ML24017A321

(CN 92-001) IP 93804 Risk-Based Operational Safety and Performance Inspection (Public)
Person / Time
Issue date: 01/15/1992
From:
NRC/NRR/DRO/IRIB
To:
References
CN 92-001


Text

NRC INSPECTION MANUAL PRAB

INSPECTION PROCEDURE 93804

RISK-BASED OPERATIONAL SAFETY AND PERFORMANCE INSPECTION

PROGRAM APPLICABILITY: 2515

SALP: SOSAQV-O

93804-01 INSPECTION OBJECTIVE

The objective of the risk based team inspection effort is to assess the operational readiness of a commercial nuclear power plant utilizing risk information presented in a reactor plant's site specific probabilistic risk assessment (PRA), or other generic risk information. The inspection focuses on safety significant components and potential accident mitigation and recovery actions.

Inspections conducted in accordance with this procedure are to determine that:

01.01 Plant challenges are minimized.

01.02 Safety systems, equipment, and components will be available, reliable, and operable.

01.03 Plant operators are capable of recognizing and responding appropriately to plant challenges, and capable of conducting timely and effective accident mitigation and recovery actions.

01.04 The licensee has appropriately factored available risk information into the reactor plant's programs, procedures and design.

93804-02 INSPECTION REQUIREMENTS

02.01 PRA Review Phase. This procedure assumes that a PRA or an individual plant evaluation (IPE) has been developed for the selected reactor plant. In other cases, generic risk information may be used to prepare a representative set of potential events.

An individual who possesses the expertise in PRA methodology necessary to extract risk information will be assigned by the region to perform the following:

Issue Date: 01/15/92 93804

a. Rank all accident sequences by core damage frequency. If core damage frequency information is not readily available, proceed with the requirements of 02.01.c.2, below.


b. Select the dominant accident sequences comprising at least 90 percent of total core damage frequency for the reactor plant.
c. Select one of the two following options (02.01.c.1 or c.2), as appropriate, for fault tree information.

1. Limited Fault Tree Information. Identify accident initiators, system/component failures, potential operator errors, basic events, and recovery actions for the selected dominant accident sequences (that is, essentially, develop a list of potential events). Rank these items by their associated core melt frequencies.
2. Extensive Fault Tree Information. Identify the cut sets comprising at least 70 percent of the core damage frequency for each selected dominant accident sequence.

For each selected cut set, identify the potential events (initiating events, component failures, logic and control failures, and human errors) which comprise the cut set.

Rank the identified potential events by the relative importance measure (RIM). The RIM can be calculated by adding the frequencies of all cut sets in which the potential events appear (these values may be converted to whole numbers by multiplication by a convenient number, such as one million). If the Fussell-Vesely Importance Measure (FVIM) is given in the PRA, rank the potential events by FVIM instead of RIM.

d. Adjust the list of potential events based on known changes in plant configuration and/or plant operating and emergency procedures, or based upon strong post-PRA trends in plant operating history or component availability, reliability, or operability indicators. A pre-inspection trip (in addition to that of 02.02e below) may be necessary to obtain plant modification and/or operating experience information for this step of the PRA review.
e. Eliminate those potential events which are judged to be largely or totally insensitive to inspection effort (e.g. the frequency and severity of initiating events such as hurricanes are totally insensitive to inspection effort). However, their initial effect on reactor plant systems may be mitigated through modifications and operator actions. This aspect of hurricanes could therefore be inspected.
f. Eliminate those potential events reviewed in recent inspections.
g. Combine potential events involving like components that can be inspected as a group (add their core damage frequency values).
h. Eliminate the lowest ranking (smallest core damage frequency value) potential events to obtain a listing of the 20 to 40 highest ranking potential events for the reactor plant.


i. Along with the ordered lists of potential events, provide the team leader with descriptions of the major accident sequences from which they were derived. Develop up to three accident scenarios for simulation or control room walk down.
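The ranking arithmetic of steps a, b, c.2, e, g and h above, as an added worked example that is not part of the NRC procedure. The sequences, cut sets, event names and groupings are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample PRA extract (not from any real plant). Each accident
# sequence carries a core damage frequency (per reactor year) and its minimal
# cut sets as (frequency, [potential events]).
SEQUENCES = [
    {"name": "Station blackout", "cdf": 5.0e-5, "cut_sets": [
        (2.0e-5, ["IE-LOOP-HURRICANE", "DG-A-FTS", "DG-B-FTS"]),
        (1.2e-5, ["IE-LOOP-HURRICANE", "DG-CCF"]),
        (1.0e-5, ["IE-LOOP-HURRICANE", "DG-A-FTS", "OP-RECOVER-OFFSITE"]),
        (8.0e-6, ["IE-LOOP-HURRICANE", "BATTERY-DEPLETION"]),
    ]},
    {"name": "Small LOCA, HPI failure", "cdf": 3.0e-5, "cut_sets": [
        (1.8e-5, ["IE-SLOCA", "HPI-PUMP-A-FTS", "HPI-PUMP-B-FTS"]),
        (9.0e-6, ["IE-SLOCA", "OP-SWITCHOVER"]),
        (3.0e-6, ["IE-SLOCA", "HPI-VALVE-FTO"]),
    ]},
    {"name": "Loss of feedwater", "cdf": 1.5e-5, "cut_sets": [
        (1.2e-5, ["IE-LOFW", "AFW-TDP-FTS", "OP-FEED-BLEED"]),
        (3.0e-6, ["IE-LOFW", "AFW-MDP-FTS"]),
    ]},
    {"name": "ATWS", "cdf": 4.0e-6, "cut_sets": [(4.0e-6, ["IE-ATWS", "RPS-FAIL"])]},
    {"name": "Interfacing LOCA", "cdf": 1.0e-6, "cut_sets": [(1.0e-6, ["IE-ISLOCA"])]},
]

# Step g: like components that can be inspected as a group (constructed).
GROUPS = {
    "Diesel generators": ["DG-A-FTS", "DG-B-FTS", "DG-CCF"],
    "HPI pumps": ["HPI-PUMP-A-FTS", "HPI-PUMP-B-FTS"],
}


def select_covering(items, weight, total, fraction):
    """Take the largest items until they cover at least `fraction` of `total`.

    If the listed items never reach the threshold, all of them are returned.
    """
    chosen, running = [], 0.0
    for item in sorted(items, key=weight, reverse=True):
        if running >= fraction * total:
            break
        chosen.append(item)
        running += weight(item)
    return chosen


def dominant_sequences(sequences, fraction=0.90):
    """Steps a and b: rank by core damage frequency, keep >= 90 % of the total."""
    total = sum(s["cdf"] for s in sequences)
    return select_covering(sequences, lambda s: s["cdf"], total, fraction)


def relative_importance(sequences, seq_fraction=0.90, cut_fraction=0.70):
    """Step c.2: RIM = sum of the frequencies of every selected cut set in
    which a potential event appears."""
    rim = defaultdict(float)
    for seq in dominant_sequences(sequences, seq_fraction):
        cut_sets = select_covering(seq["cut_sets"], lambda c: c[0],
                                   seq["cdf"], cut_fraction)
        for freq, events in cut_sets:
            for event in set(events):  # count an event once per cut set
                rim[event] += freq
    return dict(rim)


def shortlist(rim, exclude=(), groups=None, keep=40, scale=1_000_000):
    """Steps e to h: drop events the reviewer judged out of scope, add up
    grouped components, scale to whole numbers, keep the top `keep` entries."""
    member_of = {e: g for g, members in (groups or {}).items() for e in members}
    merged = defaultdict(float)
    for event, value in rim.items():
        if event in exclude:
            continue
        merged[member_of.get(event, event)] += value
    ranked = sorted(((name, round(value * scale)) for name, value in merged.items()),
                    key=lambda pair: (-pair[1], pair[0]))
    return ranked[:keep]


if __name__ == "__main__":
    rim = relative_importance(SEQUENCES)
    # The hurricane initiator is excluded under step e; the reviewer's
    # judgment is supplied as input, not computed.
    for name, value in shortlist(rim, exclude={"IE-LOOP-HURRICANE"}, groups=GROUPS):
        print(f"{value:4d}  {name}")
```

Steps d, e and f remain reviewer judgments; the code only applies the exclusions and groupings it is given. If the PRA reports FVIM, that value replaces the computed RIM as the ranking key.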

02.02 Team Leader Preparation Phase

a. The team leader will develop inspection lines of inquiry through review of the PRA and the PRA derived information provided in 02.01 above.
b. The team leader will finalize the inspection team composition based on the inspection lines of inquiry developed in 02.02a above.
c. The team leader will prepare an inspection plan consisting of inspection matrices of team members versus potential events and their associated lines of inspection inquiry.
d. The team leader will prepare a preliminary schedule of the on-site activities of Section 02.04 below.
e. The team leader, or an assigned team member, will visit the licensee's reactor site, engineering organization, and (if necessary) simulator and corporate headquarters to obtain needed plant specific plans, training plans, drawings, reports, procedures, and operating history information.

02.03 Team Preparation Phase

a. The inspection team will meet for one week prior to the inspection to study the information developed, prepared, and collected in Sections 02.01 and 02.02 above.
b. Team members will obtain and review generic data which may be helpful in understanding the root cause of the potential events.
c. The team members will assist the team leader in the finalization of the inspection plan and inspection schedule. A plan for accident sequence simulation (or control room walk down) will be developed.
d. The team leader will coordinate inspection schedule changes with the licensee, as necessary.

02.04 On-Site Inspection Activities. Appendix B of the procedure provides examples of inspection checklists which the inspectors may prepare and use during the on-site phase of the inspection. Below are typical inspection techniques and programmatic and topical lines of inspection inquiry, not all of which may necessarily be used in any particular inspection.

a. Plant Walk-Throughs. The inspectors will focus on the status of equipment and rooms important to the interruption and mitigation of the identified high frequency core damage sequences.


b. Maintenance Reviews. The inspectors will determine whether preventive and corrective maintenance procedures (and prestaged materials) are adequate for effective and timely preservation and repair of equipment important to high frequency core damage sequences.
c. Surveillance and Calibration Reviews. The inspectors will determine whether selected surveillance and calibration procedures adequately address the performance of equipment important to high frequency core damage sequences.
d. Operations Reviews and Accident Simulations. The inspectors will determine whether high frequency core damage sequences have been adequately considered by the licensee through procedure reviews, training records reviews, operator interviews, and the observation of accident simulations (if conducted). The extent to which available risk information has been factored into emergency operating procedures should be addressed whether or not accident simulations are conducted. When simulations are conducted, particular emphasis should be placed on high core damage frequency accident sequences and the extent to which the emergency operating procedures reflect available risk information.
e. Plant Challenge Minimization and Mitigation Reviews. The inspectors will address, during all of the above and other independent inspection activities, whether plant hardware configurations and procedures for operations, maintenance, surveillance and calibration minimize the frequency and mitigate the severity of the identified accident sequence initiating events.
f. Performance Indicator Reviews. Although this inspection is not programmatic based, a performance indicator review which relates to on-site programs may be conducted to clarify the sources of identified licensee weaknesses. Table 1 provides recommended performance indicators and evaluation criteria to be used in evaluating licensee performance.
g. Administration/Records Follow-on Reviews (as necessary). When weaknesses are identified in a licensee program such as maintenance, surveillance, or calibration, a detailed review of station records and the administrative procedures for that program should be conducted. The review is not intended to be PRA focused. The administration/records review should address how effectively the licensee controls followup actions for safety related events within the program of interest. The review is intended to develop sufficient information for a conclusion as to whether the deficiencies noted during the PRA focused portion of the inspection were isolated or evidence of a more general managerial problem. The conclusion, incorporated in the inspection report, will serve as supporting rationale for the conduct of regional and/or licensee followup activities, as appropriate.

02.05 Report Writing Phase. All team members will participate, in a single location, in an approximately one week long report writing phase. The inspection will be documented in a standard inspection report and credited to this inspection procedure. The report should address equipment availability, operator performance and the minimization of safety system challenges.

93804-03 INSPECTION GUIDANCE

General Guidance. The following definitions are provided to aid in understanding and completing the activities discussed in this procedure. Although not necessarily identical to PRA industry definitions, they are considered sufficiently consistent to aid in the proper interpretation of terms in this procedure or industry PRA documents.

Definition of Terms

Accident Sequence. A combination of an initiating event and subsequent front-line system failures/successes that result in some definable negative outcome (such as a certain core damage state or a certain mode of off-site release of fission products). Accident sequences occur as one of a variety of possible combinations of component and operator failures called cut sets.

Availability. The probability that a system or component will perform satisfactorily when called upon, whether already in operation or in a standby status.

Basic Event. Observable failure of component or human action.

Challenge (Plant Challenge). An event which requires plant equipment or operators to respond to prevent a negative outcome such as core damage.

Consequence. A definable negative outcome of an accident sequence. Frequently this term refers to the off-site public health effects and property damage associated with a core damage scenario which breaches containment.

Containment Response. The predicted level of containment system resistance to fission product transport.

Core Damage Frequency (Core Melt Frequency). The frequency (in events per reactor year) that a given accident sequence will occur and result in a specified reactor core damage state.

Cut set. Generally refers to a "minimal cut set" consisting of a minimum combination of faults which lead to a specified negative outcome (such as a system failure). The faults may be equipment failures, logic or control failures, and/or human errors. Cut sets can be thought of as unique versions of fault sequences.

Dominant Accident Sequence. An accident sequence with a relatively large core damage frequency value or a relatively large probability for releasing fission products from containment.

External Initiator. An event which challenges a reactor plant by affecting large numbers of unrelated components. Fires, storms, earthquakes, airplane crashes and floods are all external initiators.

Failure Mode (Component Failure Mode). The specific manner in which a given component does not succeed in performing its safety function in a given accident scenario.

Fault Tree. A logic diagram showing all possible combinations of equipment failures and human errors sufficient to prevent a front-line or support system from performing its safety function.

Front-Line System. A system which provides a basic safety function of a reactor plant (such as reactivity control, maintenance of core water inventory or pressure, core cooling or containment cooling).

Human Factor. The positive or negative effect of the operator on the reactor plant. This includes operator errors of both commission and omission.

Importance. A measure, on a relative scale, of the safety significance of a given potential event compared to other potential events.

Individual Plant Evaluation (IPE). An NRC-required evaluation to identify plant vulnerabilities and plant-specific features important to risk.

Internal Initiator. An event which challenges a reactor plant by affecting (at least initially) only one component, piece of equipment, or system. Such events may be either component failures or human errors.

Line of Inspection Inquiry. A fact, topic, or general area which requires further information for final resolution.

Operability. The capability of a system, subsystem, train, component, or device to perform its specified function(s), in addition to all necessary attendant instrumentation, controls, normal and emergency electrical power sources, cooling or seal water, lubrication, or other auxiliary equipment also being capable of performing their related support function(s). See Inspection Manual Part 9900, STS Section 1, "Operability."

Potential Events. Basic events in PRA, such as individual safety significant accident initiators, component failures, human errors, and accident mitigation and recovery actions.

Probability. The likelihood, expressed in events per reactor year, that a specific event will occur.

Procedure Error. This term encompasses mistakes in the preparation and promulgation of instructions to operators of plant equipment. This term does not address operator errors in the performance of procedures.

Reliability. The expectation of continued satisfactory performance of a piece of equipment once it has begun operation (see the definition of "availability" above).

Risk. The probability of an event "coupled" with or multiplied by the severity of the consequence of that event. Therefore, core damage frequency itself specifies no "risk" unless the severity of the damage (the core damage state) is otherwise indicated.

Safety Significance. The status of a factor such that its degradation or improvement would result in a more than minimal change in overall plant risk.

Support System. A system which must successfully function for a front-line system to perform its safety function (such as the electrical power support system for emergency core cooling system pumps).

A probabilistic risk assessment (PRA) is an attempt to apply equipment and operator error information and "and/or" fault logic (Boolean Algebra) to quantitatively model the frequencies and consequences of reactor accidents. PRAs may address both internal accident initiators (such as pipe breaks, valve failures, and operator errors) and external accident initiators (such as storms, earthquakes, and fires). Fires are considered by PRA practitioners to be external because they, like earthquakes and storms, lead to the derangement of large numbers of unrelated components.

PRAs sometimes go beyond the computation of core damage frequencies to model containment response, fission product transport phenomena, and public health consequences. In this way PRAs become true risk studies rather than simply "core melt frequency" studies.

Not all PRAs assess all aspects of plant risk. Some PRAs are limited to computing core damage frequencies, while not addressing whether fission products will breach containment and be transported off-site. These are termed Level I PRAs. A Level II PRA goes further to describe the events leading to containment failure. A Level III PRA describes the expected off-site consequences after containment failure.

Equipment and component failures are modeled using one of two distinct methodologies, both of which may be used within the same PRA:

1. Component Level Analysis. The design of actual plant components is considered in specifying failure modes and failure frequencies. This approach is time consuming, complex and expensive.
2. Historical. Industrial failure data for identical or similar equipment to that actually installed in the plant is used to specify failure modes and failure frequencies. This approach is less exact but much less costly than component level analysis. Component failure modes are much less likely to be identified when historical failure information is used.

Probabilistic risk assessments are used to focus inspection lines of inquiry on safety significant components and practices. It is not intended that PRA guided inspection plans be highly prescriptive nor that the PRA be a "day-by-day" inspection guide to the team members. It is intended that inspection team members be allowed to inspect freely without undue regard to the nature of the original PRA information which initiated the line of inquiry, insofar as the readiness of the reactor plant and the operators to respond to plant challenges is being addressed. Figure 1 provides an overview of the rationale of PRA driven inspections.

It is possible that potential events of high safety significance may have root causes of failure which are insensitive to inspection. That is, it may become clear during the preparation phase or the on-site inspection phase that further inspection effort, for any of a variety of reasons, will not enhance reactor safety. At the discretion of the team leader, such lines of inspection inquiry may be dropped.

Specific Guidance

03.01 PRA Review Phase. An inspection plan should be developed using the risk insights of postulated accident sequences, subsequent core damage frequency, and event importances. If the necessary technical expertise is not present within the region conducting the inspection, the Risk Applications Branch of the Office of Nuclear Reactor Regulation (PRAB/NRR) will assist in the performance of the PRA review phase of this inspection. It is also possible that, if no site specific PRA has been developed for a reactor plant, PRAB/NRR may be able to use generic PRA insights to prepare a representative set of potential events. Appendix A provides detailed examples of typical tables produced during the PRA review phase of this inspection.

a. - b. No inspection guidance.
c. Not all PRAs provide extensive fault tree cut set information. Some PRAs rely on extensive and detailed event trees; thus two options are provided.

d. - g. No inspection guidance.
h. Potential events will typically be selected based on their involvement with high totals of core damage frequency. However, the PRA reviewer may deem it appropriate, based on the nature of the PRA information, to select some potential events because of their appearance in large numbers of cut sets (frequency of appearance importance) or their status as accident sequence interrupters. The tables in Appendix A are an example of both frequency of appearance and total core damage frequency importance indicators prepared by the PRA reviewer.

i. No inspection guidance.

03.02 Team Leader Preparation Phase. The team leader will be an experienced inspector capable of managing a multi-disciplinary inspection team. He is responsible for sending the site access letter to the licensee and coordinating team schedules and logistics. He leads the entrance and exit meetings with the licensee. He interfaces with the licensee during the inspection, usually through a designated licensee point of contact. He briefs and assigns work to the team members and coordinates team activities. He conducts the daily team meetings and ensures that the inspection remains focused on minimization of challenges, equipment availability and operational readiness.

a. The inspection team leader will review the PRA and the PRA derived information provided in 02.01h above. The team leader will identify the lines of inspection inquiry for the PRA focused inspection (i.e. the initiating events, front line systems, support systems, rooms, equipment, components, mitigating features, programs [e.g. maintenance, surveillance], and operator actions associated with each potential event). To the extent provided in the PRA, component failure modes will be identified.

The team leader will judge whether the inspection lines of inquiry should be organized along programmatic area, engineering specialty or safety system lines.

The team leader should be trained in PRA methodology and techniques so that he may effectively apply the PRA review results in the development of the inspection lines of inquiry.

The team leader should have taken the "PRA Basics for Inspection Application" course. Other PRA related courses such as "PRA Fundamentals" and "Accident Phenomenology and Containment Response" would be desirable for this individual to have taken.

b. Four to six experienced inspectors (who have taken the "PRA Basics for Inspection Application" course or an equivalent regional training course) will make up an inspection team as follows:
1. Team leader/systems engineer
2. Mechanical engineer
3. Electrical engineer
4. Instrumentation and control engineer
5. Specialists in programmatic areas (such as operations, maintenance, surveillance, fire protection, quality assurance, calibration, health physics), technical disciplines (such as metallurgy, seismic design or human factors) or system function and design (such as reactor protection, or core design and control) will be assigned to the team as indicated by the results of the PRA review. Such specialists may be available within the region or from NRC Headquarters and may replace one or more of the engineers at the team leader's discretion.

The team leader will review the technical expertise of the prospective team members and consider whether team member additions or replacements are necessary, given the lines of inspection inquiry suggested by the PRA information. The PRA review results will thereby drive the composition of the inspection team.

c. Appendix A provides an example of an inspection plan matrix which relates specific component failures to programmatic lines of inspection inquiry. A variety of such matrices may be necessary to determine inspector assignments and provide the inspectors with the PRA insights necessary to achieve the inspection goals. It is left to the team leader, based on the identified lines of inspection inquiry, to determine the specific types of matrices to be developed for each inspection.

The team leader will not normally assign himself any inspection lines of inquiry so that he may adequately manage the inspection effort.

d. The on-site inspection activities include plant walk-throughs, individual inspection efforts, and accident simulations (to be conducted on the licensee's plant specific simulator) as listed in Section 02.04 above. The team leader will coordinate this schedule with the licensee.

Since a PRA-focused team inspection does not differ greatly in duration (approximately two weeks) or in execution from most other team inspections, standard scheduling, organizational, and inspection techniques are employed as follows:

1. Entrance meeting.
2. Visual inspections of equipment and rooms, investigation of sources of plant challenges, operator/technician interviews, observation of operator and technician performance during licensee conducted simulated operational events and maintenance, surveillance and calibration activities, and programmatic oriented paperwork reviews.
3. Daily team meetings to consider findings.
4. Daily team leader meetings with a designated licensee point of contact for the inspection.
5. Pre-exit meeting to review, finalize, and critique the presentation of the inspection findings.
6. Exit meeting with the licensee, resident inspector, and appropriate regional representatives.
e. The pre-inspection trip is critical to the success of the inspection due to the importance of addressing the root causes of potential events. A plant operator's readiness to cope with emergency or severe accident sequences is evaluated through simulations (on a computer controlled control room simulator) or through control room walk-downs. Therefore, a major objective of the pre-inspection trip is to obtain pre-existing and pertinent simulation procedures from the plant specific simulator, if in existence. Plant operating experience is very important in "fine tuning" the information provided in the PRA. Plant documents are crucial in establishing actual hardware availability, reliability and operability rates. Specific documents which may aid in root cause of failure determinations are discussed in Appendix C.

03.03 Team Preparation Phase

a. No inspection guidance.
b. There are many documents which may assist the inspectors in the determination of generic root causes of failure of plant components, equipment and systems. Appendix C provides an extensive listing of such documents.
c. - d. No inspection guidance.

03.04 On-Site Inspection Activities

a. Plant Walk-Throughs
1. Plant walk-throughs should emphasize the rooms and locations which contain systems, equipment and components important to the interruption or mitigation of the high frequency core damage sequences identified during the PRA review and inspection plan development phases of the inspection. The inspectors should pay special attention to whether the licensee has factored operability information into reactor plant housekeeping programs and equipment configurations.
2. Pre-marked P&IDs, equipment operating procedures and a knowledgeable plant operator will assist in making the plant walk-throughs productive.
3. The accuracy and legibility of the posting of rooms, cubicles, bays and equipment should be noted.
4. Special emphasis should be placed on locating modifications (such as documented or undocumented jumpers) which depart from the configuration assumed in the PRA.
5. Environmental factors which have the potential to cause concurrent failure of redundant equipment (such as sprinklers) should be noted.
6. Accident specific environmental factors (such as steam plumes) which may reduce the capability of operators and equipment to perform their safety functions should be addressed.


7. Equipment operability at normal, local and alternative control locations under normal and accident conditions should be considered.
b. Maintenance Reviews
1. Selected records of preventive and corrective maintenance activities conducted during the last two years should be reviewed, with emphasis on the identified important systems, equipment and components and their failure modes. The inspector should check for reasonableness of performance frequency, procedural compliance, presence of appropriate approval signatures, adequate technician qualifications, correct parts replacement, conformance with vendor requirements, appropriate post-maintenance testing coverage and retest criteria, and supervisory/QA/QC signatures.
2. At least one maintenance activity should be observed during actual or simulated performance.
3. Review the licensee's program for trending of corrective maintenance problems. Note whether the licensee has conducted the engineering evaluations necessary to identify root causes of failure and has implemented appropriate procedural changes indicated by the evaluations. Note that the PRA's nominal equipment availability and reliability information may not be in total agreement with operating experience.
4. Determine whether the extracted PRA information suggests that certain corrective maintenance activities may need to be conducted on an emergency basis during an accident sequence. Licensee preparations for such activities should be reviewed.
5. Multiple component failures may be necessary for an accident sequence to proceed. Determine whether the licensee is cognizant of which components are accident sequence interrupters and has appropriately emphasized the prevention of probable failure modes of these components in the maintenance program.
c. Surveillance and Calibration Reviews
1. Surveillance and Calibration activities to be reviewed should be related to the identified potential events and component failure modes. Special emphasis should be placed on surveillances and calibrations which address the performance of components which are known accident sequence interrupters.
2. At least one surveillance and one calibration activity should be observed during actual or simulated performance.


3. The records of recently conducted surveillance and calibration activities should be reviewed to establish that acceptance criteria are appropriate, frequency of performance is reasonable, the procedures are technically adequate, technicians had appropriate qualifications, restoration lineups were accurate and performed satisfactorily, and that test failure followup was comprehensive and aggressive. Reference to technical specifications and vendor technical manuals may be helpful in conducting this review.
d. Operations Reviews and Accident Simulations
1. Normal, abnormal and emergency operating procedures should precisely identify equipment, be technically correct, clearly written, and adequate for the prevention, mitigation of and recovery from the dominant accident sequences being addressed by this inspection.
2. Interviews with licensed and unlicensed plant operators, training records reviews and normal, abnormal and emergency procedure reviews should be conducted. During interviews, operator familiarity with the characteristics and locations of plant equipment, local and/or alternate control devices, communications equipment and environmental survival equipment, plant procedures and high frequency core damage should be addressed. Particular emphasis should be placed on operator knowledge of the entry points for symptom oriented emergency operating procedures, if any.
3. A plant specific simulation of dominant accident sequences on a station simulator may or may not be conducted as part of the risk focused assessment. The team leader and regional management will make every effort to have simulations conducted on station simulators, if available. If a plant or station specific simulator is available, plant operator conduct of high frequency core damage scenarios on the simulator should be requested by the team leader. Appendix B provides a checklist which may be used when observing simulations of plant challenges and operator responses.
e. Plant Challenge Minimization and Mitigation Reviews. No inspection guidance.
f. Performance Indicator Reviews. As indicated in Table 1, the performance indicators may be evaluated by inspecting some of the applicable licensee programs listed in the second column.

The third column in the table provides the evaluation criteria. For example, the evaluation of the performance indicator "Preventive Measures" may be done by looking into the licensee's surveillance program. This could involve the examination of surveillance procedures, records, and the nature of past surveillance findings. This information may be used to determine if the visual inspection activities conducted by the licensee are effective in achieving the objectives of the surveillance program. The overall evaluation criterion for this is characterized in the third column of the table as "Effective visual inspection procedures".

Similarly, other recommended programs and the associated criteria for the evaluation of "Preventive Measures" are listed in columns two and three, respectively.

g. Administration/Records Follow-on Reviews (as Necessary). No inspection guidance.

03.05 Report Writing Phase. No inspection guidance.

93804-04 RESOURCE ESTIMATE

The direct inspection effort necessary to fully implement this inspection procedure is estimated to be 400 hours, based on five inspectors on site for two weeks. This estimate is for planning purposes only, and the actual effort for a specific plant may be substantially more or less.

93804-05 REFERENCES

10 CFR 50.55a(g), "Inservice Inspection Requirements."

NUREG/CR-1050, "Probability Risk Assessment (PRA) Reference Document," September 1984.

NUREG/CR-2300, Vol. I & II, "PRA Procedures Guide," January 1983.

NUREG/CR-3085, "Interim Reliability Evaluation Program: Analysis of the Millstone Point Unit 1 Nuclear Power Plant," February 1983.

NUREG/CR-3511, "Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant," March 1984.

NUREG/CR-4377, "Evaluations and Utilizations of Risk Importances," August 1985.

NUREG/CR-5637, "Generic Risk Insights for Westinghouse and Combustion Engineering Pressurized Water Reactors," November 1991.

NUREG/CR-5692, "Generic Risk Insights for General Electric Boiling Water Reactors," May 1991.

Regulatory Guide (RG) 1.33, "QA Program Requirements (Operation)," Appendix A "Typical Procedures for Pressurized Water Reactors and Boiling Water Reactors," August 16, 1978.

RG 1.71, "Welder Qualification for Areas of Limited Accessibility," December 1973.

RG 1.39, "Housekeeping Requirements for Water-Cooled Nuclear Power Reactors," Revision 2, September 1977.

NRC Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Events," July 8, 1983.

END

Attachments:

Figure 1, Rationale of PRA Driven Inspections

Table 1, Performance Indicators and Evaluation Criteria

Appendices:

A. Examples of PRA Review and Inspection Plan Development Tables

B. Inspection Checklists

C. Sources of Plant and Component Operational Data and Related Interpretative Analyses

Figure 1

RATIONALE OF PRA DRIVEN INSPECTIONS

[THIS PAGE INTENTIONALLY LEFT BLANK]

TABLE 1

PERFORMANCE INDICATORS AND EVALUATION CRITERIA

Equipment Availability

| Performance Indicator | Related Programs | Evaluation Criteria |
|---|---|---|
| Preventive Measure | Surveillance | Effective visual inspection procedures |
| | Administrative | Equipment tagging & posting; Housekeeping |
| | Preventive Maintenance | Timeliness; EQ Program Implementation |
| | Corrective Maintenance | Post-maintenance testing & restoration; Equipment failure Trending |
| | Fire Prevention | Potential fire sources/detection |
| | QA/QC | Effectiveness |
| Failure Detection | Surveillance & Calibration | Timeliness; Visual surveillances; Alarms & indicators; Procedural adequacy & system restoration; Staff qualification & conduct of tests |
| Corrective Measure | Surveillance & Calibration | Adequate procedures & conduct of test; Restoration of system & "As Left" conditions |
| | Corrective Maintenance | Timeliness; Resolution of failure root-causes; Staff familiarity and qualification |

Staff Readiness

| Performance Indicator | Related Programs | Evaluation Criteria |
|---|---|---|
| Procedure | Operation | Accuracy, clarity system lineups |
| Human Factors | Simulation | Jumpers & connectors; Equipment accessibility and identification; Emergency access & communications |
| | Records | Number of Failures due to human errors |
| Document | Electrical | Breaker load lists; P&IDs, wiring diagrams, manuals |
| Staff Qualification | Operation | Familiarity with equipment; Knowledge of Alternate methods and local operations; Detection of events, failures, & isolated equipment; Familiarity with Alarms, indicators, & procedures; TS and safety awareness |

APPENDIX A

EXAMPLES OF PRA REVIEW AND INSPECTION PLAN DEVELOPMENT TABLES

Table A.1 is an example of the ranking (by a PRA expert) of dominant accident sequences by core damage frequency where the sequences were described through the use of an alphanumeric coding scheme. Note that the PRA reviewer does not subsequently have to conduct an analysis of the typically large number of component fault trees and accident sequence cut sets to identify the relevant potential events leading to core damage.

Table A.2 is an example listing of potential events derived from the accident sequence codes of table A.1. Eleven of the most dominant accident sequences were analyzed in developing Table A.2.

Note that the potential events of Table A.2 were assigned both a frequency of appearance importance index and a total core damage frequency (times 1,000,000) importance index ("Potential Event Importance Index"). Note also that, in this table, the potential events remain categorized rather than ranked by one or the other of the importance indices. It is later, from the ranked potential events and their constituent component/operator faults, that the team leader can judge whether inspection lines of inquiry should be organized along programmatic area, engineering specialty or safety system lines.

Table A.3 relates specific component failures (derived from potential events) to programmatic lines of inspection inquiry. Note that Table A.3 was developed from a different PRA than Table A.1 and Table A.2.

Table A.1 Example listing of dominant accident sequences (Millstone Unit 1 IREP results)

[THIS PAGE INTENTIONALLY LEFT BLANK]

Legend used in Table A.1

[THIS PAGE INTENTIONALLY LEFT BLANK]

Table A.2 Example of potential events listing (Millstone Unit 1 IREP results)

[THIS PAGE INTENTIONALLY LEFT BLANK]

Table A.3 Example of inspection matrix (Calvert Cliffs Unit 1 team inspection plan)

[THIS PAGE INTENTIONALLY LEFT BLANK]

APPENDIX B

INSPECTION CHECKLISTS

A. PHYSICAL PLANT WALK-THROUGH CHECKLIST

The following areas should be observed during the walk-through.

1. Fire prevention and detection
a. Detectors
b. Flammable materials and potential fire sources
c. Electrical ground wires and exposed electrical wires
d. Fire barriers, and doors
2. General Housekeeping
a. Cleanliness (e.g., tools, waste, storage, etc.)
b. Emergency lighting
c. Unusual conditions (e.g., security doors, leaks)
3. Equipment
a. Cracked or broken parts
b. Foundations, supports, restraints and snubbers
c. Corrosion
d. Leaks
e. Running sounds
f. Nameplates, markings and tags, identification and posting of rooms, systems and equipment
g. Local indicators
h. Insulation and heat tracing
i. Evidence of excessive movement as a result of water hammer

j. Missing handles, nuts and bolts
k. Misalignment and vibration
l. Bearing cooling and mechanical over-heating
m. Valve position and chain-locks
n. Equipment accessibility and control panels
4. Environment
a. Room ventilation
b. Temperature and humidity control
c. Possible interactions with adjacent equipment or the accident environment that have the potential for causing multiple failures of redundant components.

B. MAINTENANCE CHECKLIST

1. Corrective Maintenance
a. Completed Maintenance

(1) Were required administrative approvals and reviews completed before and after the work?

(2) Were QA/QC reviews included, and was vendor/outside contractor work controlled?

(3) Did qualified personnel perform the activity?

(4) Were procedures and manuals adequate to perform the activity?

(5) Were the applicable acceptance criteria met?

(6) Was the resolution and disposition of deviations and nonconformances adequate?

(7) Were post-maintenance testing, adjustments, and calibrations performed and documented?

(8) Was post-maintenance operational testing performed in place? If not, was justification provided?

(9) Were recurring failures evaluated and preventive measures included (e.g., trend analyses, generic implications, multiple failures of redundant components, root causes)?

(10) Were corrective actions and the resolution of failures made in a timely manner?

(11) Were expendable parts or materials (e.g., filter, lubricant, oil) and replacement parts clearly identified and controlled?

b. Maintenance In Process

(1) Have proper operational personnel been notified and clearance issued?

(2) Is an approved work order used?

(3) Are approved procedures, drawings, manuals, and instructions used?

(4) Are proper parts and materials used?

(5) Are qualified personnel performing the work?

(6) Are qualified equipment, tools, and instruments used?

(7) Are proper jumpers and lifted leads maintained?

(8) Are personnel and radiological requirements observed?

(9) Have qualified personnel isolated the system/components using proper procedures (tagging, opening breakers)?

(10) Are TS LCOs checked prior to the work?

(11) Are adequate system lineups and restoration accomplished after completion of the work?

(12) Are functional tests adequate and are they performed after completion of the work?

(13) Are instrument readings and "As Left" indications within the acceptance criteria?

2. Preventive Maintenance
a. Are responsibilities and methods for establishing PM frequency defined?
b. Are PM master schedules available and implemented?
c. Has an EQ program been established and implemented in the PM program?
d. Are upgrading programs established based on repetitive failures or trending program?
e. Have vendor PM provisions been incorporated into the program?

f. Are periodic surveillance inspections performed?

C. SURVEILLANCE AND CALIBRATION CHECKLIST

1. Surveillance
a. Completed Surveillance

(1) Was the test performed within the time frequency specified in the Technical Specifications or the station program?

(2) Were tests on pumps and valves performed in accordance with the approved Inservice Test program?

(3) Were approved procedures used?

(4) Were administrative requirements met, including reviews and approvals?

(5) Did test results meet the acceptance criteria?

(6) Were tests performed by qualified personnel?

(7) Were appropriate actions taken for situations where the acceptance criteria could not be satisfied?

(8) Did tests satisfy the test objectives and did they include all of the required hardware and logic?

b. Surveillance in Process

(1) Are approved procedures used?

(2) Have proper operational personnel been notified and clearances issued?

(3) Are qualified personnel conducting the test?

(4) Is special test equipment calibrated?

(5) Are test prerequisites and TS LCOs met?

(6) Are administrative requirements met?

(7) Does the "As Left" condition meet the acceptance criteria?

(8) Are appropriate actions taken if the test fails to meet acceptance criteria?

(9) Are procedures technically correct, surveillance objectives met and are instructions clear?

(10) Are proper system lineups and restorations accomplished after completion of the test?

2. Calibration
a. Completed Calibration

(1) Were approved procedures used?

(2) Did qualified personnel perform the calibration?

(3) Was calibration equipment traceable?

(4) Were administrative requirements met?

(5) Were "As Found" and "As Left" conditions recorded?

(6) Did the "As Left" conditions meet the acceptance criteria and were the acceptance criteria within the TS requirements?

(7) Were correction factors, conversion factors, and calculations correct?

(8) Were calibrations within the required accuracy and did they include considerations relative to the calibration instrument tolerance and drift?

(9) Were return-to-service provisions satisfied?

(10) Was calibration performed within the prescribed frequency?

(11) Is there a potential for the miscalibration of redundant components?

b. Calibration In Process

(1) Are approved procedures used?

(2) Are procedures adequate and instructional steps clear to perform the test?

(3) Are qualified personnel performing the test?

(4) Have administrative requirements been satisfied?

(5) Is special calibration equipment calibrated and traceable?

(6) Are test prerequisites and TS LCOs met?

(7) Are "As Found" values within the acceptance criteria? If not, are setpoints adjusted within the acceptance criteria?

(8) Have acceptance criteria and setpoints included allowances for instrument drift, errors, and tolerances?

(9) Is the instrument properly returned to service after calibration?

D. SIMULATION CHECKLIST

1. Are operators familiar with the equipment and procedures?
2. Are operators knowledgeable of the operations?
3. Are operators able to demonstrate that event symptoms can be detected in a timely manner?
4. Are control room alarms and indications adequately used to detect, respond to and recover from the events?
5. Are procedures technically correct and are operational instructions written to perform the operations?
6. Can communications between the control room and local operators be established promptly?
7. Can emergency access to the local equipment and rooms be established promptly, with or without normal power for the security doors or access control computer?
8. Are alternate methods of operations outside of the control room available, and are operators familiar with the operations?
9. Should automatic actuations or functions fail, are operators familiar with other optional operations, either manually or locally?
10. Are operators familiar with the responses and consequences of each operation?
11. Do the normal and emergency operating procedures include proper check-off lists for valves and system lineups?
12. Do operators understand administrative requirements under emergency situations?
13. Are operators familiar with TS requirements?
14. Can operators identify abnormal conditions without control room alarms by using instrument readings?

E. ADMINISTRATION CONTROLS CHECKLIST

1. Have written procedures been implemented for controlling station activities? These include:
a. Security and access controls
b. Equipment controls, locking, tagging
c. Shift and relief turnover
d. Log entry and record retention
e. Bypass of safety functions and jumper controls
f. Reporting requirements
2. Have criteria and responsibilities for designating safety-related and non-safety-related activities been established?
3. Have criteria and responsibilities for review and approval of safety-related activities been established?
4. Have provisions to change procedures been established and implemented?
5. Have criteria and responsibilities of the personnel performing safety-related activities been established and implemented?
6. Have criteria and responsibilities for housekeeping and cleanliness controls been established and implemented?
7. Review recent minutes of on-site safety review committee meetings.

APPENDIX C

SOURCES OF PLANT, SYSTEM, AND COMPONENT OPERATIONAL DATA AND RELATED INTERPRETIVE ANALYSES

A. Analysis and Evaluation of Operational Data (AEOD)

1. Trends and Pattern Analysis of Operational Data: Periodic statistical reports on plant level events such as reactor trips and emergency safety feature actuation events.

2. Accident Sequence Precursor Program: Technical summary reports involving system level events of severe character, i.e., loss of system function. Good source of important common cause failure experience.
3. Engineering Evaluation and Technical Review Reports: Topical reports on selected safety significant events or design weaknesses, in-depth, and usually of generic interest.

4. AEOD Semi-Annual Reports: Important summary of AEOD activities and personnel assignments.
5. Licensee Event Report (LER) and Part 21/50.55(e) Data Bases: Computer data bases maintained by Oak Ridge National Laboratory (ORNL) for AEOD. AEOD will assist in obtaining Regional access to data bases or providing specialized reports on demand.
6. NPRDS Trends and Pattern Program: Periodic statistical reports on component level failure, based on Nuclear Plant Reliability Data System (NPRDS) data base. Designed to flag such problems as excessive component failure trends for specified classes of components.

7. Abnormal Occurrence Reports to Congress: Quarterly reports of safety significant events involving NRC licensees.
8. Nonreactor Event Reports: Periodic reports summarizing events involving NRC licensees engaged in nonreactor activities, e.g., fuel cycle, medical, radiography.
9. Foreign Reactor Incident Literature: Literature assembled by AEOD and periodically distributed.

B. Inspection and Enforcement

1. Information Notices: Notices summarizing safety significant events with suggested corrective actions of generic importance.
2. Bulletins & Orders: Generic or plant specific modification in hardware or procedures requiring action by licensees, frequently based on operational events of safety significance.

C. Nuclear Regulatory Research

1. Risk Analysis and Operations Reports: Research reports of operational experiences and related analyses such as:
a. NUREG/CR-1205, "Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants."
b. NUREG/CR-1331, "Data Summaries of Licensee Event Reports of Control Rods and Drive Mechanism at U.S. Commercial Nuclear Power Plants."

c. NUREG/CR-1362, "Data Summaries of Licensee Event Reports of Diesel Generator at U.S. Commercial Nuclear Power Plants."
d. NUREG/CR-1363, "Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants."
e. NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants."
f. Interim Reliability Evaluation Program (IREP) and Reactor Safety Study Methodology Application Program (RSSMAP) Reports providing Level I PRA Information on Selected Plants.
2. Engineering Technology Reports: Research reports incorporating operational experience. The following reports, issued under the Nuclear Plant Aging Research (NPAR) Program, are excellent sources of important reliability insights at the component level and provide state-of-the-art hardware availability indicators.
a. NUREG/CR-4156, "Operating Experience and Aging-Seismic Assessment of Electric Motors."
b. NUREG/CR-4234, "Aging and Service Wear of Electric Motor-Operated Valves Used in Engineering Safety-Feature Systems of Nuclear Power Plants."
3. PRA Risk-based Inspection Guides (RIGs): RIGs are listed in IMC 2515, Appendix C.

D. Nuclear Reactor Regulation

1. Independent Assessments of Site Specific PRA's.
2. Minutes of Weekly Operating Reactor Events Meeting conducted by Licensing.

E. Regional Office

1. Daily reports.
2. Inspection reports.
3. SALP evaluation reports.

F. Nuclear Industry

1. Nuclear Plant Reliability Data System (NPRDS): INPO supported data base, contact AEOD for possible data retrieval.
2. INPO Safety Evaluation Reports and Operational and Maintenance Reports: INPO generated reports involving plant events of generic interest, obtainable through INPO.
3. Nuclear Power Experience: A service that provides a well organized summary of significant operational events of Light Water Reactors.
4. Industry Supported PRA's: Level I, II, and III PRA's providing a broad range of plant specific information.

END
