used for determination of scope of SSCs to which the assessment applies
- 2. Used to evaluate risk impact in the performance of the assessment (or as the basis for the assessment tool), if the assessment is performed quantitatively.
The PSA model should include the following characteristics, or, if not, its limitations for use in supporting the assessment should be compensated for by additional qualitative evaluation. The EPRI PSA Applications Guide (EPRI TR-105396) discusses considerations regarding PSA attributes, maintenance, and use in decisionmaking. This guidance should be considered in determining the degree of confidence that can be placed in the use of the PSA for the assessment, and whether additional qualitative considerations should be brought to bear:
- 1. The PSA should address internal initiating events.
- 2. The PSA should provide level one insights (contribution to core damage frequency).
- 3. The PSA is not required to be expanded to quantitatively address containment performance (level 2), external events, or conditions other than power operation. Use of such an expanded PSA is an option.
- 4. The PSA should be reviewed periodically and updated as necessary to provide reasonable representation of the current plant design.
- 5. The PSA should include consideration of support systems and dependencies for SSCs that impact plant risk.
NEI document 99-XX, "Industry PSA Peer Review Process," includes additional information for evaluation of the correct treatment of these attributes in a PSA.
PUBLIC MEETING NEI AND NRC
September 21, 1999
NEI'S NUMARC 93-01, SECTION 11, GUIDANCE FOR 50.65(a)(4)
AGENDA
- Assess and Manage Maintenance Configurations
- Screening Method When Used
- Identify limits of Method
- Credit for Compensatory Measures
- Risk Thresholds
- Definition of Unavailability
- Low Safety-Significant Systems/Trains in Scope of (a)(4) Assessments
John Wilcox - uncvail.wpo Page 1
DEFINITION OF UNAVAILABILITY
Causes of planned unavailable hours include, but are not limited to, the following:
- preventive maintenance, corrective maintenance on non-failed trains, or inspection requiring a train to be mechanically and/or electrically removed from service
- planned support system unavailability causing a train of a monitored system to be unavailable (e.g., ac or dc power, instrument air, service water, component cooling water, or room cooling)
- testing, unless the test configuration is automatically overridden by a valid starting signal, or the function can be immediately restored either by an operator in the control room or by a dedicated operator stationed locally for that purpose. Restoration actions must be contained in a written procedure, must be uncomplicated (generally, a single action), and must not require diagnosis or repair. Credit for a dedicated local operator can be taken only if (s)he is positioned at the proper location throughout the duration of the test for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration actions that are virtually certain to be successful (i.e., probability nearly equal to 1) during accident conditions.
- any modification that requires the train to be mechanically and/or electrically removed from service
NEI/NRC MEETING ON GUIDANCE DOCUMENTS FOR 10CFR 50.46(a)(4)
September 21, 1999
List of Attendees
| NAME | ORGANIZATION |
|---|---|
| Tony Pietrangelo | NEI |
| Biff Bradley | NEI |
| Larry Wild | ABB CEOG |
| Jean Liaw | Maintenance Rule Clearinghouse |
| Kim Green | NUSIS |
| Deann Raleigh | Bechtel |
| Joe Birmingham | NRC |
| Frank Talbot | NRC |
| Frank Gillespie | NRC |
| Wayne E. Scott, Jr. | NRC |
| J. D. Wilcox, Jr. | NRC |
| Jack Foster | NRC |
| Garreth Parry | NRC |
| Richard P. Correia | NRC |
| Theodore R. Quay | NRC |
| Mark Reinhart | NRC |
| See-Meng Wong | NRC |
| Doug Coe | NRC |
| Tom Bergman | NRC |
| Ed Ford | NRC |
DG 1082 proposes initial screening thresholds of delta CDP and delta LERP of SE-7 and SE-8 respectively for risk significant maintenance configurations. A copy of the SDP performance thresholds (i.e., delta CDF and delta large early release frequency (LERF)) is provided in to this memorandum. The NRC staff continues to assess whether the SDP thresholds should be consistent with screening thresholds used for other regulatory applications and industry initiatives (e.g., Regulatory Guide 1.174, EPRI PSA Applications Guide, EPRI Temporary Design Change). A table entitled "Use of Risk Information in the NRC and Industry Programs," also contains delta CDF and delta LERF thresholds and is provided in Attachment 4 to this memorandum.
The NRC also discussed their views on an appropriate definition for unavailability. The NRC believes that one definition should be used consistent with NRC regulatory programs and industry initiatives for tracking system unavailability (e.g., NRC Performance Indicators in the Inspection and Oversight Process, Institute of Nuclear Power Operations (INPO) Equipment Performance and Information Exchange (EPIX) database definition). This will assure consistent and uniform application between different regulatory programs and industry initiatives and should reduce licensees' burden since one definition will result in less effort to track unavailability time. The INPO EPIX database definition for unavailability is provided in to this memorandum.
The attendance list for this meeting is provided in Attachment 6.
Project No. 689
Attachments: As stated
cc w/att: See next page
DISTRIBUTION:
Hard Copy EMail PUBLIC SCollins RZimmerman GTracy, EDO JBirmingham RGEB R/F BSheron WKane DMatthews SNewberry OGC BBoger FGillespie CCarpenter FAkstulewicz ACRS TQuay RCorreia FTalbot PWen
G:\\RGEB\\NEldnsum0921.wpd
| OFFICE | RGEB | SC:RGEB |
|---|---|---|
| NAME | JBirmingham | FAkstulewicz |
| DATE | 10/ /99 | 10/ /99 |